2005
Insurance Reference Manual
Personal Insurance Federation of California Insurance Reference Book
California Laws and Regulations On Financial Privacy
Statutes, regulations, local ordinances, initiatives, and court decisions.
Introduction
The California debate on the issue of financial privacy over the past several years has involved every branch of government, and a controversial morass of existing and proposed state statutes, state regulations, local ordinances, proposed statewide initiatives, and court decisions. The legislative debate culminated in 2003 with the passage of SB 1 by Senator Jackie Speier, portions of which now appear to be preempted by the Fair Credit Reporting Act (FCRA), which was recently reauthorized with enactment of the Fair and Accurate Credit Transactions (FACT) Act of 2003. The following is an overview of the events leading up to the passage of SB 1, a summary of the key provisions of the new law, and remaining implementation issues.
Legislative History
Over the past several years the California Legislature has debated proposed legislation on financial privacy. Starting in 1998, members began floating proposals on "do not call" lists and restrictions on the sharing of personal information by financial institutions. In 2000, the Legislature passed SB 129 by Senator Peace, which established the state Office of Privacy Protection to serve as an ombudsman for consumer questions on privacy issues. In 2001, the Legislature passed SB 771 by Senator Liz Figueroa, which enacted the "do not call" law prohibiting telephone solicitors from calling persons who have placed their names on a state do-not-call list maintained by the Attorney General. Implementation of that law was delayed pending the outcome of challenges to the federal "do not call" law, which was amended by Congress earlier this year.
In the years 2000 through 2002 several bills were introduced that would have imposed across the board opt-in regimes on the sharing of personal information by financial institutions. However, each of these measures failed passage. The financial services industry, including representatives from the banking, securities, and insurance industries, formed a coalition to oppose these measures and advocated instead for federal uniformity and a national standard. Legislative attention focused in 2001 on SB 773 by Senator Speier, which would have required opt-in for sharing with third parties, and opt-out for sharing with affiliates. The bill was later amended to require opt-out for both affiliates and joint marketing contracts, and opt-in for sharing with third-party non-financial institutions. However, SB 773 failed passage in 2001 and again in 2002 on the Assembly floor. Attempts at compromise measures by other legislators, including Assemblymembers Joe Nation and John Dutra, also failed passage. In 2003 Senator Speier introduced SB 1 which was substantially similar to SB 773 of the prior session.
The insurance industry opposed SB 1 as introduced and raised several concerns with the measure including the following:
- The measure conflicted with existing state statutes on insurance privacy enacted in the early 1980s, and based on the NAIC model. Those statutes are known as the Insurance Information Privacy Protection Act (IIPPA) and are codified at CA Insurance Code Section 791 et seq.
- The measure conflicted with new state Department of Insurance regulations which took effect in March of 2003 and were designed to harmonize the IIPPA and the Gramm-Leach-Bliley Act (GLBA). These regulations can be found at Title 10, California Code of Regulations, Sections 2689.1 through 2689.24.
- The measure restricted the ability of insurers to share information with affiliates and joint-marketing partners, including wholly owned subsidiaries, and affiliates sharing a common brand name.
- The scope of exemptions for sharing of information through common databases, servicing of existing customers, and other legitimate business purposes was unclear.
- The provisions did not clearly allow for communications between insurance companies and agents.
- The bill mandated a California-only statutory form, and did not permit the notice to be consolidated with other privacy notices, necessitating the mailing of multiple and potentially conflicting privacy forms to the same customer.
SB 1 passed the state Senate but failed passage in the Assembly Banking Committee in June and then failed passage a second time in July of 2003. In the meantime, political pressure over the bill was mounting. The San Francisco Chronicle alone published 60 editorials on the bill, and hundreds of articles were written on the bill over a two-year time period. Privacy advocates also began collecting signatures to place an initiative on the ballot to enact a straight opt-in law that would require prior consent for the sharing of personal information with either third parties or affiliates. The signature drive was financed with a $1 million contribution from Chris Larsen of E-Loan. The sponsors reported in early August 2003 that they had collected sufficient signatures to place the initiative on the ballot.
