http://www.forbes.com/2004/08/11/cz_ae_0811beltway_print.html
Forbes
Business In The Beltway
Privacy Showdown
Ashlea Ebeling, 08.11.04, 6:00 AM ET
The American Bankers Association, the Financial Services Roundtable and the
Consumer Bankers Association have gone to the Ninth Circuit Court of
Appeals to try to stop a California law that restricts how they can use
customer information.
The outcome of their appeal, filed Aug. 2, will decide the fate of the
strictest state privacy law on the books, and the crucial issue of whether
federal law preempts such state laws.
Members of the three trade associations, such as Citigroup (nyse: C -
news - people ), Bank of America (nyse: BAC - news - people ),
Wells Fargo (nyse: WFC - news - people ) and Merrill Lynch (nyse: MER
- news - people ), share customer information among their affiliates.
Under the California Financial Information Privacy Act, commonly called SB1
after its bill number, they would have to either stop sharing among
affiliates that are not in the same line of business (for example, a bank
affiliate couldn't share with an insurance affiliate), or submit to the
law's opt-out requirement. Under that rule, customers have the right to
block, or opt-out, of the sharing of their information among affiliates. (A
separate provision of the law requiring banks to get permission from
customers before their information can be shared with third party companies
is not under attack.)
The bankers argue that the affiliate sharing restrictions are plainly
preempted by the federal Fair Credit Reporting Act. But on June 30, Judge
Morrison C. England Jr. of the U.S. District Court in Sacramento ruled that
the FCRA, whose overriding purpose is to regulate the use and dissemination
of consumer reports, does not preempt SB1. Instead, the judge said, the
Gramm-Leach-Bliley Act, which sets forth basic privacy protections in
non-credit reporting situations, is the relevant federal law and it does
allow states to enact more stringent privacy controls.
The California privacy law went into effect one day later on July 1.
Financial institutions doing business in California now face penalties of
up to $500,000 for negligent disclosure of nonpublic personal information,
with no cap on what they can be fined for knowing and willful violations.
Both state regulators and individual consumers can bring suit over alleged
violations.
On appeal, the industry groups argue that the district court incorrectly
relied on the Gramm-Leach-Bliley Act, and that the FCRA, and 2003
amendments to it, expressly preempt SB1's affiliate sharing requirements.
The state's reply brief is due September 1. "We think the district court
got it right," says Susan Henrichsen, a California supervising deputy
attorney general who is working on the case.
Privacy advocates, including the Consumer Federation of California,
Consumers Union and the Privacy Rights Clearinghouse, hope she's right.
They spent years pushing for the law. California financial privacy
legislation was introduced in 2000 and 2001, but died as industry
lobbyists, and then-Gov. Gray Davis, worked to assure its defeat.
California state Sen. Jackie Speier (D-San Francisco/San Mateo) introduced
SB1 in December 2002. The industry groups spent $20 million trying to stop
SB1, but eventually gave in, in light of an even graver threat.
That threat came from a group called Californians for Privacy Now,
organized and funded by E-Loan (nasdaq: EELN - news - people )
Chairman and Chief Executive Christian Larsen. It gathered 600,000
signatures for a ballot initiative that would have offered voters a chance
to adopt even stricter privacy rules. For example, the initiative would
have required companies to get permission before selling or sharing
customer information, even among their own affiliates. With the passage of
SB1, the group dropped its initiative drive.
Gov. Davis too switched sides, and signed SB1 into law in August 2003. But
industry groups apparently had other plans of attack to invalidate the
affiliate sharing provisions of SB1: First, lobbying Congress to amend the
FCRA, and second, suing in federal court. The fall 2003 amendments to the
FCRA include a provision that broadens the law's preemptive scope--the
bankers say this means the FCRA now preempts SB1. For now their battle is
in the courts, but Congress may well be dragged into the privacy fight
again.
--
-----------------
R. A. Hettinga