Comparison of California's Financial Information Privacy Act of 2003 with Federal Privacy Provisions

CRS Report for Congress
Received through the CRS Web
M. Maureen Murphy
Legislative Attorney
American Law Division
Summary
The California Financial Information Privacy Act,1 enacted on August 28, 2003, and effective on July 1, 2004, governs the rights of California residents with respect to the dissemination of nonpublic personal information by financial institutions. In some respects, it diverges from two federal laws that impose restrictions on the dissemination of nonpublic personally identifiable customer information by financial institutions. Its major provisions include a requirement that before sharing nonpublic personal information with nonaffiliated third parties, financial institutions receive an affirmative consent, an opt-in, from their customers. Before such information may be shared with affiliates not in the same line of business and regulated by the same functional regulator, an opt-out notice is required. Wholly-owned subsidiaries and affiliates in the same line of business (securities, banking, or insurance) may share information, except medical information, without an opt-out or opt-in requirement. California's law was enacted just before Congress enacted the Fair and Accurate Credit Transactions Act (P.L. 108-159), which makes permanent federal statutory preemption of state regulation of information sharing among corporate affiliates that was set to expire on December 31, 2003, and limits the ability of affiliated companies to share consumer information for marketing solicitations. See CRS Report RS21449, Fair Credit Reporting Act: Preemption of State Law; CRS Report RL32121, Fair Credit Reporting Act: A Comparison of House and Senate Legislation; CRS Report RL31758, Financial Privacy: The Economics of Opt-In vs Opt-Out; and CRS Report RL31847, The Role of Information in Lending: The Cost of Privacy Restrictions. This report will be updated as warranted.


1 2003 Cal. Adv. Legis. Serv. 241 (West); 2003 Cal. Stat. Ch. 241. (Available September 3, 2003, in LEXIS, STATES Library, CACODE file.)


Congressional Research Service, The Library of Congress

Background. There are two sets of federal rules for sharing of non-public personal information by financial institutions. One, under the Gramm-Leach-Bliley Act (GLBA), P.L. 106-102, applies to information sharing with non-affiliated third parties. The other, under the Fair Credit Reporting Act, specifically, the Fair Credit Reporting Act Amendments of 1996, P.L. 104-208, applies to information sharing among companies of the same corporate family or holding company, i.e., affiliates. GLBA prohibits financial institutions from sharing nonpublic personally identifiable customer information with non-affiliated third parties unless consumers are given an opportunity to prevent the disclosure, that is, to opt out. Under its 1996 amendments, the Fair Credit Reporting Act (FCRA) preempts all state laws with respect to the exchange of information among affiliated entities, companies in the same corporate family. 15 U.S.C. § 1681t(b)(2). As amended in 2003 by section 214 of P.L. 108-159, 117 Stat. 1952, the Fair and Accurate Credit Transactions Act of 2003, these preemptive provisions, due to expire at the end of 2003, were made permanent. An additional limitation was placed on information sharing among affiliated companies. Subject to certain exceptions, affiliated companies may not share customer information for marketing solicitations unless the consumer is provided clear and conspicuous notification that the information may be exchanged for such purposes and an opportunity and a simple method to opt-out.

The California Financial Information Privacy Act was enacted as the 1996 FCRA temporary preemption of state law was about to expire and contemporaneously with Congressional consideration of proposals to extend the FCRA preemption. Its provisions respecting information sharing among corporate affiliates are subject to the preemption provisions of the FCRA. Any provisions of the California law that relate to information sharing by financial institutions with non-affiliated third parties and that provide more protection than GLBA's privacy provisions would not be preempted.

Current Legislation. Among the bills being considered by the 108th Congress are the following:

H.R. 2622 (Representative Bachus), which has been reported by the House Financial Services Committee (H.Rept. 108-263) and passed by the House, would, among other things, make permanent the FCRA preemptions respecting information sharing among affiliates.

H.R. 1766 (Representatives Tiberi and Lucas), in addition to making the FCRA preemptions permanent, would give preemptive effect to GLBA's provisions respecting disclosure of nonpublic personal information by financial institutions, effectively establishing a national standard for disclosure of customer information by financial institutions. It would prevent states and local governments from imposing additional requirements, such as an opt-in for information sharing with non-affiliated third parties, more detailed or more frequent notice requirements, or increased protection for sensitive data.

S. 660 (Sen. Johnson) would make the FCRA preemptions permanent, thereby preempting state laws or regulations restricting information sharing among corporate affiliates.