Local Privacy Ordinances
Meanwhile, in 2002, after SB 773 failed passage, several California cities and counties adopted local privacy ordinances patterned after SB 773. Local agencies adopting privacy ordinances included several Bay Area jurisdictions, including Daly City, San Mateo County, the City of Belmont, and Alameda and Contra Costa Counties. Bank of America and Wells Fargo challenged the local ordinances in federal court, raising issues of federal preemption under the FCRA, the National Bank Act, and the GLBA. The Personal Insurance Federation and other insurance trade associations filed an amicus curiae brief in support of the banks' motion, raising additional issues of preemption under state law and the GLBA. The federal district court issued a decision on July 27, 2003, and a final ruling on August 11, 2003, declaring the provisions of the ordinances restricting disclosure of information among affiliates invalid on the grounds that they were preempted by the FCRA. (See Bank of America v. City of Daly City, Nos. C 02-4343 and C 02-4943.)
The federal district court concluded that Congress in the FCRA had expressly preempted state laws that impose a requirement or prohibition on information sharing among affiliates. According to the court's analysis, Congress exempted affiliate information sharing from the generally applicable consumer protection provisions of the FCRA and prohibited states from providing any additional protection to consumers in that context. The court expressly rejected the defendant's proposed construction of "information" used in Section 1681t(b)(2) of the FCRA as limited to consumer reports, and found such an interpretation inconsistent with the language of Sections 1681a(d)(2)(A)(ii) and 1681a(d)(2)(A)(iii), which expressly exempted information shared among affiliates from the definition of a consumer report. The court concluded that "information" as used in Section 1681t(b)(2), encompassed the confidential consumer information that was the subject of the local ordinances. (Note that the court's analysis was based on the FCRA as it stood at that time, not on the new FACT amendments which had yet to be adopted.) The court concluded that Section 1681t(b)(2) expressly preempted State laws that impose requirements or prohibitions on the sharing of such information with affiliates. The court therefore ordered the affiliate provisions in the local ordinances enjoined and severed. However, the court also held that the provisions of the local ordinances restricting third-party sharing were valid. The court did not reach the banks' National Bank Act arguments. On September 9th, 2003 Bank of America and Wells Fargo appealed the portion of the court's judgment relating to the preemption claims under the GLBA to the 9th Circuit. As of the date of this writing, that appeal is still pending.
However the case is ultimately resolved, as discussed further below, SB 1 (Speier) as enacted expressly preempts the local privacy ordinances in their entirety. One note of caution: SB 1 does not take effect until July 1, 2004, whereas some of the local ordinances took effect in 2003. Nevertheless, the language of SB 1 provides in pertinent part that "This division shall preempt and be exclusive of all local agency ordinances and regulations relating to the use and sharing of nonpublic personal information by financial institutions. This section shall apply both prospectively and retroactively." (CA Financial Code Section 4058.5).
SB 1 Enactment
The various elements discussed above (defeat of SB 1 in the Legislature, the federal district court decision on the local ordinances, the potential for an expensive initiative campaign, and the uncertainty of federal reauthorization of FCRA) all combined to create sufficient incentive for both sides to come together to attempt to negotiate a compromise on SB 1. Final amendments were crafted over several weeks of intensive negotiations in August of 2003 and a compromise bill was drafted. Significant portions of the financial services industry, while they did not support the bill, agreed to remove their opposition once amendments were accepted to address several workability problems. At the same time, all sectors of the industry continued to make it clear to the author and sponsors that federal uniformity and a national standard were still the preferred solution. Some opponents became less concerned about the affiliate sharing restrictions in the bill once it appeared likely that the FCRA preemption provisions would be extended by Congress, and that the legal arguments for FCRA preemption of state restrictions on affiliate sharing were strong. In addition, amendments were negotiated to SB 1 that allow the sharing of information without restriction among wholly owned subsidiaries operating under a common brand, and between insurance companies and their licensed agents. Another point of significant importance was the agreement to amend the notice provisions of the bill to allow financial institutions flexibility in designing the notices, and to differ from the statutory notice as long as certain standards are met.
The following is a summary of the key provisions of SB 1 as enacted:
Summary of SB 1: Enacts the California Financial Information Privacy Act (California Financial Code Sections 4050-4069). Requires financial institutions, including insurers, to provide specified notices to consumers regarding the sharing of nonpublic personal information with affiliated companies or with nonaffiliated financial companies with whom the financial institution has contracted to provide financial products and services, and to give consumers the opportunity to opt out of the sharing of such information. Requires the financial institution to obtain the permission of the consumer before a financial institution can share nonpublic personal information with other nonaffiliated companies (opt-in). Provides certain exceptions from these requirements, including where the release is necessary to effect, administer or enforce a transaction, to service an account, to operate a common database among affiliated companies, and for sharing with wholly owned subsidiaries. SB 1, among other things, specifically provides for the following:
- Prohibits a financial institution from disclosing nonpublic personal information to any nonaffiliated third party unless the financial institution has obtained the consent of the consumer (the consumer has "opted in").
