FOR CAUCUS & FLOOR ACTION

  REVISED

 

ARIZONA STATE SENATE

RESEARCH STAFF

NATHANIEL SEARING

LEGISLATIVE INTERN

JULIE SZPERLING

LEGISLATIVE RESEARCH ANALYST

COMMERCE COMMITTEE

Telephone: (602) 542-3171

Facsimile: (602) 542-7833

 

 

TO:                  MEMBERS OF THE SENATE

 

DATE:             March 14, 2002

 

SUBJECT:       Mitchell Strike Everything Amendment to S.B. 1258

Purpose

 

Prohibits a financial institution, local telecommunications service provider and long distance telecommunications service provider from releasing certain nonpublic personal customer information without prior consent from the customer. Establishes a consumer privacy information study committee to examine issues relating to private consumer information purchased and sold by government entities for commercial purposes.

 

Background

 

The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLB), requires financial institutions to inform customers of policies regarding the collection and sharing of nonpublic personal financial information in addition to giving customers the ability to “opt-out” of the financial institutions' sharing of customer information with unaffiliated third parties. Though it deals specifically with financial institutions, the federal law has become the model for proposed broader privacy protection legislation on the state level and is commonly used by other types of businesses as well.

 

Vermont, in 2001, became the first and only state to protect the privacy rights of consumers by implementing an “opt-in” approach towards banking, insurance and securities industries’ use of customer information.  Unlike the GLB “opt-out” approach, which relies on customers removing their personal information from a preconceived list, the Vermont financial privacy regulations require affirmative customer consent before any nonpublic personal information may be shared with third parties.

 

Modeled on the Vermont financial privacy regulations, the strike-everything amendment to S.B. 1258 prohibits financial institutions, local telecommunications service providers and long distance telecommunications service providers (entities) from disclosing any nonpublic personal information to a nonaffiliated third party without affirmative consumer consent. The legislation also establishes a consumer privacy information study committee to examine issues relating to private consumer information purchased and sold by government entities for commercial purposes.

 

The fiscal impact of this measure is unknown.

 

Provisions

Privacy Notice

 

1.      Requires an entity to provide notice of its privacy policies and practices with respect to nonpublic personal information to its customers.

 

2.      Stipulates that a customer relationship is established at the time the entity and a consumer enter into a continuing relationship.

 

3.      Requires an entity to provide the notice annually during the continuation of the customer relationship. Defines “annually.”

 

4.      Prohibits an entity from disclosing, directly or through an affiliate, any nonpublic personal information about a consumer to a nonaffiliated third party other than as described by the initial notice unless:

           

a)      The entity has provided a revised notice that accurately describes its policies and practices to the consumer.

b)      The entity has provided a new opt in notice to the consumer.

c)      The consumer has provided affirmative consent to the disclosure described in the notice.

 

5.      States that an entity has satisfied the initial notice requirements for existing customers purchasing new products or services that are to be used primarily for personal, family or household purposes if:

           

a)      The entity provides a revised policy notice that covers the customer’s new product or service.

b)      The most recent notice provided by the entity to the consumer was accurate with respect to the new product or service.

 

6.      Requires the notice to include the following information:

           

a)      Categories of nonpublic personal information that the entity collects.

b)      Categories of nonpublic personal information that the entity discloses.

c)      Categories of affiliates and nonaffiliated third parties to whom the entity discloses the information.

d)      Categories of disclosed nonpublic personal information about the entity’s former customers and the affiliates and nonaffiliated third parties to whom the information was disclosed.

e)      An explanation of the consumer’s right to opt in prior to the disclosure, including the methods for exercising that right.

f)      Any disclosures that the entity makes under the federal Fair Credit Reporting Act and the federal implementing regulations.

g)      The entity’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.

 

 

 

Opt in Notice

7.      Requires an entity to provide an opt in notice with respect to nonpublic personal information to its customers.

 

8.      Requires the opt in notice to include the following information:

 

a)      The products or services that the consumer obtains from the entity to which opt in direction would apply.

b)      The methods by which a consumer may revoke the opt in direction.

c)      A request in writing that the consumer affirmatively authorizes the disclosure of nonpublic personal information to nonaffiliated third parties.

 

9.      Requires the entity to provide the required notice so that each consumer can reasonably be expected to receive the actual notice in writing.

 

Limits on Disclosure to Nonaffiliated Third Parties

 

10.  Prohibits an entity from disclosing, directly or through an affiliate, any nonpublic personal information about a consumer to a nonaffiliated third party unless:

 

a)      The entity has provided to the consumer an initial privacy notice.

b)      The entity has provided to the consumer an opt in notice.

c)      The entity has obtained from the consumer affirmative consent and consent has not been withdrawn.

