BILL NUMBER: SB 773	AMENDED
	BILL TEXT

	AMENDED IN ASSEMBLY  AUGUST 31, 2002
	AMENDED IN ASSEMBLY  AUGUST 24, 2002
	AMENDED IN ASSEMBLY  AUGUST 22, 2002
	AMENDED IN ASSEMBLY  AUGUST 19, 2002
	AMENDED IN ASSEMBLY  SEPTEMBER 13, 2001
	AMENDED IN ASSEMBLY  SEPTEMBER 6, 2001
	AMENDED IN ASSEMBLY  AUGUST 30, 2001
	AMENDED IN ASSEMBLY  AUGUST 23, 2001
	AMENDED IN ASSEMBLY  JULY 14, 2001
	AMENDED IN ASSEMBLY  JUNE 29, 2001
	AMENDED IN ASSEMBLY  JUNE 13, 2001
	AMENDED IN SENATE  MAY 30, 2001
	AMENDED IN SENATE  APRIL 25, 2001

INTRODUCED BY   Senator Speier  and Assembly Members Nation
and Jackson 
    (Principal coauthor:  Senator Burton) 
    (Principal coauthors:  Assembly Members Alquist and Rod
Pacheco) 
    (Coauthors:  Senators Bowen and Peace) 
    (Coauthors:  Assembly Members Chan, Chu, Cohn, Corbett,
Goldberg, Keeley, Kehoe, Liu, Lowenthal, Migden, Pavley, Reyes,
Shelley, Simitian, Steinberg, and Strom-Martin) 

                        FEBRUARY 23, 2001

   An act to add Division 1.2 (commencing with Section 4050) to the
Financial Code, relating to financial privacy.


	LEGISLATIVE COUNSEL'S DIGEST


   SB 773, as amended, Speier.  Financial institutions:  confidential
consumer information.
   Existing law provides for the regulation of banks, savings
associations, credit unions, and industrial loan companies by the
Department of Financial Institutions and by certain federal agencies.
  Existing federal law, the Gramm-Leach-Bliley Act, requires
financial institutions to provide a notice to consumers relative to
the use by the financial institution of nonpublic personal
information, and in that regard authorizes consumers to direct that
the information not be shared with nonaffiliated third parties.
   This bill would enact the California Financial Information Privacy
Act, which would require a financial institution, as defined, to
provide a specified written form to a consumer relative to the
sharing of the consumer's confidential consumer information, as
defined.   The bill would allow a consumer to direct the
financial institution to not share the confidential consumer
information with affiliated companies or with nonaffiliated financial
companies with which the financial institution has contracted to
provide financial products and services.  The bill would
require the permission of the consumer before the financial
institution could share the confidential consumer information with
other nonaffiliated companies.  The bill would
provide that a financial institution is not required to provide this
written form to its consumers if the financial institution does not
disclose any confidential consumer information to any nonaffiliated
3rd party or to any affiliate.
   This bill would provide that a financial institution shall not
deny a consumer a financial product or service because the consumer
has not provided the necessary consent that would authorize the
financial institution to disclose or share confidential consumer
information.  The bill would require a financial institution to
comply with the consumer's request regarding confidential consumer
information within 45 days of receipt of the request.
   This bill would provide that the bill would not apply to
disclosures between certain types of member-owned financial
institutions and their affiliates provided that certain requirements
are met.  The bill would also provide that a financial
institution may disclose confidential consumer information to an
affiliate or a nonaffiliated 3rd party in order for it to perform
certain services on behalf of the financial institution if specified
requirements are met.  The bill would provide other exceptions from
its provisions applicable to particular situations.
   The bill would provide that confidential consumer information may
be released in order to identify or locate missing children,
witnesses, criminals and fugitives, parties to lawsuits, and missing
heirs and that it would not change existing law regarding access by
law enforcement agencies to information held by financial
institutions.
   The bill would also provide for disclosure of confidential
consumer information under various other specified circumstances.
   The bill would provide on January 1, 2003, that enactment of these
provisions preempts all local agency ordinances and regulations
relating to this subject.
   The bill would enact other related provisions.
   The bill would also provide various civil penalties for negligent,
or knowing and willful violations of these provisions.
   The bill would, except as provided above, become operative on
 November 1, 2003   January 1, 2004  ,
except that penalties under the bill would not become operative until
July 1, 2004.
   Vote:  majority.  Appropriation:  no.  Fiscal committee:  yes.
State-mandated local program:  no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:


  SECTION 1.  Division 1.2 (commencing with Section 4050) is added to
the Financial Code, to read:

      DIVISION 1.2.  CALIFORNIA FINANCIAL INFORMATION PRIVACY ACT

   4050.  This division shall be known and may be cited as the
California Financial Information Privacy Act.  This division shall
 become operative on November 1, 2003, except that Section
4058.6 shall become operative on January 1, 2003.  
become operative on January 1, 2004. 
