US 2003 Enacted Financial Privacy Legislation Resources in United States
US 2003 Enacted Financial Privacy Legislation Resources
| Arkansas | H.B. 2192 Signed by governor 4/25/03, Act 1747 Conforms insurance trade practice laws applicable to insurers and depository corporation affiliates with the federal Gramm-Leach-Bliley Act and to conform the Insurance Sales Consumer Protection Act to federal law. |
| Arizona | H.B. 2429 Signed by governor 5/1/03, Chapter 137 States that beginning on January 1, 2005 a person or entity may not do the following: 1) Communicate an individual’s Social Security number and make it available to the general public. 2) Print an individual’s Social Security number on any card required for the individual to receive products or services provided by the person or entity. 3) Require an individual’s Social Security number over the Internet unless the connection is secure or the Social Security number is encrypted. 4) Require the transmission of an individual’s Social Security number to access an Internet Web site, unless a password or unique identification is also required to access the Internet site. 5) Print an individual’s Social Security number on any materials that are mailed to the individual, unless state or federal law requires the social security number to be on the document. Requires insurers, health care service organizations, hospital, medical, dental or optometric service corporations to comply with provisions of this act for all new contracts issued on or after January 1, 2005. Specifies that contract agreements already in existence must comply upon the renewal of the policies or no later than January 1, 2006. Specifies that a person or entity using an individual’s Social Security number in a manner inconsistent with this legislation, prior to July 1, 2004, may continue using that individual’s Social Security number if the use of the Social Security number is continuous. States that the entity must provide the individual with an annual written disclosure of the individual’s right to stop the use of the Social Security number. States that upon request of the individual, the entity must stop using the Social Security number within 30 days and may not charge a fee for implementing the request. Specifies that the legislation does not prevent the collection or release of a Social Security number for internal verification or administrative purposes. Clarifies that the use of Social Security numbers by an agency of this state or by a county, city, town or other political subdivision are exempt from the confidentiality provisions. Clarifies that documents or records that are required to be open to the public pursuant to the constitution, laws of this state or by court order are exempt from the confidentiality provisions. Clarifies that it does not prevent the mailing of documents that include Social Security numbers sent as an application or enrollment process or to establish, amend or terminate an account, contract or policy or to verify a Social Security number. Clarifies that, upon enactment, the state and political subdivisions of this sate shall not use Social Security numbers on state issued or political subdivision issued forms of identification. Makes conforming changes to the effective date. Clarifies that the bill does not limit public access to documents or public records that are recorded or required to be open to the public. Stipulates that this article does not apply to the use of Social Security numbers by an agency of this state or by a county, city, town or other political subdivision of this state. It specifies that these entities must comply with provisions of the act prohibiting the printing of an individual’s Social Security number on any card required for the receipt of products or services, or printing the Social Security number on materials that are mailed unless state or federal law requires the Social Security number. States that this article does not apply to documents or records that are recorded or required to be open to the public by the constitution, laws, or by court rule. Defines “individual” as a resident of this state. |
| California | A.B. 68 Chaptered by secretary of state 10/12/03, Chapter 829 Requires an operator, defined as a person or entity that collects personally identifiable information from California residents through an Internet Web site or online service for commercial purposes, to conspicuously post its privacy policy on its Web site or online service and to comply with that policy. Requires that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service and third parties with whom the operator may share the information. Preempts and supersedes laws of specified local government entities regarding the posting of a privacy policy on an Internet Web site. |
| A.B. 104 Chaptered by secretary of state 9/17/03, Chapter 375 Requires a common interest development association to make the accounting books and records and the minutes of proceedings of the association available for inspection and copying by a member of the association, or the member’s designated representative, as specified. Permits the association, under certain circumstances, to satisfy these requirements by providing copies of the requested records by mail. Permits the association to withhold or redact information from the accounting books and records and the minutes of the proceedings when the release of the information is reasonably likely to lead to identity theft, fraud in connection with the association, or is privileged by law, with specified exceptions regarding compensation of employees, vendors and contractors. |
