UNITED STATES OF
AMERICA Office of the Secretary June 28, 2001 The Honorable Gary D. Preszler Dear Commissioner Preszler: This letter responds to your September 12, 2000 petition to the Federal Trade Commission ("Commission") for a determination, under 15. U.S.C. § 6807, whether the North Dakota Disclosure of Customer Information law, N.D. Cent. Code, ch. 6-08.1-01 to 6-08.1-08 (amended 2001) ("the North Dakota statute"), is superseded, altered, or affected by Subtitle A of Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809 ("GLB Act"). You also asked whether North Dakota state-chartered financial institutions must comply with the provisions of state law that are determined to afford any person greater protection than the federal law as well as with GLB Act provisions not addressed under the North Dakota statute. We note that on April 19, 2001 the Governor of North Dakota signed into law significant amendments to the North Dakota statute that will be effective on July 1, 2001. See S. Bill 2191, 57th Leg., Reg. Sess. (N.D. 2001). You stated in your letter of April 23, 2001, enclosing a copy of the signed law, that your request for a Commission determination "remains unchanged." In reaching our determination, in addition to your September 12, 2000 petition and your April 23, 2001 letter, we have also considered information contained in your November 27, 2000 letter to Debra A. Valentine, General Counsel of the Federal Trade Commission, and in the October 30, 2000 letter from North Dakota Assistant Attorney General Scott A. Miller to Ms. Valentine. In addition, the Commission has consulted with the staff of the federal banking agencies, the Securities and Exchange Commission, the National Credit Union Administration, and the Commodity Futures Trading Commission about your petition. Section 507(a) of the GLB Act, 15 U.S.C. § 6807, preserves a state "statute, regulation, order, or interpretation" that is not "inconsistent" with the provisions of the GLB Act. 15 U.S.C. § 6807(a). Under Section 507(b), a determination that a state law provides "greater protection" to consumer privacy as compared to the federal act deems such statute to be "not inconsistent" with provisions of Subtitle A of Title V, and it is thereby not preempted by that subtitle. 15 U.S.C. § 6807(b). As discussed below, because the Commission concludes that the North Dakota statute and federal law are not "inconsistent," there is no need to reach the Section 507(b) "greater protection" analysis. In adopting Section 507, Congress established the privacy protections in the GLB Act as a "floor," or minimum protections for consumer privacy, that could be exceeded by the states. See 145 Cong. Rec. S13890 (daily ed. Nov. 4, 1999) (statement of Sen. Rod Grams); 145 Cong. Rec. S13789 (daily ed. Nov. 3, 1999) (statement of Sen. Paul S. Sarbanes). State law provisions that add to the privacy protections in that subtitle will not be preempted by that subtitle. It is commonplace that where federal law does not preempt certain state law provisions, state laws and federal laws that touch on the same subject matter create a "dual regulatory scheme." Northwest Central Pipeline Corp. v. State Corporation Commission of Kansas, 489 U.S. 493, 516 (1989). In enacting Subtitle A of Title V, Congress expressly declared that the intent of the GLB Act privacy provisions is to ensure that "each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information." 15 U.S.C. § 6801(a). To further that objective, Subtitle A of Title V of the GLB Act restricts when a financial institution may disclose a consumer's or a customer's nonpublic personal information to nonaffiliated third parties. Financial institutions are required to provide notices to their customers about their information-sharing practices, and both consumers and customers may "opt out" if they do not want their information shared with nonaffiliated third parties. However, the GLB Act provides specific exceptions whereby a financial institution may share nonpublic personal information with a nonaffiliated third party and the consumer or customer cannot opt out, such as to market the financial institution's own products or services. See 15 U.S.C. §§ 6802(b)(2), (e); 12 C.F.R. §§ 313.13 to 313.15. The North Dakota statute imposes a duty of confidentiality upon its financial institutions to ensure the protection of "customer information." N.D. Cent. Code, ch. 6-08.1-03. Thus, unless the disclosure falls within one of twelve specific exemptions, N.D. Cent. Code, ch. 6-08.1-02, the North Dakota statute prohibits a financial institution from disclosing such information unless the customer has expressly consented or "opted in." Since you filed your original petition, North Dakota enacted a new exemption to its state confidentiality law. The new exemption excepts from the requirements of the state statute "[a] disclosure of customer information by a financial institution to a nonaffiliated third party, if the disclosure is subject to federal law on the date of disclosure and the financial institution complies with applicable federal law in making the disclosure." See S. Bill 2191, Section 2. Thus, a North Dakota financial institution's disclosures of customer information that comply with the GLB Act and its implementing regulations fall within the new exemption.