Focusing public attention on emerging privacy and civil liberties issues

ABA v. Brown (formerly ABA v. Lockyer)

Top News

  • Supreme Court Maintains California Financial Privacy Law : Today the Supreme Court denied review of the California law that provides customers with privacy safeguards for financial data. The law limits the sale of personal information by financial firms to affiliates, and imposes opt-in requirements. The Ninth Circuit upheld substantial portions of the California Financial Information Privacy Act. EPIC filed a brief in that case favoring the law. Financial firms argued that the California statute conflicts with other federal rules. The Justice Department recommended that the Supreme Court leave the state statute in place. See EPIC ABA v. Brown and EPIC Privacy and Preemption Watch. (Jun. 29, 2009)
  • Obama Administration Recommends that Supreme Court Preserve California Financial Privacy Law, Dismiss Bankers' Appeal: In a filing this week, the Department of Justice urged the nation's highest court to leave intact California's financial privacy law, saying the law does not impose hardships on banks. The California law provides strong financial privacy safeguards, including the right to curtail sale of personal information by financial firms to affiliated companies, and to bar the sale of data to non-affiliates unless consumers explicitly "opt-in." A consortium of financial services companies have challenged the law and, in December 2008, asked the Supreme Court to consider the case. The firms argued that the California statute conflicts with other federal rules. The Supreme Court requested the Administration's view on the case, and has often followed the Department's opinions. Earlier in the litigation, EPIC urged a federal appeals court to uphold the California privacy law. For more information, see EPIC's ABA v. Brown and Privacy and Preemption Watch pages. (Jun. 5, 2009)
  • Federal Appeals Court Upholds California Financial Privacy Law. Today, a federal appeals court upheld substantial portions of California's landmark financial privacy law, reversing a lower court's 2005 decision that invalidated the privacy statute. The law grants Californians the right to curtails sale of their personal information by financial firms to affiliated companies, and prohibits the sale of data to non-affiliates unless consumers explicitly "opt-in." (Sept. 4, 2008)
  • Federal Court Preempts Landmark California Financial Privacy Law. A federal district court has held (PDF) that Fair Credit Reporting Act supercedes, or "preempts," portions of California's landmark financial privacy law. The financial services industry challenged the law, known as SB 1, that allowed Californians to curtail the sale of personal information among a company's affiliates, that is, companies with the same ownership or control. Despite the ruling, provisions of California law that require opt-in consent before data can be sold to third parties (non-affiliates) are still valid. This decision flows from a June 2005 decision from the Ninth Circuit Court of Appeals, ordering the district court to reconsider whether SB 1 was preempted. (Oct. 3, 2005)
  • California Financial Privacy Law Limited by Federal Preemption. The Ninth Circuit Court of Appeals has held (pdf) that some portions of California's Financial Information Privacy Act are superceded by the federal Fair Credit Reporting Act. However, the Court did not interpret the law to completely invalidate California's protections, and most of the law remains intact. A federal judge will now decide the precise scope of the California law's protections. EPIC and a coalition of groups representing 41 million individuals argued in a amicus brief that preemption of state law weakens protections against identity theft and consumer privacy. For more information, see EPIC's Preemption, and Fair Credit Reporting Act pages. (Jun. 21, 2005)
  • EPIC Brief Supports State Privacy Protections. EPIC, joined by a coalition of consumer and civil liberties groups representing 41 million individuals, has filed a brief in support of SB1, California's Financial Information Privacy Act. In the case, ABA v. Lockyer, banks challenged the law, arguing that the federal Fair Credit Reporting Act supercedes the California protections. The brief argues that affiliate sharing causes identity theft and fraud, and is inconsistent with fair information practices. For more information, see the EPIC's Preemption and FCRA Pages. (Sept. 8, 2004)
  • California SB 1 Upheld, Takes Effect Today. A federal judge has upheld (PDF 630k) California's SB 1, the strongest consumer financial privacy law in the country, which takes effect today. Under SB 1, individuals may opt-out of affiliate sharing, and banks are required to obtain opt-in consent before selling data to third parties. Bankers groups had challenged the law, arguing that the federal Fair Credit Reporting Act preempted it, but Judge Morrison C. England, Jr. ruled otherwise, holding that the federal Gramm-Leach-Bliley Act allows states to erect strong financial privacy protections. For more information, see EPIC's Fair Credit Reporting Act, Gramm-Leach-Bliley Act pages. (July 1, 2004)