|
| A.B. 763 Chaptered by secretary of state 9/25/03, Chapter 532 Prohibits a Social Security number that is otherwise permitted to be mailed from being printed, in whole or in part, on a postcard or other mailer or visible on the envelope or without the envelope having been opened. |
|
| S.B. 1 Chaptered by secretary of state 8/28/03, Chapter 241 Enacts the California Financial Information Privacy Act, which would require a financial institution, as defined, to provide a specified written form to a consumer relative to the sharing of the consumer’s nonpublic personal information, as defined. Generally allows a consumer to direct the financial institution to not share the nonpublic personal information with affiliated companies or with nonaffiliated financial companies with which the financial institution has contracted to provide financial products and services, but would not restrict or prohibit the sharing of nonpublic personal information between a financial institution and its wholly owned financial institution subsidiaries or in certain other cases if both entities are regulated by the same functional regulator and are engaged in the same line of business, among other requirements. Requires the permission of the consumer before the financial institution could share the nonpublic personal information with other nonaffiliated companies. Provides that a financial institution is not required to provide this written form to its consumers if the financial institution does not disclose any nonpublic personal information to any nonaffiliated third party or to any affiliate. Provides that a financial institution shall not discriminate against or deny an otherwise qualified consumer a financial product or service because the consumer has not provided the necessary consent that would authorize the financial institution to disclose or share nonpublic personal information. Requires a financial institution to comply with the consumer’s request regarding nonpublic personal information within 45 days of receipt of the request. Provides that a financial institution may disclose nonpublic personal information to an affiliate or a nonaffiliated third party in order for it to perform certain services on behalf of the financial institution if specified requirements are met. Provides other exceptions from its provisions applicable to particular situations. Provides that nonpublic personal information may be released in order to identify or locate missing children, witnesses, criminals and fugitives, parties to lawsuits, and missing heirs and that it would not change existing law regarding access by law enforcement agencies to information held by financial institutions. Provides for disclosure of nonpublic personal information under various other specified circumstances. Provides that enactment of these provisions preempts all local agency ordinances and regulations relating to this subject. Provides various civil penalties for negligent, or knowing and willful violations of these provisions. The penalties under the bill would not become operative until July 1, 2004. |
|
| S.B. 27 Chaptered by secretary of state 9/25/03, Chapter 505 Subject to specified exceptions, requires a business that discloses a customer’s personal information, including information relating to income or purchases, to a third party for direct marketing purposes to provide the customer, within 30 days after the customer’s written request, a description in writing or by e-mail of the sources and recipients of that information and the information disclosed. Prohibits a business from conditioning the sale of goods or services on the customer’s consent to that disclosure. In addition to the legal remedies provided under current law, a customer would be entitled to recover a civil penalty, up to $3,000, and attorneys’ fees and costs for a violation of these provisions. |
|
| S.B. 660 Chaptered by secretary of state 8/1/03, Chapter 154 Establishes procedures for keeping the Social Security numbers of persons involved in specified dissolution matters in the confidential portion of court files. Requires specified Judicial Council forms to contain a notice informing parties of their right to redact any Social Security number that was placed in a confidential portion of the court file from other materials filed with the court. |
|
| Colorado | H.B. 1272 Signed by governor 4/22/02, Chapter 180 Prohibits a person from recording a social security number or credit card number when accepting a check. Exempts checks written to provide payment on a credit card account or student loan. Clarifies that a person may ask for a credit card when cashing a check, but may not record more than the type and issuer of the card. |
| Connecticut | S.B. 836 Signed by governor 6/18/03, Public Act 03-121 Requires the Insurance commissioner to maintain certain information as confidential relating to (1) investigations, (2) personal, financial or medical information, and (3) information that would harm the reputation of any person or would affect the safety or soundness of any person whose activities are subject to the regulation of the commissioner and disclosure would not be in the public interest. |
