ARIZONA STATE SENATE
Phoenix, Arizona
REVISED
release of information; written authorization (NOW: consumer information privacy)
Purpose
Prohibits bell operating companies from releasing certain nonpublic personal customer information without prior consent from the customer. Establishes a consumer privacy information study committee to examine issues relating to private consumer information shared by government entities and businesses for commercial purposes.
Background
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLB), requires financial institutions to inform customers of policies regarding the collection and sharing of nonpublic personal financial information in addition to giving customers the ability to “opt-out” of the financial institutions' sharing of customer information with unaffiliated third parties. Though it deals specifically with financial institutions, the federal law has become the model for proposed broader privacy protection legislation on the state level and is commonly used by other types of businesses as well.
Vermont, in 2001, became the first and only state to protect the privacy rights of consumers by implementing an “opt-in” approach towards banking, insurance and securities industries’ use of customer information. Unlike the GLB “opt-out” approach, which relies on customers removing their personal information from a preconceived list, the Vermont financial privacy regulations require affirmative customer consent before any nonpublic personal information may be shared with third parties.
Modeled on the Vermont financial privacy regulations, S.B. 1258 prohibits bell operating companies from disclosing any nonpublic personal information to a nonaffiliated third party without affirmative consumer consent. The legislation also establishes a consumer privacy information study committee to examine issues relating to private consumer information shared by government entities and businesses for commercial purposes.
The fiscal impact of this measure is unknown.
Provisions
Privacy Notice
1. Requires an entity to provide notice of its privacy policies and practices with respect to nonpublic personal information to its customers.
2. Stipulates that a customer relationship is established at the time the entity and a consumer enter into a continuing relationship.
3. Requires an entity to provide the notice annually during the continuation of the customer relationship. Defines “annually.”
4. Prohibits an entity from disclosing, directly or through an affiliate, any nonpublic personal information about a consumer to a nonaffiliated third party other than described by the initial notice unless:
a) The entity has provided a revised notice that accurately describes its policies and practices to the consumer.
b) The entity has provided a new opt in notice to the consumer.
c) The consumer has provided affirmative consent to the disclosure described in the notice.
5. States that an entity has satisfied the initial notice requirements for existing customers purchasing new products or services that are to be used primarily for personal, family or household purposes if:
a) The entity provides a revised policy notice that covers the customer’s new product or service.
b) The most recent notice provided by the entity to the consumer was accurate with respect to the new product or service.
6. Requires the notice to include the following information:
a) Categories of nonpublic personal information that the entity collects.
b) Categories of nonpublic personal information that the entity discloses.
c) Categories of affiliates and nonaffiliated third parties to whom the entity discloses the information.
d) Categories of disclosed nonpublic personal information about the entity’s former customers and the affiliates and nonaffiliated third parties to whom the information was disclosed.
e) An explanation of the consumer’s right to opt in prior to the disclosure, including the methods for exercising that right.
f) The entity’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.
Opt in Notice
7. Requires an entity to provide an opt in notice with respect to nonpublic personal information to its customers.
8. Requires the opt in notice to include the following information:
a) The products or services that the consumer obtains from the entity to which opt in direction would apply.
b) The methods by which a consumer may revoke the opt in direction.
c) A request in writing that the consumer affirmatively authorizes the disclosure of nonpublic personal information to nonaffiliated third parties.
9. Requires the entity to provide the required notice so that each consumer can reasonably be expected to receive the actual notice in writing.
Limits on Disclosure to Nonaffiliated Third Parties
10. Prohibits an entity from disclosing, directly or through an affiliate, any nonpublic personal information about a consumer to a nonaffiliated third party unless:
a) The entity has provided to the consumer an initial privacy notice.
b) The entity has provided to the consumer an opt in notice.
c) The entity has obtained from the consumer affirmative consent and consent has not been withdrawn.
11. Requires an entity to comply with the conditions for disclosure of nonpublic personal information to nonaffiliated third parties regardless of whether the entity and the consumer have established a customer relationship.
12. Prohibits an entity from disclosing, directly or through an affiliate, any nonpublic personal information that the entity has collected, regardless of whether it was collected before or after the opt in notice was provided, unless the entity has complied with the conditions for disclosure.
13. Prohibits an entity from disclosing any aggregate list of consumers containing or derived from nonpublic personal information to a nonaffiliated third party, unless the conditions for disclosure have been satisfied for each consumer on the list.
