Controlling your personal information is an important part of personal privacy. Personal financial information is among the most sensitive of all personal information. Personal financial information includes what you put on an application for a loan or credit card, your account balances, your payment history, your overdraft history, and where you make purchases by debit or credit card. In some instances, it can even include medical information.
California and federal laws allow consumers to put limits on what banks and other financial companies can do with your personal financial information1 California law gives you more rights to limit the sharing of your personal financial information. The laws apply to banks, credit unions, savings and loans, credit card companies, insurance companies and other financial service companies.2
Under California law, financial service companies must get your permission first, before they can share your personal financial information with outside companies. This does not apply to sharing with outside companies that offer financial products or services. You have a right to "opt out" of information sharing with outside companies for those purposes. See below for more on how to opt out.
Both state and federal laws require financial companies to notify their customers of their privacy rights every year. The first federal notices were often written in legal language that was hard to understand, but some companies have improved their notices since then.3 California law requires a notice that is clear and easy to read. The California notice, titled "Important Privacy Choices for Consumers," lets you check off your choices on the sharing of your personal information. You may receive the California financial privacy notice enclosed with the federal notice, or it may come separately.4
California law lets you tell your bank and other financial companies that you do not want them to share your personal financial information in some cases. You can say no to, or opt out of, having your information shared with outside companies that offer financial products or services. You also have the right to opt out of some information sharing with some companies owned or controlled by your financial company (called "affiliates").5
"Opting out" means that if you say "no," then the company must follow your wishes. But if you say nothing, if you do not opt out, then the company is free to share your information. It's easy to opt out on the California "Important Privacy Choices for Consumers" form. Simply check the boxes to indicate your choices and mail the form in the pre-addressed envelope provided. The company may also allow you to opt out by e-mail or by calling a toll-free phone number. It is still a good idea to mail in the form to create a record of your action. You do not have to opt out every year. Your financial institutions must continue to follow your opt-out decision until you change it.
It's never too late to opt-out, even if you did not reply to the privacy notices right away. If you didn't reply within 45 days, then your financial company may have already started sharing your information. But you have a continuing right to opt out and you can prevent future sharing of more current information.
You can make a complaint under the California law to the California Attorney General or to a state or federal agency that regulates financial companies. The agency may investigate your complaint and may take action against the financial company. But the agency can't represent you. You may also file a complaint under the federal law with a federal agency.6
Before filing a complaint, consider writing a letter to the financial company. In your letter, explain why you think the company violated the law and what you would like it to do for you. Ask for a specific response within a reasonable time (for example, 30 days).
The following state government agencies can enforce the privacy protections in the California Financial Information Privacy Act.
Regulates insurance industry in California. Enforces both federal and state privacy laws.
Provides protection to consumers and services to businesses engaged in financial transactions. The Department regulates a variety of financial ser¬vices, products and professionals. The Department oversees the operations of state-licensed financial institutions, including banks, credit unions, money transmitters, issuers of payment instruments and travelers checks, and premium finance companies. Additionally, the Department licenses and regulates a variety of financial businesses, including securities brokers and dealers, investment advisers, deferred deposit (commonly known as payday loans) and certain fiduciaries and lenders..
Department of Financial Protection and Innovation (DFPI)
1810 13th Street
Sacramento, CA 95814
Enforces privacy law on financial service companies not regulated by the state financial regulators.
Office of Attorney General
California Department of Justice
Attn: Public Inquiry Unit
P.O. Box 944255
Sacramento, CA 94244-2550
The following federal government agencies can enforce the privacy protections in the federal and state laws listed above.
Investigates consumer fraud outside the jurisdiction of other federal agencies.
Regulates banks other than national banks and branches of foreign banks.
Consumer & Community Affairs
20th & C Streets, NW Stop 801
Washington, D.C. 20551
Regulates national banks and branches of foreign banks.
OCC, Customer Assistance Group
1301 McKinley St., Suite 3710
Houston, TX 77010
Regulates federal savings associations and savings banks and state-chartered savings associations.
Oversees stock exchanges, broker-dealers and associates, and investment advisers.
SEC Complaint Center
Investor Education & Assistance
450 Fifth St., NW
Washington, DC 20549
Regulates federal credit unions.
GLB & FCRA Address:
Director, Division of Supervision
2300 Clayton Rd., Suite 1350
Concord, CA 94520
1The Financial Services Modernization Act, or Gramm-Leach-Bliley Act, 15 U.S. Code §§ 6801-6810. Known as the "GLB Act," the law allows financial institutions, insurance companies and investment companies to merge, becoming what have been called "one-stop financial supermarkets." It also provides some consumer privacy rights and requires security safeguards for personal information. The California Financial Information Privacy Act (FIPA), Financial Code §§ 4050-4060, gives California consumers additional rights to limit the sharing of their personal financial information by financial service companies doing business in California. Back to link 1
2The GLB Act and FIPA consider a broad array of businesses to be "financial institutions," including, for example, retailers that issue their own credit cards directly to consumers, real estate appraisers, mortgage brokers, career counselors in the finance area, check printing businesses, and accountants who prepare tax returns. Back to link 2
3The federal GLB Act privacy notices are required to include the following information: how the customer's personal financial information is collected, how the customer's information is used, and how the customer could "opt-out" or choose not to have personal financial information shared with some outside or "third-party" companies. Back to link 3
4FIPA requires the notice, among other things, to be on a single page; be titled "Important Privacy Choices for Consumers;" use the headers, if applicable, "Restrict Information Sharing With Companies We Own Or Control (Affiliates)" and "Restrict Information Sharing With Other Companies We Do Business With To Provide Financial Products And Services"; use text in no smaller than 10-point type; provide choices that may be selected by checking a box; use sentences averaging 15 to 20 words or bullet lists where possible; and avoid multiple negatives, legal terminology and highly technical terminology whenever possible. See Financial Code § 4053(d)(1) for details. Back to link 4
5The affiliate sharing provisions of FIPA are being contested in court and may be ruled as preempted by federal law. FIPA provides an opt-out right over sharing with affiliates other than those affiliated companies that are regulated by the same functional regulator, engaged in the same line of business and share a common brand. If the California provision were preempted, then the limited opt-out right in the federal Fair Credit Reporting Act (FCRA) would apply. The FCRA allows a consumer to opt out of having "creditworthiness information" shared with affiliates. This is information such as payment history and credit score. Federal law does not allow consumers to stop a company from sharing the more sensitive "transaction and experience information" with affiliates. Transaction and experience information includes, for example, what items are charged on a credit card. Back to link 5
6You can't go to court to sue the company under FIPA or the GLB Act. Under the FCRA, you have the right to sue a credit reporting agency in federal or state court. You could recover damages from violators of the FCRA. Back to link 6