Financial Privacy and the California Experience
Barry A. Abbott & Clayton T. Coon
I. Introduction
California has a long tradition of valuing and protecting consumer privacy. In 1972, California voters passed an initiative to add privacy to the list of citizens’ inalienable rights under the California Constitution. More recently, in 2000, the California legislature created an Office of Privacy Protection (“the Office”) as part of the Department of Consumer Affairs. Among other duties, the Office serves as a statewide resource for consumer information and as a source of assistance on identity theft and other privacy issues. The California Financial Information Privacy Act (“S.B. 1”) is California’s most recent attempt to deal with consumer privacy.
On August 27, 2003, after significant controversy and four years of effort by California Senator Jackie Speier, S.B. 1 was signed into law, to become effective July 1, 2004. As enacted, S.B. 1 places a number of new constraints on financial institutions doing business in California that share “nonpublic personal information” about their retail clients with affiliates and third parties. The law represents a significant expansion of financial privacy rights for California consumers and will impose several new disclosure obligations upon financial institutions. For bank holding companies and financial holding companies, however, some of the most restrictive provisions of S.B. 1 have likely been preempted by a new federal law amending the federal Fair Credit Reporting Act (“FCRA”), the Fair and Accurate Credit Transactions Act of 2003 (the “FACT Act”).
This article outlines the principal elements of S.B. 1, describes the effects federal law and FCRA preemption will likely have on various provisions of S.B. 1, and delineates the new regime of financial privacy and disclosure obligations created by the interaction between these new California and federal laws.
II. Scope of S.B. 1
In the regular course of business, financial institutions collect a significant amount of so-called “nonpublic personal information” from consumers. When an individual applies to a financial institution for any bank service or account, including a deposit account, loan, or investment product, the financial institution will typically acquire much information in addition to that required by section 326 of the USA PATRIOT Act, including, for example, detailed information regarding the individual’s purchases and other expenditures, income, and perhaps even medical history. Starting with the enactment of Title V of the Gramm-Leach-Bliley Act (“Title V”) in 1999, federal and state laws have increasingly come to regulate the extent to which financial institutions may share, sell, or otherwise provide such personally identifiable information to affiliated or nonaffiliated parties. California’s S.B. 1 must now be fit into a relatively complex group of laws regulating the use of information about Californians.
A. Background
1. Covered “Financial Institutions” and “Consumers”
S.B. 1 attempts to add restrictions to Title V, and therefore utilizes many of the same definitions found in that law. Most importantly, both S.B. 1 and Title V apply to “financial institutions,” which are defined as entities engaging in the financial activities broadly described in section 4(k) of the Bank Holding Company Act of 1956. But unlike Title V, and probably to avoid enforceability problems, the California legislature made S.B. 1 applicable only to financial institutions “doing business” in California and to individuals (or their legal representatives) residing in California.
The phrase “doing business” is not defined in S.B. 1, and it is unclear what degree of contact with California or California consumers will result in a financial institution without offices in the state being deemed to be “doing business” in California for the purposes of S.B. 1. Of course, foreign corporations must register with the California Secretary of State if they “transact intrastate business” in California, but under California case law, “transacting intrastate business” is a narrower concept than “doing business” in California. To complicate the issue, different tests are used by California courts in determining whether a foreign corporation may be sued in California for the corporation’s acts outside the state (the so-called “long-arm statute”), whether a foreign corporation is subject to California taxation, and whether a foreign corporation is “transacting intrastate business.” Moreover, the language of California Corporations Code section 191(d) provides that “foreign lending institutions” are not “doing business” in California if they engage solely in the activities permitted by that safe harbor statute. Thus, which entities are “doing business” in California for the purpose of S.B. 1’s jurisdictional reach is a large and important ambiguity at the heart of the statute.
As with Title V, to be covered by S.B. 1 the consumer must be obtaining a financial product or service for use primarily for personal, family, or household purposes. While S.B. 1 contains many of the same type of exceptions contained in Title V (such as those involving “private label” credit cards and involving certain insurance information), the California legislature added a number of exemptions not appearing in the federal law, including, for example, exemptions for lawyers and for automobile dealers who promptly assign new finance or lease contracts to financial institutions. Also, the California law does not specifically retain the consumer/customer distinction contained in Title V.
2. “Nonpublic Personal Information”
The principal thrust of S.B. 1 is to restrict how financial institutions handle consumers’ “nonpublic personal information,” which means “personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from any transaction with the consumer or any service performed for the consumer, or (iii) otherwise obtained by the financial institution.” Nonpublic personal information “does not include publicly available information that the financial institution has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government” records, from other public records, or from “widely distributed media reports.”
