CBA Regulatory Compliance Bulletin

Vol 2003 No. 11 September 26, 2003

Summary of SB 27: Privacy Disclosure


Following on the heels of SB 1, the financial privacy bill, is a second major California privacy law, SB 27, aimed at the broader business community. SB 27 is a disclosure law that imposes no restrictions against the disclosure of customer information for any reason. If a business discloses a customer's personal information to a third party for direct marketing purposes, it must provide, within 30 days from the receipt of a request, the names and addresses of the receiving party and other specified information, and must disclose its privacy policies, including how to request the required information. Unlike SB 1 and GLB, there is no initial or annual notice requirement. A disclosure is required only upon request, and if a customer makes multiple requests a business is not required to respond more than once in a calendar year.

A key amendment to SB 27, secured by CBA prior to passage, is an exception for financial institutions subject to SB 1, the state financial privacy bill recently signed into law, but only if the institution is in compliance with the key provisions of SB 1. Because of this general exception, for the moment, banks are not subject to SB 27, and this Bulletin does not analyze the bill in detail.

However, the bill includes the following provision: if SB 1 is overturned by a court or preempted by federal law, and a financial institution chooses not to comply with SB 1, then it has to comply with SB 27. As of the writing of this Bulletin, the federal bills re-authorizing the Fair Credit Reporting Act include a preemption of any state law affecting affiliate sharing, except possibly with regard to marketing. The federal bills are not expected to affect state laws on non-affiliated third party sharing. Even if the FCRA bill passes and preempts all the affiliate sharing provisions of SB 1, banks that disclose customer information to affiliates for marketing purposes would either comply with SB 1 as if it were not preempted, or become subject to SB 27.

What SB 27 does not address is the potential effect of an FCRA preemption on itself; that is, that SB 27 may also be preempted for the same reason and to the same extent that SB 1 is preempted. But because SB 27 includes no prohibition against affiliate sharing and only a disclosure requirement, the case for preemption of SB 27 is not as strong.

The picture for sharing with non-affiliated third parties is clearer. Even with the passage of FCRA, the SB 1 provisions governing third party sharing would not be affected. If the third party provisions of SB 1 are successfully challenged in court, however, then SB 27, by its terms, would apply to banks. But, again, whatever grounds there may be for overturning SB 1 could apply also to SB 27. Since SB 27 will not become effective until January 1, 2005, and the FCRA reauthorization bill should be passed this year, banks should have time to sort things out.

Summary

SB 27 duties are triggered only if a business has, within the previous calendar year, disclosed certain information regarding an existing customer to a third party for that party's direct marketing purposes. The law applies only to residents of California and where the customer relationship is established for personal, family, or household purposes.

"Direct marketing purposes" refers both to marketing solicitations made through the mail, telephone, or electronic mail for personal, family, or household purposes, and to the (re)sale of customer information to other businesses.

Among the other exceptions provided in the bill are disclosures made by a financial institution to a business pursuant to credit card private label, affinity card, retail installment contract, and co-branding programs, but only to the extent that customer information is used to market products and services directly to customers of both the business and the issuer resulting from the program. Since a card issuer is a financial institution covered under SB 1, and SB 1 includes provisions covering credit card relationships between issuers and businesses, this provision in SB 27 primarily affects the business rather than the card issuer.

Corporate affiliates are included within the definition of third party, but limited exceptions are provided for affiliated entities that share a brand name. General exceptions are created for charitable and political solicitations, and for disclosures related to the sale of accounts or made incident to other transactions.

A business may comply with SB 27 (that is, avoid responding to disclosure requests) by instituting a policy of making customer information sharing subject to customers' right to opt-in or opt-out without cost to the customer. Also, an entity subject to GLB could comply with SB 27 by delivering its GLB notice as long as the disclosure also complies with SB 27.

Violations of SB 27 are subject to civil liability. For further information, you may call James Clark or Pat Zenzola at 916-441-7377, extensions 209 and 210, respectively.

CBA Regulatory Compliance Committee 

Jim Thvedt (Chair), Mary Lou Bonkofsky, Janet Bonnefin, Lyndon Christensen, James Curtis, Lillian Gavin, Michael Hood, Jeri Killian, David Madsen, Garry Prosperi, Thomas E. McCullough, Christine Scott, Meg Sczyrba, Paul Shimotake, Deborah Thoren-Peden, and Meg Troughton 

Leland Chan, General Counsel
California Bankers Association, 201 Mission Street, Suite 2400, San Francisco, California 94105-1839
Tel (415) 284-6999 ext. 214, Fax (415) 284-1521, e-mail: lchan@calbankers.com