BILL ANALYSIS                                                                                                                                                                                                    






                           SENATE JUDICIARY COMMITTEE
                            Martha M. Escutia, Chair
                           2003-2004 Regular Session


          SB 27
          Senator Figueroa
          As Amended September 5, 2003
          Hearing Date: September 11, 2003
          Civil Code
          MTY                                                    
                                                                 

                                     SUBJECT
                                         
            Personal Information: Disclosures for Marketing Purposes

                                   DESCRIPTION  

          This bill would require businesses to either: 1)  disclose  
          to customers, upon request, what categories of personal  
          information the business shares with third parties for  
          marketing purposes, or 2) provide customers with the  
          ability to opt-out of having their information shared for  
          marketing purposes.

          This bill is being heard today in Committee pursuant to  
          Senate Rule 29.10.

                                    BACKGROUND  

          SB 27 passed this Committee on May 7, 2003, with a  
          commitment to return for hearing due to several outstanding  
          issues that had yet to be resolved at that time. The bill  
          is sponsored by the California Public Interest Research  
          Group (CalPIRG), and seeks to provide consumers with  
          information on how their information is being shared by  
          companies with whom they do business.  It would provide  
          consumers with the right to request information on the  
          types of information shared for marketing purposes, and the  
          parties with whom it was shared.  According to the author's  
          office, it is intended to provide consumers with more  
          information regarding information sharing by businesses so  
          that they can make educated privacy decisions.

                                                                 



          SB 27 (Figueroa)
          Page 2



                             CHANGES TO EXISTING LAW
           
           Existing law  requires any person who, in the course of  
          business, provides mailing lists, computerized or  
          telephone-based reference services, or similar products or  
          services utilizing lists, to either: a) obtain the buyer's  
          name, address, telephone number, tax I.D. number, and a  
          sample of the material to be distributed using the list, or  
          b) make a good faith effort to verify the nature and  
          legitimacy of the business to which the list is sold or  
          distributed.  [Penal Code Sec. 637.9.]

           Existing federal law, the Gramm-Leach-Bliley Act, permits  
          financial institutions to share nonpublic customer  
          information with non-affiliated third parties, unless the  
          consumer "opts out" of such disclosure.

           Existing state law  prohibits insurance companies and credit  
          card issuers from sharing customer information for marketing  
          purposes if the consumer has expressly prohibited such  
          sharing.  [Insurance Code Sec. 791; Civil Code Sec.  
          1749.12.]
          
           This bill  would require a business that discloses personal  
          information for marketing purposes to disclose to  
          customers, upon the customer's request, a list of the  
          categories of information the business has disclosed in the  
          past year to third parties for marketing purposes, and the  
          names and addresses of those parties.

           This bill  would provide that the disclosure is not  
          necessary if the business adopts, discloses, and maintains  
          a privacy policy that provides the consumer with the  
          opportunity to prevent information sharing for marketing  
          purposes.  If the business chooses to comply with the bill  
          in this manner, it must respond to a customer's request for  
          information with a notification of the customer's right to  
          prevent sharing.

           This bill  would require a covered business to designate an  
          address, email address, telephone number, or fax number to  
          which customers may deliver requests for information.  In  
          addition,  the bill  would require that the business do one  
          of the following: 1) notify all agents and managers who  
          supervise employees who have regular contact with customers  
          of the designated address, 2) add to the home page of its  
          website a link to the business's privacy policy, or 3) make  
          the designated address readily available upon request at  
          every place of business in California where the business  
          has regular contact with customers.

           This bill  would require a covered business to respond to a  
          customer request within 30 days of a request provided to  
          the designated address, and within 150 days of a request  
          provided to another location.   The bill  would provide that  
          a business is required to respond to a request only once  
          per calendar year for any particular individual. 

           This bill  would define an "established business  
          relationship" as a voluntary ongoing relationship or, if  
          there has been solely a purchase, rental, or lease of  
          property, the bill would provide that the relationship  
          extends 18 months after that transaction.

           This bill  would define a third party as a business that is  
          a separate legal entity from the business or any business  
          that has access to a database shared among businesses if  
          the business is authorized to use the database for direct  
          marketing purposes.

           This bill  would not apply to businesses with fewer than 20  
          employees.  
           
           This bill  would provide that various disclosures of  
          personal information do not qualify as sharing for  
          marketing purposes, including:  a) joint marketing  
          agreements where the agreement restricts the further  
          sharing of personal information; b) disclosures pursuant to  
          a private label or affinity card arrangement; c)  
          disclosures to or from a consumer credit reporting agency;  
          or d) disclosures to obtain payment.

           This bill  would provide for a private right of action for  
          actual damages and a civil penalty of up to $500 for  
          violations.   The bill  would also provide for a civil  
          penalty of up to $3,000 for willful, intentional, or  
          reckless violations.

           This bill  would provide that for a negligent failure to  
          provide accurate, complete, or timely information in  
          response to a consumer request, it is a complete defense in  
          any action to enforce the bill's provisions to provide  
          accurate or complete information within 90 days of the date  
          the business knew that it had not provided accurate,  
          complete, or timely information.