“Personally identifiable financial information” includes information in which the person is identified and which is obtained by a financial institution “in connection with providing a financial product or service to a consumer,” including the following: information provided in credit reports, credit card or loan applications, account summaries, and payment histories; the fact that an individual is or has been a consumer of the financial institution; and personally identifiable information collected through an Internet cookie or Web server.
3. Penalties
S.B. 1 contains significant penalties for violations, including civil penalties of up to $2,500 per violation collectible by the attorney general or specified regulators, with a $500,000 cap for negligent violations, but without a cap for “knowing” or “willful” violations. Private rights of action to recover these civil penalties are not allowed. In setting damages for violations of S.B. 1, courts must consider a variety of statutory factors, including the proceeds derived by the financial institution and the harm caused to consumers. “In the event a violation … results in the identity theft of [the] consumer,” penalties are doubled.
4. Preemption of Local Ordinances
S.B. 1 preempts “all local agency ordinances and regulations” relating to the use and sharing of nonpublic personal information by financial institutions. This is intended to preempt certain local ordinances, such as those passed in Northern California, which the U.S. District Court for the Northern District of California recently ruled were partially preempted by FCRA. S.B. 1 states that this provision “shall apply both prospectively and retroactively.” Since S.B. 1 becomes effective July 1, 2004, the legal effect of this preemption section prior to July is not entirely clear.
B. Sharing Nonpublic Personal Information
S.B. 1 sets forth a number of disclosure and other requirements that govern how financial institutions may share nonpublic personal information with affiliated and nonaffiliated entities. The rules that govern information sharing depend upon the relationship between the financial institution and the other entity. The most restrictive rules apply to sharing information with nonaffiliated third parties. S.B. 1 also sets forth less restrictive rules that apply to sharing information with affiliates of the financial institution. However, as discussed in Part III infra, these affiliate rules are likely to be deemed preempted by the provisions of FCRA.
1. Sharing Information with Nonaffiliated Third Parties
Even after passage of the FACT Act, and unless S.B. 1 contains a specific exemption, S.B. 1 prohibits a financial institution from sharing a consumer’s nonpublic personal information with any “nonaffiliated third party,” unless the institution has obtained consent. Consent must be written, have an opt-in clause, and be on a form and in the format specified in the legislation. In addition, financial institutions may not discriminate against an otherwise qualified consumer who has not opted in.
Requirements regarding the content of the opt-in notice to consumers are set forth in California Financial Code section 4053(a)(2). Interestingly, while S.B. 1 provides a model form for opt-out notice to consumers regarding sharing information with affiliates, it does not set forth an equivalent model form for opt-in notice to consumers regarding information sharing with nonaffiliated third parties.
The opt-in notice provision is the heart of the new obligations imposed by S.B. 1. In particular, the opt-in notice requirement is significantly more restrictive for financial institutions than the non-affiliate opt-out notice requirements imposed under Title V or the affiliate opt-out notice required by FCRA. Well before July 1, 2004, all financial institutions that might be “doing business” in California should review S.B. 1 to ensure that they comply with its disclosure requirements and other obligations regarding sharing nonpublic personal information of California residents with nonaffiliated third parties.
2. Jointly Offered Products or Services
Notwithstanding the general rule stated above, S.B. 1 does contain a special exemption for financial products or services jointly offered pursuant to a written agreement between nonaffiliated financial institutions. This exception requires that: (i) one of the institutions that is party to the agreement actually offer the product or service; (ii) the product or service is jointly offered, endorsed, or sponsored, and the institutions are clearly and conspicuously identified; (iii) the written agreement provides that the nonpublic personal information will only be used in providing the product or service; and (iv) the consumer has not opted out. A financial institution can delay the effective date of this rule until January 1, 2005, in connection with offering a financial product or service with a nonaffiliated financial institution, but only if it had entered into a contract with the other institution on or before January 1, 2004.
3. Exempt Transactions
Under certain circumstances, financial institutions may release nonpublic personal customer information without violating S.B. 1. Information that is not personally identifiable is always exempt from the protections of S.B. 1. Many of the exempt circumstances are similar to those contained in Title V, including information provided under FCRA or to “protect against or prevent actual or potential fraud, identity theft, unauthorized transactions, claims or other liability.” Other exempt circumstances include when information is shared pursuant to a consumer request; released to certain state agencies or as otherwise permitted by law; released in connection with actual or proposed sales, mergers, or other business transactions; and released in connection with a written agreement between a consumer and a registered broker-dealer or registered investment adviser.