| Delaware | S.B. 11 Signed by governor 7/15/03, Chapter 151 Requires electronically-printed receipts to contain no more than 5 digits of the account number. Credit and debit card takers in business before January 1, 2004 have until January 1, 2005 to comply. Applies immediately to all those who begin to accept credit or debit cards on or after January 1, 2004. The penalty is an unclassified misdemeanor (up to 30 days and up to a $575 fine), and the Consumer Protection Unit of the Attorney General’s Office is given the authority to bring actions to enforce this Act. |
| S.B. 97 Signed by governor 7/11/03, Chapter 127 Restricts the state of Delaware’s ability to disclose personal information about persons who use its web portal services, and requires state agencies to make their individual disclosure policies available on their Web sites. |
|
| Florida | H.B. 1031 Signed by governor 6/4/03, Chapter 104 Expands exemption for identifying information of applicants to Florida Kidcare program to provide that any information identifying program applicant or enrollee held by Agency for Health Care Administration, Children and Family Department, Health Department, and Florida Healthy Kids Corporation is confidential and exempt; provides for disclosure of such information to governmental entities under certain circumstances. |
| Georgia | H.B. 213 Signed by governor 5/29/03, Act 78 Relates to business administration, so as to change certain definitions; provides for restrictions on information which may be printed on receipts for certain payment card transactions; clarifies the administrator’s duties and powers and procedure related to enforcement of this chapter; provides for civil and criminal penalties; provides for related matters. |
| Idaho | H.B. 134 Signed by governor 3/27/03, Chapter 134 Amends and adds to existing law to provide restrictions on the information printed on receipts for payment card transactions by prohibiting the printing of more than the last five digits of the account number; and to provide penalties. |
| Illinois | H.B. 259 Signed by governor 7/22/03, Public Act 93-231 Creates the Credit Card and Debit Card Account Disclosure Act. Provides that a person or entity that provides anything of value upon presentation of a credit card or debit card may not print or otherwise reproduce on the cardholder’s receipt either of the following: any part of the credit card or debit card account number, other than the last five digits or characters, or the expiration date of the credit card or debit card. Provides that the prohibition does not apply where the person to whom the credit card or debit card is presented cannot record credit card or debit card numbers except in writing or by imprint. Provides that the prohibition does not apply to electronic benefits transfers under the federal Food Stamp Program. Provides that a person who violates the prohibition is liable to the issuer or the cardholder for any actual damages resulting from the use of the cardholder’s credit card or debit card without his or her permission and for costs and attorney’s fees. Provides that the Act becomes operative on January 1, 2005 with respect to any credit card or debit card transaction receipt device that is in use prior to January 1, 2004, and becomes operative on January 1, 2004 with respect to any such device first put to use on or after January 1, 2004. |
| H.B. 761 Signed by governor 8/19/03, Public Act 93-0549 Amends the School Code, various Acts relating to the governance of the public universities in Illinois, and the Public Community College Act. Prohibits a school district, university, or community college from providing a student’s name, address, telephone number, Social Security number, e-mail address, or other personal identifying information to a business organization or financial institution that issues credit or debit cards, unless the student is 21 years of age or older. |
|
| S.B. 404 Signed by governor 8/8/03, Public Act 93-0462 Creates the Children’s Privacy Protection and Parental Empowerment Act, provides that a child is a person under the age of 16 (instead of 18). Defines “parent” as a parent, step-parent, or legal guardian. Deletes provisions prohibiting the processing of personal information concerning a child by prisoners or convicted sex offenders or distributing or exchanging a child’s personal information that one has reason to believe will be used to harm or abuse the child. Changes the requirements for information brokers to broker or facilitate the sale of personal information concerning children and provides that the consent of a parent to the sale or purchase of information concerning a child is presumed unless the parent withdraws consent. Amends the School Code. Provides that the state Board of Education shall prepare and disseminate information concerning the Children’s Privacy Protection and Parental Empowerment Act and post a notice of rights under the Act on its Web site. |
|
| Indiana | H.B. 1935 Signed by governor 5/8/03, Chapter 261 Makes various changes in the laws concerning access to public records and the collection and protection of personal information. |
| Louisiana | H.B. 1149 Signed by governor 6/27/03, Act 659 Provides that a health insurance issuer who is in compliance with HIPAA shall be deemed to be in compliance with state laws intended to implement requirements of the Gramm-Leach-Bliley Act providing with respect to personal financial information, including personal health insurance information. |
