Letter from
Federal Trade Commission
Washington, D.C.
Office of the Secretary

June 7, 2002

The Honorable John P. Burke
Department of Banking
State of Connecticut
260 Constitution Plaza
Hartford, CT 06103-1800

Dear Commissioner Burke:

This letter responds to your April 19, 2001 petition to the Federal Trade Commission ("Commission") for a determination, under 15 U.S.C.§ 6807, as to whether Connecticut's financial privacy laws, Conn. Gen. Stat., §§ 36a-41, et seq. (2001) ("the Connecticut statute") are preempted by Subtitle A of Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809 ("GLBA").1  You specifically directed our attention to Section 36a-42 of the Connecticut statute, which, with certain exceptions, prohibits the disclosure of "financial records" to "any person" unless the customer has authorized such disclosure.

A federal enactment may preempt state law either through (1) express statutory preemption; (2) implied preemption where the intent of the federal law is to occupy the field exclusively ("field preemption"); or (3) implied preemption where state and federal law actually conflict ("conflict preemption").  See Lorillard Tobacco Co. v. Reilly, 533 U.S. 525, 121 S.Ct 2404, 2414 (2001); Crosby v. National Foreign Trade Council, 530 U.S. 363, 372-73 (2000); English v. General Elec. Co., 496 U.S. 72, 78-79 (1990). Conflict preemption may be found where the state law frustrates the purpose of the federal statutory scheme or where compliance with both the state and federal laws is physically impossible.  See Crosby, 530 U.S. at 372-73; Geier v. American Honda Motor Co., Inc., 529 U.S. 861, 873 (2000); English, 496 U.S. at 79.

Section 507(a) of the GLBA, 15 U.S.C § 6807(a), preserves a state "statute, regulation, order, or interpretation" that is not "inconsistent" with the privacy provisions of the GLBA.  A determination under Section 507(b), 15 U.S.C § 6807(b), that a state law provides "greater protection" to consumer privacy as compared to the federal act is only necessary where the state statute is found to be "inconsistent" under Section 507(a).   Thus it is clear that Congress did not intend, either expressly or by implication, to preempt state laws protecting consumer financial privacy except to the extent that such laws actually conflict or are "inconsistent" with federal law, and then only where the state law fails to provide greater privacy protection.

The first standard for conflict preemption, frustration of purpose, has been defined as "stand[ing] as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress."  Hines v. Davidowitz, 312 U.S. 52, 67 (1941). This analysis explores whether the state law works at a cross-purpose to or otherwise thwarts the objectives of the federal law.   Based on the information you have submitted,2 it does not appear to us that the Connecticut statute frustrates the purpose of Subtitle A of Title V of the GLBA.  In Section 507, Congress intended to preserve state laws that provide additional privacy protections to consumers.  Connecticut's statute, which, with certain exceptions, prohibits the disclosure of "financial records" unless authorized by the customer, appears consistent with the express privacy policy of GLBA, which imposes on each financial institution "an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information."3  15 U.S.C § 6801(a).

The second standard -- whether compliance with both the state and federal laws is physically impossible -- requires determining whether there is an "inevitable collision between the [state and federal] schemes of regulation."   See Florida Lime & Avocado Growers, Inc. v. Paul, 373 U.S. 132, 143 (1963).  Under Florida Lime and its progeny, if a state law permits, but does not require, conduct that a federal law prohibits, it is not physically impossible to comply with both statutes.  See California Fed. Savings & Loan Ass'n v. Guerra, 479 U.S. 272, 290-91 (1987); see also Florida Lime, 373 U.S. at 143. Conversely, if a state law prohibits what federal law merely permits but does not require, compliance with both statutes is possible.  See Pacific Gas & Elec. Co. v. State Energy Resources Conservation & Dev. Comm'n, 461 U.S. 190, 218-19 (1983).   Thus where Connecticut law prohibits disclosure and federal law permits disclosure, a Connecticut financial institution can comply with both laws by not disclosing the consumer's nonpublic personal information.  Likewise, where federal law prohibits disclosure and state law permits disclosure, the financial institution can comply with both laws by not disclosing the information.4  Here, compliance by Connecticut financial institutions with both the federal and state requirements is not physically impossible.

Accordingly, because we do not see an "inconsistency" between the state and federal laws under Section 507(a) based on the information you have submitted, we do not need to reach the Section 507(b) "greater protection" analysis.

By direction of the Commission.

Donald S. Clark

1 In responding to your petition, we have considered the information contained in your April 19 and July 19, 2001 letters.

2 Your petition was accompanied only by a copy of the Connecticut statute.  We do not have, and are not aware of, any other materials interpreting or applying the statute.

3 Based on your petition and our review, we have confined our analysis to this one federal purpose.  The GLB Act may seek to effect other policies or purposes that have not been identified or considered here.

4 We note that the GLBA provides a narrow exception allowing the disclosure of nonpublic personal information where the consumer specifically consents.   See 15 U.S.C. § 6802(e)(2); 16 C.F.R. § 313.15(a)(1); 65 Fed. Reg. 33,671 (consumer should fully understand limits of the consent and consent cannot be fraudulently obtained).

April 19, 2001 letter requesting FTC determination as to whether Connecticut's financial privacy laws are preempted.