   4051.  (a) The Legislature intends for financial institutions to
provide their consumers notice and meaningful choice about how
consumers' personal information is shared or sold by their financial
institutions.
   (b) It is the intent of the Legislature in enacting the California
Financial Information Privacy Act to afford persons greater privacy
protection than those provided in Public Law 106-102, the federal
Gramm-Leach-Bliley Act, and that this division be interpreted to be
consistent with that purpose.
   4052.  For the purposes of this division:
   (a) "Confidential consumer information" means personally
identifiable financial information (1) provided by a consumer to a
financial institution, (2) resulting from any transaction with the
consumer or any service performed for the consumer, or (3) otherwise
obtained by the financial institution. Confidential consumer
information does not include publicly available information that the
financial institution has a reasonable basis to believe is lawfully
made available to the general public from (1) federal, state, or
local government records, (2) widely distributed media, or (3)
disclosures to the general public that are required to be made by
federal, state, or local law.  Confidential consumer information
shall include any list, description, or other grouping of consumers,
and publicly available information pertaining to them that is derived
using any nonpublic personal information other than publicly
available information, but shall not include any list, description,
or other grouping of consumers, and publicly available information
pertaining to them that is derived without using any confidential
consumer information.
   (b) "Personally identifiable financial information" means
information (1) that a consumer provides to a financial institution
to obtain a product or service from the financial institution, (2)
about a consumer resulting from any transaction involving a product
or service between the financial institution and a consumer, or (3)
that the financial institution otherwise obtains about a consumer in
connection with providing a product or service to that consumer.  Any
personally identifiable information is financial if it was obtained
by a financial institution in connection with providing a financial
product or service to a consumer, including the fact that a consumer
is a customer of a financial institution or has obtained a financial
product or service from a financial institution.  Personally
identifiable financial information includes all of the following:
   (1) Information a consumer provides to a financial institution on
an application to obtain a loan, credit card, or other financial
product or service.
   (2) Account balance information, payment history, overdraft
history and credit or debit card purchase information.
   (3) The fact that an individual is or has been a customer of a
financial institution or has obtained a financial product or service
from a financial institution.
   (4) Any information about a financial institution's consumer if it
is disclosed in a manner that indicates that the individual is or
has been the financial institution's consumer.
   (5) Any information that a consumer provides to a financial
institution or that a financial institution or its agent otherwise
obtains in connection with collecting on a loan or servicing a loan.

   (6) Any personally identifiable financial information collected
through an Internet cookie or an information collecting device from a
Web server.
   (7) Information from a consumer report.
   (c) "Financial institution" means any institution the business of
which is engaging in financial activities as described in Section
1843(k) of Title 12 of the United States Code and doing business in
this state.  An institution that is not significantly engaged in
financial activities is not a financial institution.  The term
"financial institution" does not include the Federal Agricultural
Mortgage Corporation or any entity chartered and operating under the
Farm Credit Act of 1971 (12 U.S.C. Sec. 2001 et seq.), provided that
the entity does not sell or transfer confidential consumer
information to a nonaffiliated third party.  The term "financial
institution" does not include institutions chartered by Congress
specifically to engage in a proposed or actual securitization,
secondary market sale, including sales of servicing rights, or
similar transactions related to a transaction of the consumer, as
long as those institutions do not sell or transfer confidential
consumer information to a nonaffiliated third party. The term
"financial institution" does not include any person licensed as a
dealer under Article 1 (commencing with Section 11700) of Chapter 4
of Division 5 of the Vehicle Code that enters into contracts for the
installment sale or lease of motor vehicles pursuant to the
requirements of Chapter 2b (commencing with Section 2981) or 2d
(commencing with Section 2985.7) of Title 14 of Part 4 of Division 3
of the Civil Code and assigns substantially all of those contracts to
financial institutions within 30 days.  The term "financial
institution" does not include any provider of professional services,
or any wholly owned affiliate thereof, that is prohibited by rules of
professional ethics or applicable law from voluntarily disclosing
confidential client information without the consent of the client.

   (d) "Affiliate" means any entity that controls, is controlled by,
or is under common control with another entity, but does not include
a joint employee of the entity and the affiliate.  A franchisor,
including any affiliate thereof, shall be deemed an affiliate of the
franchisee for purposes of this division.  A financial institution
and one or more of its affiliated entities shall be deemed a single
entity for purposes of this division to the extent that (1) the
financial institution and its affiliated entities are offering
financial products or services in conjunction with and as part of a
business that is significantly engaged in at least the following
financial activities:  (A) investment management services, (B)
portfolio advisory services, and (C) financial planning, and (2) the
operations of the financial institution and its affiliated entities
are integrated and that integration facilitates the provision of
those services.
   (e)  
   (d)  "Nonaffiliated third party" means any entity that is not
an affiliate of, or related by common ownership or affiliated by
corporate control with, the financial institution, but does not
include a joint employee of that institution and a third party.

