CALIFORNIA FINANCIAL INFORMATION PRIVACY ACT
(Financial Code Section 4050, et seq.)
Effective July 1, 2004, a financial institution may not share or sell a consumer’s “nonpublic personal information” without obtaining a consumer’s consent.
- What is a “financial institution”?
- What information is “nonpublic personal information”?
- When must a consumer’s consent be obtained?
- Do all disclosures of personal information require the consent of a consumer?
- What are the requirements to obtain the consent of a consumer to share information with an affiliate?
- What are the requirements to obtain the consent of a consumer to share information with nonaffiliated third parties?
The California Financial Information Privacy Act (“CFIPA”) defines “financial institution” as follows:
“Financial institution” means any institution the business of which is engaging in financial activities as described in Section 1843(k) of Title 12 of the United States Code and doing business in this state.
An institution that is not significantly engaged in financial activities is not a financial institution.
The term “financial institution” does not include any institution that is primarily engaged in providing hardware, software, or interactive services, provided that it does not act as a debt collector, as defined in 15 U.S.C. Sec. 1692a, or engage in activities for which the institution is required to acquire a charter, license, or registration from a state or federal governmental banking, insurance, or securities agency.
The term “financial institution” does not include the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. Sec. 2001 et seq.), provided that the entity does not sell or transfer nonpublic personal information to an affiliate or a nonaffiliated third party.
The term “financial institution” does not include institutions chartered by Congress specifically to engage in a proposed or actual securitization, secondary market sale, including sales of servicing rights, or similar transactions related to a transaction of the consumer, as long as those institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.
The term “financial institution” does not include any provider of professional services, or any wholly owned affiliate thereof, that is prohibited by rules of professional ethics and applicable law from voluntarily disclosing confidential client information without the consent of the client.
The term “financial institution” does not include any person licensed as a dealer under Article 1 (commencing with Section 11700) of Chapter 4 of Division 5 of the Vehicle Code that enters into contracts for the installment sale or lease of motor vehicles pursuant to the requirements of Chapter 2B (commencing with Section 2981) or 2D (commencing with Section 2985.7) of Title 14 of Part 4 of Division 3 of the Civil Code and assigns substantially all of those contracts to financial institutions within 30 days.
The CFIPA defines “nonpublic personal information” as follows:
“Nonpublic personal information” means personally identifiable financial information
- provided by a consumer to a financial institution,
- resulting from any transaction with the consumer or any service performed for the consumer, or
- otherwise obtained by the financial institution.
Nonpublic personal information does not include publicly available information that the financial institution has a reasonable basis to believe is lawfully made available to the general public from
- federal, state, or local government records,
- widely distributed media, or
- disclosures to the general public that are required to be made by federal, state, or local law.
Nonpublic personal information shall include any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived using any nonpublic personal information other than publicly available information, but shall not include any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived without using any nonpublic personal information.
“Personally identifiable financial information” means information
- that a consumer provides to a financial institution to obtain a product or service from the financial institution,
- about a consumer resulting from any transaction involving a product or service between the financial institution and a consumer, or
- that the financial institution otherwise obtains about a consumer in connection with providing a product or service to that consumer.
Any personally identifiable information is financial if it was obtained by a financial institution in connection with providing a financial product or service to a consumer. Personally identifiable financial information includes all of the following:
- Information a consumer provides to a financial institution on an application to obtain a loan, credit card, or other financial product or service.
- Account balance information, payment history, overdraft history, and credit or debit card purchase information.
- The fact that an individual is or has been a consumer of a financial institution or has obtained a financial product or service from a financial institution.
- Any information about a financial institution’s consumer if it is disclosed in a manner that indicates that the individual is or has been the financial institution’s consumer.
- Any information that a consumer provides to a financial institution or that a financial institution or its agent otherwise obtains in connection with collecting on a loan or servicing a loan.
- Any personally identifiable financial information collected through an Internet cookie or an information collecting device from a Web server.
- Information from a consumer report.
The CFIPA requires a financial institution to obtain a consumer’s written consent prior to sharing a consumer’s information with a nonaffiliated third party.
A financial institution shall not disclose to, or share a consumer’s nonpublic personal information with, any nonaffiliated third party […] unless the financial institution has obtained a consent acknowledgment from the consumer that complies with [this section] that authorizes the financial institution to disclose or share the nonpublic personal information. Fin. Code Sec. 4053(a)(1)
Before a financial institution shares a consumer’s information with an affiliate, the CFIPA requires it to give the consumer the opportunity to “opt out” of that sharing.
A financial institution shall not disclose to, or share a consumer’s nonpublic personal information with, an affiliate unless the financial institution has clearly and conspicuously notified the consumer annually in writing [as provided in this section] that the nonpublic personal information may be disclosed to an affiliate of the financial institution and the consumer has not directed that the nonpublic personal information not be disclosed. Fin. Code Sec. 4053
The CFIPA contains a list of transactions and disclosures that do not require the consent of the consumer.