(1) I. The North Dakota statute is not inconsistent with the GLB Act. A. Traditional preemption principles guide preemption analysis under Section 507 of the GLB Act. In interpreting Section 507 of the GLB Act, our starting point is traditional preemption jurisprudence, which favors the preservation of state laws. New York State Conference of Blue Cross & Blue Shield Plans v. Travelers Ins. Co., 514 U.S. 645, 654 (1995) ("the starting presumption [is] that Congress does not intend to supplant state law").(2) As the Supreme Court has explained: [S]tate law is pre-empted under the Supremacy Clause, U.S. Const. Art. VI, cl. 2, in three circumstances. First, Congress can define explicitly the extent to which its enactments pre-empt state law. Pre-emption fundamentally is a question of congressional intent, and when Congress has made its intent known through explicit statutory language, the courts' task is an easy one. Second, in the absence of explicit statutory language, state law is pre-empted where it regulates conduct in a field that Congress intended the Federal Government to occupy exclusively. . . . Finally, state law is pre-empted to the extent that it actually conflicts with federal law. Thus, the Court has found pre-emption where it is impossible for a private party to comply with both state and federal requirements, or where state law "stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress." English v. General Elec. Co., 496 U.S. 72, 78-79 (1990) (citation omitted). Section 507 of the GLB Act provides:
15 U.S.C. § 6807; see also 16 C.F.R. § 313.17. It is clear that Section 507 of the GLB Act does not expressly preempt all state laws on financial privacy nor does it intend to preempt the field, which are the first two preemption options outlined above in English. Here, federal preemption of a state law provision is limited to the third option, conflict preemption, where the state law "conflicts with federal law" or is "inconsistent" with federal law. B. A state law is "inconsistent" under Section 507(a) only (1) if it frustrates the purpose of the federal law or (2) if compliance with both laws is physically impossible. The U.S. Supreme Court has held through a long line of preemption cases that a finding of inconsistency between state and federal laws must meet a high threshold. One of two specific standards must be met before a state law can be found inconsistent. Federal law will preempt state law if it frustrates the purpose of the federal statutory scheme or if compliance with both the state and federal laws is physically impossible. See Crosby v. National Foreign Trade Council, 530 U.S. 363, __, 120 S.Ct. 2288, 2294 (2000). The first standard, frustration of purpose, has been defined as "stand[ing] as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress." Hines v. Davidowitz, 312 U.S. 52, 67 (1941). This analysis explores whether the state law works at a cross-purpose to or otherwise thwarts the objectives of the federal law. The second standard -- whether compliance with both the state and federal laws is physically impossible -- requires a showing of "inevitable collision between the [state and federal] schemes of regulation." See Florida Lime & Avocado Growers, Inc. v. Paul, 373 U.S. 132, 143 (1963). As explained in Florida Lime and its progeny, "physical impossibility" is a high standard, reflecting the strong presumption against preemption. Thus, if a state law permits, but does not require, conduct that a federal law prohibits, it is not physically impossible to comply with both statutes. See California Fed. Savings & Loan Ass'n v. Guerra, 479 U.S. 272, 291 (1987); see also Florida Lime, 373 U.S. at 143. Conversely, if a state law precludes what federal law merely permits but does not require, that state law does not make it physically impossible to comply with federal law. See Pacific Gas & Elec. Co. v. State Energy Resources Conservation & Dev. Comm'n, 461 U.S. 190, 218-19 (1983) (declining to preempt California law that imposed conditions, not required under federal law, upon the construction of nuclear power plants). C. The North Dakota statute is not inconsistent with the GLB Act under Section 507(a) because the state law does not frustrate the purpose of the federal law and compliance by financial institutions with both statutory schemes is possible. In the present case, under the new exemption, the North Dakota statute exempts a financial institution from the state law requirements if the financial institution complies with the GLB Act. Since compliance with federal law exempts a financial institution from the state law, a North Dakota financial institution is free simply to comply with the federal requirements. Thus, compliance with both federal and state law is clearly possible, and state law does not frustrate the purpose of federal law. Nor do the North Dakota "opt-in" requirements, which come into play if a North Dakota financial institution falls outside the exemption, in this case frustrate the purpose of federal law. The purpose of Title V, Subtitle A, is to ensure that "each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information." 15 U.S.C. § 6801(a). The North Dakota opt-in requirements, if applicable, are consistent with this purpose.