   (f)  
   (e)  "Consumer" means an individual resident of this state
who obtains or has obtained a financial product or service from a
financial institution that is to be used primarily for personal,
family, or household purposes, or that individual's legal
representative.  For purposes of this division, an individual
resident of this state is someone whose last known mailing address,
other than an Armed Forces Post Office or Fleet Post Office address,
as shown in the records of the financial institution, is located in
this state.  For purposes of this division, an individual is not a
consumer of a financial institution solely because he or she is (1) a
participant or beneficiary of an employee benefit plan that a
financial institution administers or sponsors, or for which the
financial institution acts as a trustee, insurer, or fiduciary, (2)
covered under a group or blanket insurance policy or group annuity
contract issued by the financial institution, (3) a beneficiary in a
workers' compensation plan, (4) a beneficiary of a trust for which
the financial institution is a trustee, or (5) a person who has
designated the financial institution as trustee for a trust provided
that (A) the financial institution provides all required notices and
rights required by this division to the plan sponsor, group or
blanket insurance policyholder, or group annuity contractholder and
(B) the financial institution does not disclose to any affiliate or
any nonaffiliated third-party confidential consumer information about
the individual except as authorized in Section 4056.  A consumer
does not include an individual who obtains products or services for
business, commercial, or agricultural purposes.  
   (g)  
   (f)  "Control" means (1) ownership or power to vote 25
percent or more of the outstanding shares of any class of voting
security of a company, acting through one or more persons, (2)
control in any manner over the election of a majority of the
directors, or of individuals exercising similar functions, or (3) the
power to exercise, directly or indirectly, a controlling influence
over the management or policies of a company.  However, for purposes
of the application of the definition of control as it relates to
credit unions, a credit union has a controlling influence over the
management or policies of a credit union service organization (CUSO),
as that term is defined by state or federal law or regulation, if
the CUSO is at least 67 percent owned by credit unions.  For purposes
of the application of the definition of control to a financial
institution subject to regulation by the United States Securities and
Exchange Commission, a person who owns beneficially, either directly
or through one or more controlled companies, more than 25 percent of
the voting securities of a company is presumed to control the
company, and a person who does not own more than 25 percent of the
voting securities of a company is presumed not to control the
company, and a presumption regarding control may be rebutted by
evidence, but in the case of an investment company, the presumption
shall continue until the United States Securities and Exchange
Commission makes a decision to the contrary according to the
procedures described in Section 2(a)(9) of the federal Investment
Company Act of 1940.  
   (h)  
   (g)  "Necessary to effect, administer, or enforce" means the
following:
   (1) The disclosure is required, or is a usual, appropriate, or
acceptable method to carry out the transaction or the product or
service business of which the transaction is a part, and record or
service or maintain the consumer's account in the ordinary course of
providing the financial service or financial product, or to
administer or service benefits or claims relating to the transaction
or the product or service business of which it is a part, and
includes the following:
   (A) Providing the consumer or the consumer's agent or broker with
a confirmation, statement, or other record of the transaction, or
information on the status or value of the financial service or
financial product.
   (B) The accrual or recognition of incentives or bonuses associated
with the transaction or communications to eligible existing
consumers of the financial institution regarding the availability of
those incentives and bonuses that are provided by the financial
institution or another party.
   (C) With respect to a financial institution that has issued a
credit account bearing the name of a company primarily engaged in
retail sales or a name proprietary to a company primarily engaged in
retail sales, providing the retailer, or licensees or contractors of
the retailer that provide products or services in the name of the
retailer and under a contract with the retailer, with confidential
consumer information concerning the credit account in connection with
the marketing or provision of the products or services of the
retailer and those licensees or contractors.
   (2) The disclosure is required or is one of the lawful or
appropriate methods to enforce the rights of the financial
institution or of other persons engaged in carrying out the financial
transaction or providing the product or service.
   (3) The disclosure is required, or is a usual, appropriate, or
acceptable method for insurance underwriting or the placement of
insurance products by licensed agents and brokers with authorized
insurance companies at the consumer's request, for reinsurance, stop
loss insurance, or excess loss insurance purposes, or for any of the
following purposes as they relate to a consumer's insurance:
   (A) Account administration.
   (B) Reporting, investigating, or preventing fraud or material
misrepresentation.
   (C) Processing premium payments.
   (D) Processing insurance claims.
   (E) Administering insurance benefits, including utilization review
activities.
   (F)  Participating in research projects.
   (G) As otherwise required or specifically permitted by federal or
state law.
   (4) The disclosure is required, or is a usual, appropriate, or
acceptable method, in connection with the following:
   (A) The authorization, settlement, billing, processing, clearing,
transferring, reconciling, or collection of amounts charged, debited,
or otherwise paid using a debit, credit or other payment card,
check, or account number, or by other payment means.
   (B) The transfer of receivables, accounts, or interests therein.
