April 17, 2003
Dear Attorney General Lockyer:
Pursuant to Elections Code Section 9005, we have reviewed the proposed initiative entitled the “California Financial Privacy Act” (File No. SA2003RF0006).
Current federal law allows businesses to share customer information (such as names, addresses, and credit information) with other businesses without customer consent. This sharing of information occurs both between related (or “affiliated”) companies and unaffiliated firms. Individuals can “opt out” of such data sharing between unaffiliated companies, but there is no such provision for affiliated companies.
This measure prohibits businesses involved in financial-related activities (as defined by federal law) from disclosing information and data about their customers unless they have obtained the customer’s consent (an “opt in” provision). The measure requires the Attorney General to establish regulations on the method for obtaining a customer’s consent. The restrictions would apply to both affiliated and unaffiliated companies. Federal regulations define the types of businesses that would be subject to the measure. In addition to banks, these include check cashers, accountants, investment advisors, retailers that issue their own credit cards, and automobile dealerships that lease vehicles. Violations of the measure are subject to civil penalties.
The measure permits information sharing without customer consent for specified purposes—such as processing transactions requested by customers, preventing or investigating fraud, enforcing the law, maintaining customer accounts, and other similar purposes permitted under federal law.
The measure could be amended through a bill passed by a majority vote in each house of the Legislature and signed by the Governor.
Enforcement Costs. The measure requires the Attorney General to develop regulations on customer consent. The one-time costs to develop these regulations would likely be minor. The level of ongoing enforcement costs by the state and local governments would depend on decisions by the Legislature and local governments, but could total more than $1 million annually. Any enforcement costs would be partially offset by increased civil penalty revenues.
State and Local Government Applicability. A number of government entities provide financial-related services, such as retirement benefits and student financial aid. In some cases, these programs share customer information with other entities—such as for the production and mailing of newsletters and annual statements. Federal law does not specify whether these government services are subject to regulations regarding information sharing among financial-related businesses. As a result, the applicability of the proposed measure to the state and local governments would depend upon interpretation of the measure. Even if governmental entities are covered by the measure, their activities appear to be allowable (as part of maintaining customer accounts) without customer consent. If the measure restricted these government activities, however, there would be some compliance costs.
Other Possible Impacts. The measure would affect the types of information that certain businesses could share. This could affect the operations of these businesses and their profitability, potentially resulting in some reduction in the tax revenues paid to state and local governments.
Summary. This measure would result in state and local government enforcement costs potentially over $1 million annually, partially offset by increased civil penalty revenues. Depending on implementation issues, the measure could also result in some state and local compliance costs and some revenue reductions.