The Legal Environment (California):
Sausage Making in California
Reece Hirsch, Partner
Sonnenschein Nath & Rosenthal LLP
San Francisco, CA
(415) 882-5040
IAPP TRUSTe Symposium: Privacy Futures
June 11, 2004
In recent years, California has been a bellwether state for privacy and security legislation. Legislative trends that first surfaced in California have influenced privacy and security regulation in Congress and state legislatures around the country. The following outline briefly summarizes some recent noteworthy California privacy laws.
For a more complete listing of California privacy laws, see the website of the California Office of Privacy Protection at
- California Financial Information Privacy Act (S.B. 1).
A. General.
On August 27, 2003, California Governor Gray Davis signed into law Senate Bill 1, the California Financial Information Privacy Act (the “Privacy Act”), which amends the California Financial Code. The Privacy Act is intended to give consumers more control over the release and distribution of their nonpublic personal information ("NPI"). The drafters of the Privacy Act viewed the law as an enhancement of the protections afforded by the federal Gramm-Leach-Bliley Act ("GLBA").
The Privacy Act allows consumers to prohibit financial institutions from sharing NPI with both affiliated and non-affiliated companies. The Privacy Act regulates three types of disclosures: (i) information sharing among affiliates; (ii) joint marketing agreements; and (iii) information sharing with non-affiliated third parties. The Privacy Act takes effect on July 1, 2004.
B. Legislative Background.
The California Legislature found that cross-industry affiliation permitted under the GLBA "increases the likelihood that the personal information of California residents will be widely shared among, between and within companies," and that the GLBA's policies to protect financial privacy are "inadequate to meet the privacy concerns of California residents."
The Legislature passed S.B. 1 while proposed state Proposition 977 was approaching its deadline for the last day of circulation. The proposition would have imposed more restrictive requirements on financial institutions than the Privacy Act because it required that consumers specifically consent to allowing the disclosure of their personal financial information "to another person or entity, including an affiliate."
C. Affiliate Sharing.
Rather than prohibiting or restricting affiliate sharing of NPI, the GLBA simply required a study of affiliate sharing practices. The Privacy Act is more stringent than the GLBA in this respect, requiring that California consumers be given the opportunity to "opt-out" of information sharing arrangements with affiliates. The Privacy Act prohibits a financial institution from sharing a consumer's "nonpublic personal information with an affiliate unless the financial institution has clearly and conspicuously notified the consumer annually in writing that the nonpublic personal information may be disclosed to an affiliate of the financial institution and the consumer has not directed that the nonpublic personal information be disclosed." Cal. Financial Code § 4053(b)(1).
Preemption Debate. A debate is brewing over whether the Privacy Act's affiliate sharing provisions are preempted by the federal Fair and Accurate Credit Transactions Act of 2003 ("FACTA"), enacted on December 4, 2003, which amended the Fair Credit Reporting Act ("FCRA"). Section 1681t(b)(2) of the FCRA provides, "No requirement or prohibition may be imposed under the laws of any State . . . with respect to the exchange of information among persons affiliated by common ownership or common corporate control." 15 U.S.C. § 1681t(b)(2). This preemption provision was scheduled to expire on January 1, 2004, but was extended by FACTA.
On April 19, 2004, the American Bankers Association, The Financial Services Roundtable and the Consumer Bankers Association filed a lawsuit in federal district court against California's Attorney General, and the Commissioners of the Departments of Financial Institutions, Corporations and Insurance seeking an injunction to bar enforcement of the Privacy Act's affiliate sharing provisions. American Bankers Ass'n v. Lockyer, U.S. District Court for the Eastern District of California, Case Number 04-778. Representatives of the Department of Insurance have privately expressed an intent to enforce the Privacy Act's affiliate sharing provisions commencing on July 1, 2004.