Financial institutions may also share information with third parties so that the third parties may perform business or professional services on behalf of the financial institution. However, they may only do so if all of the following requirements are met: (i) the services to be performed by the third party may lawfully be performed by the financial institution; (ii) there is a written contract that prohibits the third party from disclosing or using the information other than to carry out the purpose for which the financial institution disclosed the information; (iii) the information provided to the third party is limited to that which is necessary for the third party to perform the services; and (iv) the financial institution does not receive any payment in return for the release of the information.
4. Sharing Information with Affiliates
S.B. 1 also sets forth an array of regulations regarding the sharing of nonpublic personal information with affiliates. Although, as discussed in Part III, infra, these provisions are likely to be deemed entirely preempted by federal law, they are briefly described here. S.B. 1 provides that a financial institution cannot share nonpublic personal information with one of its affiliates unless the consumer is given written notice annually of his or her right to keep the financial institution from disclosing personal information (“opt-out”), and the consumer has not done so. Much of S.B. 1 addresses the form and location of the required opt-out notices, and even provides a model form to use. The requirements for printing and providing the form are extremely detailed. Despite these restrictions regarding sharing information with affiliates, special rules permit information sharing between a financial institution and its wholly-owned financial institution subsidiary, provided that both have the same functional regulator, are in the “same line of business,” and share a “common brand.”
III. Interaction Between S.B. 1, Title V, and the Fair Credit Reporting Act
S.B. 1 regulates the sharing of nonpublic personal information of Californians by financial institutions with both affiliates and nonaffiliated third parties. As noted above, two federal laws, Title V and FCRA, also regulate this area. The two federal laws only partially overlap. Title V primarily addresses concerns about financial institutions sharing nonpublic personal information with nonaffiliated third parties, while FCRA principally discusses the sharing of such information with affiliates.
Due to the broad scope of S.B. 1 and the importance of the issues involved, it is likely that the impact of Title V and FCRA on S.B. 1 will be tested in the courts; however, no case law exists regarding the viability of S.B. 1 in light of the federal laws. The following sections discuss factors that courts are likely to consider when deciding how S.B. 1 interacts with these two federal laws. Our discussion includes a possible resolution of the potential conflicts. In brief, because Title V specifically provides that states may set forth more rigorous provisions than those contained in Title V, the provisions of S.B. 1 that relate to sharing nonpublic personal information with nonaffiliated third parties are likely to be upheld by the courts. The provisions of S.B. 1 that relate to sharing nonpublic personal information with affiliates are likely to be preempted by the federal law, however, because FCRA is likely to be deemed to contain a preemption provision with regard to affiliate sharing under state law.
A. Title V
Like S.B. 1, Title V regulates the use by “financial institutions” of consumers’ “nonpublic personal information” and provides for notice to be given to consumers and customers. In particular, Title V provides that in order to disclose a consumer’s nonpublic personal information to a nonaffiliated third party, a financial institution must furnish the consumer with a clear and conspicuous notice indicating the right of the consumer to opt out of such sharing.
Importantly, while Title V requires a financial institution to disclose to consumers its policy regarding sharing of nonpublic personal information with its affiliates, Title V does not otherwise restrict the disclosure of nonpublic personal information by a financial institution to affiliates of the financial institution. Title V also explicitly provides that it does not “modify, limit, or supersede the operation of the Fair Credit Reporting Act.” Thus, Title V’s principal restrictions regarding sharing by financial institutions of consumer information affect sharing with nonaffiliated third parties, not sharing with affiliates.
Does Title V preempt, or otherwise affect, S.B. 1? Title V specifically provides that it “shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this subtitle, and then only to the extent of the inconsistency.” This provision is likely to lead courts to hold that Title V does not restrict states from enacting laws that are more protective of consumer privacy than Title V.
The California Legislature enacted S.B. 1 “to afford persons greater privacy protections than those afforded in [Title V], and that this division be interpreted to be consistent with that purpose.” The provisions of S.B. 1 appear to be more rigorous than those of Title V. Where Title V requires financial institutions to provide consumers with information on affiliate sharing and opt-out notices for non-affiliate sharing, S.B. 1 requires institutions to provide opt-out notices for affiliate sharing and follow opt-in procedures for any non-affiliate sharing. As a result, Title V does not appear to preempt S.B. 1.
