California was poised to lose one and win two privacy legislation battles last week as the U.S. House of Representatives approved changes to the Fair Credit Reporting Act that would override a California privacy law, while two state-level privacy bills moved toward final approval in the California Senate.
The changes to the FCRA, which would make permanent the pre-emption of state law, passed 392-30 on Sept. 10 and would take effect Jan. 1 when the pre-emption provision is set to expire. Other changes included protective measures against identity theft.
The House denied a request by Rep. Maxine Waters, D-CA, to exempt California from pre-emption. Her protest was related to a new California law that would mandate opt-in consent for data sharing. The legislation passed Aug. 19 after changes were made and several financial institutions backed down in their opposition to avoid a stricter March ballot initiative. Gov. Gray Davis signed it into law Aug. 27, and it is set to take effect July 1, 2004.
The fate of the California law depends upon whether the U.S. Senate passes the FCRA changes as they now stand. The Federal Trade Commission, Treasury Department and the Direct Marketing Association all support the passage of the changes to the FCRA.
Meanwhile, two other pieces of state legislation emerged from the California Senate's Judiciary Committee on Sept. 11 and awaited final votes Friday, which was to be the last day of California's legislative session.
The first was S.B. 27, which was amended and passed Sept. 8 in the Assembly by a 75-2 vote. As introduced by state Sen. Liz Figueroa, the bill would have required companies to keep records of all customer data that is shared with third parties offline or online for direct marketing purposes. The bill would require companies to provide a consumer with all the data that was shared and the names of the third-party data users within 30 days of a request by the consumer. It would affect any company doing business in California.
The bill, dubbed “Shine the Light” and introduced Dec. 2, passed the California Senate 26-13 on May 29. It was working its way through the Assembly since June and had been defeated 38-12 Aug. 21, though 30 members did not vote.
Under the amended bill, if a business has a privacy policy that gives consumers a choice not to have their personal information disclosed to third parties for marketing purposes, then it does not need to provide the consumer with the details of what data has been shared and with whom. In that case, it must notify the consumer of his ability to opt out for free.
If the Senate approves the Assembly's changes, the bill would face only Davis, who has not said whether he supports it. If it becomes law, it would take effect Jan. 1, 2005.
The other bill up for a vote was S.B. 590, from state Sen. Jackie Speier. It would prohibit marketers from requiring customers to provide personal information irrelevant to the completion of a transaction. It also would require that businesses sharing customer data with third parties give consumers notice and the choice to opt out.
The bill was introduced Feb. 20 and passed in the Senate on May 12. Before an amendment was added in the Assembly, the bill prohibited all sharing of consumer data except for the completion of transactions. Back in the California Senate, the amended bill was out of committee Sept. 11 and set for a vote Friday.
Though the DMA opposes both California bills, each was amended in favor of direct marketers.
“Our [members already] do this,” DMA spokesman Louis Mastria said. “It's a condition of DMA membership.”
Based on the contents of the DMA's Privacy Promise, which became effective July 1, 1999, all member companies should already be in compliance with S.B. 27 and S.B. 590. Under the Privacy Promise, DMA members must:
* Provide customers with annual notice of their ability to opt out of information exchanges.
* Honor customer opt-out requests not to have their contact information transferred to others for marketing purposes.
* Accept and maintain consumer requests to be on an in-house suppress file to stop receiving solicitations from your company.
* Use the DMA Preference Service suppression files for mail, telephone and e-mail lists.
If a DMA member does not follow the Privacy Promise, it faces censure, suspension or expulsion.