- Prohibits a financial institution from discriminating against or denying an otherwise qualified consumer a financial product or service because the consumer has not provided that consent, but does not prohibit a financial institution from offering an incentive or discount designed to elicit a specific response to the notice.
- Sets forth the specific requirements that the opt-in form utilized to obtain the prior consent must meet.
- Prohibits a financial institution from disclosing nonpublic personal information to an affiliate unless the financial institution has notified the consumer annually in writing that the information may be disclosed and the consumer has not directed that the nonpublic personal information not be disclosed (has not "opted out").
- Provides that information is not disclosed to an affiliate merely because the information is obtained in a common information system or database to which employees and affiliates of the financial institution have access, or because a consumer accesses a Web site jointly operated by the financial institution and its affiliate, provided that where a consumer has exercised the right to opt out, nonpublic information is not further disclosed or used by an affiliate except as otherwise permitted by this division.
- Allows the release of nonpublic personal information by a financial institution to another nonaffiliated financial institution with whom the financial institution has a written joint marketing agreement without obtaining the prior consent of the consumer if the following requirements are met: (a) the financial product being offered is a product of at least one of the financial institutions that is a party to the agreement, (b) the product is jointly offered and clearly and conspicuously identifies for the consumer both of the financial institutions disclosing and receiving the information, (c) the agreement includes a confidentiality clause and restricts the disclosure and use of the information to the joint offering of the product that is the subject of the agreement, and (d) the consumer has been given the opportunity to opt out and has not done so. Allows information to be disclosed pursuant to a preexisting joint marketing contract until January 1, 2005 without having to meet the above requirements.
- Provides that nothing in this division shall restrict or prohibit the sharing of nonpublic personal information between a financial institution and its wholly owned financial institution subsidiaries, or among financial institutions that are wholly owned by the same holding company, or among the insurance and management entities of a single insurance holding company system consisting of one or more reciprocal insurance exchanges, provided that in each instance the companies are regulated by the same functional regulator, are engaged in the same line of business, and share a common brand. Provides that insurance, banking and securities are separate lines of business. Excludes a brand consisting solely of a graphic element or symbol.
- Provides a conclusive presumption of compliance if the financial institution uses the opt-out notice set forth in the statute. Provides that if the financial institution does not use the statutory form, it may use an alternative form, provided that the form meets certain specified criteria. Allows a financial institution that uses an alternative form other than the statutory form to submit the form to its functional regulator for approval. Requires that any such alternative forms be filed with the Office of Privacy Protection within 30 days after their first use. Alternative forms approved by the institution's functional regulator and filed with the Office of Privacy Protection prior to July 1, 2007 are entitled to a rebuttable presumption that the form complies with the statute.
- Requires that the notice be sent as a separate notice, with the GLBA privacy notice, with a bill, application, or statement of account, or with any other mailing, in which case it must be the first page of the mailing. States that insurers may combine the form required by this bill with the form required pursuant to Section 791 et seq. of the Insurance Code and implementing regulations.
- Requires a financial institution with assets in excess of $25 million to include a stamped self-addressed return envelope with the notice. In lieu of paid postage, the institution may provide two alternative cost-free means for a consumer to communicate their privacy choices. Financial institutions with less than $25 million in assets are required to include a self-addressed return envelope, but it need not be stamped. Also, notices sent by electronic means that comply with certain specified requirements are not required to include a return envelope.
- Requires a financial institution to allow 45 days to pass after the first opt-out notice to a consumer before disclosing information. Allows a consumer at any time to direct that their nonpublic personal information not be disclosed. Requires the financial institution to comply with such direction within 45 days of receipt.
- Sets forth specific requirements for sharing of information with affinity product partners, limiting the types of information which can be shared and requiring that the consumer be given the opportunity to opt out.
- Provides express exemptions permitting the release of nonpublic personal information under specified circumstances, including but not limited to, where necessary to effect, administer or enforce a transaction requested or authorized by the consumer, in connection with maintaining or servicing an account, to prevent fraud, for debt collection, to insurance rate advisory organizations, guaranty funds, rating agencies, attorneys, accountants and auditors, for law enforcement purposes, for data processing and mail house services pursuant to a contract, for real estate appraisals, to consumer reporting agencies, and pursuant to a written agreement between a consumer and a securities broker-dealer or a registered investment advisor.
