COURT ISSUES DECISION IN LAWSUIT CHALLENGING LEGALITY OF CALIFORNIA LOCAL GOVERNMENT PRIVACY ORDINANCES

[16383] July 30, 2003 TO: COMPLIANCE ADVISORY COMMITTEE No. 57-03 OPERATIONS MEMBERS No. 20-03 PRIMARY CONTACTS - MEMBER COMPLEX No. 60-03 PRIVACY ISSUES WORKING GROUP No. 2-03 SEC RULES MEMBERS No. 100-03 SMALL FUNDS MEMBERS No. 39-03 TECHNOLOGY ADVISORY COMMITTEE No. 8-03 RE: COURT ISSUES DECISION IN LAWSUIT CHALLENGING LEGALITY OF CALIFORNIA LOCAL GOVERNMENT PRIVACY ORDINANCES On July 29th, the U.S. District Court for the Northern District of California held that privacy ordinances enacted by local governments in California are preempted under the Fair Credit Reporting Act (FCRA), but only to the extent that they restrict the sharing of confidential consumer information between financial institutions and their affiliates.1 Accordingly, the court upheld the authority of the local governments to restrict the sharing of information between financial institutions and non-affiliated third parties. The genesis of this case and the court’s decision are briefly summarized below. Also discussed below is how this case may impact Institute members that conduct business in northern California. BACKGROUND As you may recall, last fall, the governing bodies of various units of local government in northern California began enacting local government ordinances that would prohibit financial institutions operating in these jurisdictions from disclosing or sharing confidential consumer information to affiliates or non-affiliated third parties without written notice to and a consent acknowledgment from the consumer.2 In other words, these ordinances would have required 1 See Bank of America et al. v. City of Daly City, California, Nos. C 02-4343 CW; C 02-4943 CW (ND CA July 29, 2003) (the “Opinion”). A copy of the Opinion is attached. 2 These ordinances have been enacted by Alameda County, Berkeley, Daly City, Contra Costa County, Marin County, San Francisco City and County, San Mateo County, Santa Cruz County, and Solano County. Though none of these ordinances is identical, they each largely track a bill that had been introduced in the California General Assembly for each of the past three legislative sessions (including the current session) that the sponsor has been unable to get enacted. It was thought that, if the local governments within her district enacted a version of this bill at the local level, financial institutions would pressure the General Assembly to pass a bill at the state level that, in part, preempted these local government initiatives. To date, however, the sponsor of the bill in the General Assembly has been unable to secure the votes necessary to have her bill enacted. 2 financial institutions within these jurisdictions to obtain a consumer’s “opt-in” to the sharing of such information. As such, these ordinances were more restrictive than the provisions of the Gramm-Leach-Bliley Act (the “GLB Act”) that permit the free sharing of information with affiliates, but impose an “opt-out” requirement on the sharing of information with non- affiliates. Subsequent to the passage of these ordinances, Bank of America and Wells Fargo were plaintiffs in a suit filed challenging the constitutionality of these ordinances under the Fair Credit Reporting Act (FCRA) and the National Bank Act (NBA).3 A hearing on this matter was held in May, and yesterday the court issued its decision. In particular, the court held as follows: The Court declares that the ordinances at issue are preempted under federal law to the extent that the ordinances restrict the sharing of confidential consumer information between financial institutions and their affiliates. The Court enjoins enforcement of the ordinances to this extent. The court upholds the ordinances’ restrictions on the sharing of information between financial institutions and non-affiliated third parties.4 THE PLAINTIFFS’ FCRA ARGUMENT The Plaintiffs argued that the authority of the local governments to enact laws regulating the sharing of information among affiliates is preempted by Section 1681t(b)(2) of FCRA.5 The Defendants responded that (1) because FCRA is a consumer protection statute regulating the consumer credit reporting industry, the term “information” as used in Section 1681t should be interpreted to refer only to consumer reports, and (2) the savings clause in the GLB Act “trumped” FCRA’s preemption provision.6 According to the court, this issue was one of first impression in the court’s circuit. With respect to the Defendants’ proposed construction of “information” as used in Section 1681t(b)(2) of FCRA, after considering the Congressional history of this provision, the court found the Defendants’ proposed construction inconsistent with other provisions in FCRA and rejected it. The court concluded that “‘information,’ as used in 1681t(b)(2), encompasses the confidential consumer information that is the subject of the ordinances.”7 On the issue of whether the savings clause of the GLB Act trumped the preemption language of FCRA Section 1681t(b)(2), the Defendants argued that to permit FCRA to trump the 3 The ordinances that were challenged in this suit were those enacted by Daly City and the counties of Contra Costa and San Mateo. 4 See Opinion at p. 2. 5 Section 1681t(b)(2) of FCRA [15 USC 1681t(b)(2)] provides in relevant part that “No requirement or prohibition may be imposed under the laws of any State . . . with respect to the exchange of information among persons affiliated by common ownership or common corporate control . . . .” 6 The “savings clause” the Defendants referred to was Section 6807(b) of the GLB Act that, generally speaking, preserves the authority of states to enact privacy laws that afford any person privacy protections greater than those provided under the GLB Act. 7 See Opinion at p. 13. 3 savings clause of the GLB Act would render the savings clause meaningless. The court, however, found otherwise: The GLB [Act] does not regulate information-sharing among affiliates. . .. Thus, there is no conflict between the GLB [Act] provision, and the FCRA provision. States and local governments are free to enact laws affording some protection to consumer privacy greater than that provided by federal law, but not with regard to the disclosure of information to affiliates.” 