BILL NUMBER: SB 1372 AMENDED
BILL TEXT
AMENDED IN SENATE APRIL 24, 2000
INTRODUCED BY Senators Leslie and Johannessen
JANUARY 20, 2000
An act to add Division 10 (commencing with Section 24000) to the
Financial Code, relating to financial institutions.
LEGISLATIVE COUNSEL'S DIGEST
SB 1372, as amended, Leslie. Financial institutions: privacy.
Existing law prohibits a business entity which performs
bookkeeping services from disclosing the contents of any record which
is prepared or maintained by the business entity to any person,
other than the individual which is the subject of the record, without
the express written consent of the person. Existing law
provides for the regulation of various financial institutions by the
Department of Financial Institutions, as specified.
This bill would require a financial institution, as defined, to
make certain disclosures to a consumer before disclosing any nonpublic
personal information either provided by the consumer to the
financial institution in connection with any transaction with the
consumer or service performed for the consumer, or otherwise obtained
by the financial institution. The bill would permit a consumer
to notify a financial institution, as specified, not to disclose or
share his or her nonpublic personal information with an affiliate of
the financial institution, or a nonaffiliated 3rd party. The bill
would require the Department of Financial Institutions to adopt
regulations to implement the provisions of this bill for all
financial institutions. This bill would become operative on
July 1, 2001.
Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: no.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1. Division 10 (commencing with Section 24000) is added to
the Financial Code, to read:
DIVISION 10. INFORMATION ACCESS
CHAPTER 1. PRIVACY PROTECTION FOR CONSUMER INFORMATION
OBTAINED BY FINANCIAL INSTITUTIONS
Article 1. General Provisions
24000. This division shall be known as and may be cited as the
Financial Privacy Act.
24001. "Affiliate" means any company that controls, is controlled
by, or is under common control with another company.
24002. "Consumer" means an individual who requests or obtains
from a financial institution financial products or services,
including fiduciary services, which are to be used primarily for
personal, family, or household purposes, and also means the legal
representative of that individual. A consumer includes, but is not
limited to, any customer, any former customer, any person who applies
for financial products or services but does not become a customer,
and any person who receives financial services or products from a
financial institution through another financial institution, person,
or entity.
24003. "Financial holding company" shall have the same meaning as
in Public Law 106-102.
24004. "Financial institution" includes a commercial bank, trust
company, savings association, savings bank, credit card issuer or
operator of a credit card system, credit union, industrial loan
company, insurance company that is an affiliate of a commercial bank
or trust company, securities brokerage, mortgage lender, financial
holding company, or person engaged in the business of lending money.
24005. (a) "Nonpublic personal information" means personally
identifiable information either provided by a consumer to a financial
institution in connection with any transaction with the consumer or
service performed for the consumer or otherwise obtained by the
financial institution.
(b) "Nonpublic personal information" does not include personally
identifiable information in any list, description, or other grouping
of consumers that is publicly available if the list, description, or
other grouping of consumers was derived without using personally
identifiable information that is not publicly available.
24006. "Nonaffiliated third party" means any entity that is not
an affiliate of, or related by common ownership or affiliated by
corporate control with, the financial institution, but does not
include a joint employee of the institution.
24007. "Unrelated use," when used with respect to information
collected by a financial institution in connection with any
transaction with a consumer in any financial product or financial
service, means any use other than a use that is necessary to effect,
administer, or enforce the transaction.
24008. The disclosure or use of nonpublic personal information
shall be treated as necessary to effect or administer a transaction
with a consumer if the disclosure or use is for any of the following:
(a) Is required, or is a usual, appropriate, or acceptable method,
to carry out the transaction or the product or service business of
which the transaction is a part, and to record or service or maintain
the consumer's account in the ordinary course of providing the
financial service or financial product, or to administer or service
benefits or claims relating to the transaction or the product or
service business of which it is a part and includes either of the
following:
(1) Providing the consumer or the consumer's agent with a
confirmation, statement, or other record of the transaction, or with
information on the status or value of the financial service or
financial product.
(2) The accrual or recognition of incentives or bonuses associated
with the transaction that are provided by the financial institution
or any other party.
(b) Is required, or is one of the lawful or appropriate methods,
to enforce the rights of the financial institution or of other
persons engaged in carrying out the financial transaction or in
providing the product or service.
(c) Is required, or is a usual, appropriate, or acceptable method,
for insurance underwriting at the consumer's request or for
reinsurance purposes, or for any of the following purposes as they
relate to a consumer's insurance:
(1) Account administration.
(2) Reporting, investigating, or preventing fraud or material
misrepresentation.
(3) Processing premium payments.
(4) Processing insurance claims.
(5) Administering insurance benefits, including utilization review
activities.
(6) Participating in research projects.
(7) As otherwise required or specifically permitted by state law.
(d) Is required, or is a usual, appropriate, or acceptable method
in connection with any of the following:
(1) The authorization, settlement, billing, processing, clearing,
transferring, reconciling, or collection of amounts charged, debited,
or otherwise paid using a debit, credit, or other payment card,
check, or account number, or by other payment means.
(2) The transfer of receivables, accounts, or interests therein.
(3) The audit of debit, credit, or other payment information.
Article 2. Privacy Protection
24015. A financial institution has an affirmative and continuing
obligation to respect the privacy of consumers as required by this
chapter.
24016. (a) A financial institution, prior to collecting nonpublic
personal information from a consumer, shall provide the consumer
with a summary disclosure that lists all of the following:
(1) The categories of nonpublic personal information that are
collected by the financial institution.
