July 18, 2001, 10:35 AM — California lawmakers, in a key vote Monday, moved closer to rebuking the financial privacy provisions set in federal law by giving consumers in the nation's largest state more control over their financial information than a recently enacted federal law allows.
Financial services groups, worried that California may lead a national push by states toward tougher financial privacy, are lobbying against the bill. Companies that have already spent millions, including IT costs, to comply with the privacy provisions of the Gramm-Leach-Bliley (GLB) Financial Modernization Act, which took effect July 1, face the possibility of having to again change systems to deal with a new set of privacy rules for sharing customer information.
If the California law is adopted, other states may follow, argue industry opponents. "Hypothetically, we would have to come up with 50 different databases for 50 different laws," said Jim Garavaglia, a senior vice president and chief privacy officer at Comerica Inc., a Detroit-based financial services firm.
In approving the GLB law, Congress didn't limit the rights of states to set more restrictive privacy standards. "I think that was a flaw in the law," said Garavaglia.
The California Assembly's Banking and Finance Committee approved the Financial Information Privacy Act, Senate Bill 773, sponsored by state Sen. Jackie Speier, a Daly City-based lawmaker. The bill has already won state Senate approval but it faces additional review by other Assembly committees, a floor vote in that chamber, as well as approval by the governor.
The proposed law differs from the GLB act in two key respects: Unlike the federal law, it gives consumers the ability to "opt-out" of confidential data sharing with affiliated firms. GLB allows personal information sharing to affiliates without consumer consent. Second, the proposed state law requires "opt-in" or affirmative consent rule for companies that want to sell or share customer data to third parties. The federal law only requires opt-out for third parties.
Privacy advocates, as well as many in Congress, believe GLB offers weak privacy protections. Although the California bill applies only to companies that do business in that state, whether they have a physical office in the state or not, the law could have national implications.
"It's not lost on us that a state of 35 million people is in many ways a bellwether for other states," said Robert Herrell, Speier's staff director.
For IT managers, the implications raised by varying privacy rules depend on how integrated their systems are. Financial services companies with disparate databases face greater obstacles in adapting to regulatory changes, said analysts and end users.