California Financial Code, Division 1.4. California Financial Information Privacy Act
This division shall be known and may be cited as the
California Financial Information Privacy Act.
(a) The Legislature intends for financial institutions to
provide their consumers notice and meaningful choice about how
consumers' nonpublic personal information is shared or sold by their
financial institutions.
(b) It is the intent of the Legislature in enacting the California
Financial Information Privacy Act to afford persons greater privacy
protections than those provided in Public Law 106-102, the federal
Gramm-Leach-Bliley Act, and that this division be interpreted to be
consistent with that purpose.
(a) The Legislature finds and declares all of the
following:
(1) The California Constitution protects the privacy of California
citizens from unwarranted intrusions into their private and personal
lives.
(2) Federal banking legislation, known as the Gramm-Leach-Bliley
Act, which breaks down restrictions on affiliation among different
types of financial institutions, increases the likelihood that the
personal financial information of California residents will be widely
shared among, between, and within companies.
(3) The policies intended to protect financial privacy imposed by
the Gramm-Leach-Bliley Act are inadequate to meet the privacy
concerns of California residents.
(4) Because of the limitations of these federal policies, the
Gramm-Leach-Bliley Act explicitly permits states to enact privacy
protections that are stronger than those provided in federal law.
(b) It is the intent of the Legislature in enacting this division:
(1) To ensure that Californians have the ability to control the
disclosure of what the Gramm-Leach-Bliley Act calls nonpublic
personal information.
(2) To achieve that control for California consumers by requiring
that financial institutions that want to share information with third
parties and unrelated companies seek and acquire the affirmative
consent of California consumers prior to sharing the information.
(3) To further achieve that control for California consumers by
providing consumers with the ability to prevent the sharing of
financial information among affiliated companies through a simple
opt-out mechanism via a clear and understandable notice provided to
the consumer.
(4) To provide, to the maximum extent possible, consistent with
the purposes cited above, a level playing field among types and sizes
of businesses consistent with the objective of providing consumers
control over their nonpublic personal information, including
providing that those financial institutions with limited affiliate
relationships may enter into agreements with other financial
institutions as provided in this division, and providing that the
different business models of differing financial institutions are
treated in ways that provide consistent consumer control over
information-sharing practices.
(5) To adopt to the maximum extent feasible, consistent with the
purposes cited above, definitions consistent with federal law, so
that in particular there is no change in the ability of businesses to
carry out normal processes of commerce for transactions voluntarily
entered into by consumers.
For the purposes of this division:
(a) "Nonpublic personal information" means personally identifiable
financial information (1) provided by a consumer to a financial
institution, (2) resulting from any transaction with the consumer or
any service performed for the consumer, or (3) otherwise obtained by
the financial institution. Nonpublic personal information does not
include publicly available information that the financial institution
has a reasonable basis to believe is lawfully made available to the
general public from (1) federal, state, or local government records,
(2) widely distributed media, or (3) disclosures to the general
public that are required to be made by federal, state, or local law.
Nonpublic personal information shall include any list, description,
or other grouping of consumers, and publicly available information
pertaining to them, that is derived using any nonpublic personal
information other than publicly available information, but shall not
include any list, description, or other grouping of consumers, and
publicly available information pertaining to them, that is derived
without using any nonpublic personal information.
(b) "Personally identifiable financial information" means
information (1) that a consumer provides to a financial institution
to obtain a product or service from the financial institution, (2)
about a consumer resulting from any transaction involving a product
or service between the financial institution and a consumer, or (3)
that the financial institution otherwise obtains about a consumer in
connection with providing a product or service to that consumer. Any
personally identifiable information is financial if it was obtained
by a financial institution in connection with providing a financial
product or service to a consumer. Personally identifiable financial
information includes all of the following:
(1) Information a consumer provides to a financial institution on
an application to obtain a loan, credit card, or other financial
product or service.
(2) Account balance information, payment history, overdraft
history, and credit or debit card purchase information.
(3) The fact that an individual is or has been a consumer of a
financial institution or has obtained a financial product or service
from a financial institution.
(4) Any information about a financial institution's consumer if it
is disclosed in a manner that indicates that the individual is or
has been the financial institution's consumer.
(5) Any information that a consumer provides to a financial
institution or that a financial institution or its agent otherwise
obtains in connection with collecting on a loan or servicing a loan.
(6) Any personally identifiable financial information collected
through an Internet cookie or an information collecting device from a
Web server.
(7) Information from a consumer report.
(c) "Financial institution" means any institution the business of
which is engaging in financial activities as described in Section
1843(k) of Title 12 of the United States Code and doing business in
this state. An institution that is not significantly engaged in
financial activities is not a financial institution. The term
"financial institution" does not include any institution that is
primarily engaged in providing hardware, software, or interactive
services, provided that it does not act as a debt collector, as
defined in 15 U.S.C. Sec. 1692a, or engage in activities for which
the institution is required to acquire a charter, license, or
registration from a state or federal governmental banking, insurance,
or securities agency. The term "financial institution" does not
include the Federal Agricultural Mortgage Corporation or any entity
chartered and operating under the Farm Credit Act of 1971 (12 U.S.C.
Sec. 2001 et seq.), provided that the entity does not sell or
transfer nonpublic personal information to an affiliate or a
nonaffiliated third party. The term "financial institution" does not
include institutions chartered by Congress specifically to engage in
a proposed or actual securitization, secondary market sale, including
sales of servicing rights, or similar transactions related to a
transaction of the consumer, as long as those institutions do not
sell or transfer nonpublic personal information to a nonaffiliated
third party. The term "financial institution" does not include any
provider of professional services, or any wholly owned affiliate
thereof, that is prohibited by rules of professional ethics and
applicable law from voluntarily disclosing confidential client
information without the consent of the client. The term "financial
institution" does not include any person licensed as a dealer under
Article 1 (commencing with Section 11700) of Chapter 4 of Division 5
of the Vehicle Code that enters into contracts for the installment
sale or lease of motor vehicles pursuant to the requirements of
Chapter 2B (commencing with Section 2981) or 2D (commencing with
Section 2985.7) of Title 14 of Part 4 of Division 3 of the Civil Code
and assigns substantially all of those contracts to financial
institutions within 30 days.
