BILL NUMBER: AB 1707	AMENDED
	BILL TEXT

	AMENDED IN ASSEMBLY   APRIL 13, 2000
	AMENDED IN ASSEMBLY   FEBRUARY 10, 2000

INTRODUCED BY   Assembly Members Kuehl and Nakano
   (Coauthors:  Assembly Members  Alquist,  Aroner,
Bock, Cardoza,  Jackson,  Knox, Thomson, and Wildman)
   (Coauthors:  Senators Figueroa, Hayden, Karnette,  Rainey,
 and Solis)

                        JANUARY 3, 2000

   An act to add Chapter 2 (commencing with Section 1798.80) to Title
1.8 of Part 4 of Division 3 of the Civil Code, relating to financial
privacy.



	LEGISLATIVE COUNSEL'S DIGEST


   AB 1707, as amended, Kuehl.  Privacy:  financial transactions:
personal information.
   Existing law prohibits a business entity that performs bookkeeping
services from disclosing the contents of any record which is
prepared or maintained by the business entity to any person, other
than the individual which is the subject of the record, without the
express written consent of the person.
   This bill would enact the Consumers' Financial Privacy Act.  The
bill would prohibit a financial institution, as specified, without a
consumer's prior written consent, from disclosing or making an
unrelated use of the personal information collected by the financial
institution in connection with any transaction with the consumer
involving any financial product or any financial service or otherwise
obtained by the financial institution.  The bill would require
various disclosures by financial institutions to consumers.  The bill
would provide for specified civil remedies and the imposition of a
civil penalty by a court or the imposition of an administrative fine
by a regulatory agency.
   Vote:  majority.  Appropriation:  no.  Fiscal committee:  yes.
State-mandated local program:  no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:


  SECTION 1.  Chapter 2 (commencing with Section 1798.80) is added to
Title 1.8 of Part 4 of Division 3 of the Civil Code, to read:

      CHAPTER 2.  CONSUMERS' FINANCIAL PRIVACY ACT

   1798.80. (a) This chapter shall be known as and may be cited as
the Consumers' Financial Privacy Act.
   (b) The Legislature finds and declares all of the following:
   (1) The right to privacy is an inalienable right protected by the
California Constitution and the United States Constitution.
   (2) The right to privacy protects individuals from the
unauthorized collection, retention, and dissemination of personal
information by business interests.
   (3) Individuals have a reasonable expectation of privacy when they
provide information to a financial institution.
   (4) Inherent in the constitutional right to privacy and the
expectation of privacy of information is the right of individuals to
control the use, gathering, and dissemination of personally
identifiable information.
   (5) It is an invasion of privacy for financial institutions to
disclose a consumer's personal information without the affirmative
written consent of the consumer.
   (6) The federal government, through enactment of the federal
Gramm-Leach-Bliley Act (P.L. 106-102), has expressly invited states
to enact greater protections for the privacy of financial information
of their residents.
   (c) The Legislature intends all of the following:
   (1) The privacy of a consumer's personal information provided to a
financial institution by the consumer or otherwise shall be
protected.
   (2) A consumer's personal information provided to a financial
institution may not be disclosed without the consumer's prior written
consent.
   (3) No financial institution may refuse or limit a consumer's
access to any financial product or service for refusing to provide
consent or canceling consent to disclosure of personal information
provided to the financial institution.
   1798.81.  (a) The following definitions apply to this chapter:
   (1) "Affiliate" means any entity that, directly, or indirectly
through one or more intermediaries, controls, is controlled by, or is
under common control with the other entity.
   (2)  "Consumer" means an individual who obtains or has
obtained a financial product or service from a financial institution
that is to be used primarily for personal, family, or household
purposes.  "Consumer" also includes that person's legal
representative.
   (3) "Control" means the possession, direct or indirect, of the
power to direct or cause the direction of the management and policies
of another entity.
   (4) "Customer relationship" means a continuing relationship
between a consumer and a financial institution under which the
financial institution provides one or more financial products or
services to the consumer. "Customer relationship" does not include an
isolated transaction, or a series of isolated transactions, between
a consumer and a financial institution.
   (5)  "Financial institution" includes a commercial bank,
trust company, savings and loan association, credit union, industrial
loan company, insurance company, securities brokerage, mortgage
lender, or person engaged in the business of lending money.  