                                     COMMENT
           
          1.   Need for the bill  

            The author's office writes that:

              Secret direct marketing "profiles" of consumers  
              are being exchanged every hour invisibly and  
              routinely by the companies with which they do  
              business.  Not only are consumers powerless to  
              stop such invasions of privacy, they do not even  
              know whether and to what extent it is taking place  
              . . .

            To support this argument, the author's office has  
            provided Committee staff with numerous examples of lists  
            for sale on the internet, including lists of clothing  
            consumers by height and weight, adult web site customers,  
            charitable donors to terminally ill children, and  
            supporters of the public posting of the Ten Commandments.

            Supporters argue that, by and large, consumers are not  
            aware of the extent to which their personal information  
            is sold.  Supporter Privacy Rights Clearinghouse adds  
            that:

              Many Californians have contacted our organization  
              to complain that they are deluged with direct  
              marketing solicitations and do not know how  
              marketers got their information originally.

            As a result, the author's office argues, this bill  
            is necessary because:

              Transparency is the touchstone of consumer  
              confidence in information handling . . .  Because  
              privacy is, by definition, so intensely personal,  
              for a consumer to make a rational and informed and  
              personal choice to opt-in, opt-out, or simply take  
              their business elsewhere, the consumer must know  
              the "who, what, where and when" of how a business  
              handles personal information.

            When the bill passed the Senate, it provided for  
            consumers' ability to request and receive information  
            from businesses on how and when their information is  
            shared for marketing purposes.  During the course of  
            discussions in the Assembly with interested parties, the  
            author's office has responded to concerns expressed by  
            business representatives by adopting the following major  
            changes to the bill:

             1)  scaled back the disclosure requirement to require  
              disclosure of the categories of information shared,  
              rather than disclosures individualized to the  
              requesting consumer;
             2)  agreed to exempt businesses that provide consumers  
              with an opt out for information sharing for marketing  
              purposes;
             3)  provided businesses with a 90-day right to cure  
              violations; and
             4)  exempted businesses that will be covered by SB 1, if  
              that bill goes into effect.

            When these changes are viewed in context, the bill's  
            supporters argue, this bill will protect consumer privacy  
            while not placing undue burdens on business.

           2.   The bill would provide businesses with an option to  
            provide generalized disclosures or develop an opt-out  
            privacy policy  

            As a result of the changes to the bill in the Assembly,  
            it essentially provides businesses with a choice:   
            respond to consumer requests for information on how their  
            personal information is being shared, or in the  
            alternative, provide consumers with the ability to stop  
            their information from being shared for marketing  
            purposes.  The bill's supporters argue that this option  
            should address any concerns by the business community  
            that the bill would create mandatory onerous disclosure  
            requirements but still provide an appropriate baseline of  
            consumer protections.  Also, the opt-out policy need only  
            apply to sharing for marketing, so the bill does not  
            raise various issues relating to information sharing for  
            business operations that have arisen in connection with  
            other privacy bills.

          3.   Bill would provide businesses with a 90-day right to  
          cure a violation  

            Another significant change to the bill made to  
            accommodate business concerns is the addition of a 90-day  
            right to cure for negligent violations.  If a business  
            negligently fails to provide a complete, accurate, or  
            timely disclosure to a requesting customer, the bill  
            provides that it is a complete defense to provide all the  
            untimely or incomplete information, or accurate  
            information, within 90 days of the date the business knew  
            it failed to provide complete, accurate, or timely  
            information.

            Generally speaking, the Committee has preferred to  
            approve a right to cure only in circumstances where there  
            is a high likelihood that compliance will be difficult or  
            complex, the difficulties or complexities are likely to  
            create significant liability, and parties might find  
            themselves liable despite their reasonable best efforts  
            to comply with the law.  Industry representatives (and  
            the bill's supporters) argue that this bill meets those  
            factors because of the large volume of information in the  
            possession of some businesses, and the frequency with  
            which it is made available for a variety of purposes.   
            Industry representatives also argue that without the  
            90-day right to cure, many businesses might find  
            themselves subject to liability under Business and  
            Professions Code Section 17200 to individuals who wish to  
            use the bill's provisions as a liability trap.

           4.   Bill exempts small businesses and businesses covered  
            by SB 1, if it goes into effect  

            The author has also agreed to amendments which exempt  
            small businesses (with 20 or fewer employees) from the  
            bill's provisions.  This amendment reflects the general  
            consensus that small businesses are unlikely to collect  
            or share consumer information in ways inconsistent with  
            consumer expectations, and are also likely to lack the  
            resources and/or sophistication necessary to comply with  
            the bill's requirements.

            The author has further agreed to exempt financial  
            institutions that are subject to SB 1 (Speier).  As a  
            result, if SB 1 survives the expected court challenge and  
            goes into effect, financial institutions will be exempt  
            from this bill's requirements.  If, however, the  
            challenge to SB 1 is successful in whole or in part, then  
            this bill's provisions will apply to any financial  
            institutions not covered by SB 1.