   (C) The audit of debit, credit, or other payment information.
   (5) The disclosure is required in a transaction covered by the
federal Real Estate Settlement Procedures Act (12 U.S.C. Sec. 2601 et
seq.) in order to offer settlement services prior to the close of
escrow (as those services are defined in 12 U.S.C. Sec. 2602),
provided that (A) the confidential consumer information is disclosed
for the sole purpose of offering those settlement services and (B)
the confidential consumer information disclosed is limited to that
necessary to enable the financial institution to offer those
settlement services.  
   (i)  
   (h)  "Financial product or service" means any product or
service that a financial holding company could offer by engaging in
an activity that is financial in nature or incidental to a financial
activity under subsection (k) of Section 1843 of Title 12 of the
United States Code (the United States Bank Holding Company Act of
1956).  Financial service includes a financial institution's
evaluation or brokerage of information that the financial institution
collects in connection with a request or an application from a
consumer for a financial product or service.  
   (j)  
   (i)  "Clear and conspicuous" means that a notice is
reasonably understandable and designed to call attention to the
nature and significance of the information in the notice.  
   (k)  
   (j) "Widely distributed media" means media available to the
general public and includes a telephone book, a television or radio
program, a newspaper, or a Web site that is available to the general
public on an unrestricted basis.
   4053.  (a) A financial institution shall not disclose to, or share
a consumer's confidential consumer information with, any
nonaffiliated third party unless the financial institution has
provided written notice pursuant to subdivision (c), to the consumer
to whom the confidential consumer information relates and unless the
financial institution has obtained a consent acknowledgment from the
consumer pursuant to subdivision (c), that authorizes the financial
institution to disclose or share the confidential consumer
information.  Nothing in this section shall prohibit the disclosure
of confidential consumer information as allowed in Section 4056.  A
financial institution shall not deny a consumer a financial product
or a financial service because the consumer has not provided the
consent required by this subdivision to authorize the financial
institution to disclose or share his or her confidential consumer
information with any nonaffiliated third party. Nothing in this
section is intended to prohibit a financial institution from offering
incentives to elicit a specific response to the notice.  
   (b) (1) A financial institution shall not disclose to, or share a
consumer's confidential consumer information with, an affiliate
unless the financial institution clearly and conspicuously notifies
the consumer annually, commencing on November 1, 2003, in writing to
the consumer pursuant to subdivision (c) that the information may be
disclosed to an affiliate of the financial institution and the
consumer has not directed that the confidential consumer information
not be disclosed.  A financial institution does not disclose
information to, or share information with, its affiliate merely
because information is maintained in common information systems or
databases, and employees of the financial institution and its
affiliate have access to those common information systems or
databases, or a consumer accesses a Web site jointly operated or
maintained under a common name by or on behalf of the financial
institution and its affiliate(s), provided that confidential consumer
information is used or otherwise disclosed only as permitted by this
division.
   (2)  
   (b) (1)  Subdivision (a) shall not prohibit the release of
confidential consumer information by a financial institution with
whom the consumer has a relationship, to a nonaffiliated financial
institution or institutions for purposes of jointly offering a
financial product or financial service pursuant to a written
agreement with the financial institution that receives the
confidential consumer information provided that all of the following
requirements are met:
   (A) The financial product or service offered is a product or
service of, and is provided by, at least one of the financial
institutions that is a party to the written agreement.
   (B) The financial product or service is jointly offered, endorsed,
or sponsored, and clearly and conspicuously identifies for the
consumer the financial institutions that release the confidential
consumer information and the financial institutions that receive that
information.
   (C) The written agreement provides that the financial institution
that receives that confidential consumer information is required to
maintain the confidentiality of the information and is prohibited
from disclosing or using the information other than to carry out the
joint offering or servicing of a financial product or financial
service that is the subject of the written agreement.  
   (D) The financial institution that releases the confidential
consumer information has complied with subdivision (c) and the
consumer has not directed that confidential consumer information not
be disclosed.  The financial institution may, at its option, choose
instead to comply with the requirements of subdivision (a).
   (E)  
   (D)  Notwithstanding this section, until January 1, 2004, a
financial institution may disclose confidential consumer information
to a nonaffiliated financial institution pursuant to a preexisting
contract with the nonaffiliated financial institution, for purposes
of offering a financial product or financial service, if that
contract was entered into on or before January 1, 2003.  Beginning on
January 1, 2004, no confidential consumer information may be
disclosed pursuant to that contract unless all the requirements of
this subdivision are met.  
   (3)  
   (2)  Nothing in this subdivision shall prohibit a financial
institution from disclosing or sharing confidential consumer
information as otherwise specifically permitted by this division.
