Decision May Further Restrict Financial Institutions’ Activities
Financial institutions that want to share customer information with their affiliates must now give California residents more notice and control over how that information is shared. The Ninth Circuit recently ruled that the Fair Credit Reporting Act (FCRA) does not preempt California’s Financial Information Privacy Act (commonly referred to as “SB1”) from being applied to any information that is not a “consumer report.” American Bankers Association v. Lockyer, --- F.3d ----, 2008 WL 4070308.
This ruling adds clarity to an earlier Ninth Circuit decision that held that the FCRA preempts SB1 with respect to consumer reports. American Bankers Association v. Gould, 412 F.3d 1081 (9th Cir. 2005).
The Ninth Circuit found that while the FCRA preemption provisions constrained SB1’s notice and opt-out requirements, the court could sever the preempted application of the provisions. The court believed this interpretation clearly furthered the legislature’s intent when passing the law. The majority therefore found that the FCRA only prohibits SB1’s application to consumer report information and that the law could be applied to all other data.
Judge Wallace dissented from the opinion, arguing that, while SB1 gives the court authority to sever any “phrase, clause, sentence or provision,” such authority does not extend to differing applications of the statute.
This decision means that non-consumer report information is now subject to California’s stricter privacy regulations regarding affiliate sharing. Under the FCRA, consumer reports include any information that is:
- provided by a consumer reporting agency;
- bears on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living (the socalled “seven characteristics”); and
- is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for credit or insurance to be used primarily for personal, family, or household purposes; employment purposes; or certain government licenses.
Therefore, the sharing of information about California residents not captured by this definition is constrained by SB1. Because courts have held that virtually all information about consumers bears on one of the seven characteristics, the critical questions in determining whether information is a consumer report and therefore exempt from SB1 are whether it is: (1) provided by a consumer reporting agency, and (2) expected to be used for one of the purposes discussed above. See TransUnion v. Federal Trade Commission, 267 F.3d 809 (D.C. Cir. 2001) (“[A]lmost any information about consumers arguably bears on their personal characteristics or mode of living.”).
The practical impact of this decision is that financial institutions that wish to share information other than consumer reports with their affiliates must provide California residents with notices that follow the prescribed statutory language, and allow them to optout and prevent companies from sharing that information (there are exceptions to the optout requirements, including data transfers done at the request of the consumer and transfers necessary to administer a transaction). Moreover, companies may draft their own notices, but they must be approved by banking regulators or the Office of Attorney General.
Ultimately, this ruling likely will have the biggest effect on financial institutions’ ability to cross market products offered by affiliates to California residents.