For the purposes of this division:
(a) “Nonpublic personal information” means personally identifiable financial information (1) provided by a consumer to a financial institution, (2) resulting from any transaction with the consumer or any service performed for the consumer, or (3) otherwise obtained by the financial institution. Nonpublic personal information does not include publicly available information that the financial institution has a reasonable basis to believe is lawfully made available to the general public from (1) federal, state, or local government records, (2) widely distributed media, or (3) disclosures to the general public that are required to be made by federal, state, or local law. Nonpublic personal information shall include any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived using any nonpublic personal information other than publicly available information, but shall not include any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived without using any nonpublic personal information.
(b) “Personally identifiable financial information” means information (1) that a consumer provides to a financial institution to obtain a product or service from the financial institution, (2) about a consumer resulting from any transaction involving a product or service between the financial institution and a consumer, or (3) that the financial institution otherwise obtains about a consumer in connection with providing a product or service to that consumer. Any personally identifiable information is financial if it was obtained by a financial institution in connection with providing a financial product or service to a consumer. Personally identifiable financial information includes all of the following:
(1) Information a consumer provides to a financial institution on an application to obtain a loan, credit card, or other financial product or service.
(2) Account balance information, payment history, overdraft history, and credit or debit card purchase information.
(3) The fact that an individual is or has been a consumer of a financial institution or has obtained a financial product or service from a financial institution.
(4) Any information about a financial institution’s consumer if it is disclosed in a manner that indicates that the individual is or has been the financial institution’s consumer.
(5) Any information that a consumer provides to a financial institution or that a financial institution or its agent otherwise obtains in connection with collecting on a loan or servicing a loan.
(6) Any personally identifiable financial information collected through an Internet cookie or an information collecting device from a Web server.
(7) Information from a consumer report.
(c) “Financial institution” means any institution the business of which is engaging in financial activities as described in Section 1843(k) of Title 12 of the United States Code and doing business in this state. An institution that is not significantly engaged in financial activities is not a financial institution. The term “financial institution” does not include any institution that is primarily engaged in providing hardware, software, or interactive services, provided that it does not act as a debt collector, as defined in 15 U.S.C. Sec. 1692a, or engage in activities for which the institution is required to acquire a charter, license, or registration from a state or federal governmental banking, insurance, or securities agency. The term “financial institution” does not include the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. Sec. 2001 et seq.), provided that the entity does not sell or transfer nonpublic personal information to an affiliate or a nonaffiliated third party. The term “financial institution” does not include institutions chartered by Congress specifically to engage in a proposed or actual securitization, secondary market sale, including sales of servicing rights, or similar transactions related to a transaction of the consumer, as long as those institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party. The term “financial institution” does not include any provider of professional services, or any wholly owned affiliate thereof, that is prohibited by rules of professional ethics and applicable law from voluntarily disclosing confidential client information without the consent of the client. The term “financial institution” does not include any person licensed as a dealer under Article 1 (commencing with Section 11700) of Chapter 4 of Division 5 of the Vehicle Code that enters into contracts for the installment sale or lease of motor vehicles pursuant to the requirements of Chapter 2B (commencing with Section 2981) or 2D (commencing with Section 2985.7) of Title 14 of Part 4 of Division 3 of the Civil Code and assigns substantially all of those contracts to financial institutions within 30 days.
(d) “Affiliate” means any entity that controls, is controlled by, or is under common control with, another entity, but does not include a joint employee of the entity and the affiliate. A franchisor, including any affiliate thereof, shall be deemed an affiliate of the franchisee for purposes of this division.
(e) “Nonaffiliated third party” means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of that institution and a third party.
(f) “Consumer” means an individual resident of this state, or that individual’s legal representative, who obtains or has obtained from a financial institution a financial product or service to be used primarily for personal, family, or household purposes. For purposes of this division, an individual resident of this state is someone whose last known mailing address, other than an Armed Forces Post Office or Fleet Post Office address, as shown in the records of the financial institution, is located in this state. For purposes of this division, an individual is not a consumer of a financial institution solely because he or she is (1) a participant or beneficiary of an employee benefit plan that a financial institution administers or sponsors, or for which the financial institution acts as a trustee, insurer, or fiduciary, (2) covered under a group or blanket insurance policy or group annuity contract issued by the financial institution, (3) a beneficiary in a workers’ compensation plan, (4) a beneficiary of a trust for which the financial institution is a trustee, or (5) a person who has designated the financial institution as trustee for a trust, provided that the financial institution provides all required notices and rights required by this division to the plan sponsor, group or blanket insurance policyholder, or group annuity contractholder.