8 THE PLAINTIFFS’ OTHER CHALLENGES The Plaintiffs had also challenged the ordinances under provisions in the GLB Act relating to insurance marketing and sales and the NBA. In response to the insurance marketing and sales argument, the court found that, with respect to affiliate sharing, it need not consider Plaintiffs’ arguments based on the above holding relating to affiliate sharing. With respect to sharing consumer information with non-affiliates for insurance marketing and sales purposes, the court disagreed with the Plaintiffs’ argument and held that “the ordinances do not in any way limit insurance sales . . . The ordinances merely impose restrictions on the disclosure of consumer information.” With respect to the Plaintiffs’ arguments under the NBA, which were supported by an amicus brief filed by the U.S. Office of the Comptroller of the Currency, the court found that, “[h]aving concluded that the ordinances are preempted by the FCRA to the extent they restrict such affiliate disclosure, the Court need not consider Plaintiffs’ arguments regarding the NBA.”9 THE ISSUE OF SEVERABILTY The court next considered whether the provisions in the local government ordinances that the court found to be preempted by Federal law are severable from the remainder of the ordinances, such that the remainder of the ordinances would remain valid and enforceable. The court found that the ordinances could be severed by merely striking the words “any affiliate or” or similar provisions in these ordinances. With these words stricken, the court found that the ordinances “are complete in themselves, imposing an opt-in requirement for the disclosure of consumer information to non-affiliated third parties.”10 As such, “the remaining provisions of the ordinances, including those regarding disclosure to nonaffiliated third-parties, are not preempted.” THE PARTIES’ 60-DAY STAY Prior to the court’s ruling, the parties to this action had agreed to stay the effective dates of the local government ordinances for 60 days from the court’s ruling, and had asked the court to issue an order to this effect. Concurrently with the issuance of its decision in this matter, the court also issued the parties’ requested order. Accordingly, the effectiveness of the local government ordinances has been stayed until September 27th. 8 See Opinion at p. 16 (emphasis added). 9 See Opinion at p. 19. 10 See Opinion at p. 20. 4 IMPACT OF THE COURT’S RULING ON INSTITUTE MEMBERS Based upon the court’s ruling in this matter, financial institutions that are subject to these ordinances11 will be required to abide by their notice and opt-in provisions as they apply to the sharing of confidential consumer information with a non-affiliated third party. Importantly, however, these ordinances, as enacted, provide several exemptions from the notice and consent provisions. These exemptions include, for example, the sharing of information that is not personally identifiable to a particular person as well as sharing information as “necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with servicing or processing a financial product or service requested or authorized by the consumer, or in connection with maintaining or servicing the consumer’s account with the financial institution . . ..”12 Other exemptions in these ordinances, which are also similar to those in Reg. S-P, include releasing the information: to protect the confidentiality or security of the financial institution’s records; to protect against or prevent actual or potential fraud, identity theft, unauthorized transactions, claims or other liability; as permitted by law, including to law enforcement agencies or federal functional regulators; in connection with a proposed or actual sale, merger, transfer, or exchange of a business or operating unit; and, to comply with any federal, state, or local laws, rules or other applicable legal requirements, including pursuant to a subpoena. In addition, the information may be disclosed to a non-affiliated third party in order for the non-affiliated third party to perform services for or functions on behalf of the financial institution in connection with the financial institution’s products and services provided that: (1) the services to be performed by the nonaffiliated third party would be lawful if performed by the financial institution; (2) there is a written contract between the non-affiliated third party and the financial institution that prohibits the non-affiliated third party from disclosing or using the confidential consumer information other than to carry out the purpose for which the financial institution disclosed the information; and (3) the information provided to the non-affiliated third party is limited to that which is reasonably necessary for the third party to perform the services contracted for on behalf of the financial institution. Tamara K. Salmon Senior Associate Counsel Attachment (in .pdf format) Note: Not all recipients receive the attachment. To obtain a copy of the attachment, please visit our members website (http://members.ici.org) and search for memo 16383, or call the ICI Library at (202) 326-8304 and request the attachment for memo 16383. 11 Each of the ordinances is drafted differently, though they largely contain the same substantive provisions. Also, the applicability of these ordinances differs. For example, the ordinances passed by the Berkeley City Council, Contra Costa County, Daly City, and the County of San Mateo apply only to those financial institutions located and doing business in these jurisdictions. By contrast, the San Francisco ordinance applies to financial institutions doing business in the city and county of San Francisco. 12 These provisions are substantially similar to those in Section 248.14(b) of SEC Regulation S-P, which implements the requirements of the GLB Act for investment companies, investment advisers, and broker-dealers.