CBA Publications >> CBA Regulatory Compliance Bulletin >> Vol 2004 No.4
March 17, 2004

Vol 2004 No. 4 March 17, 2004

DFI Set to Pre-approve Non-conforming SB1 Privacy Notices

As discussed in a previous CBA Regulatory Compliance Bulletin (August 29, 2003), California's financial privacy law, popularly known as SB1, requires financial institutions to deliver privacy notices to customers as a condition of disclosing customer information to affiliates and third parties for marketing purposes.

Banks are not permitted to share customer information for marketing purposes until 45 days after delivering the state privacy notice, and complying with the opt-out and opt-in provisions, as applicable. The notice, which must be delivered to California residents, must be provided in addition to the federal Gramm-Leach-Bliley notice. To avoid any interruption in information sharing practices through July 1, 2004, the effective date of SB1, banks will have to deliver the notices by the middle of May.

A bank is conclusively presumed to have satisfied the notice formatting requirements of SB1 if it uses the statutory form (see reproduction attached). If a bank chooses to use a non-conforming form, certain formatting requirements apply (see excerpts from SB1 below). However, a bank could still secure a rebuttable presumption of compliance by having the form approved by the bank's primary regulator, and filed with the new Office of Privacy Protection prior to July 1, 2007 (http://www.privacy.ca.gov/).

The Department of Financial Institutions, under newly appointed Commissioner Howard Gould, is sensitive to these timing pressures, and is willing to accept samples of non-statutory forms for preliminary review and approval. CBA will collect sample notices from its membership and submit representative forms to DFI on a no-names basis. This will give DFI time to review them and release samples that the department deems acceptable for approval.

If you are a bank subject to DFI supervision, and intend to use a non-conforming SB1 notice, please send a pro forma version to CBA, attention Leland Chan (415-284-6999 x214, or email lchan@calbankers.com). As discussed, CBA will forward representative specimens to the DFI. Forms should be provided to CBA no later than early April.

The Fair and Accurate Credit Transactions Act of 2003 ("FACT Act") extended the preemptive effect of the Fair Credit Reporting Act as to banks' disclosing customer information to affiliates. However, the provisions of SB1 applicable to disclosures to non-affiliated entities (including disclosures made pursuant to what in GLBA parlance is known as joint marketing agreements) are not preempted by the FACT Act. Banks should consult with counsel to determine the applicability of the notice requirements to your bank in light of the FACT Act. Note also the potential applicability of SB 27 if you do not comply with SB 1 (see CBA Regulatory Compliance Bulletin of September 26, 2003).

Information sharing pursuant to a joint marketing agreement entered into on or before January 1, 2004 may continue without regard to SB1 until January 1, 2005, meaning that an opt out notice would have to be delivered in mid-November to ensure no disruption.

[Section 4053(d)(1) of SB1] (SB1 formatting guidelines)

(d) (1) A financial institution shall be conclusively presumed to have satisfied the notice requirements of subdivision (b) if it uses the form set forth in this subdivision. The form set forth in this subdivision or a form that complies with subparagraphs (A) to (L), inclusive, of this paragraph shall be sent by the financial institution to the consumer so that the consumer may make a decision and provide direction to the financial institution regarding the sharing of his or her nonpublic personal information. If a financial institution does not use the form set forth in this subdivision, the financial institution shall use a form that meets all of the following requirements:
(A) The form uses the same title ("IMPORTANT PRIVACY CHOICES FOR CONSUMERS") and the headers, if applicable, as follows: "Restrict Information Sharing With Companies We Own Or Control (Affiliates)"
and "Restrict Information Sharing With Other Companies We Do Business With To Provide Financial Products And Services."
(B) The titles and headers in the form are clearly and conspicuously displayed, and no text in the form is smaller than 10-point type.
(C) The form is a separate document, except as provided by subparagraph (D) of paragraph (2), and Sections 4054 and 4058.7.
(D) The choice or choices pursuant to subdivision (b) and Section 4054.6, if applicable, provided in the form are stated separately and may be selected by checking a box.
(E) The form is designed to call attention to the nature and significance of the information in the document.
(F) The form presents information in clear and concise sentences, paragraphs, and sections.
(G) The form uses short explanatory sentences (an average of 15-20 words) or bullet lists whenever possible.
(H) The form avoids multiple negatives, legal terminology, and highly technical terminology whenever possible.
(I) The form avoids explanations that are imprecise and readily subject to different interpretations.
(J) The form achieves a minimum Flesch reading ease score of 50, as defined in Section 2689.4(a)(7) of Title 10 of the California Code of Regulations, in effect on March 24, 2003, except that the information in the form included to comply with subparagraph (A) shall not be included in the calculation of the Flesch reading ease score, and the information used to describe the choice or choices pursuant to subparagraph (D) shall score no lower than the information describing the comparable choice or choices set forth in the form in this subdivision.
(K) The form provides wide margins, ample line spacing and uses boldface or italics for key words.
(L) The form is not more than one page.