|
|
|
|
|
ORDINANCE NO._______________BOARD OF SUPERVISORS, COUNTY OF SAN MATEO,STATE OF CALIFORNIA |
* * * * * * |
AN ORDINANCE REGULATING THE DISCLOSURE OF CONFIDENTIAL CONSUMER INFORMATION BY FINANCIAL INSTITUTIONS |
The Board of Supervisors of the County of San Mateo, State of California, ORDAINS, as follows: |
SECTION 1. |
Chapter 5.140, consisting of Sections 5.140.010 to 5.140.090, of Title 5 of the San Mateo County Ordinance Code are hereby added as follows: |
| |
|
"5.140.010 |
Purpose and Intent |
(a) |
It is the purpose and intent of the Board of Supervisors that the operation of financial institutions as defined in this ordinance should be regulated so as to provide customers of financial institutions notice and meaningful choice about how their personal information is shared or sold by their financial institutions. |
(b) |
It is the intent of the Board of Supervisors in enacting this ordinance to afford persons greater financial privacy protection than those provided in Public Law 106-102, the federal Gramm-Leach-Bliley Act, and that this ordinance be interpreted to be consistent with that purpose. |
| |
|
5.140.020 |
Definitions |
(a) |
"Confidential consumer information" means information (1) that a consumer provides to a financial institution to obtain a product or service from the financial institution, (2) about a consumer resulting from any transaction involving a product or service between the financial institution and a consumer, or (3) that the financial institution otherwise obtains about a consumer in connection with providing a product or service to that consumer. Any personally identifiable information is financial if it was obtained by a financial institution in connection with providing a financial product or service to a consumer, including the fact that a consumer is a customer of a financial institution or has obtained a financial product or service from a financial institution. Confidential consumer information does not include publicly available information that the financial institution has a reasonable basis to believe is lawfully made available to the general public from (1) federal, state, or local government records, (2) widely distributed media, or (3) disclosures to the general public that are required to be made by federal, state, or local law. Confidential consumer information shall include any list, description, or other grouping of consumers, and publicly available information pertaining to them that is derived using any nonpublic personal information other than publicly available information, but shall not include any list, description, or other grouping of consumers, and publicly available information pertaining to them that is derived without using any confidential consumer information. |
(b) |
Confidential consumer information includes, but is not limited to, all of the following: |
| |
(1) |
Information a consumer provides to a financial institution on an application to obtain a loan, credit card, or other financial product or service. |
| |
(2) |
Account balance information, payment history, overdraft history and credit or debit card purchase information. |
| |
(3) |
The fact that an individual is or has been a customer of a financial institution or has obtained a financial product or service from a financial institution. |
| |
(4) |
Any information about a financial institution's consumer if it is disclosed in a manner that indicates that the individual is or has been the financial institution's consumer. |
| |
(5) |
Any information that a consumer provides to a financial institution or that a financial institution or its agent otherwise obtains in connection with collecting on a loan or servicing a loan. |
| |
(6) |
Any information collected through an Internet cookie or an information collecting device from a Web server. |
| |
(7) |
Information from a consumer report. |
(c) |
"Financial institution" generally means any institution located in unincorporated San Mateo County that engages in financial activities as described in Section 1843 (k) of Title 12 of the United States Code and doing business in unincorporated San Mateo County. An institution that is significantly engaged in financial activities is a financial institution. The term "financial institution" does not include the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. Sec. 2001 et seq.), provided that the entity does not sell or transfer confidential consumer information to a nonaffiliated third party. The term "financial institution" does not include institutions chartered by Congress specifically to engage in a proposed or actual securitization, secondary market sale, including sales of servicing rights, or similar transactions related to a transaction of the consumer, as long as those institutions do not sell or transfer confidential consumer information to a nonaffiliated third party. The term financial institution does not include any person licensed as a dealer under Article 1 (commencing with Section 11700) of Chapter 4 of Division 5 of the Vehicle Code that enters into contracts for the installment sale or lease of motor vehicles pursuant to the requirements of Chapter 2b (commencing with Section 2981) or 2d (commencing with Section 2985.7) of Title 14 of Part 4 of Division 3 of the Civil Code and assigns substantially all of those contracts to financial institutions within 30 days. The term "financial institution" does not include any provider of professional services, or any wholly owned affiliate thereof, that is prohibited by rules of professional ethics or applicable law from voluntarily disclosing confidential client information without the consent of the client. |
(d) |
"Affiliate" means any person or entity that, directly or indirectly, controls, is controlled by, or is under common control with another person or entity. A franchisor, including any affiliate thereof, shall be deemed an affiliate of the franchisee for purposes of this ordinance. |
(e) |
"Nonaffiliated third party" means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control, with the financial institution. |
(f) |
