California’s Financial Information Privacy Act

California has a number of formal acts in statute. Financial Code Division 1.4 provides the California Financial Information Privacy Act, which is contained in Sections 4050 to 4060. Division 1.4 was added in 2003 by Chapter 241. Section 4050 names the Act.

Section 4051 provides legislative intent language, including that financial institutions should provide their consumers notice and meaningful choice about how consumers’ nonpublic personal information is shared or sold by their financial institutions. In addition, in enacting the California Financial Information Privacy Act, the Legislature intends to afford persons greater privacy protections than those provided in Public Law 106-102, the federal Gramm-Leach-Bliley Act, and that this division be interpreted to be consistent with that purpose.

Section 4051.5 provides legislative findings and declarations, including that federal banking legislation, known as the Gramm-Leach-Bliley Act, which breaks down restrictions on affiliation among different types of financial institutions, increases the likelihood that the personal financial information of California residents will be widely shared among, between, and within companies.

In addition, the Legislature intends to ensure that Californians have the ability to control the disclosure of what the Gramm-Leach-Bliley Act calls nonpublic personal information, as well as to provide consumers with the ability to prevent the sharing of financial information among affiliated companies through a simple opt-out mechanism via a clear and understandable notice provided to the consumer.

Section 4052 contains definitions for the following terms: “nonpublic personal information”; “personally identifiable financial information”; “financial institution”; “affiliate”; “nonaffiliated third party”; “consumer”; “control”; “necessary to effect, administer, or enforce”; “financial product or service”; “clear and conspicuous”; and, “widely distributed media.”

Section 4052.5 prohibits a financial institution from selling, sharing, transferring, or otherwise disclosing nonpublic personal information to or with any nonaffiliated third parties without the explicit prior consent of the consumer to whom the nonpublic personal information relates.

Section 4053 prohibits a financial institution from disclosing to, or sharing a consumer’s nonpublic personal information with, any nonaffiliated third party, unless the financial institution has obtained a consent acknowledgment from the consumer that authorizes the financial institution to disclose or share the nonpublic personal information.

In addition, a financial institution cannot discriminate against or deny an otherwise qualified consumer a financial product or a financial service because the consumer has not provided consent to authorize the financial institution to disclose or share nonpublic personal information pertaining to him or her with any nonaffiliated third party. 

Also, a financial institution must utilize a form, statement, or writing to obtain consent to disclose nonpublic personal information to nonaffiliated third parties. The form, statement, or writing must meet specified criteria. Moreover, a financial institution cannot disclose to, or share a consumer’s nonpublic personal information with, an affiliate unless the financial institution has clearly and conspicuously notified the consumer annually in writing that the nonpublic personal information may be disclosed to an affiliate of the financial institution and the consumer has not directed that the nonpublic personal information not be disclosed. 

Additionally, a financial institution cannot discriminate against or deny an otherwise qualified consumer a financial product or a financial service because the consumer has directed that nonpublic personal information pertaining to him or her not be disclosed. 

Finally, nothing in this division restricts or prohibits the sharing of nonpublic personal information between a financial institution and its wholly owned financial institution subsidiaries; among financial institutions that are each wholly owned by the same financial institution; among financial institutions that are wholly owned by the same holding company; or among the insurance and management entities of a single insurance holding company system consisting of one or more reciprocal insurance exchanges which has a single corporation or its wholly owned subsidiaries providing management services to the reciprocal insurance exchanges, provided that in each case all of the specified requirements are met.

Section 4053.5 provides that an entity that receives nonpublic personal information from a financial institution under this division cannot disclose this information to any other entity, unless the disclosure would be lawful if made directly to the other entity by the financial institution.

Section 4054 precludes a financial institution from being required to provide a written notice to a consumer if the financial institution does not disclose nonpublic personal information to any nonaffiliated third party or to any affiliate.

Section 4054.6 provides that, when a financial institution and an organization or business entity that is not a financial institution (“affinity partner”) have an agreement to issue a credit card in the name of the affinity partner (“affinity card”), the financial institution must be permitted to disclose to the affinity partner in whose name the card is issued only specified information pertaining to the financial institution’s customers who are in receipt of the affinity card. In addition, certain disclosures are only permitted if specified requirements are met.

Section 4056 provides that this division does not apply to information that is not personally identifiable to a particular person. In addition, a financial institution may release nonpublic personal information only under specified circumstances.

Section 4056.5 provides that the provisions of this division do not apply to any person or entity that meets certain requirements. The restrictions on disclosure and use of nonpublic personal information, and the requirement for notification and disclosure provided in this division, does not limit the ability of insurance producers and brokers to respond to written or electronic, including telephone, requests from consumers seeking price quotes on insurance products and services or to obtain competitive quotes to renew an existing insurance contract, provided that any nonpublic personal information disclosed pursuant to this subdivision is not be used or disclosed except in the ordinary course of business in order to obtain those quotes.

Section 4057 provides that an entity that negligently discloses or shares nonpublic personal information in violation of this division is liable, irrespective of the amount of damages suffered by the consumer as a result of that violation, for a civil penalty not to exceed $2,500 per violation. However, if the disclosure or sharing results in the release of nonpublic personal information of more than one individual, the total civil penalty awarded pursuant to this subdivision cannot exceed $500,000.

In determining the penalty to be assessed pursuant to a violation of this division, the court is required to take into account specified factors. In addition, where a violation of this division results in the identity theft of a consumer, the civil penalties set forth in this section must be doubled.

Section 4058 precludes this division from being construed as altering or annulling the authority of any department or agency of the state to regulate any financial institution subject to its jurisdiction. Section 4058.5 states that this division preempts and is exclusive of all local agency ordinances and regulations relating to the use and sharing of nonpublic personal information by financial institutions. This section applies both prospectively and retroactively.

Section 4059 provides that the provisions of this division are severable, and if any phrase, clause, sentence, or provision is declared to be invalid or is preempted by federal law or regulation, the validity of the remainder of this division will not be affected thereby. Section 4060 provides that this division became operative on July 1, 2004.