(d) "Affiliate" means any entity that controls, is controlled by,
or is under common control with, another entity, but does not include
a joint employee of the entity and the affiliate. A franchisor,
including any affiliate thereof, shall be deemed an affiliate of the
franchisee for purposes of this division.
(e) "Nonaffiliated third party" means any entity that is not an
affiliate of, or related by common ownership or affiliated by
corporate control with, the financial institution, but does not
include a joint employee of that institution and a third party.
(f) "Consumer" means an individual resident of this state, or that
individual's legal representative, who obtains or has obtained from
a financial institution a financial product or service to be used
primarily for personal, family, or household purposes. For purposes
of this division, an individual resident of this state is someone
whose last known mailing address, other than an Armed Forces Post
Office or Fleet Post Office address, as shown in the records of the
financial institution, is located in this state. For purposes of this
division, an individual is not a consumer of a financial institution
solely because he or she is (1) a participant or beneficiary of an
employee benefit plan that a financial institution administers or
sponsors, or for which the financial institution acts as a trustee,
insurer, or fiduciary, (2) covered under a group or blanket insurance
policy or group annuity contract issued by the financial
institution, (3) a beneficiary in a workers' compensation plan, (4) a
beneficiary of a trust for which the financial institution is a
trustee, or (5) a person who has designated the financial institution
as trustee for a trust, provided that the financial institution
provides all required notices and rights required by this division to
the plan sponsor, group or blanket insurance policyholder, or group
annuity contractholder.
(g) "Control" means (1) ownership or power to vote 25 percent or
more of the outstanding shares of any class of voting security of a
company, acting through one or more persons, (2) control in any
manner over the election of a majority of the directors, or of
individuals exercising similar functions, or (3) the power to
exercise, directly or indirectly, a controlling influence over the
management or policies of a company. However, for purposes of the
application of the definition of control as it relates to credit
unions, a credit union has a controlling influence over the
management or policies of a credit union service organization (CUSO),
as that term is defined by state or federal law or regulation, if
the CUSO is at least 67 percent owned by credit unions. For purposes
of the application of the definition of control to a financial
institution subject to regulation by the United States Securities and
Exchange Commission, a person who owns beneficially, either directly
or through one or more controlled companies, more than 25 percent of
the voting securities of a company is presumed to control the
company, and a person who does not own more than 25 percent of the
voting securities of a company is presumed not to control the
company, and a presumption regarding control may be rebutted by
evidence, but in the case of an investment company, the presumption
shall continue until the United States Securities and Exchange
Commission makes a decision to the contrary according to the
procedures described in Section 2(a)(9) of the federal Investment
Company Act of 1940.
(h) "Necessary to effect, administer, or enforce" means the
following:
(1) The disclosure is required, or is a usual, appropriate, or
acceptable method to carry out the transaction or the product or
service business of which the transaction is a part, and record or
service or maintain the consumer's account in the ordinary course of
providing the financial service or financial product, or to
administer or service benefits or claims relating to the transaction
or the product or service business of which it is a part, and
includes the following:
(A) Providing the consumer or the consumer's agent or broker with
a confirmation, statement, or other record of the transaction, or
information on the status or value of the financial service or
financial product.
(B) The accrual or recognition of incentives, discounts, or
bonuses associated with the transaction or communications to eligible
existing consumers of the financial institution regarding the
availability of those incentives, discounts, and bonuses that are
provided by the financial institution or another party.
(C) In the case of a financial institution that has issued a
credit account bearing the name of a company primarily engaged in
retail sales or a name proprietary to a company primarily engaged in
retail sales, the financial institution providing the retailer with
nonpublic personal information as follows:
(i) Providing the retailer, or licensees or contractors of the
retailer that provide products or services in the name of the
retailer and under a contract with the retailer, with the names and
addresses of the consumers in whose name the account is held and a
record of the purchases made using the credit account from a business
establishment, including a Web site or catalog, bearing the brand
name of the retailer.
(ii) Where the credit account can only be used for transactions
with the retailer or affiliates of that retailer that are also
primarily engaged in retail sales, providing the retailer, or
licensees or contractors of the retailer that provide products or
services in the name of the retailer and under a contract with the
retailer, with nonpublic personal information concerning the credit
account, in connection with the offering or provision of the products
or services of the retailer and those licensees or contractors.
(2) The disclosure is required or is one of the lawful or
appropriate methods to enforce the rights of the financial
institution or of other persons engaged in carrying out the financial
transaction or providing the product or service.
(3) The disclosure is required, or is a usual, appropriate, or
acceptable method for insurance underwriting or the placement of
insurance products by licensed agents and brokers with authorized
insurance companies at the consumer's request, for reinsurance, stop
loss insurance, or excess loss insurance purposes, or for any of the
following purposes as they relate to a consumer's insurance:
(A) Account administration.
(B) Reporting, investigating, or preventing fraud or material
misrepresentation.
(C) Processing premium payments.
(D) Processing insurance claims.
(E) Administering insurance benefits, including utilization review
activities.
(F) Participating in research projects.
(G) As otherwise required or specifically permitted by federal or
state law.
(4) The disclosure is required, or is a usual, appropriate, or
acceptable method, in connection with the following:
(A) The authorization, settlement, billing, processing, clearing,
transferring, reconciling, or collection of amounts charged, debited,
or otherwise paid using a debit, credit or other payment card,
check, or account number, or by other payment means.