Introduction

In ABA v. Brown (formerly ABA v. Lockyer), financial services companies are suing to invalidate a California law that provides individuals with strong privacy rights. In 2003, California enacted the California Financial Information Privacy Act, commonly known as "SB1." SB1 provides the strongest financial privacy protection in the nation. It allows customers to "opt-out" of information-sharing practices between affiliated institutions, companies that have common ownership. SB 1 also bars financial institutions from sharing information about consumers with nonaffiliated third parties unless an individual gives his or her express "opt in" consent. However, the legal issue in ABA is limited to the constitutionality of the "opt out" provision for affiliate sharing, and a series of other rights created by SB1 are not being challenged in this case.

In April 2004, the American Bankers Association (ABA), the Financial Services Roundtable and the Consumer Bankers Association filed suit arguing that SB 1 is preempted or superceded by the federal Fair Credit Reporting Act (FCRA). As interpreted by the banking industry, the FCRA imposes a preemptive ceiling on state privacy statutes, thereby preventing any state or local regulation concerning affiliate sharing of consumer information.

However, District Court Judge Morrison C. England, Jr. ruled otherwise, holding that the federal Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) allows states to erect stronger financial privacy protections. Judge England's Amended Order, issued on July 9, 2004, concludes that (i) the FCRA was not intended to regulate the simple sharing of information between affiliates, (ii) the only reasonable reading of the FCRA preemption provision is that it prevents states from enacting laws that prohibit or restrict the sharing of consumer reports among affiliates, and (iii) the FCRA preemption provision does not broadly preempt all state laws regulating information sharing by affiliates.

In 2005, the 9th Circuit Court of Appeals ruled that the affiliate-sharing preemption clause of the FCRA preempted the affiliate-sharing provisions of SB1, insofar as SB1 attempts to regulate the communication of "information" between affiliates as defined under the FCRA. Am. Bankers Ass'n v. Gould, 412 F.3d 1081, 1087. The case was remanded to determine whether any portions of the bar on disclosure to affiliates survive federal preemption under this definition of "information." The district court ruled that no pertinent portion of SB1 survived federal preemption, and were thus invalid.

The 9th Circuit then reversed the district court's preemption ruling, and held that: 1) substantial sections of SB1 are not preempted by federal law; and 2) California law demands that the court reform the pertinent sections to sever its preempted applications. In reforming the statute, the court narrowed the affiliate-sharing provisions of SB1 to exclude the regulation of consumer report information as defined by the FCRA, but preserve other privacy protections.

EPIC's Interest

Preserving states' right to regulate is important for privacy protection. Most privacy protections come from state, not federal law. Throughout history, state and local governments have served an important role as real-world laboratories for innovative health and safety policy initiatives. States enjoy a unique local perspective that allows them to craft and test programs to protect consumers. State legislatures are also closer to the constituents they represent and the business communities they regulate. They are the first to see trends and problems, and are well-suited to address new challenges and opportunities that arise from evolving technologies and business practices. Thus, it is important that state lawmakers retain the ability to tailor consumer protections to the needs of regional economies and constituencies. For detailed policy arguments against preemption of privacy law, see EPIC's Privacy and Preemption Page.

Federal privacy law is weak and allows prodigious information sharing. Federal law now allows a broad spectrum of financial institutions to affiliate and operate under a single corporate umbrella - a financial holding company. These diverse institutions engage in a wide range of activities and compile a vast amount of information about their customers. Each time a customer interacts with a single financial institution, a digital record of that interaction may be created and shared by that company's corporate affiliates. The shared data may include financial, medical and other sensitive information. For example, the types of personal information that may be shared include all information on applications to obtain financial services (including credit card or loan applications), bank and credit card numbers and account histories, and the fact that an individual is or was a customer.

Some financial holding companies have thousands of affiliates, making it exceedingly difficult for consumers to understand how personal information provided to a single entity will be employed for secondary purposes across the entity's affiliate structure. CitiGroup, Inc., for example, has over 2700 corporate affiliates. Similarly, Bank of America has almost 1500. Given the vast number of corporate affiliates, individuals have limited insight into how, and for what purposes, their personal information is used by companies with whom they have no contact or business relationship. Furthermore, when information is misused by one of the thousands of an institution's affiliates and marketing partners, individuals are often unable to identify the offender due to the lack of visibility into affiliate sharing policies.

