Vol 2003 No. 09 August 29, 2003

New State Financial Privacy Law

After years of battling a flawed bill, the CBA and other business interests removed their opposition to the California Financial Information Privacy Act ("SB 1"), which was signed on August 27. The final bill, effective July 1, 2004, includes key concessions from the bill authors. Among these are:

  • more equal treatment as between information sharing with affiliates and with joint marketing partners. CBA consistently and vigorously opposed prior versions of the bill that disfavored joint marketing agreements, which are used more by smaller banks.1

  • elimination of a private right of action.

  • protection of operational and transactional uses of customer information.

  • more limited use of a separate state privacy notice.

  • preemption of local privacy ordinances.

Overview. The overall structure of SB 1 is similar to the privacy provisions of the Gramm-Leach-Bliley Act (GLBA). The key definitions largely track those in GLBA, except where noted.2 The GLBA distinction between customer and consumer is not made in SB 1. The bill does not require an annual notice for a "one-off" purchaser of a product or service. However, if such a consumer's information is to be shared, then the consumer must be furnished with the appropriate notice and option. Note that the helpful guidelines provided in GLBA regarding "stale" customer relationships are not included in SB 1.

Two types of notices are contemplated: opt-out and opt-in. The sole opt-in requirement applies to disclosures of customer information to nonaffiliated third parties for the marketing of non-financial products and services.

Information sharing among affiliates for marketing purposes and with nonaffiliated third parties pursuant to marketing agreements is generally subject to a consumer right to opt out. However, if a bank does not share information outside the entity for marketing purposes, no California notice is required, and SB 1 does not apply. No notice or consumer election applies to information sharing among wholly-owned, affiliated financial institutions that are in the same line of business when marketing products and services that share a common brand. There is also a special allowance where customer information is maintained in information systems that are used in common by affiliated entities.

CBA and coalition partners were able to ensure that the GLBA exceptions are included in the bill, so that non-marketing uses of information are not affected. Another key change in the final bill is the elimination of a private right of action. The final bill no longer exposes institutions to the threat of class action law suits. Violations are subject to civil penalties of up to $2,500 per incident, but the right to enforce lies exclusively with the state attorney general and functional regulators.

The affiliate sharing restrictions in SB 1 will face a test very soon in Congress, which is presently wrestling with the imminent sunset of several provisions of the Fair Credit Reporting Act ("FCRA") that preempt non-federal regulation of affiliate sharing. Indeed, if SB 1 were challenged today on preemption grounds, the challenge would likely be successful. This point was underscored recently by a federal district court in a case brought against Daly City and other municipalities, in which CBA participated as friend of the court. The court ruled that the FCRA preempted the financial privacy ordinances passed by the municipalities as to affiliate sharing, but not as to third party sharing. However, what remains of the local ordinances, which include harsh penalties and private rights of action, may be of no consequence because SB 1 explicitly preempts them.3

Definitions and coverage

The key SB 1 definitions, including "nonpublic personal information" (hereafter, "customer information" or just "information"), "financial institution," and "affiliate," track those of GLBA. SB 1 covers the disclosure of nonpublic personal information of California residents only.4 A bank is covered if it is "doing business" in the state. Presumably, an institution is doing business in the state if it provides a product or service to a California resident. Thus, banks that have customers in California and in other states would either have to establish different disclosure policies for California and non-California customers, or apply the same California standards to all customers.

Opt-in. The most touted provision of SB 1 is the one the industry is perhaps least concerned about: opt-in for sharing customer information with non-affiliated third parties to market non-financial products. The consent form must be provided as a separate document (not incorporated with another document) and, to be effective, must be returned signed and dated by the consumer. The consent must clearly and conspicuously disclose:

  • that by signing, the consumer is consenting to information sharing with the institution's nonaffiliated third parties;

  • that the consent will remain in effect until revoked or modified (which can be done at any time);

  • the procedure for revoking consent; and

  • that the bank will retain the consent (or a copy), that a copy is available upon request, and the consumer may want to keep a copy as a record.

It is not necessary to identify the third party with whom information may or will be shared, or to describe specifically what information will be shared.

Affiliate sharing

Disclosures for marketing purposes. The SB 1 restrictions on the sharing of customer information among affiliates apply only to marketing uses of information, and not to transactional or administrative uses. The definition of affiliate is the same as that used in GLBA. Note that banks retain the option to market, without restriction, the products and services of affiliates or nonaffiliated third parties to their own customers if the banks do not disclose customer information in the course of marketing. But the bank is still required to enter into a confidentiality agreement with a non-affiliated third party as to the use of the information received from, or gleaned from the application of, responding customers. The agreement must include the right of the bank to verify compliance by the other entity.

Two different rules apply to affiliate sharing. The general rule is that a bank may disclose information to an affiliate for marketing purposes only after providing a notice annually that information may be shared and the consumer has not opted out. But, if the bank and the affiliate are in the same line of business,5 regulated by the "same" functional regulator, and the provided product or service shares a common brand as between the sharing entities, the notice and opt-out provisions do not apply. For purposes of this exemption, all depository financial institutions are regulated by the same regulator.

The common brand must consist of more than just a shared name or logo. While no examples are provided, the limiting language is intended to prevent use of the exemption for cross-marketing diverse products that are similar in label only. But given the other requirements (affiliate relationship, line of business), it is not apparent what kind of products and services are intended to be excluded.

For purposes of this exception only, as applied to supervised banks, an affiliate is defined as a wholly-owned bank subsidiary (or chain of wholly-owned subsidiaries), or two banks wholly owned by the same bank or holding company. Note that this definition differs from the general definition in two important respects. First, the subsidiary must be wholly owned and not simply controlled by the bank, and the affiliate and the bank must both be wholly owned by the parent. In contrast, GLB and the general rule under SB 1 both refer to the more common definition of "control," meaning 25% ownership or voting power.

Second, when referring to regulated banks, the bill omits the Federal Reserve from the list of banking regulators. But because the state Department of Financial Institutions jointly supervises state Federal Reserve member banks, this omission should not pose a problem for most banks.

Note also that the definition of affiliate for purposes of this exemption does not explicitly include a parent holding company, but the omission may be of no consequence. If the holding company performs no services, then its exclusion does not matter. If the holding company engages in support services for its subsidiaries, then the holding company itself may be deemed a financial institution within the broad meaning of the Bank Holding Company Act (12 U.S.C. 1843(k)), and thus be qualified to share information with its financial institution subsidiaries.

SB 1 includes an additional "exception" from the notice and opt-out requirement: information is not deemed to be disclosed "merely" because customer information is maintained in an information system that is used in common by affiliated entities, even though employees from the related entities have access. Similarly, a disclosure does not result merely from a consumer gaining access to a web site jointly operated or maintained under a common name of a bank and its affiliate.

It is uncertain how broadly the joint web site exception will be construed. Use of the term "access" suggests the conveying of information in the form of an internet "cookie" or other information collecting device rather than, for example, information obtained in the course of applying for a product on line.

As to the joint database exception, use of the term "merely" suggests that it is intended to preclude application of the notice and opt out requirements if information is shared solely because a family of companies manages its customer data through a separate entity. As drafted, this exception should not be construed to apply if an affiliate uses the bank customer's information to market its own products. The provision goes on to state that if a consumer "has exercised his or her right to prohibit disclosure pursuant to this division, nonpublic personal information [may not be] further disclosed or used by an affiliate except as permitted by this division." This presupposes that a customer is given an opportunity to prohibit disclosure. Certainly, if a customer has opted out pursuant to a notice the bank was required to provide for other reasons, then the affiliate would not be permitted to make further use of the customer's information.6

Credit card rules. The new law includes two special rules governing banks issuing credit cards that bear the name of a non-affiliated third party. But for these rules, a disclosure would otherwise be subject to opt out or opt in. Where a bank issues a "credit account" bearing the name of a retailer (or a name proprietary to a company primarily engaged in retail sales), the bank may provide the retailer with cardholder name and address information and a record of the purchases made with the retailer. If the account can only be used for transactions with the retailer or its retail affiliates, then the bank may disclose any nonpublic personal information regarding the account in connection with offering or providing the retailer's products or services. This provision is included in the definition of "necessary to effect, administer, or enforce," which prefaces the general transactional and administrative exceptions.7

A different provision applies to what is called an "affinity" card program, where a bank issues credit cards bearing the name of an "organization or business entity that is not a financial institution" (referred to as an affinity partner, but excluding retailers). A disclosure under this provision is subject to the notice and opt-out requirements. Pursuant to such a program, a bank may disclose the cardholder's name, address, telephone number, email address, and a record of purchases made with the affinity partner.

In connection with the issuance of any other financial product or service on behalf of an affinity partner, a bank may disclose the customer's contact details only. Also, the disclosure may not be done in a way that reveals any additional customer information.

The affinity partner must be contractually obligated to keep customer information confidential and to use the information only to verify membership, verify contact information, or offer the affinity partner's own products or services. If the affinity partner sends an email message to the customer, the message must identify the sender and provide a cost-free means for the recipient to elect not to receive further email messages.

Note that if the bank's privacy notice includes an opt-out provision for non-affiliated third party sharing (pursuant to a joint marketing agreement), it may be prudent to include a separate opt-out notice for sharing with an affinity partner because a general opt out would also be effective as to sharing with an affinity partner.

As noted, a credit card issued in the name of another entity is treated differently under SB 1 depending largely on whether the entity is a retailer, referred to as a company primarily engaged in retail sales. The distinction would be justified under the assumption that retail cards are only used for transactions made at the retailer, because the law should not interfere with a bank's ability to service the retailer's accounts. However, the "necessary to effect" provision clearly contemplates cards that can be used widely. Cards issued in the name of non-retailers, for example an airline, would fall under the affinity card provision even though those cards may also be used widely.

Joint marketing agreements

A key issue that CBA has refused over the years to compromise on is that the bill must maintain equal treatment of affiliate sharing and sharing with non-affiliated joint marketing partners. The industry had fought for the same result in GLBA to ensure that smaller banks, which typically do not have affiliate relationships, are able to provide a broad array of financial products and services through marketing agreements with third party providers.

The final version of SB 1 makes what is known under GLBA as joint marketing agreements subject to opt-out rather than opt-in (that is, it is treated generally the same as affiliate sharing). Once again, only the disclosure of information to third parties for marketing purposes is subject to opt out. Broad exemptions are available for disclosures for operational and administrative purposes.

A bank may share customer information with a nonaffiliated financial institution pursuant to an agreement to offer financial products or services jointly. The agreement must require the receiving institution to maintain the confidentiality of the information and prohibit it from disclosing or using the information other than in the course of providing the jointly offered product or service. Agreements entered into prior to January 1, 2004 are not subject to the notice and opt out requirement until January 1, 2005.

Details of notice requirement

SB 1 does not distinguish between an initial and annual notice. It also does not provide guidance on the timing of providing a notice when a customer relationship is established. The general rule is that information may not be shared unless an annual notice and opportunity to opt-out have been provided. Annual means at least once in any period of 12 consecutive months during which the customer relationship exists.

A form opt-out notice is provided that, if used, creates a conclusive presumption of compliance (see form attached to this Bulletin). Notices that are not in the form provided must be submitted to the state Office of Privacy Protection (OPP) within 30 days after its first use. A rebuttable presumption of compliance applies if a non-statutory form is submitted to a regulator for approval, and the approved form is filed with the OPP. A non-statutory notice must be no more than one page and meet all of the following requirements:

  • Title and headers. The notice must use the title "IMPORTANT PRIVACY CHOICES FOR CONSUMERS" and the headers (as applicable) "Restrict Information Sharing With Companies We Own Or Control (Affiliates)" and "Restrict Information Sharing With Other Companies We Do Business With To Provide Financial Products And Services."

  • Clear and conspicuous/format. The titles and headers must be clearly and conspicuously displayed, and no text in the notice may be smaller than 10-point type. The notice must have "wide margins" and "ample line spacing" and use boldface or italics for key words.

  • Separate document. The notice must be provided as a separate document, meaning that it may not be incorporated into another document.

  • Opt out opportunity. The opportunity to opt out must be "stated separately" (presumably meaning it cannot be embedded in a paragraph) and may be exercised by checking a box.

  • Prominence. The notice is "designed to call attention to [its] nature and significance."

  • Clarity. The notice uses clear and concise sentences, paragraphs, and sections; uses short explanatory sentences (an average of 15-20 words) or bullet lists, and avoids multiple negatives, legal terminology, and highly technical terminology, and explanations that are imprecise and readily subject to different interpretations.

  • Flesch score. The notice must achieve a minimum "Flesch" reading ease score of 50, not including the required title and header(s). As defined in Title 10, Section 2689.4(a)(7) of the California Code of Regulations, the Flesch Reading Ease Score rates text on a 100-point scale, as follows:

    206.835 - (1.015 x ASL) - (84.6 x ASW), where:
    ASL = average sentence length (the number of words divided by the number of sentences), and
    ASW = average number of syllables per word (the number of syllables divided by the number of words).

The higher the score, the more readable the text. The language used where the customer makes the election whether to opt out may not score lower than the corresponding language used in the text of the notice describing the options. Examples may be provided as long as the clarity and readability standards are met.
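The following script, added here as an illustration and not part of this Bulletin or the statute, applies the Flesch formula above to a notice and checks the two readability conditions: a body score of at least 50 (title and headers excluded) and election language that scores no lower than the descriptive text. The sample notice wording, the title check, and the syllable-counting heuristic are the author's assumptions; the regulation prescribes the formula, not a syllable method.

```python
"""Readability check for a non-statutory SB 1 opt-out notice (added example,
not the Bulletin's own code).

Applies the Flesch Reading Ease formula quoted in the Bulletin,
    206.835 - (1.015 x ASL) - (84.6 x ASW),
to the notice text (excluding the required title and headers) and checks the
two statutory conditions: the body must score at least 50, and the election
(opt-out) language may not score lower than the text describing the options.
"""
import re

# Title required by SB 1 for a non-statutory notice (quoted in the Bulletin).
REQUIRED_TITLE = "IMPORTANT PRIVACY CHOICES FOR CONSUMERS"
MINIMUM_SCORE = 50.0

# Constructed sample notice text (assumption; not from the statute or Bulletin).
SAMPLE_BODY = ("We may share your information with our affiliates. "
               "You may tell us not to share it.")
SAMPLE_ELECTION = "[ ] No, do not share it."
LEGALESE_BODY = ("Notwithstanding the foregoing, nonpublic personal information "
                 "may be disclosed to nonaffiliated third parties pursuant to "
                 "applicable statutory exceptions.")


def count_syllables(word):
    """Approximate syllable count: one per vowel group, minus a trailing silent 'e'.
    This heuristic is an assumption and can miscount irregular words."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    groups = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith(("le", "ee")) and groups > 1:
        groups -= 1  # 'share' -> 1, while 'table' and 'free' keep their count
    return max(groups, 1)


def flesch_reading_ease(text):
    """Flesch Reading Ease score of `text` on the 100-point scale (higher = easier).
    Raises ValueError for text with no words."""
    sentences = [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    if not words:
        raise ValueError("notice text contains no words")
    asl = len(words) / max(len(sentences), 1)                  # words per sentence
    asw = sum(count_syllables(w) for w in words) / len(words)  # syllables per word
    return 206.835 - (1.015 * asl) - (84.6 * asw)


def check_notice(title, body, election):
    """Check the title and both Flesch conditions; returns a result dict."""
    body_score = flesch_reading_ease(body)          # title/headers are not scored
    election_score = flesch_reading_ease(election)
    return {
        "title_ok": title.strip() == REQUIRED_TITLE,
        "body_score": round(body_score, 2),
        "election_score": round(election_score, 2),
        "body_ok": body_score >= MINIMUM_SCORE,
        "election_ok": election_score >= body_score,
    }


if __name__ == "__main__":
    for label, body in (("plain", SAMPLE_BODY), ("legalese", LEGALESE_BODY)):
        print(label, check_notice(REQUIRED_TITLE, body, SAMPLE_ELECTION))
```

The legalese sample fails the 50-point floor because of its long sentence and multi-syllable terminology, which is exactly what the clarity requirement targets.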

Delivering the notice. The SB 1 opt-out notice may be delivered in a number of ways. It could be delivered by mail alone. If delivered with the GLB notice, the envelope must either include only additional privacy information and nothing else, or the two notices may be part of an envelope containing a bill, statement of account, or application requested by the consumer. This option would appear to be the most feasible. If the SB 1 notice is delivered with any other mailing, it must be the first page of the mailing, and the envelope may not include the GLB notice. Additionally, except where the SB 1 notice is delivered with a bill, statement, or application, on the outside of the envelope must be clearly printed in 16-point boldface type: "IMPORTANT PRIVACY CHOICES."

A privacy notice may be delivered electronically if it complies with applicable provisions of the Electronic Signatures in Global and National Commerce Act (ESIGN Act), complies with the requirements applicable to paper notices (except providing a return envelope), and the notice is delivered in a form the consumer may keep. A consumer may reply electronically, and may not be required to reply in another manner.

GLBA does not explicitly refer to the ESIGN Act, which sets forth detailed standards regarding consent, prior notice about the right to receive a paper record, the right to withdraw consent, and other requirements. Also, SB 1 does not include the detailed guidance contained in GLBA regulations setting forth the conditions under which an initial notice and annual notice may be provided electronically. SB 1 states that an electronic notice must be delivered, and that it is insufficient that it is only "made available" to the consumer. This would suggest that the notice may not be incorporated into an online application process by appearing on a web page or made available as a link, but must be delivered by email some time during or after the transaction. It also casts doubt on the ability to notify a customer by email of the availability of a new privacy notice that is posted on a web site.

Opportunity to opt out. A consumer must be given a reasonable opportunity after receiving a notice to opt out, but no set period of time is provided. A consumer may opt out at any time, and the bank must comply within 45 days after receipt of the consumer's election. The election is in effect until otherwise stated by the consumer.

A self-addressed return envelope must be included with the notice. If the bank has more than $25 million in assets, it must either provide a first class business reply return envelope or a self-addressed envelope along with two alternative cost-free means for opting out, such as use of a toll-free telephone number, a toll-free fax number, or an email address.

General exceptions

The general exemptions available in SB 1 largely track those available under GLB, and include some new ones. Exemptions are available:

  • for transactional and servicing purposes

  • in connection with securitizations and secondary market sales

  • upon consumer consent or request

  • to safeguarding information/protecting the bank

  • relating to representatives of the consumer

  • relating to rating agencies, auditors, etc.

  • pursuant to the Right to Financial Privacy Act and other laws governing access by public entities

  • in connection with sales and mergers

  • to comply with legal process and other laws, including specifically the USA PATRIOT Act

  • pursuant to the Fair Credit Reporting Act

  • to report elder abuse

  • to identify or locate missing children, witnesses, criminals and fugitives, parties to lawsuits, parents delinquent in child support payments, organ and bone marrow donors, pension fund beneficiaries, and missing heirs.

  • to complete a real estate appraisal

  • relating to insurance and securities

Other services. A new exception is available for a disclosure as necessary for an affiliate or a nonaffiliated third party to perform "business or professional services, such as printing, mailing services, data processing or analysis, or customer surveys, on behalf of the financial institution." The conditions are that the services could lawfully be performed by the bank, a confidentiality agreement is in place limiting disclosure and use of the information, and the bank does not receive any compensation from the other entity in connection with the release of the information.

Enforcement

The state Attorney General and a financial institution's functional regulator are exclusively granted authority to enforce SB 1. A person who negligently discloses customer information, or intentionally obtains, discloses, or uses nonpublic personal information is liable for a civil penalty of $2,500 irrespective of the amount of damages suffered by an affected consumer. A cap of $500,000 applies to a negligent disclosure of information of more than one individual, but there is no cap applicable to any intentional violation. If a violation results in the identity theft of a consumer, as defined by Section 530.5 of the Penal Code, the applicable penalties are doubled.

Preemption. Local ordinances governing the disclosure of customer information by financial institutions are preempted by SB 1. By its terms, the preemption provision applies retroactively as well as prospectively. However, the bill is not effective until July 1, 2004, which creates some uncertainty whether banks could be held liable for a violation of local ordinances until that time.

Other provisions

Notice to same household/joint notice. As under GLBA, if joint accountholders reside at the same address, only one privacy notice is required. A notice may be delivered jointly with an affiliate or other financial institution as long as it accurately discloses the practices of the entities.

Non-discrimination. A bank may not discriminate against or deny an otherwise qualified consumer a financial product or a financial service based on a consumer's opt out decision or decision not to opt in. However, a bank is not liable if the inability to disclose information prevents the product or service from being provided. The bill does not prohibit the offer of incentives or discounts in exchange for a specific response to a notice.

Third party receivers of information. Anyone who receives nonpublic personal information from a bank, whether an affiliate or non-affiliated third party, is under a legal obligation not to disclose the information to any other entity unless the disclosure would be lawful if made directly by the disclosing bank. An entity that receives nonpublic personal information pursuant to a general exception may not use or disclose the information except in the ordinary course of business to carry out the activity covered by the exception.

A copy of SB 1 may be obtained from the website www.leginfo.ca.gov/bilinfo.html (type in "SB 1" and choose the chaptered version). SB 1 is effective July 1, 2004. If you have any questions, you may contact Leland Chan, CBA General Counsel, at 415-284-6999 ext. 214 or James Clark, chief lobbyist on SB 1, at 916-441-7377 ext. 209.


1 The broad GLBA definition of "financial institution" is used in SB 1. In this Bulletin, unless otherwise indicated, the term "bank" may be used to refer to all covered financial institutions.

2 SB 1 does not include the specific GLBA carve-out for information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers. Nevertheless, even without a similar exception, it would be difficult to characterize such data, even under the state law, as personally identifiable.

3 Note, however, that all of the local ordinances, including those passed by municipalities not subject to the lawsuit, become effective on January 1, 2004 or earlier. While SB 1 does not become effective until July 1, 2004, its preemption provision applies retroactively and prospectively.

4 A state resident is someone whose last known mailing address, other than an Armed Forces Post Office or Fleet Post Office address, as shown in the records of the financial institution, is located in California.

5 Both the disclosing and receiving entity must be in the same line of business, and the only qualifying businesses are banking, insurance, and securities.

6 On occasion, a bank will receive a request to opt out of affiliate sharing in response to a GLBA notice (even though the opportunity to opt out was not provided), but SB 1 does not contemplate this situation because it refers to a consumer direction "pursuant to this division."

7 What may be a broader exception is available for information sharing pursuant to servicing a "private label credit card program." This exception does not identify the same limits on the type of information that may be disclosed in connection with retail cards, but the wording of this exception is less than clear.

The information contained in this CBA Regulatory Compliance Bulletin is not intended to constitute, and should not be received as, legal advice.  Please consult with your counsel for more detailed information applicable to your institution.

CBA Regulatory Compliance Committee 

Jim Thvedt (Chair), Mary Lou Bonkofsky, Janet Bonnefin, Lyndon Christensen, James Curtis, Lillian Gavin, Michael Hood, Jeri Killian, David Madsen, Garry Prosperi, Thomas E. McCullough, Christine Scott, Meg Sczyrba, Paul Shimotake, Deborah Thoren-Peden, and Meg Troughton 

Leland Chan, General Counsel
California Bankers Association, 201 Mission Street, Suite 2400, San Francisco, California 94105-1839
Tel (415) 284-6999 ext. 214, Fax (415) 284-1521, e-mail: lchan@calbankers.com