   (c) (1) The form set forth in this subdivision, or one
substantially similar shall be sent by the financial institution to
the consumer so that the consumer may make a decision and provide
direction to the financial institution regarding the sharing of his
or her confidential consumer information.  A form shall not be deemed
substantially similar for purposes of this subdivision unless at
least all of the following requirements are met:
   (A) The form uses the same title ("IMPORTANT PRIVACY CHOICES FOR
CALIFORNIANS") and headers (headings designated in all capital
letters in the form set forth below, such as "SHARING INFORMATION
WITH AFFILIATED COMPANIES").
   (B) The titles and headers in the form are clearly and
conspicuously displayed, and no text in the form is smaller than
10-point type.
   (C) The form is a separate document.
   (2) (A) None of the instructional items appearing in parentheses
in the form set forth below shall appear in the form provided to the
consumer, as those items are for explanation purposes only.  If a
financial institution does not disclose or share confidential
consumer information as described in any one or more of the first
three headers of the form, the financial institution is not required
to include the applicable header or headers, and the accompanying
information and box, in the form it provides pursuant to this
subdivision.   
   (B) If a consumer selects the box associated with the header
restricting information sharing to the greatest extent allowed by
law, that choice shall supersede all other choices.
   (C)  
   (B)  A financial institution shall not be in violation of
this subdivision solely because it includes in the form one or more
brief examples or explanations of the purpose or purposes, or
context, within which information will be shared.  
   (D)  
   (C)  The outside of the envelope in which the form is sent
shall clearly state in 16-point boldface type "IMPORTANT PRIVACY
CHOICES," except that a financial institution sending the form to a
consumer in the same envelope as a bill or account statement does not
have to include the wording "IMPORTANT PRIVACY CHOICES" on that
envelope.  The form shall be sent in any of the following ways:
   (i) With a bill or other statement of account, in which case the
information required by Title V of the Gramm-Leach-Bliley Act may
also be included.
   (ii) As a separate notice or with the information required by
Title V of the Gramm-Leach-Bliley Act, and including only information
related to privacy.
   (iii) With any other mailing, in which case it shall be the first
page of the mailing.
   (3) The consumer shall be provided an opportunity, before
disclosure of information pursuant to this division, for 45 days from
the date of postmark or other postal verification of mailing of the
initial notice required by this subdivision, to direct that the
confidential consumer information not be disclosed except as
otherwise permitted by this division.  A consumer may direct at any
time that his or her confidential consumer information not be
disclosed, except as otherwise permitted by this division.  A
financial institution shall comply with a consumer's directions
concerning the sharing of his or her confidential consumer
information within 45 days of receipt by the financial institution.
When a consumer directs that confidential consumer information not be
disclosed, that direction is in effect until otherwise stated by the
consumer.
   (4) A financial institution shall not deny a consumer a financial
product or a financial service because the consumer has directed
pursuant to subdivision (b) that his or her confidential consumer
information not be disclosed provided that nothing in this section
shall prohibit the disclosure of confidential consumer information
allowed by Section 4056.  Nothing in this section is intended to
prohibit a financial institution from offering incentives to elicit a
specific response to the notice.
   (5) A financial institution may elect to comply with the
requirements of subdivision (a) with respect to disclosure of
confidential consumer information to an affiliate or with respect to
confidential consumer information disclosed pursuant to paragraph (2)
of subdivision (b).
   (6) If a financial institution does not have a continuing
relationship with a consumer other than the initial transaction in
which the product or service is provided, no annual disclosure
requirement exists pursuant to this section as long as the financial
institution provides the consumer with the form required by this
section at the time of the initial transaction.  As used in this
section, "annually" means at least once in any period of 12
consecutive months during which that relationship exists.  The
financial institution may define the 12-consecutive-month period, but
shall apply it to the consumer on a consistent basis.  If, for
example, a financial institution defines the 12-consecutive-month
period as a calendar year and provides the annual notice to the
consumer once in each calendar year, it complies with the requirement
to send the notice annually.
   (7) A financial institution with assets in excess of twenty-five
million dollars ($25,000,000) shall include a self-addressed postage
paid return envelope with the notice.  A financial institution with
assets of up to and including twenty-five million dollars
($25,000,000) shall include a self-addressed return envelope with the
notice.  In addition to the return envelope required by this
paragraph, a financial institution may offer additional means for
consumers to communicate their privacy choices, including, but not
limited to, calling a toll-free number, sending a facsimile, or using
electronic means.  A financial institution shall clearly and
conspicuously disclose in the form required by this subdivision the
information necessary to direct the consumer on how to communicate
his or her choices, including the toll-free or facsimile number or
Web site address that may be used, if those means of communication
are offered by the financial institution.
   (8) A financial institution shall file a copy of the initial
notice or notices required by this subdivision with the Attorney
General.  No subsequent filing is required until the financial
institution modifies the notice, in which case a copy of the notice
as modified shall be filed with the Attorney General.  Nothing in
this paragraph shall be construed to require that a financial
institution file with the Attorney General a copy of the notice or
notices it provides to consumers more often than once in each
calendar year.  The interpretations of functional regulators
regarding the form required by this subdivision are not entitled to
deference by a court.
