California's Financial Information Privacy Act Affiliate Sharing Provisions Narrowly Survive Complete Preemption

On September 4, 2008, in American Bankers Association v. Lockyer, No. 05-17163, 2008 WL 4070308 (9th Cir. Sept. 4, 2008), the Ninth Circuit Court of Appeals revived part of the California Financial Information Privacy Act (“S.B. 1”), allowing consumers to opt out of certain information-sharing activities between financial institutions and their affiliates. Previously, in the 2005 case American Bankers Ass'n. v. Gould, 412 F.3d 1081 (9th Cir. 2005), the Ninth Circuit ruled that the state statute was preempted by provisions of the Fair Credit Reporting Act (“FCRA”) regarding affiliate sharing of “consumer report” information. The recent 2-1 decision preserves consumers’ rights under California law to restrict affiliate data-sharing related to non-consumer report information.

S.B. 1 sets forth a broad restriction on the sharing of consumer information with affiliates, stating that “[a] financial institution shall not disclose to, or share a consumer’s nonpublic personal information with, an affiliate unless the financial institution has clearly and conspicuously notified the consumer annually in writing . . . that the nonpublic personal information may be disclosed to an affiliate of the financial institution and the consumer has not directed that the nonpublic personal information not be disclosed.” 

FCRA similarly restricts such affiliate sharing; however, FCRA only applies to “consumer report” information. As defined by FCRA, consumer report information is information used to determine a consumer’s eligibility for credit, insurance or employment. In particular, consumer report information may include any information “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part” for purposes of determining eligibility for credit, insurance or employment. Section 625(b)(2) of FCRA preempts states from regulating the exchange of information among affiliates.

Accordingly, in Gould, the Ninth Circuit held that FCRA preempted S.B. 1 insofar as both laws regulated the sharing of consumer report information with affiliates. The Ninth Circuit remanded the case to determine whether S.B. 1’s restrictions on affiliate-sharing with respect to non-consumer report information were severable, and thus, could survive preemption. On remand, a federal district court held that since the court lacked the power to sever the preempted applications of S.B. 1, the statute’s affiliate-sharing restrictions were preempted entirely.

The Ninth Circuit reversed the district court’s ruling. In Lockyer, the Ninth Circuit looked to whether California law permits the court to narrow S.B. 1’s application to avoid complete preemption. The court determined that if the Legislature’s intent “clearly would be furthered by application of the revised version rather than by the alternative of invalidation,” then the court “must revise the statute.” From the language of the statute, the Ninth Circuit found that the California Legislature “would have preferred a narrowed version of [S.B. 1] to no version at all.” Moreover, S.B. 1 contained a severability clause in its enactment of the law – further proof that reforming S.B. 1 to sever its preempted applications would best effectuate the Legislature’s intent. Thus, because S.B. 1 has non-preempted applications, FCRA does not preempt those provisions of S.B. 1 that do not relate to consumer report information.

As a result, certain banks and financial institutions should be mindful that, in addition to the affiliate-sharing restrictions contained in FCRA, California law may require them to provide customers an opportunity to opt out of data-sharing arrangements with affiliates involving non-consumer report information.

Affiliate Marketing Rule Alert: Compliance Deadline is October 1, 2008

Section 214 of the Fair and Accurate Credit Transactions Act (“FACTA”) was enacted to amend the Fair Credit Reporting Act (the “Act”) to give consumers the right to restrict certain entities from using certain information received from their affiliates to make solicitations to that consumer unless the consumer has been provided (1) “clear and conspicuous” notice that the consumer’s information will be shared for such purposes, and (2) an opportunity to opt out of having such information shared for such purposes.

On November 7, 2007, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the National Credit Union Administration issued a joint final rule (along with the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC), which separately adopted and proposed, respectively, similar regulations) under the amended Act (the “Affiliate Marketing Rule” or “Final Rule,” codified at 12 C.F.R. Parts 41, 222, 334, 571 and 717) governing the use of specific consumer information obtained by covered entities from their affiliates for certain marketing purposes.

The Affiliate Marketing Rule became effective on January 1, 2008, and compliance by covered entities is required by October 1, 2008.

Summary of the Final Rule’s Requirements

In general, the Affiliate Marketing Rule prohibits a “person” from using consumer “eligibility information” received from a corporate “affiliate” for making marketing “solicitations” to the consumer, unless:  

  • the consumer is first given a clear, conspicuous, concise and written notice explaining that the person may use eligibility information about that consumer received from an affiliate to make solicitations for marketing purposes;
  • the consumer is first given a reasonable opportunity and a reasonable and simple method to “opt out,” or prohibit the use of the eligibility information to make solicitations for marketing purposes; and
  • the consumer has not opted out thereof. 

Opt-Out Requirements

The opt-out notice must be delivered “so that each consumer can be reasonably expected to receive actual notice.” Examples of delivery methods that can be reasonably expected to provide actual notice include hand-delivery, mailing a printed copy of the notice to the consumer’s last known address, e-mail to consumers who have agreed to receive electronic disclosures from the affiliate providing notice, and posting the notice on a website at which the consumer obtained a product or service electronically and requiring the consumer to acknowledge receipt of the notice.