- The nonpublic personal information is necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with servicing or processing a financial product or service requested or authorized by the consumer, or in connection with maintaining or servicing the consumer’s account with the financial institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of that entity, or in connection with a proposed or actual securitization or secondary market sale, including sales of servicing rights, or similar transactions related to a transaction of the consumer.
- The nonpublic personal information is released with the consent of or at the direction of the consumer.
- The nonpublic personal information is:
  - Released to protect the confidentiality or security of the financial institution’s records pertaining to the consumer, the service or product, or the transaction therein.
  - Released to protect against or prevent actual or potential fraud, identity theft, unauthorized transactions, claims, or other liability.
  - Released for required institutional risk control, or for resolving customer disputes or inquiries.
  - Released to persons holding a legal or beneficial interest relating to the consumer, including for purposes of debt collection.
  - Released to persons acting in a fiduciary or representative capacity on behalf of the consumer.
- The nonpublic personal information is released to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, persons assessing the institution’s compliance with industry standards, and the institution’s attorneys, accountants, and auditors.
- The nonpublic personal information is released to the extent specifically required or specifically permitted under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. Sec. 3401 et seq.), to law enforcement agencies, including a federal functional regulator, the Secretary of the Treasury with respect to subchapter II of Chapter 53 of Title 31, and Chapter 2 of Title I of Public Law 91-508 (12 U.S.C. Secs. 1951-1959), the California Department of Insurance or other state insurance regulators, or the Federal Trade Commission, and self-regulatory organizations, or for an investigation on a matter related to public safety.
- The nonpublic personal information is released in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of the business or unit.
- The nonpublic personal information is released to comply with federal, state, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, administrative, or regulatory investigation or subpoena or summons by federal, state, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.
- When a financial institution is reporting a known or suspected instance of elder or dependent adult financial abuse or is cooperating with a local adult protective services agency investigation of known or suspected elder or dependent adult financial abuse pursuant to Article 3 (commencing with Section 15630) of Chapter 11 of Part 3 of Division 9 of the Welfare and Institutions Code.
- The nonpublic personal information is released to an affiliate or a nonaffiliated third party in order for the affiliate or nonaffiliated third party to perform business or professional services, such as printing, mailing services, data processing or analysis, or customer surveys, on behalf of the financial institution, provided that all of the following requirements are met:
  - The services to be performed by the affiliate or nonaffiliated third party could lawfully be performed by the financial institution.
  - There is a written contract between the affiliate or nonaffiliated third party and the financial institution that prohibits the affiliate or nonaffiliated third party, as the case may be, from disclosing or using the nonpublic personal information other than to carry out the purpose for which the financial institution disclosed the information, as set forth in the written contract.
  - The nonpublic personal information provided to the affiliate or nonaffiliated third party is limited to that which is necessary for the affiliate or nonaffiliated third party to perform the services contracted for on behalf of the financial institution.
  - The financial institution does not receive any payment from or through the affiliate or nonaffiliated third party in connection with, or as a result of, the release of the nonpublic personal information.
- The nonpublic personal information is released to identify or locate missing and abducted children, witnesses, criminals and fugitives, parties to lawsuits, parents delinquent in child support payments, organ and bone marrow donors, pension fund beneficiaries, and missing heirs.
- The nonpublic personal information is released to a real estate appraiser licensed or certified by the state for submission to central data repositories such as the California Market Data Cooperative, and the nonpublic personal information is compiled strictly to complete other real estate appraisals and is not used for any other purpose.
- The nonpublic personal information is released as required by Title III of the federal United and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act; P.L. 107-56).
- The nonpublic personal information is released either to a consumer reporting agency pursuant to the Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.) or from a consumer report reported by a consumer reporting agency.
- The nonpublic personal information is released in connection with a written agreement between a consumer and a broker-dealer registered under the Securities Exchange Act of 1934 or an investment adviser registered under the Investment Advisers Act of 1940 to provide investment management services, portfolio advisory services, or financial planning, and the nonpublic personal information is released for the sole purpose of providing the products and services covered by that agreement.
What are the requirements to obtain the consent of a consumer to share information with nonaffiliated third parties?
The CFIPA provides as follows:
A financial institution shall utilize a form, statement, or writing to obtain consent to disclose nonpublic personal information to nonaffiliated third parties […]. The form, statement, or writing shall meet all of the following criteria:
- The form, statement, or writing is a separate document, not attached to any other document.
- The form, statement, or writing is dated and signed by the consumer.
- The form, statement, or writing clearly and conspicuously discloses that by signing, the consumer is consenting to the disclosure to nonaffiliated third parties of nonpublic personal information pertaining to the consumer.