   (d) Nothing in this division shall prohibit a financial
institution from marketing its own products and services or the
products and services of affiliates or nonaffiliated third parties to
customers of the financial institution as long as (1) confidential
consumer information is not disclosed in connection with the delivery
of the applicable marketing materials to those customers except as
permitted by Section 4056 and (2) in cases in which the applicable
nonaffiliated third party may extrapolate confidential consumer
information about the consumer responding to those marketing
materials, the applicable nonaffiliated third party has signed a
contract with the financial institution under the terms of which (A)
the nonaffiliated third party is prohibited from retaining or using
that information for any purpose, and (B) the financial institution
has the right by audit, inspections, or other means to verify the
nonaffiliated third party's compliance with that contract.
   4053.5.  Except as otherwise provided in this division, an entity
that receives confidential consumer information from a financial
institution under this division shall not disclose this information
to any other entity, unless the disclosure would be lawful if made
directly to the other entity by the financial institution.  An entity
that receives confidential consumer information pursuant to any
exception set forth in Section 4056 shall not use or disclose the
information except in the ordinary course of business to carry out
the activity covered by the exception under which the information was
received.
   4054.  (a) Nothing in this division shall require a financial
institution to provide a written notice to a consumer pursuant to
Section 4053 if the financial institution does not disclose
confidential consumer information to any nonaffiliated third party or
to any affiliate, except as allowed in this division.
   (b)  A notice provided to a member of a household pursuant to
Section 4053 shall be considered notice to all members of that
household unless that household contains another individual who also
has a separate account with the financial institution.
   (c) (1) The requirement to send a written notice to a consumer may
be fulfilled by electronic means if the following requirements are
met:
   (A) The notice, and the manner in which it is sent, meets all of
the requirements for notices that are required by law to be in
writing, as set forth in Section 101 of the federal Electronic
Signatures in Global and National Commerce Act.
   (B) All other requirements applicable to the notice, as set forth
in this division, are met, including but not limited to, requirements
concerning content, timing, form, and delivery.
   (C) The notice shall be delivered to the consumer in a form the
consumer may keep.
   (2) A notice that is made available to a consumer, and is not
delivered to the consumer, does not satisfy the requirements of
paragraph (1).
   (3) Any electronic consumer reply to an electronic notice sent
pursuant to this division is effective.  A person that electronically
sends a notice required by this division to a consumer may not by
contract, or otherwise, eliminate the effectiveness of the consumer's
electronic reply.
   (4) This division modifies the provisions of Section 101 of the
federal Electronic Signatures in Global and National Commerce Act.
However, it does not modify, limit, or supersede the provisions of
subsection (c), (d), (e), (f), or (h) of Section 101 of the federal
Electronic Signatures in Global and National Commerce Act, nor does
it authorize electronic delivery of any notice of the type described
in subsection (b) of Section 103 of that federal act.
   4054.6.  When a financial institution and a membership
organization, tax-exempt organization, not-for-profit organization,
or a professional sports team that is not a financial institution
have an agreement to issue a credit card in the name of the
membership organization, tax-exempt organization, not-for-profit
organization, or the professional sports team ("affinity card"), the
financial institution shall be permitted to disclose to the entity in
whose name the card is issued, the names and addresses, including
electronic mail addresses, of the financial institution's consumers
in receipt of the affinity card if all of the following requirements
are satisfied:
   (a) The financial institution has a contractual agreement with the
membership organization, tax-exempt organization, not-for-profit
organization, or professional sports team that requires the entity in
whose name the affinity card is issued to maintain the
confidentiality of the confidential consumer information and
prohibits the entity in whose name the affinity card is issued from
using the information for any purposes other than verifying
membership, verifying the affinity cardholder's address or offering
the entity's own products or services to the cardholder.  Nothing in
this section shall prohibit the disclosure of confidential consumer
information allowed by Section 4056.
   (b) The customer list is not disclosed in any way that reveals or
permits extrapolation of any additional confidential consumer
information about any customer on the list.
   (c) If the entity in whose name the card is issued sends any
message to any electronic mail addresses obtained pursuant to this
section, the message shall include at least both of the following:
   (1) The identity of the sender of the message.
   (2) A cost-free means for the recipient to notify the sender not
to electronically mail any further messages to the recipient.

   4055.  (a) This division shall not apply to disclosures between a
member-owned financial institution and its affiliates, or between
like affiliates, provided that the disclosure is primarily for
customer service purposes and not for marketing purposes, and that
the financial institution meets all of the following requirements:
   (1) A majority of the financial institution's consumers are
members of the United States military services, veterans of the
United States military services, current or former spouses or
dependents of these persons and the primary purpose of the financial
institution is to serve these persons.
   (2) The financial institution and its affiliates are in compliance
with Title V of the federal Financial Services Modernization Act.