(3) For these reasons, the North Dakota statute is not "inconsistent" under Section 507(a) and the state law is therefore not superseded, altered, or affected by Subtitle A of Title V of the GLB Act. D. Since the two laws are not inconsistent, there is no need to consider whether the North Dakota statute provides greater protection under Section 507(b). The Commission does not need to reach the Section 507(b) "greater protection" analysis unless, as provided in subsection (a), the state and federal laws are inconsistent. As set forth above, the two statutes are not inconsistent. Thus, in accordance with Section 507 and with the Supreme Court's cautious approach to preempting state law, the Commission concludes that the GLB Act does not preempt the North Dakota statute. II. North Dakota financial institutions must comply with GLB Act privacy provisions since federal law establishes the minimum privacy protections for consumers. You also inquired whether North Dakota state-chartered financial institutions must comply with GLB Act provisions that are not covered under North Dakota law. Yes, financial institutions must comply with all applicable GLB Act privacy provisions, as those provisions establish a "floor" on the level of privacy protections afforded consumers. Here, for example, the GLB Act will place new notice and security requirements on all financial institutions (as defined in the GLB Act) in North Dakota. North Dakota law does not require financial institutions to provide notices regarding financial privacy policies to their customers, according to your September 12, 2000 letter. In contrast, the GLB Act requires financial institutions to provide notices to customers not later than when a customer relationship is established and annually thereafter.(4) 15 U.S.C. § 6803(a); see also 16 C.F.R. § 313.4(a). Thus, all financial institutions operating in North Dakota must provide initial and annual notices to customers as required under the GLB Act and must implement the administrative, technical, and physical safeguards to protect the security and confidentiality of customer records and information. See 15 U.S.C.§§ 6803, 6801(b). This is so even if these financial institutions do not share nonpublic personal information without the customers' affirmative consent. In addition, the definition of "financial institution" under the state law appears to be narrower than under the federal statute. Compare 15 U.S.C. § 6809(3)(A) with N.D. Cent. Code, ch. 6-08.1-01(3).(5) In Mr. Miller's October 30, 2000 letter, he explained that other than the entities specified in the North Dakota definition of "financial institution" and their affiliates, the scope of entities covered by the North Dakota statute "would most likely be a question of fact." Thus, there may be "financial institutions" as defined in the GLB Act that need not comply with the state law, but must comply with the federal statute. By direction of the Commission. Donald S. Clark 1. We also note additional privacy provisions in the amended state law, such as privacy protections for "agricultural and commercial accounts." S. Bill 2191, Section 3. Private information that does not relate to an individual's personal, family or household use is not protected under the GLB Act. 2. Federal agency regulations as well as statutes may preempt state law. "The statutorily authorized regulations of an agency will preempt any state or local law that conflicts with such regulations or frustrates the purposes thereof." City of New York v. FCC, 486 U.S. 57, 63-64 (1988). 3. In the Commission's opinion, financial institutions that comply with the state law opt-in provisions are deemed to be in compliance with the opt-out provisions in the federal law. Customers of such financial institutions are effectively opted-out by operation of state law. Where financial institutions comply with the opt-in provisions and do not share customer information absent written and express consent, the GLB Act opt-out notice is unnecessary, although, as discussed below, such financial institutions are required to provide privacy notices. 4. The North Dakota amendments changed the definition of "customer" to be congruent with "consumer" under the GLB Act and do not distinguish between these terms as regards a financial institution's obligations. The GLB Act requires financial institutions to provide notices to consumers who are not customers prior to sharing consumers' nonpublic personal information with nonaffiliated third parties. 15 U.S.C. § 6802(a); see also 16 C.F.R. § 313.4(a). 5. Under the GLB Act, the definition of "financial institution" includes a broad spectrum of entities that engage in activities that are deemed to be "financial in nature," such as loan brokers, check guaranty services, check cashers, collection agencies and credit bureaus. See GLB Act Section 509(3)(A), 15 U.S.C. § 6809(3)(A) (citing section 4(k) of the Bank Holding Company Act (12 U.S.C. § 1843(k)). See also 65 Fed. Reg. 33647 (2000). The definition of "financial institution" in N.D. Cent. Code ch. 6-08.1-01(3) is "any organization authorized to do business under state or federal laws relating to financial institutions, including, without limitation, a bank, including the Bank of North Dakota, a savings bank, a trust company, a savings and loan association, or a credit union." This definition would also include affiliates of such financial institutions. See Oct. 30, 2000 letter from Assistant Attorney General Scott Miller to Debra A. Valentine. |