D. Joint Marketing Agreements.
The Privacy Act provides that a financial institution may enter into a contract with a nonaffiliated financial institution on or before January 1, 2004, for the purpose of offering a financial product or service and sharing information with that third party until January 5, 2005. After January 1, 2005, the contract must meet the following requirements: (i) it must involve a financial product or service provided by one of the parties to the agreement; (ii) the agreement must be jointly offered; and (iii) it must provide that the recipient of the information will agree to maintain confidentiality. Consumers must also receive notice of the joint marketing arrangement and be provided with an opportunity to "opt-out" of the disclosure. Cal. Financial Code § 4053(b)(2).
E. Information Sharing With Nonaffiliated Third Parties.
A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless the financial institution has obtained an "opt-in" consent from the consumer that complies with specific requirements set forth in the Privacy Act. Cal. Financial Code § 4053(a)(1). In this respect, the Privacy Act is more stringent than the GLBA, which only requires that a consumer have the ability to "opt-out" of disclosures to non-affiliated third parties.
F. Penalties.
The Privacy Act provides civil penalties for its violation, to be pursued by the Attorney General, or the entity's functional regulator. Penalties are available in two tiers, depending on whether the disclosure was negligent ($2,500 per individual violation; maximum award of $500,000) or willful (no maximum). Double penalties are provided if a violation results in identity theft.
- Online Privacy Protection Act of 2003 (A.B. 68).
A. General.
Assembly Bill 68, also known as the Online Privacy Protection Act of 2003 (the "Online Privacy Act"), adds new Sections 22575-79 to the California Business and Professions Code. The Online Privacy Act, which takes effect July 1, 2004, requires an operator of a commercial website or online service that gathers "personally identifiable information" from California consumers to provide notice of the operator's privacy policy so that consumers are informed of the potential disclosure, sale or sharing of their information.
B. Personally Identifiable Information.
The Online Privacy Act defines "personally identifiable information" as individually identifiable information about a consumer collected (i) online, by (ii) an operator of a commercial website or online service, and (iii) maintained in accessible form. "Personally identifiable information" includes any of the following:
1. First and last name;
2. Home or other physical address, including street name and name of a city or town;
3. E-mail address;
4. Telephone number;
5. Social Security number;
6. Any other identifier that permits the physical or online contacting of a specific individual; or
7. Any information concerning a user maintained in combination with an identifier described above. Cal. Business & Professions Code § 22577(a).
C. Privacy Policy.
The statute requires website operators who gather and maintain personally identifiable information from California consumers to conspicuously post a privacy policy that conforms to certain formatting constraints. In addition, the privacy policy must:
1. Identify the categories of personally identifiable information that the operator collects and the third party entities with whom the operator may share that personally identifiable information;
2. Describe the process by which the operator notifies consumers who use or visit the site or service of material changes to the operator's privacy policy;
3. If the operator maintains a process for an individual consumer to review and request changes to any of his or her personally identifiable information collected by the operator, provide a description of that process; and
4. Identify the effective date of the policy. Cal. Business & Professions Code § 22575(b).
- California Security Breach Notification Law (S.B. 1386).
A. General.
Senate Bill 1386, which added new Sections 1798.29 and 1798.82 to 1798.84 to the California Civil Code (the "Notification Law"), requires any person or entity conducting business in California to report any breach of security resulting in the disclosure to an unauthorized person of personal information in electronic form. Cal. Civil Code § 1798.82(a). The Notification Law, which became effective July 1, 2003, only applies to security breaches involving the personal information of California residents.
B. Personal Information.
"Personal information" subject to the Notification Law is defined as an individual's first name or first initial, combined with the last name, plus any one of the following identifiers: (i) Social Security number; (ii) driver's license number or California Identification Card number; or (iii) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to the account. Cal. Civil Code § 1798.29(e). If both the individual's name and the accompanying identifiers are encrypted, then the data does not constitute "personal information." The statute does not, however, require any specific form of encryption.
