<http://www.forbes.com/2004/08/11/cz_ae_0811beltway_print.html> Forbes Business In The Beltway Privacy Showdown Ashlea Ebeling, 08.11.04, 6:00 AM ET The American Bankers Association, the Financial Services Roundtable and the Consumer Bankers Association have gone to the Ninth Circuit Court of Appeals to try to stop a California law that restricts how they can use customer information. The outcome of their appeal, filed Aug. 2, will decide the fate of the strictest state privacy law on the books, and the crucial issue of whether federal law preempts such state laws. Members of the three trade associations, such as Citigroup (nyse: C - news - people ), Bank of America (nyse: BAC - news - people ), Wells Fargo (nyse: WFC - news - people ) and Merrill Lynch (nyse: MER - news - people ), share customer information among their affiliates. Under the California Financial Information Privacy Act, commonly called SB1 after its bill number, they would have to either stop sharing among affiliates that are not in the same line of business (for example, a bank affiliate couldn't share with an insurance affiliate), or submit to the law's opt-out requirement. Under that rule, customers have the right to block, or opt-out, of the sharing of their information among affiliates. (A separate provision of the law requiring banks to get permission from customers before their information can be shared with third party companies is not under attack.) The bankers argue that the affiliate sharing restrictions are plainly preempted by the federal Fair Credit Reporting Act. But on June 30, Judge Morrison C. England Jr. of the U.S. District Court in Sacramento ruled that the FCRA, whose overriding purpose is to regulate the use and dissemination of consumer reports, does not preempt SB1. Instead, the judge said, the Gramm-Leach-Bliley Act, which sets forth basic privacy protections in non-credit reporting situations, is the relevant federal law and it does allow states to enact more stringent privacy controls. The California privacy law went into effect one day later on July 1. Financial institutions doing business in California now face penalties of up to $500,000 for negligent disclosure of nonpublic personal information, with no cap on what they can be fined for knowing and willful violations. Both state regulators and individual consumers can bring suit over alleged violations. On appeal, the industry groups argue that the district court incorrectly relied on the Gramm-Leach-Bliley Act, and that the FCRA, and 2003 amendments to it, expressly preempt SB1's affiliate sharing requirements. The state's reply brief is due September 1. "We think the district court got it right," says Susan Henrichsen, a California supervising deputy attorney general who is working on the case. Privacy advocates, including the Consumer Federation of California, Consumers Union and the Privacy Rights Clearinghouse, hope she's right. They spent years pushing for the law. California financial privacy legislation was introduced in 2000 and 2001, but died as industry lobbyists, and then-Gov. Gray Davis, worked to assure its defeat. California state Sen. Jackie Speier (D-San Francisco/San Mateo) introduced SB1 in December 2002. The industry groups spent $20 million trying to stop SB1, but eventually gave in, in light of an even graver threat. That threat came from a group called Californians for Privacy Now, organized and funded by E-Loan (nasdaq: EELN - news - people ) Chairman and Chief Executive Christian Larsen. It gathered 600,000 signatures for a ballot initiative that would have offered voters a chance to adopt even stricter privacy rules. For example, the initiative would have required companies to get permission before selling or sharing customer information, even among their own affiliates. With the passage of SB1, the group dropped its initiative drive. Gov. Davis too switched sides, and signed SB1 into law in August 2003. But industry groups apparently had other plans of attack to invalidate the affiliate sharing provisions of SB1: First, lobbying Congress to amend the FCRA, and second, suing in federal court. The fall 2003 amendments to the FCRA include a provision that broadens the law's preemptive scope--the bankers say this means the FCRA now preempts SB1. For now their battle is in the courts, but Congress may well be dragged into the privacy fight again. -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'