Several potential wrinkles in this analysis warrant discussion. First, the preemption language of Title V is not entirely clear. 15 U.S.C. § 6807(a) states that Title V “shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any State,” except to the extent that such state law is inconsistent with Title V, and then only to the extent of the inconsistency. The statement that Title V shall not be construed as affecting any law “in effect in any State” could potentially be construed to exclude laws, such as S.B. 1, that became effective after the passage of Title V.
Second, 15 U.S.C. § 6807(b) provides that “for the purposes of this section, [a state law] is not inconsistent with the provisions of this subtitle” if the state law provides greater protection to consumers “as determined by the Federal Trade Commission” after consultation with the applicable functional regulator. This language does not clarify whether a state law is necessarily inconsistent with Title V until the FTC makes a determination otherwise.
Finally, the exemptions provided by S.B. 1 do not exactly match those provided by Title V. Thus, S.B. 1 allows financial institutions to share information with nonaffiliated third parties without providing notice to consumers in circumstances not contemplated by Title V. For example, S.B. 1 exempts lawyers and certain automobile dealers, and provides that a financial institution may release nonpublic personal information when reporting known or suspected instances of elder abuse or in order to locate missing heirs. These instances of information sharing are not exempt from the opt-out disclosure required by Title V. In such cases, a court may hold that S.B. 1 is less protective of consumer privacy than Title V and is therefore preempted by Title V.
B. Fair Credit Reporting Act (FCRA)
FCRA was first enacted in 1970, and, before the recent passage of the FACT Act, was last substantially updated in 1996. FCRA is designed primarily to address the sharing of consumer information by and with the credit reporting industry. Consumer reporting agencies (“CRAs”) collect detailed personal information designed to evaluate primarily the creditworthiness and credit capacity of millions of consumers. CRAs collect this information from financial institutions, public records, and other sources. FCRA establishes a system of procedures that govern the rights of consumers with regard to CRAs, including rules regarding the confidentiality of credit reports and other personal consumer information, rules designed to ensure the accuracy of credit reports, and rules outlining the rights of consumers in relation to their credit reports. FCRA permits sharing of consumer report information among affiliates where the consumer has first been given notice and an opportunity to opt out of such sharing.
Similar to Title V, when first enacted FCRA contained a savings clause which provided that state and local regulation would be preserved so long as such regulation was not “inconsistent” with FCRA. However, in 1996 the Consumer Credit Reporting Reform Act (“CCRRA”) amended FCRA in order to address concerns that credit reports were not accurate and that CRAs were unresponsive to consumer complaints. Among the 1996 amendments were seven provisions intended to preempt certain state laws regarding CRAs in order to establish a national consumer credit system with uniform rules. Among these preemption provisions was a new subsection 624(b)(2), codified at 15 U.S.C. § 1681t(b)(2), which states in relevant part, “No requirement or prohibition may be imposed under the laws of any State … with respect to the exchange of information among persons affiliated by common ownership or common corporate control ….”
This preemption provision was set to expire on January 1, 2004, pursuant to 15 U.S.C. § 1681t(d)(2). However, on December 4, 2003, President Bush signed into law H.R. 2622, the FACT Act of 2003. This legislation contains several major amendments to FCRA. Among other things, the amendments legislate a comprehensive national program to deal with identity theft, entitle consumers to a free copy of their credit report annually, prohibit the printing of more than the last five digits of a person’s credit or debit card account number on electronically printed receipts, and lengthen the statute of limitations for FCRA violations.
Most important for purposes of the present discussion, section 711 of the FACT Act deleted the sunset clause in 15 U.S.C. § 1681t(d)(2), and thereby made permanent the preemption provided by that section. To ensure this result, the federal regulators adopted regulations making this effective as of December 31, 2003.
What effect will the preemption provision contained in 15 U.S.C. § 1681t(b)(2) have on S.B. 1? While no court has yet addressed the affiliate sharing rules of S.B. 1, one federal district court has addressed similar issues in adjudicating a challenge to local consumer privacy ordinances enacted by California county and municipal governments. In Bank of America v. Daly City, plaintiff financial institutions challenged three local consumer privacy ordinances passed by the City of San Mateo, the City of Daly City, and the County of Contra Costa. Like S.B. 1, these local ordinances placed restrictions on the ability of financial institutions to share nonpublic personal information with affiliates. The plaintiffs argued that 15 U.S.C. § 1681t(b)(2) preempted these restrictions, insofar as the ordinances placed restrictions on the sharing of confidential consumer information between financial institutions and their affiliates, because this section provides that State and local governments may not impose requirements or prohibitions “with respect to the exchange of information among persons affiliated by common ownership or common corporate control.”