Significant privacy risks are created each time an individual's personal information is shared with an affiliate. It is possible that a single entity collecting personal data may have a relatively secure technology platform to protect against computer hackers and other types of security breaches. Upon investigation, a consumer may feel comfortable providing such an entity with sensitive information in exchange for the customer service benefit it produces. However, it is a practical certainty that at least one of the potentially thousands of companies with whom the collecting entity may share personal information will not employ equivalent security standards. Variations in technology, personnel, and resources dictate that the protection of sensitive consumer information is inconsistent across affiliates. Absent SB 1's "opt out" provision, consumers in California are stripped of all control over the dissemination of their personal information once it is obtained by a financial institution.

Information sharing can lead to fraud. Major financial institutions have used their aggregate customer lists to target consumers for fraudulent telemarketing schemes. Capital One, Chase Manhattan, Citibank, First U.S.A., Fleet Mortgage, GE Capital, MBNA America, and U.S. Bancorp all have provided their customers' personal and confidential information to fraudulent telemarketers.

In these cases, financial institutions provided telemarketers with the names, telephone numbers and other information about their customers. They also gave them the ability to charge customers' accounts without having to ask consumers to provide an account number. This practice, called preacquired account telemarketing, has subjected thousands of individuals to unauthorized charges for products and services they never wanted or ordered. In one case, during a thirteen-month period a national bank processed 95,573 cancellations of membership clubs and other products that were billed by preacquired account telemarketers without customers' authorization.

Even non-customers can be defrauded by information sharing. In some cases, the sharing of financial information has allowed businesses to defraud non-customers as well. This can occur where a bank sells personal information to another business. Charter Pacific Bank sold its database containing 3.6 million valid credit card account numbers to a convicted felon who then fraudulently billed the accounts for access to Internet pornography sites that victims had never visited. In fact, approximately 45% of the victims did not even own a computer. Charter Pacific did not develop the database from its own customers' information. Instead, it compiled the information from credit card holders who had purchased goods and services from merchants that had accounts at Charter Pacific. The information included the date of sale, account number, and dollar amount of every credit card transaction processed by the bank's merchant customers. The unrestricted sharing of this information resulted in over $44 million of unauthorized charges.

Affiliate sharing can expose the elderly and other at-risk consumers to increased likelihood of fraud. For example, NationsBank shared with its affiliated securities company data on bank customers with low-risk, maturing federally insured CDs. The affiliate, NationsSecurity, then aggressively marketed high-risk investments to these conservative investors, misleading many customers to believe that the investments were as safe and reliable as federally insured CDs. Many customers, including retired elderly, lost significant portions of their life savings. After an investigation, the Securities and Exchange Commission found that the companies intentionally blurred the distinction between the bank and the brokerage, and between the insured CDs and riskier investment products. Affiliate sharing of customers' information made this possible. NationsBank provided the investment representatives with maturing CD customer lists, as well as customers' financial statements and account balances. As a result, when these investment representatives called NationsBanks' customers and indicated that they were with the "investment division" of the bank, many customers reasonably believed that they were bank employees, not brokers. NationsBank is not the only bank to have engaged in such a practice. First Union settled a private lawsuit alleging a similar scheme.

Identity theft is fueled by insiders--financial services company employees--with access to your personal information. The unrestricted sharing of consumers' information also facilitates criminal activity, such as theft of financial identity. Identity theft is one of the nation's fastest growing white-collar crimes. Many of these identity theft cases are "insider jobs," committed by employees who obtain access and misuse individuals' personal information stored in their employers' databanks. A soon-to-be-published survey by researchers at Michigan State University found that up to 70% of identity theft cases involve an insider with access to personal information.

Public opinion polls show strong support for more privacy protection. Independent polls demonstrate that Americans want more control over the use of their personal information. Over a decade of public opinion polling has demonstrated that individuals care about the privacy of their personal information, and that they want protections in law following Fair Information Practices. In 1990, a Harris Poll showed that 65% of Americans favored the creation of a privacy protection commission. A year later, a Time-CNN poll showed that 93% of respondents believed that the law should require companies to obtain permission from consumers before selling their personal information. For more public polls on privacy, see EPIC's Privacy and Public Opinion Page.

Resources

District Court Proceedings

Ninth Circuit Court of Appeals Proceedings

Supreme Court Proceedings

News