(B) The transfer of receivables, accounts, or interests therein.
(C) The audit of debit, credit, or other payment information.
(5) The disclosure is required in a transaction covered by the
federal Real Estate Settlement Procedures Act (12 U.S.C. Sec. 2601 et
seq.) in order to offer settlement services prior to the close of
escrow (as those services are defined in 12 U.S.C. Sec. 2602),
provided that (A) the nonpublic personal information is disclosed for
the sole purpose of offering those settlement services and (B) the
nonpublic personal information disclosed is limited to that necessary
to enable the financial institution to offer those settlement
services in that transaction.
(i) "Financial product or service" means any product or service
that a financial holding company could offer by engaging in an
activity that is financial in nature or incidental to a financial
activity under subsection (k) of Section 1843 of Title 12 of the
United States Code (the United States Bank Holding Company Act of
1956). Financial service includes a financial institution's
evaluation or brokerage of information that the financial institution
collects in connection with a request or an application from a
consumer for a financial product or service.
(j) "Clear and conspicuous" means that a notice is reasonably
understandable and designed to call attention to the nature and
significance of the information contained in the notice.
(k) "Widely distributed media" means media available to the
general public and includes a telephone book, a television or radio
program, a newspaper, or a Web site that is available to the general
public on an unrestricted basis.
Except as provided in Sections 4053, 4054.6, and 4056, a
financial institution shall not sell, share, transfer, or otherwise
disclose nonpublic personal information to or with any nonaffiliated
third parties without the explicit prior consent of the consumer to
whom the nonpublic personal information relates.
(a) (1) A financial institution shall not disclose to, or
share a consumer's nonpublic personal information with, any
nonaffiliated third party as prohibited by Section 4052.5, unless the
financial institution has obtained a consent acknowledgment from the
consumer that complies with paragraph (2) that authorizes the
financial institution to disclose or share the nonpublic personal
information. Nothing in this section shall prohibit or otherwise
apply to the disclosure of nonpublic personal information as allowed
in Section 4056. A financial institution shall not discriminate
against or deny an otherwise qualified consumer a financial product
or a financial service because the consumer has not provided consent
pursuant to this subdivision and Section 4052.5 to authorize the
financial institution to disclose or share nonpublic personal
information pertaining to him or her with any nonaffiliated third
party. Nothing in this section shall prohibit a financial institution
from denying a consumer a financial product or service if the
financial institution could not provide the product or service to a
consumer without the consent to disclose the consumer's nonpublic
personal information required by this subdivision and Section 4052.5,
and the consumer has failed to provide consent. A financial
institution shall not be liable for failing to offer products and
services to a consumer solely because that consumer has failed to
provide consent pursuant to this subdivision and Section 4052.5 and
the financial institution could not offer the product or service
without the consent to disclose the consumer's nonpublic personal
information required by this subdivision and Section 4052.5, and the
consumer has failed to provide consent. Nothing in this section is
intended to prohibit a financial institution from offering incentives
or discounts to elicit a specific response to the notice.
(2) A financial institution shall utilize a form, statement, or
writing to obtain consent to disclose nonpublic personal information
to nonaffiliated third parties as required by Section 4052.5 and this
subdivision. The form, statement, or writing shall meet all of the
following criteria:
(A) The form, statement, or writing is a separate document, not
attached to any other document.
(B) The form, statement, or writing is dated and signed by the
consumer.
(C) The form, statement, or writing clearly and conspicuously
discloses that by signing, the consumer is consenting to the
disclosure to nonaffiliated third parties of nonpublic personal
information pertaining to the consumer.
(D) The form, statement, or writing clearly and conspicuously
discloses (i) that the consent will remain in effect until revoked or
modified by the consumer; (ii) that the consumer may revoke the
consent at any time; and (iii) the procedure for the consumer to
revoke consent.
(E) The form, statement, or writing clearly and conspicuously
informs the consumer that (i) the financial institution will maintain
the document or a true and correct copy; (ii) the consumer is
entitled to a copy of the document upon request; and (iii) the
consumer may want to make a copy of the document for the consumer's
records.
(b) (1) A financial institution shall not disclose to, or share a
consumer's nonpublic personal information with, an affiliate unless
the financial institution has clearly and conspicuously notified the
consumer annually in writing pursuant to subdivision (d) that the
nonpublic personal information may be disclosed to an affiliate of
the financial institution and the consumer has not directed that the
nonpublic personal information not be disclosed. A financial
institution does not disclose information to, or share information
with, its affiliate merely because information is maintained in
common information systems or databases, and employees of the
financial institution and its affiliate have access to those common
information systems or databases, or a consumer accesses a Web site
jointly operated or maintained under a common name by or on behalf of
the financial institution and its affiliate, provided that where a
consumer has exercised his or her right to prohibit disclosure
pursuant to this division, nonpublic personal information is not
further disclosed or used by an affiliate except as permitted by this
division.
(2) Subdivision (a) shall not prohibit the release of nonpublic
personal information by a financial institution with whom the
consumer has a relationship to a nonaffiliated financial institution
for purposes of jointly offering a financial product or financial
service pursuant to a written agreement with the financial
institution that receives the nonpublic personal information provided
that all of the following requirements are met:
(A) The financial product or service offered is a product or
service of, and is provided by, at least one of the financial
institutions that is a party to the written agreement.
(B) The financial product or service is jointly offered, endorsed,
or sponsored, and clearly and conspicuously identifies for the
consumer the financial institutions that disclose and receive the
disclosed nonpublic personal information.