 

11.  Requires an entity to comply with the conditions for disclosure of nonpublic personal information to nonaffiliated third parties regardless of whether the entity and the consumer have established a customer relationship.

 

12.  Prohibits an entity from disclosing, directly or through an affiliate, any nonpublic personal information that the entity has collected, regardless of whether it was collected before or after the opt in notice was provided, unless the entity has complied with the conditions for disclosure.

 

13.  Prohibits an entity from disclosing any aggregate list of consumers containing or derived from nonpublic personal information to a nonaffiliated third party, unless the conditions for disclosure have been satisfied for each consumer on the list.

 

14.  Prohibits an entity, directly or through an affiliate, from disclosing, other than to a consumer reporting agency, a policy or account number to any nonaffiliated third party for telemarketing, direct mail marketing or electronic mail marketing unless the entity discloses the number information:

 

a)      To the entity’s service provider solely to market the entity’s own products or services, as long as the service provider is not authorized to directly initiate charges to the account.

b)      To an entity who is a producer solely to market the entity’s own products or services.

 

15.  Stipulates that a consumer’s direction to opt in is effective until the consumer revokes it in writing.

 

16.  States that any withdrawal or revocation of consent is subject to the rights of the entity that acted reasonably in reliance on the consent prior to knowledge of its withdrawal or revocation.

 

17.  Specifies that a customer’s opt in direction continues to apply to the nonpublic personal information collected during or related to that relationship when a customer relationship ends.

 

18.  Specifies that the opt in direction applied to a former relationship does not apply to a new customer relationship.

 

19.  Directs an entity to allow a consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt in.

 

Exemptions

 

20.  Exempts an entity from the opt in requirements when an entity provides nonpublic personal information to a nonaffiliated third party to perform services for the entity or function on the entity’s behalf if the licensee:

           

a)      Provides the required initial privacy notice to the consumer.

b)      Contracts with the nonaffiliated third party to prohibit its disclosure or use of the information other than to carry out the purposes for which the entity disclosed the information.

 

21.  Exempts the initial privacy notice and opt in requirements if the entity discloses nonpublic personal information:

 

a)      As necessary to carry out a transaction that the consumer requests or authorizes.

b)      With consent of the consumer, provided the consumer has not revoked the consent or direction.

c)      To protect the confidentiality or security of an entity’s consumer, service, product or transaction records.

d)      To protect against actual or potential fraud or unauthorized transactions.

e)      For required institutional risk control or for resolving consumer disputes or inquiries.

f)      To holders of legal beneficial interest relating to the consumer.

g)      To persons acting in a fiduciary or representative capacity on behalf of the consumer.

h)      To provide information to agencies that are rating an entity, assessing an entity’s compliance with industry standards, and the entity’s attorneys, accountants and auditors.

i)      To the extent permitted or required under other laws and in accordance with the federal Right to Financial Privacy Act of 1978, to law enforcement agencies, state and federal civil or administrative authorities, self-regulatory organizations or for an investigation on a public safety matter.

j)      To a consumer reporting agency in accordance with the federal Fair Credit Reporting Act.

k)      From a consumer report from a consumer reporting agency.

l)      In connection with a proposed or actual affiliation, reorganization, sale, merger, transfer or exchange of all or a portion of a business or operating unit if the disclosure concerns solely the consumers of the business or unit.

 

Consumer Privacy Information Study Committee

 

22.  Establishes a consumer privacy information study committee to:

 

a)      Examine the types of private consumer information purchased from government entities and used by businesses for commercial purposes and the types of commercial purposes it is being used for.

b)      Determine which public records laws affect the selling of consumer information by government entities.

c)      Make recommendations for limiting access to private consumer information for commercial purposes.

 

23.  Prescribes the membership of the study committee.

 

24.  Requires the study committee to submit a report of its findings and recommendations to the Governor, Legislature, Secretary of State and Arizona State Library, Archives and Public Records by December 31, 2003.

 

25.  Terminates the study committee on December 31, 2003.

 

Miscellaneous

 

26.  Specifies that financial institutions must comply with the regulations governing privacy of consumer information.

 

27.  Prohibits an entity from discriminating against consumers or customers due to not having opted in to the disclosure of their nonpublic personal information.

 

28.  Stipulates that a violation of the regulations governing privacy of consumer information is considered an unlawful practice and subject to enforcement and prosecution by the Attorney General under the consumer fraud statutes.

 

29.  Defines terms.

 

30.  Provides for a general effective date.

 

 

Amendments Adopted by Committee

 

·        Adopted the Mitchell strike-everything amendment.

 

 

 

Senate Action

 

COM          3/13/02     DPA/SE     5-0-1-0

 

NS/jas