(g) “Control” means (1) ownership or power to vote 25 percent or more of the outstanding shares of any class of voting security of a company, acting through one or more persons, (2) control in any manner over the election of a majority of the directors, or of individuals exercising similar functions, or (3) the power to exercise, directly or indirectly, a controlling influence over the management or policies of a company. However, for purposes of the application of the definition of control as it relates to credit unions, a credit union has a controlling influence over the management or policies of a credit union service organization (CUSO), as that term is defined by state or federal law or regulation, if the CUSO is at least 67 percent owned by credit unions. For purposes of the application of the definition of control to a financial institution subject to regulation by the United States Securities and Exchange Commission, a person who owns beneficially, either directly or through one or more controlled companies, more than 25 percent of the voting securities of a company is presumed to control the company, and a person who does not own more than 25 percent of the voting securities of a company is presumed not to control the company, and a presumption regarding control may be rebutted by evidence, but in the case of an investment company, the presumption shall continue until the United States Securities and Exchange Commission makes a decision to the contrary according to the procedures described in Section 2(a)(9) of the federal Investment Company Act of 1940.
(h) “Necessary to effect, administer, or enforce” means the following:
(1) The disclosure is required, or is a usual, appropriate, or acceptable method to carry out the transaction or the product or service business of which the transaction is a part, and record or service or maintain the consumer’s account in the ordinary course of providing the financial service or financial product, or to administer or service benefits or claims relating to the transaction or the product or service business of which it is a part, and includes the following:
(A) Providing the consumer or the consumer’s agent or broker with a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product.
(B) The accrual or recognition of incentives, discounts, or bonuses associated with the transaction or communications to eligible existing consumers of the financial institution regarding the availability of those incentives, discounts, and bonuses that are provided by the financial institution or another party.
(C) In the case of a financial institution that has issued a credit account bearing the name of a company primarily engaged in retail sales or a name proprietary to a company primarily engaged in retail sales, the financial institution providing the retailer with nonpublic personal information as follows:
(i) Providing the retailer, or licensees or contractors of the retailer that provide products or services in the name of the retailer and under a contract with the retailer, with the names and addresses of the consumers in whose name the account is held and a record of the purchases made using the credit account from a business establishment, including a Web site or catalog, bearing the brand name of the retailer.
(ii) Where the credit account can only be used for transactions with the retailer or affiliates of that retailer that are also primarily engaged in retail sales, providing the retailer, or licensees or contractors of the retailer that provide products or services in the name of the retailer and under a contract with the retailer, with nonpublic personal information concerning the credit account, in connection with the offering or provision of the products or services of the retailer and those licensees or contractors.
(2) The disclosure is required or is one of the lawful or appropriate methods to enforce the rights of the financial institution or of other persons engaged in carrying out the financial transaction or providing the product or service.
(3) The disclosure is required, or is a usual, appropriate, or acceptable method for insurance underwriting or the placement of insurance products by licensed agents and brokers with authorized insurance companies at the consumer’s request, for reinsurance, stop loss insurance, or excess loss insurance purposes, or for any of the following purposes as they relate to a consumer’s insurance:
(A) Account administration.
(B) Reporting, investigating, or preventing fraud or material misrepresentation.
(C) Processing premium payments.
(D) Processing insurance claims.
(E) Administering insurance benefits, including utilization review activities.
(F) Participating in research projects.
(G) As otherwise required or specifically permitted by federal or state law.
(4) The disclosure is required, or is a usual, appropriate, or acceptable method, in connection with the following:
(A) The authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit or other payment card, check, or account number, or by other payment means.
(B) The transfer of receivables, accounts, or interests therein.
(C) The audit of debit, credit, or other payment information.
(5) The disclosure is required in a transaction covered by the federal Real Estate Settlement Procedures Act (12 U.S.C. Sec. 2601 et seq.) in order to offer settlement services prior to the close of escrow (as those services are defined in 12 U.S.C. Sec. 2602), provided that (A) the nonpublic personal information is disclosed for the sole purpose of offering those settlement services and (B) the nonpublic personal information disclosed is limited to that necessary to enable the financial institution to offer those settlement services in that transaction.
(i) “Financial product or service” means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to a financial activity under subsection (k) of Section 1843 of Title 12 of the United States Code (the United States Bank Holding Company Act of 1956). Financial service includes a financial institution’s evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.
(j) “Clear and conspicuous” means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice.
(k) “Widely distributed media” means media available to the general public and includes a telephone book, a television or radio program, a newspaper, or a Web site that is available to the general public on an unrestricted basis.
(Added by Stats. 2003, Ch. 241, Sec. 1. Effective January 1, 2004. Section operative July 1, 2004, pursuant to Section 4060.)
Last modified: October 25, 2018