(C) The written agreement provides that the financial institution
that receives that nonpublic personal information is required to
maintain the confidentiality of the information and is prohibited
from disclosing or using the information other than to carry out the
joint offering or servicing of a financial product or financial
service that is the subject of the written agreement.
(D) The financial institution that releases the nonpublic personal
information has complied with subdivision (d) and the consumer has
not directed that the nonpublic personal information not be
disclosed.
(E) Notwithstanding this section, until January 1, 2005, a
financial institution may disclose nonpublic personal information to
a nonaffiliated financial institution pursuant to a preexisting
contract with the nonaffiliated financial institution, for purposes
of offering a financial product or financial service, if that
contract was entered into on or before January 1, 2004. Beginning on
January 1, 2005, no nonpublic personal information may be disclosed
pursuant to that contract unless all the requirements of this
subdivision are met.
(3) Nothing in this subdivision shall prohibit a financial
institution from disclosing or sharing nonpublic personal information
as otherwise specifically permitted by this division.
(4) A financial institution shall not discriminate against or deny
an otherwise qualified consumer a financial product or a financial
service because the consumer has directed pursuant to this
subdivision that nonpublic personal information pertaining to him or
her not be disclosed. A financial institution shall not be required
to offer or provide products or services offered through affiliated
entities or jointly with nonaffiliated financial institutions
pursuant to paragraph (2) where the consumer has directed that
nonpublic personal information not be disclosed pursuant to this
subdivision and the financial institution could not offer or provide
the products or services to the consumer without disclosure of the
consumer's nonpublic personal information that the consumer has
directed not be disclosed pursuant to this subdivision. A financial
institution shall not be liable for failing to offer or provide
products or services offered through affiliated entities or jointly
with nonaffiliated financial institutions pursuant to paragraph (2)
solely because the consumer has directed that nonpublic personal
information not be disclosed pursuant to this subdivision and the
financial institution could not offer or provide the products or
services to the consumer without disclosure of the consumer's
nonpublic personal information that the consumer has directed not be
disclosed to affiliates pursuant to this subdivision. Nothing in this
section is intended to prohibit a financial institution from
offering incentives or discounts to elicit a specific response to the
notice set forth in this division. Nothing in this section shall
prohibit the disclosure of nonpublic personal information allowed by
Section 4056.
(5) The financial institution may, at its option, choose instead
to comply with the requirements of subdivision (a).
(c) Nothing in this division shall restrict or prohibit the
sharing of nonpublic personal information between a financial
institution and its wholly owned financial institution subsidiaries;
among financial institutions that are each wholly owned by the same
financial institution; among financial institutions that are wholly
owned by the same holding company; or among the insurance and
management entities of a single insurance holding company system
consisting of one or more reciprocal insurance exchanges which has a
single corporation or its wholly owned subsidiaries providing
management services to the reciprocal insurance exchanges, provided
that in each case all of the following requirements are met:
(1) The financial institution disclosing the nonpublic personal
information and the financial institution receiving it are regulated
by the same functional regulator; provided, however, that for
purposes of this subdivision, financial institutions regulated by the
Office of the Comptroller of the Currency, Office of Thrift
Supervision, National Credit Union Administration, or a state
regulator of depository institutions shall be deemed to be regulated
by the same functional regulator; financial institutions regulated by
the Securities and Exchange Commission, the United States Department
of Labor, or a state securities regulator shall be deemed to be
regulated by the same functional regulator; and insurers admitted in
this state to transact insurance and licensed to write insurance
policies shall be deemed to be in compliance with this paragraph.
(2) The financial institution disclosing the nonpublic personal
information and the financial institution receiving it are both
principally engaged in the same line of business. For purposes of
this subdivision, "same line of business" shall be one and only one
of the following:
(A) Insurance.
(B) Banking.
(C) Securities.
(3) The financial institution disclosing the nonpublic personal
information and the financial institution receiving it share a common
brand, excluding a brand consisting solely of a graphic element or
symbol, within their trademark, service mark, or trade name, which is
used to identify the source of the products and services provided.
A wholly owned subsidiary shall include a subsidiary wholly owned
directly or wholly owned indirectly in a chain of wholly owned
subsidiaries.
Nothing in this subdivision shall permit the disclosure by a
financial institution of medical record information, as defined in
Section 791.02 of the Insurance Code, except in compliance with the
requirements of this division, including the requirements set forth
in subdivisions (a) and (b).
(d) (1) A financial institution shall be conclusively presumed to
have satisfied the notice requirements of subdivision (b) if it uses
the form set forth in this subdivision. The form set forth in this
subdivision or a form that complies with subparagraphs (A) to (L),
inclusive, of this paragraph shall be sent by the financial
institution to the consumer so that the consumer may make a decision
and provide direction to the financial institution regarding the
sharing of his or her nonpublic personal information. If a financial
institution does not use the form set forth in this subdivision, the
financial institution shall use a form that meets all of the
following requirements:
(A) The form uses the same title ("IMPORTANT PRIVACY CHOICES FOR
CONSUMERS") and the headers, if applicable, as follows: "Restrict
Information Sharing With Companies We Own Or Control (Affiliates)"
and "Restrict Information Sharing With Other Companies We Do Business
With To Provide Financial Products And Services."
(B) The titles and headers in the form are clearly and
conspicuously displayed, and no text in the form is smaller than
10-point type.
(C) The form is a separate document, except as provided by
subparagraph (D) of paragraph (2), and Sections 4054 and 4058.7.
(D) The choice or choices pursuant to subdivision (b) and Section
4054.6, if applicable, provided in the form are stated separately and
may be selected by checking a box.
(E) The form is designed to call attention to the nature and
significance of the information in the document.
(F) The form presents information in clear and concise sentences,
paragraphs, and sections.
(G) The form uses short explanatory sentences (an average of 15-20
words) or bullet lists whenever possible.