           5.   Bill has been amended to require disclosure of  
            categories of information shared, rather than  
            individualized information specific to the requesting  
            customer  

            Since the bill passed the Senate, it has been amended to  
            reduce the specificity of the disclosure.  In its current  
            form, if a business chooses disclosure over providing  
            consumers an opt out, the bill requires that a business  
            disclose categories of information (such as names,  
            addresses, telephone numbers, purchase history) that it  
            has shared with third parties for marketing purposes.   
            For example, a consumer who requests information would  
            be informed that the business has shared names and  
            telephone numbers with a third party for marketing  
            purposes within the last twelve months.  The consumer  
            would also be informed of the names and addresses of the  
            third parties.  However, the business would not be  
            required to inform the consumer how his or her individual  
            information was shared.

            The categories of information shared for marketing  
            purposes which would trigger the disclosure requirement  
            are: (i) name and address, (ii) electronic mail address,  
            (iii) age or date of birth, (iv) names of children, (v)  
            electronic mail or other addresses of children, (vi)  
            number of children, (vii) age or gender of children,  
            (viii) height, (ix) weight, (x) race, (xi) religion,  
            (xii) occupation, (xiii) telephone number, (xiv)  
            education, (xv) political party affiliation, (xvi)  
            medical condition, (xvii) drugs, therapies, or medical  
            products or equipment used, (xviii) the kind of product  
            the customer purchased, leased, or rented, (xix) real  
            property purchased, leased, or rented, (xx) the kind of  
            service provided, (xxi) social security number, (xxii)  
            bank account number, (xxiii) credit card number, (xxiv)  
            debit card number, (xxv) bank or investment account,  
            debit card, or credit card balance, (xxvi) payment  
            history, (xxvii) information pertaining to the customer's  
            creditworthiness, assets, income, or liabilities.

            A more limited list of categories would apply to  
            disclosures between affiliated third parties that share  
            the same brand name (see page 12, lines 3-17, of the bill  
            for this list).  
           
          6.   Opposition argues that bill's burdens outweigh consumer  
          benefits  

            While many industry representatives have removed their  
            opposition to the bill, it is still opposed by the Direct  
            Marketing Association (DMA), which argues that the  
            compliance costs and potential liability associated with  
            the bill outweigh the consumer benefits to be gained.




          7.   Interaction with SB 590 (Speier)  

            SB 590 (Speier) would prohibit businesses from  
            requesting, or requiring as a condition of a transaction,  
            any personal information other than that necessary to  
            effect a transaction.  The bill would also prohibit  
            businesses from sharing any information not necessary to  
            conduct a transaction, unless the consumer is given the  
            opportunity to opt out of sharing.  The bill has passed  
            the Assembly and is slated to be heard by this Committee  
            upon a Rule 29.10 referral.

            This bill provides businesses with the option of  
            compliance by providing consumers with an opt out of  
            sharing, while SB 590 prohibits sharing without an  
            opportunity for the consumer to opt out.  This bill would  
            require that the opt out apply only to sharing for  
            marketing purposes, while SB 590 would provide for a  
            broader opt out.  In addition, the bills use different  
            definitions of third party for sharing purposes, as well  
            as slightly different definitions of personal  
            information.

            Conceptually, the bills do not appear to be in conflict.   
            If many businesses enact opt out policies as a result of  
            SB 590, then those businesses will also be in compliance  
            with most of the provisions of this bill.  If, however,  
            businesses do not adopt opt out policies in response to  
            SB 590, then they would find themselves covered by this  
            bill.

            However, because both bills have been recently amended,  
            Committee staff is still in the process of reviewing both  
            for possible interaction or compliance difficulties, and  
            it is not clear to Committee staff at this time what the  
            practical impact will be for businesses if both bills are  
            enacted into law.

           Support: Privacy Rights Clearinghouse; Consumer Federation  
                 of California; Walt Disney Company; Consumers for  
                 Auto Reliability and Safety (CARS)

          Opposition:  Direct Marketing Association (DMA); Experian,  
          Inc.

                                     HISTORY
           
          Source:  California Public Interest Research Group  
          (CalPIRG)

           Related Pending Legislation:  SB 1 (Speier) would restrict  
                                information sharing by financial  
                                institutions.  The bill has been  
                                chaptered (Ch. 241, Stats of 2003).

                                SB 590 (Speier) would prohibit  
                                consumer businesses from requesting,  
                                or requiring as a condition of a  
                                transaction, any personal information  
                                other than that necessary to effect a  
                                transaction.  The bill would also  
                                prohibit consumer businesses from  
                                sharing the information unless the  
                                consumer is given the opportunity to  
                                opt out of sharing.

                                                                       




          Prior Legislation:  None Known

           Prior Vote:  Senate Judiciary Cmte. (5-1); Senate Floor  
                   (26-13); Assembly Judiciary Cmte. (9-3); Assembly  
                   Banking and Finance Cmte. (10-0); Assembly Floor  
                   (38-12) (failed passage, reconsideration granted);  
                   second Assembly Floor vote (75-2)
          