The California Financial Information Privacy Act needs only Gov. Gray Davis' signature, which he has said he will provide, to become law.
The legislation, which mandates opt-in consent for the sharing of financial data, was approved in the state Senate 31-6 yesterday and in the Assembly 76-1 on Monday. The embattled bill was co-authored by state Sens. Jackie Speier and John Burton and introduced in December 2002.
With the bill's passage, Speier vowed to work to get a similar measure passed on the federal level. But one privacy expert said that goal might be a bit premature.
“I don't think it's likely any time soon, and I would suspect that there will be legal challenges to the state law by the industry,” said Robert Gellman, a Washington-based privacy and information policy consultant and DM News columnist.
As it stands, the California privacy bill was weakened on its way to getting passed. After repeated defeats in the legislature, a revised version of the bill agreeable to most was drafted last week.
Among the changes along the way were the delay of implementation until July 1, 2004; elimination of a one-check option for maximum privacy protection; and relief from making financial institutions provide mandatory postage-paid envelopes as long as two other free options for opting in and out exist such as toll-free telephone lines and e-mail addresses.
The California Bankers Association and the Personal Insurance Federation of California came out with statements in support of the bill over the possible alternative. But concerns remain among financial institutions.
“When you consider the multi-state nature of so many financial institutions and then realize that each institution will have to completely separate its California information and implement a completely different structure for using information, you start to understand the magnitude and cost of such an endeavor,” said Anissa Yates, vice president of communications and public relations at the California Bankers Association.
It's unclear how the California privacy law might influence other states or even financial institutions' privacy practices in general.
“California is 10 percent of the U.S., and banks, especially those that primarily do business in California, are going to have to consider whether they want to do for everybody what they're doing in California,” Gellman said. “Whether this will ultimately become a national standard remains to be seen.”
The current national law is the Gramm-Leach-Bliley Financial Modernization Act of 1999, which took effect July 1, 2001. Under GLB, financial institutions must provide clear disclosure of their privacy policies regarding the sharing of nonpublic personal information with affiliates and third parties, and give notice to consumers and a chance to opt out of sharing nonpublic personal information with nonaffiliated third parties. The privacy notices must be sent annually.
Though there is no set time for Congress to revisit GLB, Gellman said there is interplay between it and the state pre-emption provision of the Fair Credit Reporting Act, which will expire if not renewed by Jan. 1.
“People are talking about pre-emption of FCRA,” Gellman said. “GLB pre-emption issues have not been raised as far as I know but the fight is far from over.”
Had the California bill not passed by today, a stricter version likely would have appeared on the March ballot in the state. After the bill was defeated for the second time in the state Assembly in June, a group called Californians for Privacy Now collected more than 600,000 signatures to get the issue in front of voters.
“I think the development of a deal after all these years of fighting and blocking by the industry is fascinating,” Gellman said. “It says basically that they were scared to death of the referendum, and they must have felt that they were going to lose and it was going to be expensive.”