(H) The form avoids multiple negatives, legal terminology, and
highly technical terminology whenever possible.
(I) The form avoids explanations that are imprecise and readily
subject to different interpretations.
(J) The form achieves a minimum Flesch reading ease score of 50,
as defined in Section 2689.4(a)(7) of Title 10 of the California Code
of Regulations, in effect on March 24, 2003, except that the
information in the form included to comply with subparagraph (A)
shall not be included in the calculation of the Flesch reading ease
score, and the information used to describe the choice or choices
pursuant to subparagraph (D) shall score no lower than the
information describing the comparable choice or choices set forth in
the form in this subdivision.
(K) The form provides wide margins, ample line spacing and uses
boldface or italics for key words.
(L) The form is not more than one page.
(2) (A) None of the instructional items appearing in brackets in
the form set forth in this subdivision shall appear in the form
provided to the consumer, as those items are for explanation purposes
only. If a financial institution does not disclose or share
nonpublic personal information as described in a header of the form,
the financial institution may omit the applicable header or headers,
and the accompanying information and box, in the form it provides
pursuant to this subdivision. The form with those omissions shall be
conclusively presumed to satisfy the notice requirements of this
subdivision.
NOTICE OF INCOMPLETE TEXT: The Important Privacy Choices
for Consumers form appears in the hard-copy publication of the
chaptered bill. See Sec. 8, Chapter 444 (p. 15), Statutes of 2013.
(B) If a financial institution uses a form other than that set
forth in this subdivision, the financial institution may submit that
form to its functional regulator for approval, and for forms filed
with the Office of Privacy Protection prior to July 1, 2007, that
approval shall constitute a rebuttable presumption that the form
complies with this section.
(C) A financial institution shall not be in violation of this
subdivision solely because it includes in the form one or more brief
examples or explanations of the purpose or purposes, or context,
within which information will be shared, as long as those examples
meet the clarity and readability standards set forth in paragraph
(1).
(D) The outside of the envelope in which the form is sent to the
consumer shall clearly state in 16-point boldface type "IMPORTANT
PRIVACY CHOICES," except that a financial institution sending the
form to a consumer in the same envelope as a bill, account statement,
or application requested by the consumer does not have to include
the wording "IMPORTANT PRIVACY CHOICES" on that envelope. The form
shall be sent in any of the following ways:
(i) With a bill, other statement of account, or application
requested by the consumer, in which case the information required by
Title V of the Gramm-Leach-Bliley Act may also be included in the
same envelope.
(ii) As a separate notice or with the information required by
Title V of the Gramm-Leach-Bliley Act, and including only information
related to privacy.
(iii) With any other mailing, in which case it shall be the first
page of the mailing.
(E) If a financial institution uses a form other than that set
forth in this subdivision, that form shall be filed with the Office
of Privacy Protection within 30 days after it is first used.
(3) The consumer shall be provided a reasonable opportunity prior
to disclosure of nonpublic personal information to direct that
nonpublic personal information not be disclosed. A consumer may
direct at any time that his or her nonpublic personal information not
be disclosed. A financial institution shall comply with a consumer's
directions concerning the sharing of his or her nonpublic personal
information within 45 days of receipt by the financial institution.
When a consumer directs that nonpublic personal information not be
disclosed, that direction is in effect until otherwise stated by the
consumer. A financial institution that has not provided a consumer
with annual notice pursuant to subdivision (b) shall provide the
consumer with a form that meets the requirements of this subdivision,
and shall allow 45 days to lapse from the date of providing the form
in person or the postmark or other postal verification of mailing
before disclosing nonpublic personal information pertaining to the
consumer.
Nothing in this subdivision shall prohibit the disclosure of
nonpublic personal information as allowed by subdivision (c) or
Section 4056.
(4) A financial institution may elect to comply with the
requirements of subdivision (a) with respect to disclosure of
nonpublic personal information to an affiliate or with respect to
nonpublic personal information disclosed pursuant to paragraph (2) of
subdivision (b), or subdivision (c) of Section 4054.6.
(5) If a financial institution does not have a continuing
relationship with a consumer other than the initial transaction in
which the product or service is provided, no annual disclosure
requirement exists pursuant to this section as long as the financial
institution provides the consumer with the form required by this
section at the time of the initial transaction. As used in this
section, "annually" means at least once in any period of 12
consecutive months during which that relationship exists. The
financial institution may define the 12-consecutive-month period, but
shall apply it to the consumer on a consistent basis. If, for
example, a financial institution defines the 12-consecutive-month
period as a calendar year and provides the annual notice to the
consumer once in each calendar year, it complies with the requirement
to send the notice annually.
(6) A financial institution with assets in excess of twenty-five
million dollars ($25,000,000) shall include a self-addressed first
class business reply return envelope with the notice. A financial
institution with assets of up to and including twenty-five million
dollars ($25,000,000) shall include a self-addressed return envelope
with the notice. In lieu of the first class business reply return
envelope required by this paragraph, a financial institution may
offer a self-addressed return envelope with the notice and at least
two alternative cost-free means for consumers to communicate their
privacy choices, such as calling a toll-free number, sending a
facsimile to a toll-free telephone number, or using electronic means.
A financial institution shall clearly and conspicuously disclose in
the form required by this subdivision the information necessary to
direct the consumer on how to communicate his or her choices,
including the toll-free or facsimile number or Web site address that
may be used, if those means of communication are offered by the
financial institution.
(7) A financial institution may provide a joint notice from it and
one or more of its affiliates or other financial institutions, as
identified in the notice, so long as the notice is accurate with
respect to the financial institution and the affiliates and other
financial institutions.
