U.S. DISTRICT COURT FINDS CALIFORNIA PRIVACY LAW NOT PREEMPTED BY FCRA
On June 30, 2004, the U.S. District Court for the Eastern District of California held that the California Financial Information Privacy Act, Cal. Fin. Code §§ 4050 et seq., enacted by 2003 Cal. S.B. 1 (effective July 1, 2004)(FIPA), is not preempted by the federal Fair Credit Reporting Act(FCRA).
The FIPA applies to “financial institutions,” defined to include any institution (i) the business of which is engaging in financial activities as described in Section 1843(k) of Title 12 of the United States Code and (ii) doing business in California. Cal. Fin. Code § 4052(c). The first part of this definition is identical to the definition of “financial institution” in the federal Gramm-Leach-Bliley Act (GLBA). See 15 U.S.C. § 6809(3)(A).
The stated intent of the FIPA is to provide greater privacy protections than the GLBA by, among other things, (i) requiring that financial institutions that want to share nonpublic personal information with third parties and unrelated companies seek and acquire the affirmative consent of California consumers prior to sharing the information and (ii) providing consumers with the ability to prevent the sharing of financial information among affiliated companies through a simple opt-out mechanism via a clear and understandable notice provided to the consumer. See Cal. Fin. Code §§ 4051(b), 4051.5(b)(2), (3). In short, the California law requires “opt in” for sharing with nonaffiliates (whereas the GLBA requires “opt out” for sharing with nonaffiliates) and “opt out” for sharing with affiliates (whereas the GLBA does not restrict sharing with affiliates). See id §§ 4052.5, 4053(b).
Three trade groups (the American Bankers Association, the Financial Services Roundtable and the Consumer Bankers Association) filed suit in April 2004 alleging that the FIPA is preempted in part by the FCRA, which provides that no requirement or prohibition may be imposed under the laws of any state with respect to the exchange of information among affiliates. See 15 U.S.C. § 1681t(b)(2).
The District Court rejected the plaintiff’s arguments, concluding that (i) the FCRA was not intended to regulate the simple sharing of information between affiliates, (ii) the only reasonable reading of the FCRA preemption provision is that it prevents states from enacting laws that prohibit or restrict the sharing of consumer reports among affiliates and (iii) the FCRA preemption provision does not broadly preempt all state laws regulating information sharing by affiliates. In addition, the court looked to the GLBA and found that the GLBA savings clause preserving states’ ability to enact laws providing greater protection against dissemination of financial information than the GLBA weighed heavily against preemption by the FCRA. Accordingly, the court granted summary judgment for the defendants, who included Attorney General Bill Lockyer, Commissioner of the Department of Financial Institutions Howard Gould, Commissioner of the Department of Corporations William P. Wood and Commissioner of the Department of Insurance John Garamendi.
The FIPA impacts financial institutions’ communications with California consumers regarding information sharing. If you would like a copy of the court’s June 30th opinion and/or the FIPA, do not hesitate to contact us.