   (3) Consumers of the financial institution and its affiliates are
informed in writing on an annual basis of the opportunity to opt out
of information sharing among the institution and its affiliates for
marketing purposes.
   (b) For purposes of this section, "marketing purposes" means for
use in unsolicited telemarketing, unsolicited direct mail, or
unsolicited commercial electronic mail for the primary purpose of
encouraging the purchase or rental of, or investment in, property,
goods, or services.  For purposes of this section, "marketing
purposes" shall not include communications to a person with that
person's prior express invitation or permission, or in response to a
communication from such person. 
   4056.  (a) This division shall not apply to information that is
not personally identifiable to a particular person.
   (b) Sections 4053 and 4054 shall not prohibit the release of
confidential consumer information under the following circumstances:
   (1) The confidential consumer information is necessary to effect,
administer, or enforce a transaction requested or authorized by the
consumer, or in connection with servicing or processing a financial
product or service requested or authorized by the consumer, or in
connection with maintaining or servicing the consumer's account with
the financial institution, or with another entity as part of a
private label credit card program or other extension of credit on
behalf of such entity, or in connection with a proposed or actual
securitization or secondary market sale, including sales of servicing
rights, or similar transactions related to a transaction of the
consumer.
   (2) The confidential consumer information is released with the
consent of or at the direction of the consumer.
   (3) The confidential consumer information is:
   (A) Released to protect the confidentiality or security of the
financial institution's records pertaining to the consumer, the
service or product, or the transaction therein.
   (B) Released to protect against or prevent actual or potential
fraud, identity theft, unauthorized transactions, claims, or other
liability.
   (C) Released for required institutional risk control, or for
resolving customer disputes or inquiries.
   (D) Released to persons holding a legal or beneficial interest
relating to the consumer, including for purposes of debt collection.
   (E) Released to persons acting in a fiduciary or representative
capacity on behalf of the consumer.
   (4) The confidential consumer information is released to provide
information to insurance rate advisory organizations, guaranty funds
or agencies, applicable rating agencies of the financial institution,
persons assessing the institution's compliance with industry
standards, and the institution's attorneys, accountants, and
auditors.
   (5) The confidential consumer information is released to the
extent specifically required or specifically permitted under other
provisions of law and in accordance with the Right to Financial
Privacy Act of 1978 (12 U.S.C. Sec. 3401 et seq.), to law enforcement
agencies, including a federal functional regulator, the Secretary of
the Treasury with respect to subchapter II of Chapter 53 of Title
31, and Chapter 2 of Title I of Public Law 91-508 (12 U.S.C. Secs.
1951-1959), the California Department of Insurance or other state
insurance regulators, or the Federal Trade Commission, and
self-regulatory organizations, or for an investigation on a matter
related to public safety.
   (6) The confidential consumer information is released (A) to a
consumer reporting agency in accordance with the Fair Credit
Reporting Act (15 U.S.C.  Sec. 1681 et seq.); or (B) from a consumer
report reported by a consumer reporting agency.
   (7) The confidential consumer information is released in
connection with a proposed or actual sale, merger, transfer, or
exchange of all or a portion of a business or operating unit if the
disclosure of confidential consumer information concerns solely
consumers of the business or unit.
   (8) The confidential consumer information is released to comply
with federal, state, or local laws, rules, and other applicable legal
requirements; to comply with a properly authorized civil, criminal,
administrative, or regulatory investigation or subpoena or summons by
federal, state, or local authorities; or to respond to judicial
process or government regulatory authorities having jurisdiction over
the financial institution for examination, compliance, or other
purposes as authorized by law.
   (9) When a financial institution is reporting a known or suspected
instance of elder or dependent adult financial abuse or is
cooperating with a local adult protective services agency
investigation of known or suspected elder or dependent adult
financial abuse pursuant to Article 3 (commencing with Section 15630)
of Chapter 11 of Part 3 of Division 9 of the Welfare and
Institutions Code.
   (10) The confidential consumer information is released to an
affiliate or a nonaffiliated third party in order for the affiliate
or nonaffiliated third party to perform services, such as mailing
services, data processing or analysis, or customer surveys, on behalf
of the financial institution, provided that all of the following
requirements are met:
   (A) The services to be performed by the affiliate or nonaffiliated
third party could lawfully be performed by the financial
institution.
   (B) There is a written contract between the affiliate or
nonaffiliated third party and the financial institution that
prohibits the affiliate or nonaffiliated third party, as the case may
be, from disclosing or using the confidential consumer information
other than to carry out the purpose for which the financial
institution disclosed the information, as set forth in the written
contract.
   (C) The confidential consumer information provided to the
affiliate or nonaffiliated third party is limited to that which is
reasonably necessary for the affiliate or nonaffiliated third party
to perform the services contracted for on behalf of the financial
institution.
   (D) The financial institution does not receive any payment from or
through the affiliate or nonaffiliated third party in connection
with, or as a result of, the release of the confidential consumer
information.