(e) Nothing in this division shall prohibit a financial
institution from marketing its own products and services or the
products and services of affiliates or nonaffiliated third parties to
customers of the financial institution as long as (1) nonpublic
personal information is not disclosed in connection with the delivery
of the applicable marketing materials to those customers except as
permitted by Section 4056 and (2) in cases in which the applicable
nonaffiliated third party may extrapolate nonpublic personal
information about the consumer responding to those marketing
materials, the applicable nonaffiliated third party has signed a
contract with the financial institution under the terms of which (A)
the nonaffiliated third party is prohibited from using that
information for any purpose other than the purpose for which it was
provided, as set forth in the contract, and (B) the financial
institution has the right by audit, inspections, or other means to
verify the nonaffiliated third party's compliance with that contract.
Except as otherwise provided in this division, an entity
that receives nonpublic personal information from a financial
institution under this division shall not disclose this information
to any other entity, unless the disclosure would be lawful if made
directly to the other entity by the financial institution. An entity
that receives nonpublic personal information pursuant to any
exception set forth in Section 4056 shall not use or disclose the
information except in the ordinary course of business to carry out
the activity covered by the exception under which the information was
received.
(a) Nothing in this division shall require a financial
institution to provide a written notice to a consumer pursuant to
Section 4053 if the financial institution does not disclose nonpublic
personal information to any nonaffiliated third party or to any
affiliate, except as allowed in this division.
(b) A notice provided to a member of a household pursuant to
Section 4053 shall be considered notice to all members of that
household unless that household contains another individual who also
has a separate account with the financial institution.
(c) (1) The requirement to send a written notice to a consumer may
be fulfilled by electronic means if the following requirements are
met:
(A) The notice, and the manner in which it is sent, meets all of
the requirements for notices that are required by law to be in
writing, as set forth in Section 101 of the federal Electronic
Signatures in Global and National Commerce Act.
(B) All other requirements applicable to the notice, as set forth
in this division, are met, including, but not limited to,
requirements concerning content, timing, form, and delivery. An
electronic notice sent pursuant to this section is not required to
include a return envelope.
(C) The notice is delivered to the consumer in a form the consumer
may keep.
(2) A notice that is made available to a consumer, and is not
delivered to the consumer, does not satisfy the requirements of
paragraph (1).
(3) Any electronic consumer reply to an electronic notice sent
pursuant to this division is effective. A person that electronically
sends a notice required by this division to a consumer may not by
contract, or otherwise, eliminate the effectiveness of the consumer's
electronic reply.
(4) This division modifies the provisions of Section 101 of the
federal Electronic Signatures in Global and National Commerce Act.
However, it does not modify, limit, or supersede the provisions of
subsection (c), (d), (e), (f), or (h) of Section 101 of the federal
Electronic Signatures in Global and National Commerce Act, nor does
it authorize electronic delivery of any notice of the type described
in subsection (b) of Section 103 of that federal act.
(a) When a financial institution and an organization or
business entity that is not a financial institution ("affinity
partner") have an agreement to issue a credit card in the name of the
affinity partner ("affinity card"), the financial institution shall
be permitted to disclose to the affinity partner in whose name the
card is issued only the following information pertaining to the
financial institution's customers who are in receipt of the affinity
card: (1) name, address, telephone number, and electronic mail
address and (2) record of purchases made using the affinity card in a
business establishment, including a Web site, bearing the brand name
of the affinity partner.
(b) When a financial institution and an affinity partner have an
agreement to issue a financial product or service, other than a
credit card, on behalf of the affinity partner ("affinity financial
product or service"), the financial institution shall be permitted to
disclose to the affinity partner only the following information
pertaining to the financial institution's customers who obtained the
affinity financial product or service: name, address, telephone
number, and electronic mail address.
(c) The disclosures specified in subdivisions (a) and (b) shall be
permitted only if the following requirements are met:
(1) The financial institution has provided the consumer a notice
meeting the requirements of subdivision (d) of Section 4053, and the
consumer has not directed that nonpublic personal information not be
disclosed. A response to a notice meeting the requirements of
subdivision (d) directing the financial institution to not disclose
nonpublic personal information to a nonaffiliated financial
institution shall be deemed a direction to the financial institution
to not disclose nonpublic personal information to an affinity
partner, unless the form containing the notice provides the consumer
with a separate choice for disclosure to affinity partners.
(2) The financial institution has a contractual agreement with the
affinity partner that requires the affinity partner to maintain the
confidentiality of the nonpublic personal information and prohibits
affinity partners from using the information for any purposes other
than verifying membership, verifying the consumer's contact
information, or offering the affinity partner's own products or
services to the consumer.
(3) The customer list is not disclosed in any way that reveals or
permits extrapolation of any additional nonpublic personal
information about any customer on the list.
(4) If the affinity partner sends any message to any electronic
mail addresses obtained pursuant to this section, the message shall
include at least both of the following:
(A) The identity of the sender of the message.
(B) A cost-free means for the recipient to notify the sender not
to electronically mail any further message to the recipient.
(d) Nothing in this section shall prohibit the disclosure of
nonpublic personal information pursuant to Section 4056.
(e) This section does not apply to credit cards issued in the name
of an entity primarily engaged in retail sales or a name proprietary
to a company primarily engaged in retail sales.
(a) This division shall not apply to information that is not
personally identifiable to a particular person.
(b) Notwithstanding Sections 4052.5, 4053, 4054, and 4054.6, a
financial institution may release nonpublic personal information
under the following circumstances:
(1) The nonpublic personal information is necessary to effect,
administer, or enforce a transaction requested or authorized by the
consumer, or in connection with servicing or processing a financial
product or service requested or authorized by the consumer, or in
connection with maintaining or servicing the consumer's account with
the financial institution, or with another entity as part of a
private label credit card program or other extension of credit on
behalf of that entity, or in connection with a proposed or actual
securitization or secondary market sale, including sales of servicing
rights, or similar transactions related to a transaction of the
consumer.