"Consumer" means an individual or business that obtains or has obtained, from a financial institution as defined in subsection (c) above, a financial product or service that is to be used primarily for personal, family, or household purposes, or that individual's legal representative. For purposes of this ordinance, an individual is not a consumer of a financial institution solely because he or she is (1) a participant or beneficiary of an employee benefit plan that a financial institution administers or sponsors, or for which the financial institution acts as a trustee, insurer, or fiduciary, (2) covered under a group or blanket insurance policy or group annuity contract issue by the financial institution, or (3) a beneficiary in a workers' compensation plan provided that (A) the financial institution provides all required notices and rights required by this ordinance to the plan sponsor, group or blanket insurance policyholder, or group annuity contractholder and (B) the financial institution does not disclose to any affiliate or any nonaffiliated third-party confidential consumer information about the individual except as authorized in Section 5.140.050. A consumer does not include an individual who obtains products or services for business, commercial, or agricultural purposes. |
(g) |
"Control" means the direct or indirect possession of the power to direct or cause the direction of the management and policies of another entity. Control includes any of the following: (1) ownership or power to vote 25 percent or more of the outstanding shares of any class of voting security of a company, acting through one or more persons, (2) power in any manner over the election of a majority of the directors, or of individuals exercising similar functions, or (3) the power to exercise a directing influence over the management of policies of a company. |
(h) |
"Necessary to effect, administer, or enforce" means the following: |
| |
(1) |
The disclosure is required, or is a usual, appropriate, or acceptable method to carry out the transaction or the product or service business of which the transaction is a part, and record or service or maintain the consumer's account in the ordinary course of providing the financial service or financial product, or to administer or service benefits or claims relating to the transaction or the product or service business of which it is a part, and includes the following: |
| |
|
(A) |
Providing the consumer or the consumer's agent or broker with a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product. |
| |
|
(B) |
The accrual or recognition of incentives or bonuses associated with the transaction that are provided by the financial institution or another party involved in providing the financial service or product. |
| |
(2) |
The disclosure is required or is a lawful method to enforce the rights of the financial institution or of other persons engaged in carrying out the financial transaction or providing the product or service. |
| |
(3) |
The disclosure is required, or is a usual, appropriate, or acceptable method for insurance underwriting at the consumer's request, for reinsurance purposes, or for any of the following purposes as they relate to a consumer's insurance: |
| |
|
(A) |
Account administration. |
| |
|
(B) |
Reporting, investigating, or preventing fraud or material misrepresentation. |
| |
|
(C) |
Processing premium payments. |
| |
|
(D) |
Processing insurance claims. |
| |
|
(E) |
Administering insurance benefits, including utilization review activities. |
| |
|
(F) |
For internal research purposes. |
| |
|
(G) |
As otherwise required or specifically permitted by federal or state law. |
| |
(4) |
The disclosure is required, or is a usual, appropriate or acceptable method, in connection with the following: |
| |
|
(A) |
The authorization, settlement, billing processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using debit, credit or other payment card, check or account number, or by other payment means. |
| |
|
(B) |
The transfer of receivables, accounts, or interest therein. |
| |
|
(C) |
The audit of debit, credit, or other payment information. |
(i) |
"Financial product or service" means any product or service that a financial holding company could offer by engaging in any activity that is financial in nature or incidental to financial activity under subsection (k) of Section 1843 of Title 12 of the United States Code (the United States Bank Holding Company Act of 1956). Financial service includes a financial institution's evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for financial product or service. |
(j) |
"Clearly and conspicuously" means displayed in a manner that is readily noticeable, readable, and understandable to consumers. Factors to be considered in determining whether a notice or disclosure is clear and conspicuous include prominence, proximity, absence of distracting elements, and clarity and understanding of the text disclosure. |
(k) |
"Widely distributed media" means publicly available information from a telephone book, a television or radio program, a newspaper or a Web site that is available to the general public on an unrestricted basis. |
| |
|
5.140.030 |
Non-Disclosure of Confidential Consumer Information |
(a) |
A financial institution shall not disclose to, or share a consumer's confidential consumer information with, any nonaffiliated third party or affiliate unless the financial institution has provided written notice to the consumer to whom the confidential consumer information relates and unless the financial institution has obtained a consent acknowledgement signed by the consumer that authorizes the financial institution to disclose or share the confidential consumer information. A financial institution shall not deny a consumer a financial product or a financial service because the consumer has not provided the signed consent acknowledgment required by this section to authorize the financial institution to disclose or share his or her confidential consumer information with any nonaffiliated third-party or affiliate. |
(b) |
