New California Financial Information Privacy Act
On August 27, 2003, former Governor Gray Davis signed the California Financial Information Privacy Act (the "Act").[1] The Act will become effective on July 1, 2004. The Act is designed to protect non-public personal information that is in the hands of financial institutions. For a discussion of features of the Act, please refer to Dechert's Financial Services Update Number 62 (Sept. 17, 2003). As noted in that Update, a business need not be located within the state of California to fall within the Act. Thus, the Act may impact businesses across the country.
Generally, with regard to information sharing, the Act is designed to require a financial institution to obtain a consumer's permission (opt-in) before sharing non-public personal information with non-affiliated third parties. At the same time, the Act was drafted to allow consumers to decline to permit (opt-out) sharing with certain affiliates. The Act also contains extremely detailed requirements for provision of privacy and opt-out notices; the specifics of such notices under the Act are different from those notices required by Regulation S-P.
Preemption of the Act by Federal Law
An outstanding question is whether and to what extent the Act is preempted by federal law. The Federal Fair Credit Reporting Act (FCRA)[2] appears to preempt at least a portion of the Act.[3] While certain preemption provisions in FCRA were to expire at the beginning of 2004, the passage of the Fair and Accurate Credit Transactions Act of 2003 (FACTA)[4] and subsequent rulemaking by the Federal Trade Commission (FTC) and the Board of Governors of the Federal Reserve System made the previous preemptions permanent and added further preemptions. In addition to FCRA, various other federal agencies may read the laws or rules within their functional jurisdictions to preempt the Act; for example, the Office of the Comptroller of the Currency has issued rules under the National Bank Act to preempt state laws that seek to control certain activities of a national bank. With regard to "the exchange of information among persons affiliated by common ownership or common corporate control," FCRA's preemption provision thus far has been interpreted to preempt the affiliate sharing provisions of the Act. Case law interpreting FCRA's preemption provision generally supports preemption of the Act in the realm of affiliate sharing, although some might argue that this issue is not settled. For instance, a case holding that local ordinances governing financial privacy are preempted by FCRA, to the extent that they seek to limit sharing of information by a bank with its affiliates, has been appealed to the United States Court of Appeals for the Ninth Circuit.[5]
In addition to case law, we believe an analysis of FCRA/FACTA's statutory construction, congressional intent, and subsequent federal regulations supports the conclusion that FCRA will preempt parts of the Act. While not conclusively settled, FCRA appears likely to have a broad preemptive effect. In the words of the California Law Revision Commission (CLRC), "[t]he preemption clause, as it has been interpreted to date, could completely swallow the affiliate sharing provisions of [the Act]..."[6]
Sharing with Non-Affiliated Third Parties
With limited exceptions, the Act provides that nonpublic personal information may not be shared with nonaffiliated third parties in the absence of explicit prior consent from the consumer to whom the information relates. This opt-in requirement is in contrast to that under Reg. S-P, which provides for mere notice and the opportunity for the consumer to opt out.
Reg. S-P contains a provision regarding preemption of state laws where state law is inconsistent with Reg. S-P. Such inconsistent state law would be preempted unless the FTC determines, in consultation with the SEC, that the state law affords any consumer greater protection. Notably, the FTC has not reached the latter question, instead determining in similar situations that state law was not inconsistent with federal law.[7] Given the FTC's interpretation, we believe it is reasonable to assume that explicit prior consent is required before sharing the nonpublic personal information of California residents with non-affiliated third parties.
California Notice Requirement May Still Apply
The Act provides that the special California notice is not required "if the financial institution does not disclose nonpublic personal information to any nonaffiliated third party or to any affiliate, except as allowed in this division."[8] Conversely, the California notice and opt-out offer provisions of the Act would be operative when a financial institution determines to share non-public personal information with a non-affiliated third party.
In the middle-ground situation in which a financial institution determines to share non-public personal information only with affiliates or otherwise as permitted by the Act (not including sharing with non-affiliated third parties), the notice requirement appears to be preempted by FCRA under the analysis described above.
[1] Fin. Code §§ 4050-4060, enacted by 2003 Cal. Stat. ch. 241.
[2] 15 U.S.C. § 1681 et seq.
[3] See FCRA § 625, 15 U.S.C. § 1681t.
[4] Pub. L. No. 108-159 (2003).
[5] See Bank of America, N.A. v. City of Daly City, No. 03-016689 (9th Cir. 2004); Bank of America, N.A. v. City of Daly City, 279 F. Supp. 2d 1118 (N.D. Cal. 2003).
[6] CLRC Staff Memorandum 2004-9 (Jan. 22, 2004).
[7] See, e.g., FTC Letter to the State of North Dakota (June 28, 2001).
[8] See Fin. Code § 4054(a).