(2) The nonpublic personal information is released with the
consent of or at the direction of the consumer.
(3) The nonpublic personal information is:
(A) Released to protect the confidentiality or security of the
financial institution's records pertaining to the consumer, the
service or product, or the transaction therein.
(B) Released to protect against or prevent actual or potential
fraud, identity theft, unauthorized transactions, claims, or other
liability.
(C) Released for required institutional risk control, or for
resolving customer disputes or inquiries.
(D) Released to persons holding a legal or beneficial interest
relating to the consumer, including for purposes of debt collection.
(E) Released to persons acting in a fiduciary or representative
capacity on behalf of the consumer.
(4) The nonpublic personal information is released to provide
information to insurance rate advisory organizations, guaranty funds
or agencies, applicable rating agencies of the financial institution,
persons assessing the institution's compliance with industry
standards, and the institution's attorneys, accountants, and
auditors.
(5) The nonpublic personal information is released to the extent
specifically required or specifically permitted under other
provisions of law and in accordance with the Right to Financial
Privacy Act of 1978 (12 U.S.C. Sec. 3401 et seq.), to law enforcement
agencies, including a federal functional regulator, the Secretary of
the Treasury with respect to subchapter II of Chapter 53 of Title
31, and Chapter 2 of Title I of Public Law 91-508 (12 U.S.C. Secs.
1951-1959), the California Department of Insurance or other state
insurance regulators, or the Federal Trade Commission, and
self-regulatory organizations, or for an investigation on a matter
related to public safety.
(6) The nonpublic personal information is released in connection
with a proposed or actual sale, merger, transfer, or exchange of all
or a portion of a business or operating unit if the disclosure of
nonpublic personal information concerns solely consumers of the
business or unit.
(7) The nonpublic personal information is released to comply with
federal, state, or local laws, rules, and other applicable legal
requirements; to comply with a properly authorized civil, criminal,
administrative, or regulatory investigation or subpoena or summons by
federal, state, or local authorities; or to respond to judicial
process or government regulatory authorities having jurisdiction over
the financial institution for examination, compliance, or other
purposes as authorized by law.
(8) When a financial institution is reporting a known or suspected
instance of elder or dependent adult financial abuse or is
cooperating with a local adult protective services agency
investigation of known or suspected elder or dependent adult
financial abuse pursuant to Article 3 (commencing with Section 15630)
of Chapter 11 of Part 3 of Division 9 of the Welfare and
Institutions Code.
(9) The nonpublic personal information is released to an affiliate
or a nonaffiliated third party in order for the affiliate or
nonaffiliated third party to perform business or professional
services, such as printing, mailing services, data processing or
analysis, or customer surveys, on behalf of the financial
institution, provided that all of the following requirements are met:
(A) The services to be performed by the affiliate or nonaffiliated
third party could lawfully be performed by the financial
institution.
(B) There is a written contract between the affiliate or
nonaffiliated third party and the financial institution that
prohibits the affiliate or nonaffiliated third party, as the case may
be, from disclosing or using the nonpublic personal information
other than to carry out the purpose for which the financial
institution disclosed the information, as set forth in the written
contract.
(C) The nonpublic personal information provided to the affiliate
or nonaffiliated third party is limited to that which is necessary
for the affiliate or nonaffiliated third party to perform the
services contracted for on behalf of the financial institution.
(D) The financial institution does not receive any payment from or
through the affiliate or nonaffiliated third party in connection
with, or as a result of, the release of the nonpublic personal
information.
(10) The nonpublic personal information is released to identify or
locate missing and abducted children, witnesses, criminals and
fugitives, parties to lawsuits, parents delinquent in child support
payments, organ and bone marrow donors, pension fund beneficiaries,
and missing heirs.
(11) The nonpublic personal information is released to a real
estate appraiser licensed or certified by the state for submission to
central data repositories such as the California Market Data
Cooperative, and the nonpublic personal information is compiled
strictly to complete other real estate appraisals and is not used for
any other purpose.
(12) The nonpublic personal information is released as required by
Title III of the federal Uniting and Strengthening America by
Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism Act of 2001 (USA Patriot Act; P.L. 107-56).
(13) The nonpublic personal information is released either to a
consumer reporting agency pursuant to the Fair Credit Reporting Act
(15 U.S.C. Sec. 1681 et seq.) or from a consumer report reported by a
consumer reporting agency.
(14) The nonpublic personal information is released in connection
with a written agreement between a consumer and a broker-dealer
registered under the Securities Exchange Act of 1934 or an investment
adviser registered under the Investment Advisers Act of 1940 to
provide investment management services, portfolio advisory services,
or financial planning, and the nonpublic personal information is
released for the sole purpose of providing the products and services
covered by that agreement.
(c) Nothing in this division is intended to change existing law
relating to access by law enforcement agencies to information held by
financial institutions.
(a) The provisions of this division do not apply to any
person or entity that meets the requirements of paragraph (1) or (2)
below. However, when nonpublic personal information is being or will
be shared by a person or entity meeting the requirements of paragraph
(1) or (2) with an affiliate or nonaffiliated third party, this
division shall apply.
(1) The person or entity is licensed in one or both of the
following categories and is acting within the scope of the respective
license or certificate:
(A) As an insurance producer, licensed pursuant to Chapter 5
(commencing with Section 1621), Chapter 6 (commencing with Section
1760), or Chapter 8 (commencing with Section 1831) of Division 1 of
the Insurance Code, as a registered investment adviser pursuant to
Chapter 3 (commencing with Section 25230) of Part 3 of Division 1 of
Title 4 of the Corporations Code, or as an investment adviser
pursuant to Section 202(a)(11) of the federal Investment Advisers Act
of 1940.
