Memo # 15035

CALIFORNIA COUNTY PASSES PRIVACY ORDINANCE WITH OPT-IN REQUIREMENT

[15035]

August 13, 2002

TO: CALIFORNIA MEMBERS COMPLIANCE ADVISORY COMMITTEE No. 61-02 PRIVACY ISSUES WORKING GROUP No. 4-02 SEC RULES MEMBERS No. 63-02 SMALL FUNDS MEMBERS No. 29-02

RE: CALIFORNIA COUNTY PASSES PRIVACY ORDINANCE WITH OPT-IN REQUIREMENT

On August 6, 2002, the County of San Mateo, California passed a county ordinance to regulate the disclosure of confidential consumer information by financial institutions.[1] This ordinance, which applies to all financial institutions located and doing business in San Mateo County,[2] is scheduled to take effect January 1, 2003. This ordinance is briefly summarized below.[3]

NOTICE AND OPT-IN REQUIREMENT IMPOSED

As adopted, Section 5.140.030 of the ordinance prohibits a financial institution from disclosing or sharing a consumer’s confidential consumer information[4] with any nonaffiliated third party or affiliate[5] unless the financial institution has provided written notice to the consumer and obtained a consent acknowledgment signed by the consumer that authorizes the disclosure. Notice is not required if the financial institution does not disclose confidential information to any nonaffiliated third party or to any affiliate or if the disclosure is permitted pursuant to the exemptions set forth in the ordinance, which are discussed below. It should be noted that under the ordinance, unlike under Reg. S-P, (1) a notice is only required if consent (i.e., an opt-in) is also required and (2) there is no annual notice requirement. The ordinance does not prohibit a financial institution from marketing its own products and services or the products and services of others to the financial institution’s own customers provided no confidential consumer information is disclosed in violation of the ordinance.

In the event a notice is required by the ordinance, Section 5.140.040 requires that it be a separate written document that is easily identifiable and distinguishable from other documents that otherwise may be provided to the consumer. A notice to a member of the household is considered notice to all members of the household, unless the household contains other individuals who maintain a separate account with the financial institution. The contents of the notice are set forth in Section 5.140.040(c) and include, not only the specific types of information that are disclosed and to whom, but also “the specific proposed types of uses for the information.”

EXEMPT DISCLOSURES

Section 5.140.050 exempts certain disclosures from the notice and consent provisions. These exemptions include information that is not personally identifiable to a particular person as well as information that is shared under specified circumstances. These circumstances include sharing information as “necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with servicing or processing a financial product or service requested or authorized by the consumer, or in connection with maintaining or servicing the consumer’s account with the financial institution . . ..”[6]

Other exemptions in the ordinance, which are similar to those in Reg. S-P, include releasing the information: to protect the confidentiality or security of the financial institution’s records; to protect against or prevent actual or potential fraud, identity theft, unauthorized transactions, claims or other liability; as permitted by law, including to law enforcement agencies or federal functional regulators; in connection with a proposed or actual sale, merger, transfer, or exchange of a business or operating unit; and, to comply with any federal, state, or local laws, rules or other applicable legal requirements, including pursuant to a subpoena.

In addition, the information may be disclosed to a nonaffiliated third party in order for the nonaffiliated third party to perform services for or functions on behalf of the financial institution in connection with the financial institution’s products and services provided that: (1) the services to be performed by the nonaffiliated third party would be lawful if performed by the financial institution; (2) there is a written contract between the nonaffiliated third party and the financial institution that prohibits the nonaffiliated third party from disclosing or using the confidential consumer information other than to carry out the purpose for which the financial institution disclosed the information; and (3) the information provided to the nonaffiliated third party is limited to that which is reasonably necessary for the third party to perform the services contracted for on behalf of the financial institution.

ADMINISTRATIVE FINES

Section 5.140.070 sets forth a schedule of administrative fines that may be imposed on any financial institution that discloses confidential consumer information in violation of the ordinance. These fines range from a maximum of $1500 per violation for a negligent disclosure to a maximum of $25,000 per violation for a knowing and willful disclosure. If, however, the knowing and willful violation is for the financial institution’s financial gain, the fine may be as high as $250,000 per violation and the financial institution may also be required to disgorge any proceeds or other consideration obtained from the violation.

* * * *

Tamara K. Reed
Associate Counsel

[1] Similar (but not identical) ordinances have been introduced by the Boards of Supervisors in Daly City and San Francisco, California. The Daly City ordinance is expected to pass this month; hearings on the San Francisco ordinance are not expected to be held until sometime in September.

[2] The definition of “financial institution” in Section 5.140.020(c) of the ordinance is consistent with the definition of this term in Title V, Section 509(3) of the Gramm-Leach-Bliley Act. As such, it includes entities, such as investment companies, that are subject to Regulation S-P.

[3] A copy of the ordinance may be obtained through the website for San Mateo County (www.co.sanmateo.ca.us) as follows. After reaching the home page for the county’s website, click onto “Board of Supervisors” in the left hand margin. On the next screen, click onto the entry for Supervisor Mike Nevin (the sponsor of the ordinance). On Supervisor Nevin’s page, scroll down to “NEW! Financial Information Privacy Ordinance.”

[4] The definition of “confidential consumer information” in Section 5.140.020(a) of the ordinance is substantially similar to the definition of “personally identifiable financial information” in Section 248.3(u) of Reg. S-P.

[5] The term “affiliate” as defined in Section 5.140-020(d) of the ordinance is substantially similar to the definition set forth in Section 248.3(a) of Reg. S-P. Note, however, that unlike Reg. S-P, the ordinance’s notice and consent provisions are triggered if the financial institution shares confidential consumer information with an affiliate unless the sharing is pursuant to an exemption in the ordinance.

[6] See Section 5.140.050(b)(1) and 5.140.020(h) of the ordinance. The provisions of this exemption are substantially similar to those in Section 248.14(b) of Reg. S-P.