14. Prohibits an entity, directly or through an affiliate, from disclosing, other than to a consumer reporting agency, a policy or account number to any nonaffiliated third party for telemarketing, direct mail marketing or through electronic mail marketing unless the entity discloses the number information:
a) To the entity’s service provider solely to market the entity’s own products or services, as long as the service provider is not authorized to directly initiate charges to the account.
b) To an entity who is a producer solely to market the entity’s own products or services.
15. Stipulates that a consumer’s direction to opt in is effective until the consumer revokes it in writing.
16. States that any withdrawal or revocation of consent is subject to the rights of the entity that acted reasonably in reliance on the consent prior to knowledge of its withdrawal or revocation.
17. Specifies that a customer’s opt in direction continues to apply to the nonpublic personal information collected during or related to that relationship when a customer relationship ends.
18. Specifies that the opt in direction applied to a former relationship does not apply to a new customer relationship.
19. Directs an entity to allow a consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt in.
Exemptions
20. Exempts an entity from the opt in requirements when an entity provides nonpublic personal information to a nonaffiliated third party to perform services for the entity or function on the entity’s behalf if the licensee:
a) Provides the required initial privacy notice to the consumer.
b) Contracts with the nonaffiliated third party to prohibit its disclosure or use of the information other than to carry out the purposes for which the entity disclosed the information.
21. Exempts the initial privacy notice and opt in requirements if the entity discloses nonpublic personal information:
a) As necessary to carry out a transaction that the consumer requests or authorizes.
b) With consent of the consumer, provided the consumer has not revoked the consent or direction.
c) To protect the confidentiality or security of an entity’s consumer, service, product or transaction records.
d) To protect against actual or potential fraud or unauthorized transactions.
e) For required institutional risk control or for resolving consumer disputes or inquiries.
f) To holders of legal beneficial interest relating to the consumer.
g) To persons acting in a fiduciary or representative capacity on behalf of the consumer.
h) To provide information to agencies that are rating an entity, assessing an entity’s compliance with industry standards, and the entity’s attorneys, accountants and auditors.
i) To the extent allowed or required under other laws, to law enforcement agencies, state and federal civil or administrative authorities, self-regulatory organizations or for an investigation on a public safety matter.
j) To a consumer reporting agency in accordance with the federal Fair Credit Reporting Act.
k) From a consumer report from a consumer reporting agency.
l) In connection with a proposed or actual affiliation, reorganization, sale, merger, transfer or exchange of all or a portion of a business or operating unit if the disclosure concerns solely the consumers of the business or unit.
Consumer Privacy Information Study Committee
22. Establishes a 14-member consumer privacy information study committee to:
a) Examine the types of private consumer information shared by government entities and businesses for commercial purposes and the types of commercial purposes they are being used for.
b) Determine which public records laws affect the selling of consumer information by government entities.
c) Make recommendations for limiting access to private consumer information for commercial purposes.
23. Prescribes the membership of the study committee.
24. Requires the study committee to submit a report of its findings and recommendations to the Governor, Legislature, Secretary of State and Arizona State Library, Archives and Public Records by December 31, 2003.
25. Terminates the study committee on June 1, 2004.
Miscellaneous
26. Prohibits an entity from discriminating against consumers or customers due to not having opted in to the disclosure of their nonpublic personal information.
27. Stipulates that a violation of the regulations governing privacy of consumer information is considered an unlawful practice and subject to enforcement and prosecution by the Attorney General under the consumer fraud statutes.
28. Defines terms.
29. Provides for a general effective date.
Amendments Adopted by Committee
· Adopted the Mitchell strike-everything amendment.
Amendments Adopted by Committee of the Whole
1. Applies provisions of the measure to only bell operating companies.
2. Modifies the membership of the study committee, as follows:
a) Reduces to one representative from businesses that purchase consumer information from government entities.
b) Adds two representatives of businesses that share consumer information with nonaffiliated third parties.
c) Adds one representative who has expertise in information sharing as it relates to the internet.
3. Charges the study committee to look at the sharing of consumer privacy information within the private sector.
4. Extends the repeal date of the study committee to June 1, 2004.
5. Makes technical and conforming changes.
Senate Action
COM 3/13/02 DPA/SE 5-0-1-0
3rd Read 3/21/02 29-0-1-0
Prepared by Senate Staff
March 22, 2002