(B) Is licensed to sell securities by the National Association of
Securities Dealers (NASD).
(2) The person or entity meets the requirements in paragraph (1)
and has a written contractual agreement with another person or entity
described in paragraph (1) and the contract clearly and explicitly
includes the following:
(A) The rights and obligations between the licensees arising out
of the business relationship relating to insurance or securities
transactions.
(B) An explicit limitation on the use of nonpublic personal
information about a consumer to transactions authorized by the
contract and permitted pursuant to this division.
(C) A requirement that transactions specified in the contract fall
within the scope of activities permitted by the licenses of the
parties.
(b) The restrictions on disclosure and use of nonpublic personal
information, and the requirement for notification and disclosure
provided in this division, shall not limit the ability of insurance
producers and brokers to respond to written or electronic, including
telephone, requests from consumers seeking price quotes on insurance
products and services or to obtain competitive quotes to renew an
existing insurance contract, provided that any nonpublic personal
information disclosed pursuant to this subdivision shall not be used
or disclosed except in the ordinary course of business in order to
obtain those quotes.
(c) (1) The disclosure or sharing of nonpublic personal
information from an insurer, as defined in Section 23 of the
Insurance Code, or its affiliates to an exclusive agent, defined for
purposes of this division as a licensed agent or broker pursuant to
Chapter 5 (commencing with Section 1621) of Part 2 of Division 1 of
the Insurance Code whose contractual or employment relationship
requires that the agent offer only the insurer's policies for sale or
financial products or services that meet the requirements of
paragraph (2) of subdivision (b) of Section 4053 and are authorized
by the insurer, or whose contractual or employment relationship with
an insurer gives the insurer the right of first refusal for all
policies of insurance by the agent, and who may not share nonpublic
personal information with any insurer other than the insurer with
whom the agent has a contractual or employment relationship as
described above, is not a violation of this division, provided that
the agent may not disclose nonpublic personal information to any
party except as permitted by this division. An insurer or its
affiliates do not disclose or share nonpublic personal information
with exclusive agents merely because information is maintained in
common information systems or databases, and exclusive agents of the
insurer or its affiliates have access to those common information
systems or databases, provided that where a consumer has exercised
his or her rights to prohibit disclosure pursuant to this division,
nonpublic personal information is not further disclosed or used by an
exclusive agent except as permitted by this division.
(2) Nothing in this subdivision is intended to affect the sharing
of information allowed in subdivision (a) or subdivision (b).
(a) An entity that negligently discloses or shares nonpublic
personal information in violation of this division shall be liable,
irrespective of the amount of damages suffered by the consumer as a
result of that violation, for a civil penalty not to exceed two
thousand five hundred dollars ($2,500) per violation. However, if the
disclosure or sharing results in the release of nonpublic personal
information of more than one individual, the total civil penalty
awarded pursuant to this subdivision shall not exceed five hundred
thousand dollars ($500,000).
(b) An entity that knowingly and willfully obtains, discloses,
shares, or uses nonpublic personal information in violation of this
division shall be liable for a civil penalty not to exceed two
thousand five hundred dollars ($2,500) per individual violation,
irrespective of the amount of damages suffered by the consumer as a
result of that violation.
(c) In determining the penalty to be assessed pursuant to a
violation of this division, the court shall take into account the
following factors:
(1) The total assets and net worth of the violating entity.
(2) The nature and seriousness of the violation.
(3) The persistence of the violation, including any attempts to
correct the situation leading to the violation.
(4) The length of time over which the violation occurred.
(5) The number of times the entity has violated this division.
(6) The harm caused to consumers by the violation.
(7) The level of proceeds derived from the violation.
(8) The impact of possible penalties on the overall fiscal
solvency of the violating entity.
(d) In the event a violation of this division results in the
identity theft of a consumer, as defined by Section 530.5 of the
Penal Code, the civil penalties set forth in this section shall be
doubled.
(e) The civil penalties provided for in this section shall be
exclusively assessed and recovered in a civil action brought in the
name of the people of the State of California in any court of
competent jurisdiction by any of the following:
(1) The Attorney General.
(2) The functional regulator with jurisdiction over regulation of
the financial institution as follows:
(A) In the case of banks, savings associations, credit unions,
commercial lending companies, and bank holding companies, by the
Department of Business Oversight, Division of Financial Institutions
or the appropriate federal authority;
(B) in the case of any person engaged in the business of insurance,
by the Department of Insurance;
(C) in the case of any investment broker or dealer, investment
company, investment adviser, residential mortgage lender or finance
lender, by the Department of Business Oversight, Division of
Corporations; and
(D) in the case of a financial institution not subject to the
jurisdiction of any functional regulator listed under subparagraphs
(A) to (C), inclusive, above, by the Attorney General.
Nothing in this division shall be construed as altering or
annulling the authority of any department or agency of the state to
regulate any financial institution subject to its jurisdiction.
This division shall preempt and be exclusive of all local
agency ordinances and regulations relating to the use and sharing of
nonpublic personal information by financial institutions. This
section shall apply both prospectively and retroactively.
Nothing in this division shall prevent an insurer, as
defined in Section 23 of the Insurance Code, from combining the form
required by subdivision (d) of Section 4053 with the form required
pursuant to Article 6.6 (commencing with Section 791) of Chapter 1 of
Part 2 of Division 1 of the Insurance Code and state regulations
implementing the provisions of that article, provided that the
combined form meets the requirements contained in paragraph (1) of
subdivision (d) of Section 4053.
The provisions of this division shall be severable, and if
any phrase, clause, sentence, or provision is declared to be invalid
or is preempted by federal law or regulation, the validity of the
remainder of this division shall not be affected thereby.
This division shall become operative on July 1, 2004.