California Financial Information Privacy Act. The following comparison with existing federal law is presented as a means of focusing on some of the issues that Congress has been examining.

Nonaffiliated 3d Parties
California Law: Opt-in for a financial institution to share non-public personal information (NPPI) with nonaffiliated third parties.
Federal Law: Opt-out.

"Affiliates"
California Law: Entities controlled by or under common control with another entity. Has separate rules for wholly-owned financial affiliates that are in the same line of business (banking or insurance or securities), regulated by the same functional regulator, and use the same brand. (Hereafter, wholly-owned affiliates.)
Federal Law: Same definition. Has no distinction for "wholly-owned affiliates."

Information Sharing Among Affiliates
California Law: No opt-out or opt-in requirement for sharing of NPPI among wholly-owned financial affiliates. Medical information is excluded and may be shared only pursuant to another Cal. statute. Opt-out for financial institution to share NPPI information with affiliates other than those meeting the criteria for "wholly-owned financial affiliates."
Federal Law: Permits all affiliates to share experience and transaction information without an opt-in or an opt-out. Opt-out required for financial institutions to share non-experience or non-transaction information among affiliates. No distinction for medical information.

"Financial Institution"
California Law: Excludes computer services, lawyers (and possibly, accountants), and motor vehicle dealers assigning sales contracts to financial institutions in 30 days.
Federal Law: No such exclusions.

"Consumer" or "Customer"
California Law: Excludes beneficiaries of employee benefit plan, group insurance plan, worker compensation plan, or trust.
Federal Law: No such exclusions.

Consent Form for Opting In
California Law: There must be: clear notice that it remains in effect until revoked; of procedures for revocation; and, that a copy may be requested. Signature required. Institution may not discriminate because consent has been withheld, but may offer incentive to obtain consent.
Federal Law: Not applicable.

Opt-Out Requirements
California Law: Must provide an annual written notice to the consumer that the financial institution may disclose NPPI to affiliates and that the consumer has not yet opted out. If a common data base is maintained with affiliates, once the consumer has opted out, NPPI in that data base may not be further disclosed or used by an affiliate except as permitted. Statute contains detailed specifications regarding form and content of opt-out notice, including requirements for providing return envelopes and, in some instances, postage paid return envelopes. Statute provides a model form that acts as presumptive proof of compliance if used to notify of opt-out right. An alternative permits financial institutions to submit forms for approval by functional regulators.
Federal Law: One time notice sufficient. No details of content and form specified by statute; nor are there statutory requirements for self-addressed return envelopes, model notice and consent forms, or a means of regulatory approval of forms. The regulations provide more detail than the statute as to content and form for consent but are not as specific as is the California law.

Joint Marketing Agreements
California Law: Opt-out is required for joint marketing agreements entered into after January 1, 2005 if certain conditions are met; otherwise opt-in is required. Conditions require that the product or service be that of one of the parties, jointly offered with notice of the financial institutions that have the NPPI, and the agreement must provide for confidentiality.
Federal Law: No opt-out requirement for joint marketing agreements if the customer has notice that the information will be provided and the receiving institution agrees to maintain its confidentiality. No further limitations on the services offered or notices to be provided with those marketing offers.

Account Number
California Law: No specific provision.
Federal Law: Account numbers may not be disclosed for marketing to nonaffiliated third parties.

Annual Notice of Privacy Policy
California Law: No requirement for annual notice of privacy policy other than annual notice that the institution may disclose NPPI to affiliates and the customer has not opted out.
Federal Law: GLBA requires initial and annual notice of financial institution's privacy policy and specifies information to be included.

Affinity Partnerships
California Law: Requires a written confidentiality agreement. Limits information financial institutions may provide to an affinity partner with whom it issues a credit card or provides services, primarily to name, address, and record of purchases with affinity card.
Federal Law: GLBA has no explicit provision for affinity agreements.

Exceptions
California Law: Similar to those in GLBA. Explicitly includes USA PATRIOT Act requirements, and various provisions permitting reporting suspected illegal activity, such as elder abuse or identity theft, and administering various programs–such as collection of child support, bone marrow donations.
Federal Law: Has an extensive list of exceptions.

Enforcement
California Law: Prescribes liability of up to $2,500 per consumer for each violation, up to $500,000, enforceable by the California Attorney General and the California and federal functional regulators.
Federal Law: Administrative enforcement by functional regulators–federal banking and securities regulators; state insurance regulators, and FTC for entities not subject to other regulator.