C. Security Breach.
The Notification Law defines a security breach broadly as the "unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information." Cal. Civil Code § 1798.29(d). Good faith use of the data by a company's employees for business purposes generally does not constitute a security breach. Companies must notify affected individuals if it is "reasonably believed" that their personal information has been acquired by an unauthorized person.
D. Notification.
In the event of a security breach, a company must disclose the breach to the California residents whose data has been compromised "in the most expedient time possible and without unreasonable delay." Cal. Civil Code § 1798.82(a). The California Department of Consumer Affairs Office of Privacy Protection recommends that notification be provided within ten days of a determination that a breach has, or is reasonably believed to have, occurred.[1] The statute does not specify the content of the notice, but permits notice in written or electronic form.
E. Civil Actions.
If a business fails to promptly provide the required notices to individuals following a security breach, any customer injured by the violation may bring a civil action against the business to recover damages, such as damages resulting from identity theft.
- Medical Marketing Law.
A. General.
On September 28, 2003, California Governor Gray Davis signed Assembly Bill 715 ("A.B. 715"), which amended the California Confidentiality of Medical Information Act ("CMIA") to limit the use of medical information for marketing activities. Previously, the CMIA did not specifically address the use of medical information for marketing communications. A.B. 715 became effective on January 1, 2004.
B. Patient Authorization Required.
A.B. 715 generally prohibits California health care entities from using or disclosing medical information for marketing communications that are paid for by third parties without the patient's authorization.
C. Marketing Defined.
A.B. 715 defines "marketing" to mean making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Excluded from the definition of "marketing" are:
1. Oral or written communications for which the communicator does not receive direct or indirect remuneration (including, but not limited to, gifts, payments or other economic benefits) from a third party for making the communication;
2. Communications to current enrollees solely to describe network participants, the products or services that are provided or covered, or the availability of more cost-effective pharmaceuticals; and
3. Communications to a patient that are "tailored" to the patient's treatment options and treatment compliance issues for a life-threatening or chronic and seriously debilitating condition, when the health care provider or health plan receives direct or indirect remuneration. This third exception only applies when the communication notifies the patient:
a. In at least 14-point type that the sender has been remunerated and gives the source of the remuneration;
b. That the patient may "opt out" of receiving future remunerated communications; and
c. How the patient may opt out of receiving future communications. If the patient opts out, no future communications may be made after 30 calendar days from the date the individual requests to opt out.
D. A.B. 715 and HIPAA.
A.B. 715 was intended to close a perceived "loophole" in the Health Insurance Portability and Accountability Act ("HIPAA") privacy regulations (the "HIPAA Privacy Rule"). Under the HIPAA Privacy Rule, the definition of "marketing" does not take into account whether the sender received remuneration for making the marketing communication.
For example, under the HIPAA Privacy Rule, a pharmacy may send prescription refill reminders to patients without the patient's authorization, even though a pharmaceutical company paid the pharmacy for the cost of the mailings. Under the HIPAA Privacy Rule, such communications would be permitted as a communication for treatment purposes. Under A.B. 715, such refill reminders would require patient authorization because the pharmaceutical company has paid the pharmacy to make the communications.
E. Authorization Forms.
A.B. 715 also amended the CMIA's authorization standard to require that, effective January 1, 2004, all authorizations for the use and disclosure of health information must be in 14-point type, rather than 8-point type.
- Anti-Spam Legislation.
A. General.
On February 12, 2003, Senate Bill 186 ("S.B. 186") was enacted, which would have amended the California Business and Professions Code to generally prohibit a person or entity located in California from initiating or advertising in unsolicited commercial e-mail advertisements.
S.B. 186 was preempted by Section 8 of the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (the "CAN-SPAM Act of 2003"), which was signed by President Bush on December 16, 2003 and became effective January 1, 2004.
[1] California Department of Consumer Affairs, Office of Privacy Protection, "Recommended Practices on Notification of Security Breach Involving Personal Information," at page 11 (available at