| S.B. 106 Signed by governor 6/27/03, Act 534 Makes it a deceptive and unfair trade practice for a retail business to require an individual’s name, address, telephone number, or other personal information when the individual makes payment in cash for a transaction, the subject of which is primarily intended for personal, family, or household use. Nothing shall prevent a retail business from obtaining such personal information when the consumer makes payment by either credit card or by check. Further exempts any cash transaction involving the sale of automobiles, as well as any cash transaction where either state or federal law requires the retail business to obtain a consumer’s personal information from the requirements of new law. Subjects the violator to any and all actions and penalties associated with the Unfair Trade Practices and Consumer Protection Law. |
|
| Maryland | H.B. 313 Signed by governor 4/22/03, Chapter 138 Alters the definition of financial institution in a provision requiring a financial institution to provide specified information and assistance to the Child Support Enforcement Administration; establishes that an institution-affiliated party is not required to provide specified information or assistance to the Administration under specified circumstances; and provides specified immunity from civil liability or criminal penalty for an institution-affiliated party. |
| H.B. 598 Signed by governor 4/22/03, Chapter 68 Increases from $5,000 to $25,000 the maximum fine for a person knowingly, willfully, and with fraudulent intent possessing, obtaining, or helping another person to possess or obtain any personal identifying information of an individual without consent in order to use, sell, or transfer the information to get a benefit, credit, good, service, or other thing of value of a specified value or greater in the name of the individual. |
|
| S.B. 135 Signed by governor 4/22/03, Chapter 67 Increases from $5,000 to $25,000 the maximum fine for a person knowingly, willfully, and with fraudulent intent possessing, obtaining, or helping another person to possess or obtain any personal identifying information of an individual without consent in order to use, sell, or transfer the information to get a benefit, credit, good, service, or other thing valued at $500 or more in the name of the individual. |
|
| Mississippi | S.B. 2756 Signed by governor 8/6/03, Chapter 562 Defines and clarifies certain terms; includes the use of computers in the prohibition of exploitation of children; revises penalties; defines certain terms related to computer crimes; revises computer fraud and penalties; creates the offense of cyberstalking and prescribes penalties for violations; prohibits posting certain messages through electronic media and prescribes penalties for violations; prohibits obtaining personal identity information and prescribes penalties for violations; clarifies where criminal action may be brought; provides for investigations and prosecutions; provides for additional penalties. |
| Missouri | S.B. 292 Signed by governor 5/30/03 Provides that no person, other than the cardholder shall disclose more than the last five digits of a credit card or debit card account number on a sales receipt provided to the cardholder for merchandise sold in this state. |
| Nebraska | L.B. 118 Signed by governor 4/30/03 Provides that a person engages in a deceptive trade practice when, in the course of his or her business, vocation or occupation he or she makes a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public. |
| L.B. 156 Signed by governor 5/28/03 Clarifies the circumstances under which a financial institution or other entity would be required to disclose customer records or information that they deem confidential. Requires a financial institution or other entity when dealing with a law enforcement agency or state agency to be presented with (a) a lawful subpoena, summons, or warrant issued by a court of competent jurisdiction to a law enforcement agency; or (b) a lawful subpoena issued under the laws of this state by a government agency exercising investigatory or adjudicative functions with respect to a matter within the agency’s jurisdiction. Recognizes the ability of a financial institution or other entity to disclose customer records or information deemed to be confidential pursuant to a statute which by its terms or by rules or regulations adopted and promulgated thereunder requires the disclosure in a fashion other than by subpoena, summons, warrant or court order. |
|
| Nevada | S.B. 297 Signed by governor 5/28/03, Chapter 257 Relates to personal identifying information; makes various changes relating to personal identifying information; prohibits a person from unlawfully possessing or using a scanning device or reencoder to acquire certain personal identifying information; clarifies the applicability of certain crimes relating to personal identifying information; prohibits a public officer or public employee from committing certain unlawful acts relating to personal identifying information; restricts the type of credit card or debit card information that may be printed electronically on a receipt; provides penalties. |
| New Mexico | S.B. 253 Signed by governor 4/5/03, Chapter 169 Relates to commercial instruments and transactions; restricts the credit card account number information that can be disclosed; enacts the Privacy Protection Act. |
