In last month’s issue, we mentioned (in “Gnu & Gnoteworthy”) the F.D.I.C. released a report entitled “Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks”. Well, privacy issues are popping up all over the place again.
California Financial Privacy Act
The California Financial Privacy Act of 2003 became effective July 1st and requires banks to give customers the right to opt out of sharing information with bank affiliates with separately regulated lines of business and requires banks to get permission from customers to share information with outside companies. After the law was enacted, the American Bankers Association, Consumer Banking Association and Financial Services Roundtable filed suit claiming the Fair Credit Reporting Act—the federal law regulating sharing of information among affiliates—preempted state law and thus the part of the statute attempting to limit sharing of information among affiliates is invalid. Not so, said the Judge—to the surprise of bankers scrambling to comply—a recent notice from the California Department of Financial Institutions indicated it would begin enforcing the law immediately!
The Judge ruled that since the FCRA only applied to the sharing of “credit reports,” the California law covering a broader range of customer information was not preempted by federal law. Will the ruling be appealed? Will other states follow suit?
California Certainly is Busy
The California Online Privacy Protection Act of 2003 went into effect July 1 with some new requirements for “commercial” website operators that collect “personally identifiable information” from California residents through a website or online service. The law requires website operators to post privacy policies on their websites and requires them to comply with them. Thus, if a website operator doesn’t comply with the Act, not only does a consumer have a potential action for failure to honor the terms of the policy, but the operator would now also be in violation of California law.
Privacy and Outsourcing
In May, the FTC published its response to a letter sent by Congressman Edward J. Markey (D–Mass.) in connection with its efforts to protect personal information of U.S. citizens when information is processed outside the United States. The FTC response deals with the Children’s Online Privacy Protection Act (not to
be confused with COPPA, which has been struck by constitutionality problems), Gramm-Leach-Bliley, the Fair Credit Reporting Act, as well as the Do-Not-Call Registry. The report is a good summary of the non-banking regulatory framework that applies and while you can read the FTC’s responses in each category, suffice it to say that the FTC clearly notes: “Simply because a company chooses to outsource some of its data processing to a domestic or off-shore service provider does not allow that company to escape liability for any failure to safeguard the information adequately.”
FACT Act Regulations Surface
Among other things, the Fair and Accurate Credit Transactions Act of 2003, referred to as the FACT Act, created a new provision of the Fair Credit Reporting Act providing that if an affiliated entity received information that would be characterized as a “consumer report,” the affiliate is not permitted to use the information for marketing unless the consumer has an opportunity to opt out. The FACT Act requires the FTC, banking regulatory agencies, the National Credit Union Administration and the SEC to issue rules surrounding the affiliate information-sharing provisions; and while not required to issue a joint rule, they must coordinate to avoid inconsistency in the regulations. The FTC issued its proposed rules on June 15, and on June 25 the Federal Reserve issued substantially similar proposed rules, which have also been approved by the OCC, Office of Thrift Supervision, and National Credit Union Administration. The SEC has yet to issue its proposed rules. Want to know more? Want your voice to be heard? Having problems understanding what compliance means? Call Rimon. Our Financial Services team, Privacy Team and a range of expertise and experience is at your disposal.
Gateway Learning Settles FTC Privacy Charges
Gateway Learning, which markets the “Hooked on Phonics” brand, settled FTC charges that it rented personal information of consumers to other companies, despite having promised not to. In the Matter of Gateway Learning Corp. (FTC File No. 042-3047), the FTC charged Gateway Learning with changing its privacy policy (an allegedly deceptive and unfair practice) after collecting the information, to allow it to share information with third parties without notifying consumers or getting their consent. The settlement prevents Gateway Learning from making misrepresentations about how it will use information it collects from consumers, from using consumer personal information collected before it made the policy changes unless the consumer consents, and restricts it from retroactively applying future privacy policy changes without first getting consumer consent. Need a privacy policy? Thinking of changing your privacy policy? Want to know how this might affect your policy? Call Rimon. We are happy to help.