Nothing in this ordinance shall prohibit a financial institution from marketing its own products and services or the products and services of others to the financial institution's own customers, provided no confidential consumer information is disclosed except as permitted by Section 5.140.050. |
(c) |
Except as otherwise provided in this ordinance, an entity that receives confidential consumer information from a financial institution under this ordinance shall not disclose this information to any other entity, unless the disclosure would be lawful if made directly to the other entity by the financial institution. |
| |
|
5.140.040 |
Notice and Consent |
(a) |
Nothing in this ordinance shall require a financial institution to provide a written notice to a consumer pursuant to Section 5.140.030 if the financial institution does not disclose confidential consumer information to any nonaffiliated third-party or to any affiliate, except as provided in Section 5.140.050. |
(b) |
A financial institution shall provide written notices and consent acknowledgements required by this ordinance to consumers as separate written documents that are easily identifiable and distinguishable from other documents that otherwise may be provided to a consumer. A notice provided to a member of a household pursuant to Section 5.140.030 shall be considered notice to all members of that household unless that household contains another individual who also has a separate account with the financial institution. |
(c) |
Written notices required by this ordinance shall include at least the following: |
| |
(1) |
The specific types of information that would be disclosed or shared, |
| |
(2) |
The general circumstances under which the information would be disclosed or shared, |
| |
(3) |
The specific types of persons or businesses that would receive the information, and |
| |
(4) |
The specific proposed types of uses for the information. |
| |
|
|
5.140.050 |
Exempt Disclosures |
(a) |
Section 5.140.030 shall not apply to information that is not personally identifiable to a particular person. |
(b) |
Section 5.140.030 shall not prohibit the release of confidential consumer information under the following circumstances: |
| |
(1) |
The confidential consumer information is necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with servicing or processing a financial product or service requested or authorized by the consumer, or in connection with maintaining or servicing the consumer's account with the financial institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity, or in connection with a proposed or actual securitization or secondary market sale, including sales of servicing rights, related to a transaction of the consumer. |
| |
(2) |
The confidential consumer information is released with the signed consent acknowledgment of or at the written direction of the consumer. |
| |
(3) |
The confidential consumer information is: |
| |
|
(A) |
Released to protect the confidentiality or security of the financial institution's records pertaining to the consumer, the service or product, or the transaction therein. |
| |
|
(B) |
Released to protect against or prevent actual or potential fraud, identity theft, unauthorized transactions, claims or other liability. |
| |
|
(C) |
Released for required institutional risk control, or for resolving customer disputes or inquiries. |
| |
|
(D) |
Released to persons holding a legal or beneficial interest relating to the consumer. |
| |
|
(E) |
Released to persons acting in a fiduciary or representative capacity on behalf of the consumer. |
| |
(4) |
The confidential consumer information is released to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, persons assessing the institution's compliance with industry standards, and the institution's attorneys, accountants, and auditors. |
| |
(5) |
The confidential consumer information is released to the extent specifically required or specifically permitted under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. Sec. 3401 et seq.), to law enforcement agencies, including a federal functional regulator, the Secretary of the Treasury with respect to 12 U.S.C. Secs. 1951-1959, the California Department of Insurance, or the Federal Trade Commission, and self-regulatory organizations. |
| |
(6) |
The confidential consumer information is released (A) to a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.), or (B) from a consumer report reported by a consumer reporting agency. |
| |
(7) |
The confidential consumer information is released in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of confidential consumer information solely concerns consumers of the business or unit. |
| |
(8) |
The confidential consumer information is released to comply with federal, state, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by federal, state, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law. |
| |
(9) |
When a financial institution is reporting a known or suspected instance of elder or dependent adult financial abuse or is cooperating with a local adult protecting services agency investigation of known or suspected elder or dependent adult financial abuse pursuant to Article 4 (commencing with Section 15630) of Chapter 11 of Part 3 of Division 9 of the Welfare and Institutions Code. |
| |
(10) |
The confidential consumer information is released to a nonaffiliated third party in order for the nonaffiliated third party to perform services for or functions on behalf of, the financial institution in connection with the financial institution's products and services, such as mailing services, data processing or analysis, or customer surveys, provided that all of the following requirements are met: |
| |
|
(A) |
The services to be performed by the nonaffiliated third party would be lawful if performed by the financial institution. |
| |
|
(B) |
There is a written contract between the nonaffiliated third party and the financial institution that prohibits the nonaffiliated third party from disclosing or using the confidential consumer information other than to carry out the purpose for which the financial institution disclosed the information, as set forth in the written contract. |
| |
|
(c) |