   (3) Personal  
   (6) "Personal  information" means personally identifiable
information provided by a consumer to a financial institution in
connection with any transaction with a consumer involving any
financial product or any financial service or personally identifiable
information otherwise obtained by the financial institution from the
consumer or any other third party.  
   (4)  
   (7)  "Unrelated use" means any use other than a use that is
necessary to effect, administer, or enforce a transaction with a
consumer in any financial product or any financial service or that
exceeds the stated purpose for which the consumer consented to
disclosure.  
   (5)  
   (8)  "Written consent" includes consent provided by
electronic mail or other electronic means.
   (b) A  person   consumer  has a
protected privacy interest in all of the personal information that he
or she provides to a financial institution or that a financial
institution otherwise obtains.
   (c) A  person   consumer  shall have a
cause of action for any  disclosure in  violation of
this chapter.
   1798.82.  (a) A financial institution may not disclose to any
affiliate or nonaffiliated third party, or through any affiliate or
nonaffiliated third party, or make an unrelated use of, any personal
information unless the financial institution receives the consumer's
prior written consent for the disclosure or use of the information.
The financial institution shall notify the consumer of the
information it wishes to disclose or use, the individual or business
entity that will receive the information, and the purpose for the
disclosure or use, at the time that it solicits written consent from
the consumer.  All those notifications shall also clearly and
conspicuously state that the financial institution may not refuse or
limit a consumer's access to any financial product or service for
refusing to provide consent  or canceling consent  to the
disclosure or unrelated use of personal information.
   (b) At the time of establishing a customer relationship with a
consumer, at the time of the first solicitation for written consent
from the consumer, and not less than annually thereafter, all
financial institutions shall clearly and conspicuously disclose to
the consumer all of the following:
   (1) The categories of personal information that are collected by
the financial institution.
   (2) The policies and practices that the financial institution
maintains to protect the confidentiality and security of personal
information.
   (3) Categories of persons or entities to whom the information is
or may be disclosed or who may be permitted to make unrelated use of
the information.
   (4) The practices and policies of the financial institution with
respect to providing consumers with the opportunity to examine and
dispute information subject to disclosure or unrelated use by the
financial institution or any affiliates or nonaffiliated third
parties.
   (5) The right of a consumer to refuse or cancel consent to the
disclosure or unrelated use of any personal information, and that the
financial institution may not refuse or limit access to any
financial product or service for exercising that right.
   (c) If the financial institution adopts a policy of nondisclosure
and a policy prohibiting any unrelated use of personal information,
 and for so long as the financial institution maintains and
observes those policies,  the financial institution shall not be
required to comply with the annual notification requirements of
subdivision (b).  In that case, the financial institution shall be
obligated to disclose this policy to consumers only once, either at
the time of establishing a customer relationship, or through
communication with existing customers.
   (d) Except as provided in subdivisions (e) and (f), the prior
written consent required by subdivision (a) may be a general
authorization to cover some or all transactions, provided that:
   (1) Any general authorization shall clearly and conspicuously
disclose to the consumer the consumer's right to cancel the general
authorization at any time, as well as all of the information
described in paragraphs (1), (3), (4), and (5) of subdivision (b).
   (2) If a consumer consents to a general authorization, a financial
institution shall provide a consumer with a written notice of each
disclosure or unrelated use that the financial institution makes of
the consumer's personal information either within 30 days of
disclosure or use, or with the next account statement, billing
statement, or other document provided to the consumer by the
financial institution if the statement or other document is provided
within 60 days of disclosure or use.  The written notice shall
include the personal information disclosed or used, who received the
information, the purpose of the disclosure or use, and the consumer's
right to cancel the general authorization at any time.
   (3) An individual may cancel any general authorization at any
time. Immediately upon cancellation of a general authorization, a
financial institution shall be required to obtain the consumer's
prior written consent for any and all subsequent disclosures or
unrelated uses of information subject to the provisions of this
chapter.
   (e) A financial institution shall not disclose to any affiliate or
any nonaffiliated third party, or through any affiliate or any
nonaffiliated third party, without the prior written consent of the
consumer, the consumer's account number or similar form of access
number or access code for a credit card account, deposit account,
checking or savings account, debit card, transaction account, or
similar type of account number or access number or code  , or the
existence of any one or more of these accounts  for use in any
marketing or commercial purpose, including, but not limited to,
telemarketing, direct mail marketing, or marketing through electronic
mail or other means.
   (f) An affiliate or a nonaffiliated third party that receives from
a financial institution the personal information of a consumer shall
not, directly or through an affiliate of the receiving party,
disclose or make an unrelated use of the information to any other
person or entity without the prior written consent of the consumer.
An affiliate or any nonaffiliated third party shall be required to
directly and independently secure the consumer's prior written
consent to  share   disclose or make an
unrelated use of  personal information.  Prior written consent
provided to a financial institution may not include consent for an
affiliate or nonaffiliated third party to subsequently  share
  disclose or make an unrelated use of  personal
information of a consumer with any other person or entity.
   (g) Subdivision (a) shall not be construed to prohibit the
disclosure of personal information  without the prior written
consent of the consumer  in any of the following circumstances:

   (1) The disclosure is necessary to effect, administer, or enforce
a transaction requested or authorized by the consumer in connection
with servicing or processing a financial product or service requested
or authorized by the consumer,  or  for maintaining
or servicing the consumer's account with the financial institution
 , or for enforcing a financial obligation of the consumer
arising from any transaction with the financial institution  .
   (2) The disclosure is necessary to protect the confidentiality or
security of the financial institution's records pertaining to the
consumer, the service or product, or the transaction.
   (3) The disclosure is necessary to protect the consumer against
actual or potential fraud, unauthorized transactions, claims, or
other liability.
   (4) The disclosure is made to persons holding a legal or
beneficial interest relating to the consumer or acting in a fiduciary
or representative capacity on behalf of the consumer.
   (5) The disclosure is made to law enforcement agencies to the
extent specifically permitted or required under state or federal law.