| New York | A.B. 5150 Signed by governor 9/9/03, Chapter 499 S.B. 4531 Substituted by A.B. 5150 6/11/03 Prohibits businesses from printing charge, credit, or debit card numbers on receipts that are electronically created; imposes penalties for violations. |
| North Carolina | H.B. 357 Signed by governor 6/18/03, Chapter 206 Prohibits a person that accepts credit, charge, or debit cards for the transaction of business from printing more than five digits of a credit, charge, or debit card account number or an expiration date on a sales receipt and prohibits a person from selling a cash register or other machine or device that electronically prints receipts of credit, charge, or debit card transactions that cannot be programmed or operated to produce a receipt with five or fewer digits of the credit, charge, or debit card account number and no expiration date printed on the receipt. |
| S.B. 966 Signed by governor 6/26/03, Chapter 262 Requires insurers to implement safeguards for the protection of customer information, pursuant to the provisions of the Gramm-Leach-Bliley Act. |
|
| North Dakota | H.B. 1179 Signed by governor 4/23/03 Prohibits an insurance company, nonprofit health service corporation or health maintenance organization from disclosing nonpublic personal information to nonaffiliated third parties. |
| H.B. 1478 Signed by governor 4/7/03 Relates to disclosure of financial information; relates to financial institution customer privacy definitions and exceptions. |
|
| Oregon | H.B. 2103 Signed by governor 6/11/03 Prohibits a person from selling, leasing or renting payment processing system that provides a customer receipt with more information about customer than the customer’s name and last five digits of customer’s credit or debit card number. Prohibits a person from creating customer receipts with more information about a customer than the customer’s name and last five digits of customer’s credit or debit card number. Requires a person that creates or retains a copy of a receipt that contains more information than customer name and last five numbers of credit or debit card to destroy receipt within certain time. Authorizes the attorney general or district attorney to bring action to prevent violations. Imposes civil penalty for violation of order or injunction. Increases civil penalty for unlawful credit or debit card solicitations. Authorizes courts to award attorney fees to the prevailing party in action to impose civil penalty. |
| South Carolina | H.B. 3198 Signed by governor 4/21/03, Act 20 Relates to the prohibition of knowingly obtaining or using personal information obtained from a public body for commercial solicitation directed to a person in this state, so as to substitute “state agency” for “public body” and provides an exclusion. |
| Tennessee | H.B. 931 Signed by governor 5/7/03, Chapter 98 S.B. 496 Revises present authority for disclosure of customer information by financial institutions in regard to suspected illegal activity to allow disclosure where financial institution or its representatives believe information may be relevant; includes as information that may be disclosed descriptive information and activities in addition to identifying information. |
| Texas | H.B. 500 Signed by governor 6/20/03 Amends Subchapter C, Chapter 11 of the Tax Code to make a driver’s license number, personal identification certificate number, or social security account number provided in an application for exemption filed with a chief appraiser confidential and not open to public inspection. Prohibits the information from being disclosed to anyone other than an employee of the appraisal office who appraises property. However, the bill contains a list of exceptions that authorize such information to be disclosed. |
| H.B. 2930 Signed by governor 6/20/03 S.B. 1559 Signed by governor 6/20/03 Relates to the confidentiality of and access to certain personal information contained in instruments recorded with a county clerk. |
|
| S.B. 235 Signed by governor 6/20/03 Relates to the contents of a receipt or other document issued for payment by credit card. |
|
| S.B. 566 Signed by governor 5/18/03 Assigns to the local agency which attains identifying information of a person whose identity has been falsely used, once the true identity of the person has been determined, the responsibility to contact the person whose identity has been falsely used; requires notification to the identity theft victim that he or she is entitled to an expunction of that criminal record; establishes an application process for a person seeking expunction under this circumstance; and makes other provisions regarding the duties of law enforcement agencies regarding the misuse of a person’s identity. |
|
| S.B. 611 Signed by governor 6/18/03 Relates to printing a social security number on an identification card or other identification device; providing a civil penalty. |
|
| Utah | S.B. 202 Signed by governor 3/24/03, Session Law Chapter 216 Modifies the Government Records Access and Management Act regarding private information by providing that peace officers in specified classifications are “at-risk government employees” regarding specified personal information, including Social Security numbers. |
