CBA Publications >> Members' Only Publications >> Current Events

Current Events - 09/11/2000

Much Ado About Nothing

AB 2869 — Last Thursday the American Banker ran an article titled “Banks to Push for Veto of California Privacy Bill.” Unless you read the article closely and knew a little about California law, the title left you with the impression that the California Legislature was charting new ground in the privacy realm. Nothing could be further from the truth. The legislation in question, AB 2869 (Machado), does not enact new privacy law but rather amends an existing California privacy standard that has been in place since 1994. That law requires credit card issuers who disclose “marketing information” to unaffiliated third parties to notify cardholders of that fact and give cardholders the right to opt out of the information sharing.

At issue in AB 2869 is not whether an opt-out notice just be given (existing law requires that already), but rather:

1) The frequency of the notice. AB 2869 proposes an annual opt-out notice.
2) The form and timing of the notice. AB 2869 requires the notice to be in 10-point type rather than using the federal standard of “clear and conspicuous,”  and requires the notice to be given 60 days before information is disclosed. Additionally, the notice has to be included with the credit card when it is initially delivered.
3) Scope of notice. AB 2869 requires the notice to begiven when “marketing information,” as defined, is disclosed to subsidiaries and affiliates. These three provisions take effect April 1, 2002.

Now, how far reaching are these provisions? The annual opt-out/disclosure requirement will be required by Graham-Leach-Bliley (GLB), effective July 1, 2001. So this provision is of no consequence. With respect to subsidiaries and affiliates, the bill contains a provision that exempts information transfers to subsidiaries and affiliates to the extent “experiential” information may be shared with affiliates under the federal Fair Credit Reporting Act (FCRA). Matthew Street, associate general counsel of the American Bankers Association, has described this provision of federal law as “a powerful expression of Congress’ total control over interstate commerce.” Practical effect—none unless Congress allows the preemption to lapse in 2004. Finally, what about the form and frequency requirements? California law and AB 2869 contain a “reverse preemption” provision that provides that if the laws of the United States require disclosure concerning the use of personal information, compliance with federal law will deemed to be compliance with state law. Since GLB does require disclosure regarding the use of personal information, compliance with GLB may be all that is required.

So, if the bill doesn’t do anything why is CBA asking for a veto? The legislation is unnecessary and confusing for banks and consumers.