- Exempts licensed insurance producers acting within the scope of their respective license provided information is not shared with an affiliate or nonaffiliated third party. Provides that it does not limit the ability of insurance producers to respond to requests from consumers and to obtain competitive quotes. Exempts the sharing of nonpublic personal information by an insurer or its affiliate with its exclusive agent.
- Provides for civil penalties of up to $2,500 per violation for a negligent violation, up to a total of $250,000, and $2,500 per violation for a knowing and willful violation. Provides for doubling of the penalty where a violation results in identity theft. Provides that the civil penalties shall be exclusively assessed and recovered in a civil action brought in the name of the people of the state by the Attorney General or the functional regulator.
- Preempts all local agency ordinances and regulations relating to the use and sharing of nonpublic personal information by financial institutions. This provision applies prospectively and retroactively.
- SB 1 becomes effective July 1, 2004.
Effect of FCRA Reauthorization on SB 1 Implementation
Efforts by Senators Feinstein and Boxer to incorporate SB 1's provisions into the FCRA reauthorization bill were unsuccessful and it now appears likely that the affiliate provisions of SB 1 are unenforceable under the FCRA. The FCRA, as amended by the FACT Act, now includes two provisions preempting state laws to the extent they attempt to limit the exchange of information between persons affiliated by common ownership or corporate control, or with respect to the use of information from an affiliate to make solicitations for marketing purposes.
Assuming the affiliate sharing restrictions in SB 1 are preempted under FCRA, other provisions of SB 1 that restrict sharing with third parties and joint marketing partners are not preempted and should be severable. SB 1 provides that "The provisions of this division shall be severable, and if any phrase, clause, sentence, or provision is declared to be invalid or is preempted by federal law or regulation, the validity of the remainder of this division shall not be affected thereby." (CA Financial Code Section 4059).
Other California State Laws
In addition to SB 1, other new privacy laws were enacted in California in 2003. In particular, AB 68 (Simitian) enacts the Online Privacy Protection Act of 2003 (Business and Professions Code Section 22575) which requires an online business operator who collects personally identifiable information through an Internet web site or online service for commercial purposes, to conspicuously post its privacy policy on its web site or online service and to comply with the policy. The law requires the policy, among other things, to identify the categories of information the operator collects about individual consumers and the third parties with whom they share information. The bill defines "personally identifiable information" and "conspicuously post" for purposes of these requirements, and provides that an operator who fails to comply with the requirements of the law or the provisions of the privacy policy shall be deemed to be in violation if the noncompliance was done "knowingly and willfully" or "negligently and materially." Like SB 1, AB 68 also preempts local ordinances regarding online privacy policies, and has a delayed effective date of July 1, 2004.
SB 27 by Senator Liz Figueroa requires a business that discloses a customer's personal information, as defined, to a third party for direct marketing purposes, to provide the customer, within 30 days after the customer's request, in writing or by e-mail, the names and addresses of the recipients of the information and specified details regarding the information disclosed. SB 27 also requires businesses to inform customers of their privacy policies and the means for making inquiries regarding those policies; defines a "third party" to include affiliates; provides for specified exemptions from the disclosure requirements, including processing, storing and managing of data, maintaining and servicing accounts, joint marketing agreements, private label and co-branded credit cards, communications between licensed agents and their principals, and established business relationships; and provides a reduced disclosure obligation for affiliates with a common brand. Most notably for financial institutions, SB 27 provides that this section does not apply to a financial institution that is subject to the California Financial Information Privacy Act (SB 1 (Speier)) (Division 1.2 (commencing with Section 4050) of the Financial Code) if the financial institution is in compliance with Sections 4052, 4025, 4053, 4053.5 and 4054.6 of the Financial Code, as those sections read when they were chaptered on August 28, 2003, and as subsequently amended by the Legislature or by initiative. Any customer injured by a violation of SB 27 may institute a civil action to recover damages. Finally, it provides that for a willful, intentional, or reckless violation, a customer may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer may recover a civil penalty of up to five hundred dollars ($500) per violation.
California's "Do-Not-Call" law (SB 771 (Figueroa) of 2001) is finally being implemented this fall now that the federal list is functional. Rather than maintain a separate California list, the state opted to piggyback on the federal list. The California Attorney General will enforce the California law, but consumers who want to be on the do-not-call list will have to sign up via the federal do-not-call list.
Finally, the California Legislature has enacted over 40 other new laws relating to privacy over the past several years. A list of those measures is attached.