CALIFORNIA CITY PASSES PRIVACY ORDINANCE WITH OPT-IN REQUIREMENT; TWO NATIONAL BANKS FILE FEDERAL SUIT CHALLENGING THE ORDINANCE

[15174] September 13, 2002 TO: CALIFORNIA MEMBERS COMPLIANCE ADVISORY COMMITTEE No. 77-02 PRIVACY ISSUES WORKING GROUP No. 5-02 SEC RULES MEMBERS No. 77-02 SMALL FUNDS MEMBERS No. 36-02 RE: CALIFORNIA CITY PASSES PRIVACY ORDINANCE WITH OPT-IN REQUIREMENT; TWO NATIONAL BANKS FILE FEDERAL SUIT CHALLENGING THE ORDINANCE As we previously informed you, on August 6, 2002, the County of San Mateo, California passed a county ordinance to regulate the disclosure of confidential consumer information by financial institutions located and doing business in unincorporated San Mateo County.1 On September 9, 2002, the City of Daly City, California became the first city in the United States to adopt an ordinance regulating the information sharing practices of financial institutions. While the two ordinances are not identical,2 like the San Mateo ordinance, the Daly City ordinance only applies to financial institutions “located . . . and doing business” in the City of Daly City. (Emphasis added.) This ordinance, which is scheduled to take effect January 1, 2003, is briefly summarized below. Also summarized below is a lawsuit filed by two national banks on September 10th challenging the validity of both of these ordinances. A copy of the Daly City ordinance and the complaint filed in the lawsuit are attached. I. SUMMARY OF THE DALY CITY ORDINANCE A. Notice and Opt-In Requirements As adopted, Section 5.92.020 of the ordinance prohibits a financial institution from disclosing or sharing confidential consumer information with “any third party, including an affiliate or agent of that financial institution, or a subsidiary” (emphasis added) unless the financial institution has provided written notice to the consumer as required by the ordinance 1 See Memorandum No. 15035, dated August 13, 2002. 2 Each of these ordinances is patterned after “opt-in” legislation introduced in 2001 by State Senator Jackie Speier (Senate Bill 773). Senator Speier’s legislation was originally defeated by the California Legislature in 2001 and again when it was reconsidered by the legislature in 2002. The Institute understands that, in light of her inability to get opt- in legislation enacted at the state level, Senator Speier has encouraged the cities and counties in her legislative district to enact provisions similar to those in SB 773, hence the recent actions by San Mateo County and Daly City. 2 and obtained “a written or electronic consent acknowledgment from the consumer” authorizing the sharing of the information. It should be noted that, unlike the San Mateo ordinance, the Daly City ordinance requires a financial institution “that proposes to disclose or share a consumer’s information [to] provide a written notice to the consumer” – regardless of any exemption the financial institution may have from the consent requirements. See Section 5.92.030. As provided in the ordinance, the written notice must describe: (1) the specific types of information that would be disclosed or shared, (2) the general circumstances under which the information would be disclosed or shared, (3) the specific types of persons or businesses that would receive the information, and (4) the specific proposed types of uses for the information. Such notice shall be a separate document that is “easily identifiable and distinguishable from other documents that otherwise may be provided to a consumer.” A notice provided to one member of a household shall be considered notice to all members of the household unless the household contains another individual who also has a separate account with the financial institution. Note that the ordinance only requires this one-time notice and does not impose an annual notice requirement. As with the San Mateo ordinance, the Daly City ordinance does not prohibit a financial institution from marketing its own products and services, or the products and services of others through the financial institution’s mailings or other communications with its customers, provided that no confidential consumer information is disclosed except as permitted under an exemption. See Section 5.92.020(d). B. Exempt Disclosures The exemptions provided in Section 5.92.040 are substantively identical to those in the San Mateo ordinance, and they largely track those in the Gramm-Leach-Bliley Act.3 As mentioned above, however, these exemptions apply only to the release of confidential consumer information. As such, a financial institution that shares information pursuant to an exemption must still provide written notice to the consumer as discussed above. 3 These exemptions include sharing information as “necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with servicing or processing a financial product or service requested or authorized by the consumer, or in connection with maintaining or servicing the consumer’s account with the financial institution . . ..” See Section 5.92.040 (1). Other exemptions include releasing the information: to protect the confidentiality or security of the financial institution’s records; to protect against or prevent actual or potential fraud, identity theft, unauthorized transactions, claims or other liability; as permitted by law, including to law enforcement agencies or federal functional regulators; in connection with a proposed or actual sale, merger, transfer, or exchange of a business or operating unit; and, to a nonaffiliated third party in order for the nonaffiliated third party to perform services for or functions on behalf of the financial institution in connection with the financial institution’s products and services provided that: (1) the services to be performed by the nonaffiliated third party would be lawful if performed by the financial institution; (2) there is a written contract between the nonaffiliated third party and the financial institution that prohibits the nonaffiliated third party from disclosing or using the confidential consumer information other than to carry out the purpose for which the financial institution disclosed the information; and (3) the information provided to the nonaffiliated third party is limited to that which is reasonably necessary for the third party to perform the services. 3 C. Administrative Penalties and Civil Remedies The Daly City ordinance provides for both civil and administrative remedies in the event of a violation.4 With respect to civil remedies, the ordinance authorizes any consumer to bring an action at law against any financial institution located in Daly City that violates the ordinance for either or both nominal damages of $100 or the amount of actual damages, if any. As regards the nominal damages provision, the ordinance provides that, to recover such damages, “it shall not be necessary that the plaintiff suffered or was threatened with actual damages.” The ordinance also authorizes an administrative fine not to exceed $500 per violation, irrespective of the amount of damages suffered by consumers as a result of the violation. II. TWO NATIONAL BANKS FILE SUIT CHALLENGING THE LOCAL GOVERNMENT ORDINANCES Upon the passage of the Daly City ordinance, two national banks filed suit in the U.S. District Court for the Northern District of California challenging the validity of both the Daly City and the San Mateo County ordinances.5 In addition to seeking preliminary and permanent injunctions, this complaint seeks that the ordinances be declared null and void and unenforceable with respect to national banks and persons covered by the Fair Credit Reporting Act (FCRA) based upon the following grounds: • Violation of provisions in FCRA that permit the sharing of information among affiliates; • Violation of the National Bank Act, which gives the Office of the Comptroller of the Currency exclusive jurisdiction to regulate national banks; • Violation of provisions in the Gramm-Leach-Bliley Act relating to sale of insurance by depository institutions; and • Violation of Article I, Section 8 of the Federal Constitution, which prohibits a state or municipality from regulating interstate commerce that occurs wholly outside of their borders. The defendants in this action have twenty days from the date of service within which to respond to the allegations. * * * * Tamara K. Reed Associate Counsel Attachment (in .pdf format) Note: Not all recipients receive the attachments. To obtain copies of the attachments, please visit our members website (http://members.ici.org) and search for memo 15174, or call the ICI Library at (202) 326-8304 and request the attachments for memo 15174. 4 By contrast, the San Mateo ordinance only provides for administrative penalties. 5 See Bank of America, et al. v. City of Daly City, California, et al., No. C 02-4343 (ND Cal. filed Sept. 10, 2002).