| Virginia | H.B. 1928 Signed by governor 3/18/03, Chapter 541 S.B. 1135 Signed by governor 3/18/03, Chapter 549 Requires a financial institution or credit card issuer to disclose bank records or credit card information concerning a customer upon the issuance of a subpoena duces tecum. Provision is made for the financial institution or credit card issuer to move to quash or modify the subpoena duces tecum if compliance would cause an undue burden and for holding harmless the financial institution or credit card issuer or its employees for releasing such information or records pursuant to an order. The statement of facts documenting the reasons the records or information are sought will be sealed upon issuance of the subpoena duces tecum, and the use of such records or information is limited to the investigation and legitimate law-enforcement purposes. At the end of the investigation the records or information will be sealed. A provision is added allowing seizure of certain property used in money laundering and punishable as a felony under the laws of another state or territory of the United States, the District of Columbia, or the United States. |
| H.B. 2175 Signed by governor 3/23/03, Chapter 914 Limits the appearance of social security numbers on identification cards and parcels. Punishes the distribution or possession with intent to distribute another’s personal identifying information or the distribution of the means by which personal information may be stolen. Creates a mechanism whereby a victim may expunge a criminal charge resulting from identity theft. Punishes obtaining goods and services, and identification documents and information of another. Requires the Library Board to develop regulations providing for the destruction of Social Security numbers in public records. Allows a clerk of court to refuse to record a document upon which there appears a grantor’s or grantee’s Social Security number. Sets up a procedure for blocking credit misinformation appearing in a credit report. |
|
| H.B. 2426 Signed by governor 4/2/03, Chapter 988 Provides that beginning January 1, 2004, no court clerk shall post on a court-controlled Web site any document that contains the following information: (i) an actual signature; (ii) a Social Security number; (iii) a date of birth identified with a particular person; (iv) the maiden name of a person’s parent so as to be identified with a particular person; (v) any financial account number or numbers; or (vi) the name and age of any minor child. Provides an exception for court clerks providing remote access to their records if their network or system that is used to provide the access has been certified by the Department of Technology Planning. Requires the Department to establish security standards that must be followed by court clerks providing remote access to records in consultation with circuit court clerks, the Supreme Court, the Compensation Board, users of land and other court records, and other interested citizens. |
|
| S.B. 815 Signed by governor 3/16/03, Chapter 97 Deletes requirement that beneficiary’s Social Security number and birth date and the proposed dates of final and periodic disbursements routinely be included in the court order and provides instead that the general receiver file a sealed affidavit with this information. |
|
| S.B. 878 Signed by governor 3/19/03, Chapter 729 Requires insurance institutions, agents, and insurance-support organizations to implement a comprehensive information security program to safeguard the privacy of consumer information. The measure is required pursuant to the federal Gramm-Leach-Bliley Act and is based on model language adopted by the National Association of Insurance Commissioners. |
|
| S.B. 992 Signed by governor 3/16/03, Chapter 223 Requires a financial institution or credit card issuer to disclose bank records or credit card information concerning a customer upon the issuance of a subpoena duces tecum. Provision is made for the financial institution or credit card issuer to move to quash or modify the subpoena duces tecum if compliance would cause an undue burden and for holding harmless the financial institution or credit card issuer or its employees for releasing such information or records pursuant to an order. The statement of facts documenting the reasons the records or information are sought will be sealed upon issuance of the subpoena duces tecum, and the use of such records or information is limited to the investigation and legitimate law-enforcement purposes. At the end of the investigation the records or information will be sealed. |
|
| Washington | H.B. 1845 Signed by governor 5/7/03, Chapter 124 S.B. 5718 Broadens the exemption from public disclosure under the open public records act for credit card numbers, debit card numbers, electronic check numbers, card expiration dates, or bank or other financial account numbers. Removes the limitation that allowed the exemption only when the number or date was supplied to an agency for the purpose of electronic transfer of funds. |
| West Virginia | S.B. 400 Signed by governor 4/1/03, Chapter 122 Relates to authorizing limited disclosure of confidential information received by the insurance commissioner; Makes amendments regarding disclosure of confidential information by the insurance commissioner to federal banking agencies required by the federal Gramm-Leach-Bliley Act. |
| Wyoming | S.F. 108 Signed by governor 3/6/03, Chapter 155 Relates to the dissolution of marriage; makes financial information provided by parties for child support confidential; removes parties’ Social Security numbers from divorce decrees. |