Washington State

House of Representatives

Office of Program Research

BILL ANALYSIS

Financial Institutions & Insurance Committee

HB 2016

Brief Description:  Protecting privacy.

Sponsors:  Representatives McIntire, Hatfield, Benson, Bush, Ruderman, Schual‑Berke, Conway, Kenney, Keiser, Hurst and Kagi.

Brief Summary of Bill

- Requires any entity that collects nonpublic personal information on consumers to disclose its information privacy policy.

- Imposes various notification duties on such information custodians, and requires registration of policies with the attorney general.

- Allows consumers and the attorney general to recover damages, penalties and fees and to obtain injunctions against information custodians for violations of these requirements.

Hearing Date:  2/21/01

Staff:  Bill Perry (786‑7123).

Background:

Until fairly recently, the law has had relatively little to say about the use of customer information held by businesses or other entities.  In 1999, significant federal legislation was enacted that to some extent addresses the use by financial institutions of customer information.  There is no comparable state law with respect to information held by financial institutions.  There is also no comparable federal or state legislation that deals with consumer information held by other kinds of entities.

Federal and State Constitutions - The federal and state constitutions both contain, either explicitly or through case law, a guarantee of a right to privacy.  However, these constitutional provisions serve to protect individuals from intrusion by government.  They do not, generally speaking, protect an individual's privacy from the actions of non-government entities.

Federal Statutes Relating to Financial Institutions - The recent Gramm-Leach-Bliley Act (GLBA) made major revisions to federal law on financial services.  The act allows greater affiliation of banks, insurance companies, and securities firms.

Title V of the GLBA deals with the privacy of personal information held by financial institutions.  Financial institutions and their affiliates have an affirmative duty to respect and protect the privacy of their customers' nonpublic personal information.  "Financial institution" is defined broadly in this section of the new law to include most financial services providers.  Regulatory agencies must establish standards to ensure the security and confidentiality of customers' records and information and to protect against unauthorized access to this information.  Every financial institution must disclose its privacy policy to new customers and re-disclose the privacy policy to customers at least annually.  Before disclosing customer nonpublic personal information to a non-affiliated third party, a financial institution must: (1) clearly and conspicuously disclose to the customer that the information may be disseminated to third parties; and (2) provide the customer with an opportunity to prevent the information from being released.  A financial institution cannot disclose account numbers or other access numbers or codes to non-affiliated third parties for telemarketing or other marketing purposes.  These restrictions do not apply to sharing information with affiliates.

States are authorized to provide stronger privacy protections than those afforded by the GLBA, and the Federal Trade Commission is given authority to determine whether a state restriction is more stringent than a federal regulation.

In addition to the GLBA there are several federal statutes that deal with private financial information.  These include:

- The Right to Financial Privacy Act prohibits a financial institution from sharing customer financial information with the government unless the government complies with certain legal requirements.

- The Electronic Funds Transfer Act requires the disclosure to consumers of the circumstances under which account information will be shared with others.

- The Fair Credit Reporting Act regulates credit reporting agencies and generally prohibits disclosure of credit information by financial institutions and others except for customer-initiated transactions and information normally provided to a credit reporting agency.

- Federal credit unions, under the Federal Credit Union Act, must hold in confidence customers' personal information except to the extent it is needed to complete customer-initiated transactions or is normally reported to credit reporting agencies.

State Statutes Relating to Financial Institutions - There are some Washington state statutes that deal with private financial information.  These include:

- Prohibitions against identity theft and fraudulently obtaining financial information from a financial information repository.

- The state Fair Credit Reporting Act provides protections similar to those of the federal FCRA.

- The state Consumer Protection Act prohibits unfair and deceptive practices by businesses (as does the Federal Trade Commission Act).

State Public Disclosure Act - The public records portion of the state's Public Disclosure Act (PDA) generally makes information held by government agencies "public."  There are exceptions, however, for some kinds of information, and there are also prohibitions on the use of some kinds of public information.  Public inspection is prohibited with respect to dozens of kinds of agency records, from personal information held by public schools, health care facilities and welfare agencies to financial information supplied to the state investment board.

Under the PDA, otherwise public information may be withheld from disclosure if its release would violate a person's right to privacy.  Disclosure violates this right if it would be highly offensive to a reasonable person and it would not be of legitimate concern to the public.

The PDA also specifically does not authorize agencies to sell lists of individuals to anyone for commercial purposes.

Common Law - Court-developed principles of contract, tort, and agency law provide consumers with some legal privacy rights regarding the use of their financial information and the sharing of that information with private organizations.

Summary of Bill:

An "information custodian" is required to adopt and then disclose to consumers an information privacy policy.  A custodian must register its policy with the attorney general.  A custodian is also subject to damages and other civil remedies for violations of these requirements.

Definitions.

An "information custodian" includes any person or entity other than the federal government that collects "nonpublic personal information" about a "consumer" and that shares that information with others for purposes other than those requested by the consumer.

"Nonpublic personal information" is personally identifiable information that is obtained by a custodian but is not "publicly available information" as defined by federal regulations adopted pursuant to the Gramm-Leach-Bliley Act.

"Consumer" means a person who obtains goods or services from a custodian for primarily personal, family, or household use, and a "customer" is a consumer who has an ongoing relationship with a custodian.

Privacy Policy Disclosure to Consumers.

An information custodian must develop a privacy policy regarding the use of nonpublic personal information acquired from consumers that includes at least the following:

- What information is collected;

- How information will be used;

- Whether information will be shared with others;

- With whom information may be shared;

- What information may be shared with others;

- Whether and how a customer may prevent sharing;

- Procedures for correcting errors in information;

- How the security of information is protected.

The policy must be published and disclosed by clear and conspicuous notice in a manner reasonably calculated to give meaningful notice to consumers.  The policy must be disclosed to a consumer at the time of an initial transaction and then at least annually after that.  The custodian must also notify its customers at least 60 days ahead of time regarding proposed changes to the policy, and must notify them within 30 days after the adoption of the changes.

Within 60 days of the adoption of a privacy policy or an amendment to the policy, the custodian must register the policy or amendment with the attorney general.

Noncompliance and Remedies.

A custodian's compliance with the Gramm-Leach-Bliley Act constitutes compliance with the privacy policy disclosure requirements of this act.  Information that is subject to the state's public disclosure act is exempt from the requirements of this act.

Noncompliance is subject to a civil action by a consumer for damages, injunctive relief, and in some cases costs and penalties.  An inadvertent violation allows a consumer to recover damages.  A negligent violation allows a consumer to recover the greater of actual damages or $500, plus costs and attorneys' fees.  A willful violation allows a consumer to recover the greater of three times actual damages or $1,500, plus costs and attorneys' fees.  Violations of the act are also violations of the Consumer Protection Act, and may be enforced under that act as well.

The attorney general is given rule-making authority and the authority to bring civil actions against custodians on the same basis as consumers.

Appropriation:  None.

Fiscal Note:  Requested on February 15, 2001.

Effective Date:  Ninety days after adjournment of session in which bill is passed.