   (11) The confidential consumer information is released to identify
or locate missing and abducted children, witnesses, criminals and
fugitives, parties to lawsuits, parents delinquent in child support
payments, organ and bone marrow donors, pension fund beneficiaries,
and missing heirs.
   (12) The confidential consumer information is released to a real
estate appraiser licensed or certified by the state for submission to
central data repositories such as the California Market Data
Cooperative, and the confidential consumer information is compiled
strictly to complete other real estate appraisals and is not used for
any other purpose.
   (13) The confidential consumer information is released as required
by Title III of the federal Uniting and Strengthening America by
Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism Act of 2001 (USA Patriot Act; P.L. 107-56).
   (c) Nothing in this division is intended to change existing law
relating to access by law enforcement agencies to information held by
financial institutions.
   4056.5.  (a) The provisions of this division do not apply to any
person or entity that meets the requirements of paragraph (1) or (2)
below. However, when confidential consumer information is being or
will be shared by a person or entity meeting the requirements of
paragraph (1) or (2) with an affiliate or nonaffiliated third party,
this division shall apply.
   (1) The person or entity is licensed in one or both of the
following categories and is acting within the scope of the respective
license or certificate:
   (A) As an insurance producer, licensed pursuant to Chapter 5
(commencing with Section 1621), Chapter 6 (commencing with Section
1760), or Chapter 8 (commencing with Section 1831) of Division 1 of
the Insurance Code, as a registered investment adviser pursuant to
Chapter 3 (commencing with Section 25230) of Part 3 of Division 1 of
Title 4 of the Corporations Code, or as an investment adviser
pursuant to Section 202(a)(11) of the federal Investment Advisers Act
of 1940.
   (B) Is licensed to sell securities by the National Association of
Securities Dealers (NASD).
   (2) The person or entity meets the requirements in paragraph (1)
and has a written contractual agreement with another person or entity
described in paragraph (1) and the contract clearly and explicitly
includes the following:
   (A) The rights and obligations between the licensees arising out
of the business relationship relating to insurance or securities
transactions.
   (B) An explicit limitation on the use of confidential consumer
information about a consumer to transactions authorized by the
contract and permitted pursuant to this division.
   (C) A requirement that transactions specified in the contract fall
within the scope of activities permitted by the licenses of the
parties.
   (b) The restrictions on disclosure and use of confidential
consumer information, and the requirement for notification and
disclosure provided in this division, shall not limit the ability of
insurance producers and brokers to respond to written or electronic,
including telephone, requests from consumers seeking price quotes on
insurance products and services or to obtain competitive quotes to
renew an existing insurance contract, provided that any confidential
consumer information disclosed pursuant to this subdivision shall not
be used or disclosed except in the ordinary course of business in
order to obtain those quotes.
   4057. (a) An entity that negligently discloses or shares
confidential consumer information in violation of this division shall
be liable, irrespective of the amount of damages suffered by the
consumer as a result of that violation, for a civil penalty not to
exceed two thousand five hundred dollars ($2,500) per violation.
However, the total civil penalty awarded pursuant to this subdivision
shall not exceed five hundred thousand dollars ($500,000) per
occurrence.
   (b) An entity that knowingly and willfully obtains, discloses,
shares, or uses confidential consumer information in violation of
this division shall be liable for a civil penalty not to exceed two
thousand five hundred dollars ($2,500) per violation.
   (c) In determining the penalty to be assessed pursuant to a
violation of this division, the court shall take into account the
following factors:
   (1) The total assets and net worth of the violating entity.
   (2) The nature and seriousness of the violation.
   (3) The persistence of the violation, including any attempts to
correct the situation leading to the violation.
   (4) The length of time over which the violation occurred.
   (5) The number of times the entity has violated this division.
   (6) The harm caused to consumers by the violation.
   (7) The level of proceeds derived from the violation.
   (8) The impact of possible penalties on the overall fiscal
solvency of the violating entity.
   (d) In the event a violation of this division results in the
identity theft of a consumer, as defined by Section 530.5 of the
Penal Code, the civil penalties set forth in this section shall be
doubled.
   (e) This section shall become operative on and after July 1, 2004,
for acts in violation of this division that occur on and after July
1, 2004.
   4058.  This division shall not be construed in a manner that is
inconsistent with the federal Fair Credit Reporting Act (15 U.S.C.
Sec. 1681 et seq.).
   4058.5.  Nothing in this division shall be construed as altering
or annulling the authority of any department or agency of the state
to regulate any financial institution subject to its jurisdiction.
   4058.6.  This division shall preempt and be exclusive of all local
agency ordinances and regulations relating to the use and sharing of
confidential consumer information by financial institutions.  This
section shall apply both prospectively and retroactively.
   4059.  The provisions of this division shall be severable, and if
any phrase, clause, sentence, or provision is declared to be invalid
or is preempted by federal law or regulation, the validity of the
remainder of this division shall not be affected thereby.