Memo #17747

COURT UPHOLDS PROVISIONS OF CALIFORNIA PRIVACY LAW THAT TOOK EFFECT JULY 1ST, DECISION IS CONTRARY TO PREVIOUS COURT RULING

URGENT/ACTION REQUESTED

[17747]

July 2, 2004

TO:
COMPLIANCE ADVISORY COMMITTEE No. 69-04
OPERATIONS MEMBERS No. 26-04
PRIMARY CONTACTS - MEMBER COMPLEX No. 67-04
PRIVACY ISSUES WORKING GROUP No. 1-04
SEC RULES MEMBERS No. 98-04
SMALL FUNDS MEMBERS No. 77-04
TECHNOLOGY ADVISORY COMMITTEE No. 18-04

RE: COURT UPHOLDS PROVISIONS OF CALIFORNIA PRIVACY LAW THAT TOOK EFFECT JULY 1ST, DECISION IS CONTRARY TO PREVIOUS COURT RULING

On June 30th, the U.S. District Court for the Eastern District of California issued a decision holding that Federal law does not preempt all state laws regulating information sharing by affiliates, whatever the purpose or context.[1] As a result, effective July 1, 2004, all financial institutions are required to comply with all provisions of the California Financial Information Privacy Act (the “Act”), which was enacted in August 2003 and took effect July 1st.[2] The Institute strongly encourages each of its members with California investors to review the provisions of the Act that relate to the sharing of information with affiliates and to ensure their compliance with the totality of the Act as soon as practicable.

As discussed in more detail below, the court’s decision is directly contrary to a July 2003 decision by the U.S. District Court for the Northern District of California, which held that the provisions of the Act relating to the sharing of information with affiliates were preempted by federal law.[3] While the Eastern District court’s decision is expected to be appealed, we understand it is unlikely that the decision will be stayed during the appellate process, which is likely to take months.

Members should be especially mindful of the fact that the Act imposes on financial institutions privacy requirements that are more rigorous than those under federal law with respect to the financial institution’s disclosure of nonpublic personal information about California residents. Generally speaking, the Act prohibits a financial institution from disclosing a California consumer’s nonpublic personal information to: (1) a nonaffiliated third party unless the consumer has opted in to the sharing of such information; and (2) an affiliate unless the institution provides an annual notice as required by the Act to the consumer and offers the consumer the opportunity to opt out of the sharing. The Act provides several exceptions to these general prohibitions. The provisions in the Act governing the sharing of information with affiliates can be found in Sections 4053(b)(1) and (d) of the Act; the exceptions to these requirements can be found in Sections 4053(c) and 4056 of the Act. The Institute’s August 2003 Memorandum explains these and the other provisions of the Act in detail.

As mentioned above, the decision by the U.S. District Court for the Eastern District of California is directly contrary to a decision issued in July 2003 by the U.S. District Court for the Northern District of California that interpreted the same preemption language that was before the Eastern District Court. In particular, in an action challenging the legality of local government privacy ordinances under the preemptive language of the Fair Credit Reporting Act (“FCRA”), the Northern District court held that “States and local governments are free to enact laws affording some protection to consumer privacy greater than that provided by federal law, but not with respect to the disclosure of information to affiliates.” This ruling has been widely relied upon to hold invalid the provisions in the Act that attempted to regulate the sharing of nonpublic personal information among affiliates. Indeed, when Congress extended the preemptive provisions of FCRA beyond their original expiration date of January 1, 2004, it was over the objections of California’s senators who argued that extending the preemptive provision would render null and void the provisions in the Act that attempted to regulate the sharing of information among affiliates.

Notwithstanding the Senators’ arguments and the decision issued by the Northern District court, the Eastern District court has ruled that the revised FCRA does not preempt states from regulating the sharing of all information among affiliates. Instead, according to the Eastern District court’s decision, the FCRA only extends to the sharing of “consumer report” information as defined in the FCRA (i.e., that information collected by a consumer reporting agency that is used or collected in whole or in part as a factor in determining a consumer’s eligibility for credit, insurance, employment, or other specifically enumerated permissible purposes).

Tamara K. Salmon
Senior Associate Counsel

[1] See American Bankers Association et al. v. Bill Lockyer, in his official capacity as Attorney General of California, et al., No. CIV. S 04-0778 MCE KJM (ED CA June 30, 2004). A copy of the court’s opinion is available through the Office of the California Attorney General at: http://caag.state.ca.us/newsalerts/2004/04-069.pdf.

[2] See Institute Memorandum to Compliance Advisory Committee No. 67-03, Operations Members No. 25-03, Primary Contacts – Member Complex No. 68-03, Privacy Issues Working Group No. 3-03, SEC Rules Members No. 113-03, Small Funds Members No. 43-03, and Technology Advisory Committee No. 10-03 [No. 16477], dated August 28, 2003 (the “Institute’s August 2003 Memorandum”). As noted in the Institute’s Memorandum, a copy of the Act, which was enacted during the 2003-2004 Legislative Session as Senate Bill 1, may be found on the website of the California General Assembly at: http://www.assembly.ca.gov/acs/acsframeset2text.htm.

[3] See Bank of America et al. v. City of Daly City, California, Nos. C 02-4343 CW, C 02-4943 CW (ND CA July 29, 2003). See also Institute Memorandum to Compliance Advisory Committee No. 57-03, Operations Members No. 20-03, Primary Contacts – Member Complex No. 60-03, Privacy Issues Working Group No. 2-03, SEC Rules Members No. 100-03, Small Funds Members No. 39-03, and Technology Advisory Committee No. 8-03 [No. 16383], dated July 30, 2003, which summarized the court’s decision. A copy of the decision was attached to the memorandum.
