Privacy Legislation in California and Congress

After three years of debate, a controversial privacy bill has again failed to advance in the California state legislature. The California Financial Information Privacy Act, known as SB1, was authored and sponsored by state Sen. Jackie Speier (D- San Mateo). The bill failed in a 3-2 vote (with seven abstentions) to advance out of the Assembly Banking and Finance Committee. Among other provisions, the bill would have required financial institutions to get explicit permission from customers (i.e., "opt-in") prior to sharing their personal financial information with third parties. Federal law passed in 1999 as part of the Gramm-Leach-Bliley Act requires firms to offer customers the opportunity to opt-out of such sharing, but does not prohibit states from passing tougher rules. Privacy advocates have been pushing for tougher "opt-in" rules at both the federal and state levels. California was viewed as a prime opportunity to implement opt-in, and increase the pressure on financial institutions to do the same elsewhere. The financial services industry has vigorously opposed such restrictions.

Separately in California, a coalition called Californians for Privacy Now is planning a statewide ballot initiative for the March 2004 primary elections that would take the privacy issue directly to voters. One of the primary backers of the initiative is a financial services CEO, Christian A. Larsen, chairman of E-Loan, Inc. Following the defeat of SB1, Larsen told the American Banker, "There's an elephant in the room which is not being addressed—the unbridled sharing of information, which leads to identity theft, which leads to risk-based profiling." The March 2004 ballot initiative seeks to implement a privacy bill even tougher than the defeated SB1.

Interestingly, the debate underway this summer in the U.S. Congress over amendments to the Fair Credit Reporting Act may directly impact the California ballot initiative, and shape all future attempts to limit information sharing by the states. Currently, the FCRA preempts any state or local attempts to limit the sharing of personal information across corporate affiliates. That preemption will expire at the end of 2003 unless Congress extends it or makes it permanent. SB1 would not have run afoul of this preemption, but a tougher ballot initiative that attempts to control information sharing across affiliates would. Consumer advocacy groups have long pushed for laws that would require firms to give consumers that right to opt-out of affiliate sharing. Some of the more extreme proposals advocate an opt-in rule for affiliate sharing. Both of these proposals are banned at the moment, but that could change if Congress fails to act before the end of the year. Clearly, conditions are ripe for new restrictions in states like California should Congress open the door.