SENATE BILL REPORT
SB 5503
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
As of January 26, 2001
Title: An act relating to privacy of personal financial information.
Brief Description: Protecting privacy of personal financial information.
Sponsors: Senators Prentice, Kastama, Costa, Fairley, Thibaudeau, Franklin, Shin, Kline, Gardner, Hargrove, Kohl‑Welles, McAuliffe and Rasmussen.
Brief History:
Committee Activity: Labor, Commerce & Financial Institutions: 1/29/01.
______________________________________________________________________________SENATE COMMITTEE ON LABOR, COMMERCE & FINANCIAL INSTITUTIONS
Staff: David Cheal (786‑7576)
Background: Information technology has greatly facilitated the collection, analysis and dissemination of personal information. The result is that personal information has become a marketable commodity of great value in business marketing, credit analysis and other commercial activities. Another result is that consumers are increasingly privacy conscious and alarmed about whether they have control over use and dissemination of very personal and private information, particularly that information they must provide in the course of dealing with financial institutions.
Concerns range from the annoyance of intrusive marketing, to acquiring an economic profile that determines their access to financial services, to the horror of identity theft.
Consolidation of diverse financial services into single companies or affiliated companies, facilitated by recent federal legislation, is described by the industry as an opportunity to provide better products and services more efficiently to consumers. This consolidation has also raised concerns about increased unauthorized sharing of personal information. News of selling of account number and balance information by a large national bank and other privacy concerns, held up the passage of the Financial Services Modernization Act (the Graham, Leach, Bliley Act) until a personal privacy title could be crafted. The federal act expressly leaves room for stronger state action in the area of privacy protection.
Locally, following legislative hearings the Attorney General formed a work group on privacy representing a wide array of interests. An Attorney General=s request bill was introduced last session, based in part on the work group=s efforts. Bills were introduced in Congress to strengthen the privacy provisions of the Graham, Leach, Bliley Act, but did not pass.
Summary of Bill: The bill is based on four principles: Notice, consent or choice, access and correction, and security. Customers and potential customers must be given notice of the categories of information that may be disclosed, a choice as to whether the information is disclosed, and provided access to the personal information maintained by the financial institution. Customers must be provided with a means of correcting errors. The financial institution must take reasonable precautions to prevent loss, theft or misuse of the personal information it collects.
The bill is limited to the practices of financial institutions. Other businesses are not affected. ?Financial institutions@ are defined under the same provision as the Graham, Leach, Bliley Act, which includes banks, credit unions, other lenders, insurance companies, securities brokers and credit card issuers.
Before a financial institution may disclose nonpublic personal information to an affiliate or third party, it must provide written notice of the type of information it intends to disclose, and give the consumer an opportunity to direct that the information not be disclosed. This requirement does not prohibit disclosure in order to perform services for the financial institution, or to market its own products or services, or products or services offered under a joint agreement between two or more financial institutions, subject to certain conditions.
Financial institutions that acquire information in the course of their services about customers= spending habits and sources of income may not transfer that information to an affiliate or third party without an affirmative consent (?opt in@) from the customer.
Account numbers or access codes may not be disclosed, other than to a consumer reporting agency, for direct marketing purposes.
Third parties and affiliates that receive nonpublic personal information from a financial institution are bound by the same disclosure rules as the financial institution from whom they received it, subject to the same exceptions.
Financial institutions must provide to consumers, upon request, information about the consumer under its control or reasonably available to it, with certain exceptions such as legal requirements placed upon the institution by anti-fraud laws. There must be an opportunity to dispute the accuracy of this information, and present evidence on its accuracy. A financial institution must correct material inaccuracies.
A financial institution must disclose its privacy policy to an individual upon request, and to a consumer before establishing a customer relationship with the consumer, and not less than annually during the continuation of the relationship. The disclosure must include its security measures, how it complies with the disclosure limitations of the act, and what it does with the personal information of former customers.
A number of functionally necessary exceptions to the disclosure limitations are provided that allow financial institutions to comply with various reporting laws, and allow them to complete transactions and services requested by a consumer.
Violations of the act are a violation of the Consumer Protection Act. Class action recoveries are limited to the lesser of $1 million or 1 percent of the net worth of the defendant. For most violations, it is an affirmative defense that the violation was the result of a bona fide unintentional error.
Appropriation: None.
Fiscal Note: Not requested.
Effective Date: Ninety days after adjournment of session in which bill is passed.