Once notice has been delivered, a consumer must be given a reasonable opportunity to opt out, and the reasonable opportunity to opt out must be accompanied by a “reasonable and simple” method for exercising the opt-out right, such as a conspicuous check box, a reply form and a self-addressed envelope with the opt-out notice, a toll-free telephone number, and an electronic opt out.

Consumer opt outs must be honored for 5 years, and a renewal notice must be sent to the consumer before the expiration of the initial 5-year opt-out period, giving the consumer an opportunity to extend the opt-out for an additional 5 years. The Final Rule includes model forms that may be used to comply with the Final Rule’s requirements.

Key Definitions

Under the Final Rule, “affiliates” are companies that are related by common ownership or common corporate control with one another. A “solicitation” means the marketing of a product or service initiated by a person to a particular consumer that is based on eligibility information communicated to that person by its affiliate and intended to encourage the consumer to purchase or obtain such product or service. (Communications aimed at the general public such as television or billboard advertisements are not “solicitations,” but marketing emails, telemarketing calls and direct mailings aimed at particular consumers are considered “solicitations.”) 

“Eligibility information,” as defined by the Rule, encompasses any information that, if communicated, would constitute a “consumer report” (as such term is defined by the Act) but for specific statutory exclusions. “Eligibility information” might include, for example, a person’s own transaction or experience information and information from consumer reports or applications, but does not, however, include aggregate or blind data that does not contain personal identifiers. 

Exceptions

The provisions of the Affiliate Marketing Rule do not apply to certain uses of eligibility information obtained from an affiliate in certain situations, including:

  • to make a marketing solicitation to a consumer with whom the person has a “pre-existing business relationship” as that term is defined in the Rule;
  • to facilitate certain communications to a consumer for whose benefit the company has provided employee benefits or other services;
  • to perform services on behalf of an affiliate, except that this does not permit a person to send solicitations on behalf of an affiliate if the affiliate would not be permitted to send the solicitation on its own behalf due to the consumer’s opt-out election;
  • in response to a communication initiated by the consumer;
  • in response to a consumer’s authorization or request to receive a solicitation; and
  • if compliance with the Final Rule would prevent the person from complying with state insurance laws relating to unfair discrimination.

As the compliance deadline quickly approaches, it is important for covered entities to understand that the potential consequences of non-compliance with the Final Rule’s requirements not only could include enforcement by the applicable federal banking agency or the FTC (if the FTC has jurisdiction over such covered entity), but also could result in civil liability to affected consumers (including punitive damages for certain willful actions, as well as attorneys’ fees).

Red Flag Alert -- Compliance Deadline is November 1, 2008

According to regulations published by the Federal Trade Commission and the federal banking agencies, covered companies that hold any customer accounts must implement identity theft prevention programs that identify and detect “Red Flags” signaling possible identity theft.  Companies establishing such programs must create policies and procedures not only to recognize and detect Red Flags, but also to respond to Red Flags by preventing or mitigating potential identity theft. Furthermore, companies must develop reasonable policies and procedures to verify the identity of a customer opening an account, and must also periodically update their identity theft programs.  The rules went into effect on January 1, 2008, and businesses must comply by November 1, 2008.  You can read more about Red Flags in this Client Alert.

Expiration Date Imminent for Many FACTA Class Actions

New amendments to the Fair and Accurate Credit Transactions Act (“FACTA”) (itself an amendment to the Fair Credit Reporting Act (“FCRA”)) bar consumers from alleging willful violation and seeking statutory damages based on the printing of credit card expiration dates on receipts where the account number is otherwise properly truncated in accordance with FACTA. This development means the end is near for scores of class action lawsuits filed last year.

FACTA prohibits the printing of more than five digits of a credit or debit card number or the expiration date on receipts provided to a customer. Since December 4, 2006, consumers have filed hundreds of suits against merchants who allegedly printed a truncated account number and the expiration dates on receipts, arguing that those merchants “willfully” violated FACTA, and seeking $100 to $1,000 for each violation. At least one court has interpreted FACTA to apply to electronic receipts as well as printed ones.

As discussed here last year, the Supreme Court ruled in Safeco Insurance Co. of America, et al. v. Burr, et al. that reckless disregard of the requirements of FCRA can constitute willful violation. The court left open the question of whether it was objectively reasonable for merchants to continue to print expiration dates on customer receipts after the date for compliance with FACTA had passed.

In response to the widespread FACTA litigation, Congress amended FCRA to prevent certain putative consumer class actions. The “Credit and Debit Card Receipt Clarification Act of 2007” (“the Act”), signed by President Bush on June 3, amends FCRA to specify that printing expiration dates on receipts where the account number is otherwise properly truncated does not in and of itself constitute willful noncompliance.  Consumers will not be entitled to pursue suits claiming willful violation, and thus not be entitled to seek statutory damages, merely because an expiration date is printed on an otherwise compliant receipt.  The Act does not affect negligence suits filed by consumers who can show actual harm as a result of the printing of the expiration date, or suits against merchants who are otherwise not in compliance with FACTA’s requirements.  The Act applies to any company that printed an expiration date on any receipt provided to a consumer cardholder at a point of sale or transaction between December 4, 2004, and the date of the enactment. 

Proskauer summer associate Nicole Ross contributed to this post.