The confidential consumer information provided to the nonaffiliated third party is limited to that which is reasonably necessary for the nonaffiliated third party to perform the services contracted for on behalf of the financial institution. |
| |
(11) |
The confidential consumer information is released to identify or locate missing and abducted children, witnesses, criminals and fugitives, parties to lawsuits, parents delinquent in child support payments, organ and bone marrow donors, pension funds beneficiaries, and missing heirs. |
(c) |
Nothing in this ordinance is intended to change existing law relating to access by law enforcement agencies to information held by financial institutions. |
| |
|
5.140.060 |
Insurance and Securities Disclosures |
(a) |
The restrictions on disclosure and use of confidential consumer information, and the requirement for notification, disclosure, and opportunity for the consumer to either direct that the confidential consumer information not be disclosed or provided prior written consent, as provided in this ordinance, do not apply to any person or entity that meets the requirements of Section 5.140.060 (a) (1) or (2) except when confidential consumer information is or will be shared with an affiliate or nonaffiliated third party. |
| |
(1) |
The person or entity is licensed in one or both of the following categories and is acting within the scope of the respective license: |
| |
|
(A) |
As an insurance producer, licensed pursuant to Chapter 5 (commencing with Section 1621), Chapter 6 (commencing with Section 1760), or Chapter 8 (commencing with Section 1831) of Division 1 of the Insurance Code. |
| |
|
(B) |
Is duly licensed to sell securities. |
| |
(2) |
The person or entity meets the requirements of Section 5.140.060 (a) (1) and has a written contractual agreement with another person or entity described in subsection (a) (1) and the contract clearly and explicitly includes the following: |
| |
|
(A) |
The rights and obligations between the licensees arising out of the business relationship relating to insurance or securities transactions. |
| |
|
(B) |
An explicit limitation on the use of confidential consumer information about a consumer to transactions authorized by the contract and permitted pursuant to this ordinance. |
| |
|
(C) |
A requirement that transactions specified in the contract fall within the scope of activities permitted by the licenses of the parties. |
(b) |
The restrictions on disclosure and use of confidential consumer information, and the requirement for notification and disclosure provided in this ordinance, shall not limit the ability of insurance producers and brokers to respond to written or electronic, including telephone, requests from consumers seeking price quotes on insurance products and services. |
| |
|
5.140.070 |
Administrative Fines |
(a) |
In addition to any other remedies and penalties provided by law, any financial institution that negligently discloses or shares confidential consumer information in violation of this ordinance shall be liable, irrespective of the amount of damages suffered by the consumer as a result of that violation, for an administrative fine not to exceed one thousand five hundred dollars ($1,500) per violation. |
(b) |
Any financial institution that knowingly and willfully obtains, discloses, or uses confidential consumer information in violation of this ordinance shall be liable upon a first violation, for an administrative fine not to exceed two thousand five hundred dollars ($2,500) per violation, or upon a second violation for an administrative fine not to exceed ten thousand dollars ($10,000) per violation, or upon a third or subsequent violation for an administrative fine not to exceed twenty-five thousand dollars ($25,000) per violation. |
(c) |
Any financial institution that knowingly and willfully obtains, discloses, or uses confidential consumer information in violations of this ordinance for financial gain shall be liable upon a first violation of this ordinance for an administrative fine not to exceed five thousand dollars ($5,000) per violation, or upon a second violation for an administrative fine not to exceed twenty-five thousand dollars ($25,000) per violation, or upon a third or subsequent violation for an administrative penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation and shall be subject to disgorgement or any proceeds or other consideration obtained as a result of the violation. |
(d) |
Nothing in this section shall be construed as authorizing an administrative fine or civil penalty under both 5.140.070 (b) and (c) for the same violation. |
| |
|
5.140.080 |
Fair Credit Reporting Act or Federal Conflict |
This ordinance shall not be construed in a manner that is inconsistent with the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.). |
| |
5.140.090 |
Severability |
(a) |
If any provision of this ordinance is held by any court or by any Federal or State agency of competent jurisdiction, to be invalid as conflicting with any Federal or State law, rule or regulation now or hereafter in effect, or is held by such court or agency to be modified in any way in order to conform to the requirements of any such law, rule or regulation, such provision shall be considered a separate, distinct, and independent part of this ordinance, and such holding shall not affect the validity and enforceability of all other provisions hereof. In the event that such law, rule or regulation is subsequently repealed, rescinded, amended or otherwise changed, so that the provision thereof which had previously been held invalid or modified is no longer in conflict with such law, rule or regulation, said provision shall thereupon return to full force and effect and shall thereafter be binding. |
(b) |
If any section, subsection, phrase, clause, sentence, or word in this ordinance shall for any reason be held invalid or unconstitutional by a court of competent jurisdiction, it shall not nullify the remainder of this ordinance but shall be confined to the article, section, subsection, subdivision, clause, sentence or word so held invalid or unconstitutional." |
| |
|
SECTION 2 |
This ordinance shall be effective January 1, 2003. |