New state privacy law threatened;

Published on

Federal law could block bills protecting financial information

The San Francisco Chronicle

WASHINGTON — When Gov. Gray Davis signed California’s trailblazing financial privacy law on Wednesday, the battle immediately moved to Washington, where pending legislation in Congress could gut some of the new law’s key protections.

At issue is a provision in federal law that pre-empts states from enacting laws like the new California measure, which restricts the sharing of customer information among affiliates of a financial institution. The federal ban is due to expire Jan. 1, but a bill that cleared the House Financial Services Committee in July would make the pre-emption permanent.

The issue, part of a wider debate over renewing the federal Fair Credit Reporting Act and cracking down on identity theft, is expected to be a hot topic when Congress returns from its August recess after Labor Day.

Lawmakers and consumer advocates gathered on the floor of the Pacific Stock Exchange Wednesday amid a crowd of reporters and financial traders to watch Davis sign the California Financial Information Privacy Act into law after a four-year legislative battle.

State Sen. Jackie Speier, D-Hillsborough, the bill’s main sponsor, facetiously suggested that people in the crowd turn to their neighbor and share information about their salary, bank balance and debts. Amid laughter, she turned serious.

“Californians are sick and tired of having their financial information traded and sold like stocks and bonds,” she said.

Sen. Barbara Boxer, D-Calif., vowed to carry the fight forward to the federal level. “In Washington the special interests really rule the day,” she said. “They don’t like what Jackie Speier and her colleagues are doing to fight for the consumer.”

Boxer and the state’s other Democratic senator, Dianne Feinstein, will play a key role in the congressional debate over the pre-emption provision, and Speier plans to lobby in Washington. Boxer sent letters Wednesday to the Senate Banking Committee’s chairman, Richard Shelby, R-Ala., and ranking Democrat, Paul Sarbanes of Maryland, urging them not to pass a bill that would pre-empt California’s new law.

“At the least, you should include a provision to ensure that California’s law is not pre-empted by federal action so that this widely supported and popular legislation can be fully implemented,” she wrote.

And Feinstein said the enactment of California’s law should alert banking interests to change their position. “This new legislation should serve as a wake-up call to banks and financial institutions that we need privacy and identity theft protection on a national level,” said Feinstein, who has proposed her own legislation to crack down on ID theft.

It’s too early to tell whether the two Californians would block Senate action on the credit reporting bill if it contains anything like the House version’s continuation of the pre-emption.

The senators were weighing in on an issue that already has drawn furious lobbying from both sides, in Sacramento and now in Washington. It wasn’t until privacy advocates in California began collecting signatures for a ballot initiative that a compromise measure sailed through the Legislature this month, by a 78-1 vote in the Assembly and 33-6 in the Senate.


On one side of the debate are the same forces that fought against California’s law. Banks, credit unions and other financial institutions say a single national standard for sharing consumers’ financial information is needed.

On the other side are consumer groups who say the hard-won California law represents a revolution in consumer privacy.

The banks warn that a 50-state patchwork will raise costs to consumers, create inconveniences in applying for loans or credit cards and hinder the operation of national markets for things like mortgages. So far, the Bush administration has sided with the bankers.

The pre-emption provision was written into law seven years ago when the credit reporting law was enacted; it contained a sunset clause under which it will expire in January. The aim of the provision, the American Bankers Association says, was to see how a voluntary national credit reporting system would evolve.

“The available evidence — economic and otherwise — demonstrated that the voluntary national credit reporting system . . . has generated extraordinary benefits for individual consumers and the nation as a whole,” the association said in a recent position paper.

“We will continue to push for a national standard and for not allowing any of the pre-emption standards to expire,” said Fritz Elmendorf of the Consumer Bankers Association. “We’re not shifting our strategy.”


The House bill, which was passed by the Financial Services Committee on a 61-3 vote, is expected to come up for a full House vote in mid-September, Elmendorf said.

That shifts the focus to the Senate, specifically to Shelby, generally an advocate of strong privacy rights who so far hasn’t tipped his hand on the pre-emption issue.

Shelby could go along with the bankers and make the pre-emption of state action permanent, or he could drop the provision — allowing California to proceed with the July 1, 2004, start of the law — or he could “grandfather” in California’s provision as a one-time exception, as Speier has proposed.

He also could write legislation adopting California’s new rules on the release of information to a financial institution’s possibly far-flung network of affiliates in all kinds of businesses. But that’s thought to be a long shot.

“Ideally, there should be a strong national law,” said Jamie Court of Santa Monica’s Foundation for Taxpayer and Consumers Rights. “Consumers should have the right to say no to affiliate sharing,” he said in Washington.

Under the state law, consumers can tell their financial institutions not to share information with affiliated firms. This is a key right, Court said, as institutions become international Goliaths. Citigroup, for instance, has 1,700 affiliates that could get consumers’ data and bombard people with solicitations. Court warned that such widespread sharing of information raises the opportunity for identity theft, which is already the financial crime most commonly reported to the Federal Trade Commission.

The law’s provision allowing consumers to block the sale of their information to third parties isn’t affected by the Congress’ debate on pre-emption.

“If you can’t stop the sale of information between affiliates, you don’t have privacy in this country,” Court warned.

When it takes effect: July 1, 2004

How it works: The bill offers different levels of protection. Consumers can “opt out” of information sharing between various financial institutions. They “opt in” to information sharing with nonfinancial institution.

“Opt out.” Consumers will receive privacy notices from their banks, insurance companies, brokerages and other financial institutions. The notices, titled “Important Privacy Choices for Consumers,” may be included with bills or sent as separate mailings. In simple English and easily readable type, the one-page notices will tell consumers how to “opt out” of information sharing, either by mailing the notice back in a postage-paid envelope, calling a toll-free number, sending a toll-free fax, visiting a Web site or sending an e-mail. By choosing to opt out, consumers can prevent any personal and financial information, such as their account balances, loan amounts or spending profiles, from being shared with other financial institutions. If consumers do not respond to a notice, the banks and other financial institutions may share personal and financial information about them with other financial companies.

“Opt in.” If a bank or financial institution wants to share customer information with a nonfinancial institution, it must first ask consumers to “opt in,” or specifically approve the sharing. For example, before a bank could give a travel agency a list of customers who frequently charge airline and hotel expenses on their credit card, the bank will have to get permission from each of those customers by sending them opt-in notices. If a consumer does nothing, then the information cannot be shared.

Allowed sharing. One type of information sharing will still be allowed without consumer intervention: Financial institutions may share customer information with wholly owned subsidiaries that are in the same line of business, are overseen by the same government regulator and use the same brand name. For example, a bank will be allowed to share information about its customers with its credit card division.

Enforcement: Within 45 days after receiving opt-out notices from a customer, financial institutions must comply with that customer’s directions. If consumers think their information has been shared against their wishes, they should complain to the attorney general. Each violation will incur a penalty up to $2,500. The total for multiple violations cannot exceed $500,000.
E-mail Edward Epstein at [email protected]

Consumer Watchdog
Consumer Watchdog
Providing an effective voice for American consumers in an era when special interests dominate public discourse, government and politics. Non-partisan.

Latest Videos

Latest Releases

In The News

Latest Report

Support Consumer Watchdog

Subscribe to our newsletter

To be updated with all the latest news, press releases and special reports.

More Releases