(2) The practices and policies of the financial institution with
respect to using nonpublic personal information, and the persons or
entities that may receive and use this information.
(3) The policies that the institution maintains to protect the
confidentiality and security of nonpublic personal information.
(4) The procedures established in this chapter that a financial
institution is required to follow before disclosing nonpublic
personal information.
(b) A consumer may request a comprehensive disclosure that
provides a more detailed description of the information required to
be contained in the summary disclosure pursuant to subdivision (a).
A financial institution shall make its comprehensive disclosure
available at each business location that is open to the public, and
shall, upon request, send a copy of the comprehensive disclosure by
mail to a person requesting a copy.
(c) A financial institution may not disclose or share with an
affiliate, or nonaffiliated third party, any nonpublic personal
information of a consumer, unless the financial institution does all
of the following:
(1) Clearly and conspicuously discloses to the consumer in writing
that his or her nonpublic personal information may be disclosed or
shared with an affiliate, or nonaffiliated third party.
(2) Gives the consumer the opportunity, before the time that the
information is initially disclosed or shared, to direct in writing
that the information not be disclosed or shared with either an
affiliate, or a nonaffiliated third party, or both.
(3) Gives the consumer an explanation of how the consumer may in
writing exercise his or her rights under this section.
(4) Notifies annually all of their customers of each customer's
right to opt-out of having his or her nonpublic information disclosed
or shared with an affiliate, or nonaffiliated third party.
(d) The written notice to a financial institution by a consumer
directing the financial institution not to disclose or share the
consumer's nonpublic personal information with an affiliate, or a
nonaffiliated third party, or both, may be through a form
incorporating a simple checkoff system. The form shall have a first
part that lists each category of nonpublic personal information that
the consumer chooses not to be disclosed or shared. Categories of
nonpublic personal information include, but are not limited to, name,
address, telephone number, gender, marital status, and the financial
products or services requested or obtained. The form shall have a
second part that lists each class of persons or entities the consumer
chooses not to have receive the categories of nonpublic personal
information that the consumer specified in the first part. The
checkoff system may contain small checkoff boxes next to each of the
listed categories in the first part and each of the class of persons
and entities listed in the second part.
(e) Any disclosure or exercising of rights under this article
required to be in writing may also be provided by electronic mail or
other electronic means.
(f) All written material provided by a financial institution to a
consumer pursuant to this division shall be in an easy to read format
and shall use at least 10-point type.
(g) No financial institution may refuse or limit a consumer's
access to a financial product or service for having chosen the
option of not disclosing or sharing any of their nonpublic personal
information.
(h) A consumer who terminates his or her business relationship
with a financial institution shall be deemed to have withdrawn any
consent to disclose nonpublic personal information that may
previously have been granted to the financial institution by the
consumer.
24017. The Department of Financial Institutions shall adopt
regulations to implement this chapter for all financial institutions.
24018. (a) A financial institution shall not disclose an account
number or similar form of access number or access code for a credit
card account, deposit account, or transaction account of a consumer
to any affiliate or any nonaffiliated third party for use in
telemarketing, direct mail marketing, or other marketing through
electronic mail or other electronic means to the consumer.
(b) An affiliate or a nonaffiliated third party that receives from
a financial institution nonpublic personal information pursuant to
this chapter shall not, directly or through an affiliate of the
receiving party, disclose the information to any other person or
entity unless the financial institution would be permitted to
disclose the information directly to that other person or entity.
24019. The disclosure by a financial institution of nonpublic
personal information when a consumer has chosen the option pursuant
to Section 24016 of not disclosing or sharing his or her nonpublic
personal information is permitted if disclosure is necessary to
do any of the following:
(a) Effect, administer, or enforce a transaction requested or
authorized by the consumer in connection with any of the following
activities:
(1) Service or process a financial product or service requested or
authorized by the consumer.
(2) Maintain or service the consumer's account with the financial
institution.
(3) Securitization, whether proposed or actual, secondary market
sales, including sales of service rights, or similar transactions
related to a transaction of the consumer.
(b) Protect the confidentiality or security of the financial
institution's records pertaining to the consumer, the service or
product, or the transaction therein.
(c) Protect the consumer against actual or potential fraud,
unauthorized transactions, claims, or other liability.
(d) Provide for institutional risk control.
(e) Resolve consumer disputes or inquiries.
(f) Provide information to a person holding a legal or beneficial
interest relating to the consumer.
(g) Provide information to a person acting in a fiduciary or
representative capacity on behalf of the consumer.
(h) Provide information to insurance rate advisory organizations,
guaranty funds or agencies, applicable rating agencies of the
financial institution, and the institution's attorneys, accountants,
and auditors.
(i) Provide information to law enforcement agencies to the extent
specifically permitted or required under state or federal law.
(j) Report to a consumer reporting agency in accordance with the
federal Fair Credit Reporting Act.
(k) In connection with a proposed or actual sale, merger,
transfer, or exchange of all or a portion of a business or operating
unit if the disclosure of nonpublic personal information concerns
solely consumers of the business or operating unit.
(l) Comply with a properly authorized civil, criminal, or
regulatory investigation, subpoena, or summons by federal, state, or
local authorities, or to respond to judicial process or government
regulatory authorities having jurisdiction over the financial
institution.
Article 3. Enforcement
24025. The department shall enforce this division with respect to
state chartered and federally chartered financial institutions, as
consistent with federal law. In this regard, the department shall
have all of the enforcement powers available to the department with
respect to a financial institution as otherwise provided by this
code.
SEC. 2. This act shall become operative on July 1, 2001.