- The form, statement, or writing clearly and conspicuously discloses (i) that the consent will remain in effect until revoked or modified by the consumer; (ii) that the consumer may revoke the consent at any time; and (iii) the procedure for the consumer to revoke consent.
- The form, statement, or writing clearly and conspicuously informs the consumer that (i) the financial institution will maintain the document or a true and correct copy; (ii) the consumer is entitled to a copy of the document upon request; and (iii) the consumer may want to make a copy of the document for the consumer’s records.
What are the requirements to obtain the consent of a consumer to share information with an affiliate?
The CFIPA provides as follows:
A financial institution shall be conclusively presumed to have satisfied the notice requirements of subdivision (b) if it uses the form set forth in this subdivision. The form set forth in this subdivision or a form that complies with subparagraphs (A) to (L), inclusive, of this paragraph shall be sent by the financial institution to the consumer so that the consumer may make a decision and provide direction to the financial institution regarding the sharing of his or her nonpublic personal information. If a financial institution does not use the form set forth in this subdivision, the financial institution shall use a form that meets all of the following requirements:
- The form uses the same title (“IMPORTANT PRIVACY CHOICES FOR CONSUMERS”) and the headers, if applicable, as follows: “Restrict Information Sharing With Companies We Own Or Control (Affiliates)” and “Restrict Information Sharing With Other Companies We Do Business With To Provide Financial Products And Services.”
- The titles and headers in the form are clearly and conspicuously displayed, and no text in the form is smaller than 10-point type.
- The form is a separate document, except as provided by subparagraph (D) of paragraph (2), and Sections 4054 and 4058.7.
- The choice or choices pursuant to subdivision (b) and Section 4054.6, if applicable, provided in the form are stated separately and may be selected by checking a box.
- The form is designed to call attention to the nature and significance of the information in the document.
- The form presents information in clear and concise sentences, paragraphs, and sections.
- The form uses short explanatory sentences (an average of 15-20 words) or bullet lists whenever possible.
- The form avoids multiple negatives, legal terminology, and highly technical terminology whenever possible.
- The form avoids explanations that are imprecise and readily subject to different interpretations.
- The form achieves a minimum Flesch reading ease score of 50, as defined in Section 2689.4(a)(7) of Title 10 of the California Code of Regulations, in effect on March 24, 2003, except that the information in the form included to comply with subparagraph (A) shall not be included in the calculation of the Flesch reading ease score, and the information used to describe the choice or choices pursuant to subparagraph (D) shall score no lower than the information describing the comparable choice or choices set forth in the form in this subdivision.
- The form provides wide margins, ample line spacing and uses boldface or italics for key words.
- The form is not more than one page.
The CFIPA continues:
- None of the instructional items appearing in brackets in the form set forth in this subdivision shall appear in the form provided to the consumer, as those items are for explanation purposes only. If a financial institution does not disclose or share nonpublic personal information as described in a header of the form, the financial institution may omit the applicable header or headers, and the accompanying information and box, in the form it provides pursuant to this subdivision. The form with those omissions shall be conclusively presumed to satisfy the notice requirements of this subdivision.
- If a financial institution uses a form other than that set forth in this subdivision, the financial institution may submit that form to its functional regulator for approval, and for forms filed with the Office of Privacy Protection prior to July 1, 2007, that approval shall constitute a rebuttable presumption that the form complies with this section.
- A financial institution shall not be in violation of this subdivision solely because it includes in the form one or more brief examples or explanations of the purpose or purposes, or context, within which information will be shared, as long as those examples meet the clarity and readability standards set forth in paragraph (1).
- The outside of the envelope in which the form is sent to the consumer shall clearly state in 16-point boldface type “IMPORTANT PRIVACY CHOICES,” except that a financial institution sending the form to a consumer in the same envelope as a bill, account statement, or application requested by the consumer does not have to include the wording “IMPORTANT PRIVACY CHOICES” on that envelope. The form shall be sent in any of the following ways:
  - With a bill, other statement of account, or application requested by the consumer, in which case the information required by Title V of the Gramm-Leach-Bliley Act may also be included in the same envelope.
  - As a separate notice or with the information required by Title V of the Gramm-Leach-Bliley Act, and including only information related to privacy.
  - With any other mailing, in which case it shall be the first page of the mailing.
- If a financial institution uses a form other than that set forth in this subdivision, that form shall be filed with the Office of Privacy Protection within 30 days after it is first used.
Note: On October 5, 2005, the United States District Court for the Eastern District of California permanently enjoined enforcement of the affiliate sharing provisions of Senate Bill 1 (the California Financial Information Privacy Act), ruling that the provisions are preempted by federal law, the Fair Credit Reporting Act (FCRA).