   (6) The disclosure is made in compliance with a properly
authorized civil, criminal, or regulatory investigation or subpoena
or summons by federal, state, or local authorities, or to respond to
judicial process or government regulatory authorities having
jurisdiction over the financial institution.
   (7) The disclosure is made to a local, state, or federal agency
for child support enforcement purposes.
   (8) The disclosure is made to a consumer reporting agency in
accordance with the federal Fair Credit Reporting Act  (15 U.S.C.
Sec. 1681 et seq.) or the Consumer Credit Reporting Agencies Act
(Title 1.6 (commencing with Section 1785.1))  .
   (h) No financial institution may refuse or limit a consumer's
access to a financial product or service for refusing to provide
consent to the disclosure of personal information provided by the
consumer to the financial institution or for canceling that consent.

   (i) Every financial institution shall provide a consumer, upon
request, with the opportunity to examine all personal information
subject to disclosure or unrelated use, to dispute the accuracy of
any of the information, and to require the financial institution to
correct information that has been demonstrated by the consumer to be
inaccurate.
   1798.83. (a) In addition to any other remedies available 
at   under state or federal  law, all of the
following remedies, fines, and penalties are applicable to a
violation of this chapter:
   (1) Any individual may bring an action against  any person
or entity who   a financial institution, or affiliate
or nonaffiliated third party, that  has negligently disclosed
 or used  personal information in violation of this chapter,
for either or both of the following:
   (A) Nominal damages of one thousand dollars ($1,000).  In order to
recover under this subparagraph, it shall not be necessary for the
consumer to have suffered actual damages.
   (B) The amount of actual damages, if any, suffered by the
consumer.
   The court shall award reasonable attorney's fees and costs to the
plaintiff if he or she prevails in the action.  
   (2) Any individual may bring an action for injunctive relief
against any person or entity that has disclosed personal information
in violation of this chapter.  
   (2) Any financial institution, or affiliate or nonaffiliated third
party, that violates, proposes to violate, or has violated any
provision of this chapter may be enjoined in any court of competent
jurisdiction. 
   (3) A  person or entity   financial
institution, or affiliate or nonaffiliated third party,  that
negligently discloses  or uses  personal information in
violation of the provisions of this chapter shall be liable,
irrespective of the amount of damage suffered by the consumer as a
result of that violation, for an administrative fine or civil penalty
not to exceed two thousand five hundred dollars ($2,500) per
violation.
   (4) A  person or entity who   financial
institution, or affiliate or nonaffiliated third party, that 
knowingly or willfully discloses  or uses  personal
information in violation of this chapter shall be liable for an
administrative fine or civil penalty of not less than two thousand
five hundred dollars ($2,500) but not to exceed twenty-five thousand
dollars ($25,000) per violation.
   (5) A  person or entity who   financial
institution, or affiliate or nonaffiliated third party, that 
knowingly or willfully discloses  or uses  personal
information in violation of this chapter for the purpose of financial
gain shall be liable for an administrative fine or civil penalty not
less than twenty-five thousand dollars ($25,000) but not more than
two hundred fifty thousand dollars ($250,000) per violation and shall
also be subject to disgorgement of any proceeds or other
consideration obtained as a result of the violation.
   (6) Nothing in this subdivision shall be construed as authorizing
an administrative fine or civil penalty under both paragraphs (4) and
(5) for the same violation.
   (b) In assessing the amount of an administrative fine or civil
penalty pursuant to paragraph (3), (4), or (5) of subdivision (a),
the regulatory agency or court shall consider any one or more of the
relevant circumstances presented by any of the parties to the case,
including, but not limited to, the following:
   (1) Whether the defendant has made a reasonable, good faith
attempt to comply with this chapter.
   (2) The nature and seriousness of the misconduct.
   (3) The harm to the consumer.
   (4) The number of violations.
   (5) The persistence of the misconduct.
   (6) The length of time over which the misconduct occurred.
   (7) The willfulness of the defendant's misconduct.
   (8) The defendant's assets, liabilities, and net worth.
   (c) (1) The civil penalty imposed pursuant to paragraph (3), (4),
or (5) of subdivision (a) shall be assessed and recovered in a civil
action brought in the name of the people of the State of California
in any court of competent jurisdiction.
   (2) Nothing in this section shall be construed as authorizing the
imposition of both an administrative fine and civil penalty for the
same violation.
   (3) The imposition of an administrative fine or civil penalty
provided for in this section shall not preclude the imposition of any
other sanctions or remedies authorized by law.