The defendants responded by arguing that in light of the purpose of FCRA, the term “information” in 15 U.S.C. § 1681t(b)(2) should be construed narrowly to mean only the sharing of a “consumer report” among affiliates, and not other “personal nonpublic information.”
The court in Daly City disagreed with the defendants’ interpretation and held for the plaintiffs, stating that in 15 U.S.C. § 1681t(b)(2), Congress chose expressly to preempt “State laws that impose a requirement or prohibition on information-sharing among affiliates. In the CCRRA amendments, Congress exempted affiliate information-sharing from the generally applicable consumer protection provisions of the FCRA and prohibited States from providing any additional protection to consumers in that context.” Thus, in the only directly relevant precedent the authors were able to locate, the federal judge held that FCRA broadly preempts any attempt by state or local governments to regulate any sharing of information among affiliates.
In light of the history of the FACT Act and the concerns expressed when it was enacted, it is likely that a court applying 15 U.S.C. § 1681t(b)(2) to the affiliate sharing provisions of S.B. 1 will decide to follow the logic of Daly City and preempt the provisions of S.B. 1 as regards sharing information among affiliates. Given the absence of case law or other authority on the subject, however, it is possible that a court may hold otherwise, and construe 15 U.S.C. § 1681t(b)(2) more narrowly than the court in Daly City. In particular, it could decide that 15 U.S.C. § 1681t(b)(2) is limited to affiliate sharing of “consumer credit reports.” Such an interpretation would likely preserve the effect of the affiliate information-sharing provisions of S.B. 1.
If the affiliate information-sharing provisions of S.B. 1 are deemed by the courts to be preempted, one critical question concerns whether those preempted provisions are severable from the remaining provisions of S.B. 1 -- that is, whether the preemption of one provision of S.B. 1 will result in complete preemption of S.B. 1. It seems likely that the portions of S.B. 1 that do not address affiliate information sharing, such as the portions dealing with nonaffiliated third parties discussed in Part II, supra, are severable from the preempted portions. Severability is a question of state law, and the provisions of S.B. 1 regarding affiliate information sharing appear to meet the test set forth by the California Supreme Court in Calfarm Insurance Co. v. Deukmejian: that the invalid portion is “grammatically, functionally, and volitionally separable.” S.B. 1 also contains an express severability clause providing that “[t]he provisions of this division shall be severable, and if any phrase, clause, sentence, or provision is declared to be invalid or is preempted by federal law or regulation, the validity of the remainder of this division shall not be affected thereby.”
While it appears that FCRA, as amended by the FACT Act, should preempt S.B. 1’s provisions regarding affiliate sharing, the FACT Act also contains new rules applicable to affiliate sharing. For example, the new provisions restrict financial institutions from using certain personally identifiable information received from affiliates “to make a solicitation for marketing purposes,” unless they provide the consumer with notice that such information may be used for marketing purposes and the opportunity to opt out. Regulations shall be issued to further specify the form of opt-out notices. A consumer’s election to opt out of receiving solicitations shall be effective for at least five years. Several important exceptions apply, including when the financial institution has a pre-existing business relationship with the consumer. Furthermore, financial institutions will probably have until late 2004 or early 2005 before they are required to comply with these new requirements, and the requirements do not apply retroactively to consumer information received from affiliates prior to the effective date.
IV. Conclusion
Financial institutions that do business in California must analyze carefully how they treat their California customers’ nonpublic personally identifiable financial information. It is clear that, without further legislation, in order to share nonpublic personal information regarding California consumers with nonaffiliated third parties, financial institutions must comply with the opt-in notice and other provisions of S.B. 1 as of July 1, 2004. Even in cases where the financial institution or transaction may be exempt from S.B. 1 but not from Title V (e.g., where the information is shared in order to prevent elder abuse), the financial institution should probably still provide an opt-out notice and otherwise comply with the requirements of Title V.
In order to share information with affiliates, however, it is likely that a financial institution will not have to comply with the provisions of S.B. 1 regarding information sharing, as FCRA will likely preempt S.B. 1 as to these matters. Of course, the financial institution must still comply with the requirements of FCRA, including the revised requirements regarding affiliate sharing.
While it is likely courts will eventually resolve S.B. 1’s implementation issues, larger debates regarding consumer privacy will no doubt continue to occupy legislatures at the state and federal level. Whether others will follow California’s lead is an open question. Future battles will decide whether other states, or perhaps the federal government, will look to California and to S.B. 1 as a model for consumer privacy regulation, and whether California will lead the way toward even stricter privacy regulation nationwide.