Summary
holding that a federal statute “requiring financial institutions to ‘respect the privacy of its customers' and ‘protect the security and confidentiality of those customers' nonpublic personal information’ ... together with the [Federal Trade Commission] rule enforcing it” qualifies as an “other statute”
Summary of this case from Planned Parenthood v. BloedowOpinion
No. 82690-1.
Argued May 11, 2010.
Decided November 4, 2010.
Appeal from the Superior Court for Thurston County, No. 07-2-00506-1, Anne Hirsch, J.
Robert M. McKenna, Attorney General, Alan D. Copsey, Deputy Solicitor General, Shannon E. Smith, Senior Counsel, and David W. Huey, Assistant, for petitioner.
Erik D. Price, Michael A. Nesteroff, and Laura T. Morse (of Lane Powell, PC) ( Joanne N. Davies, of counsel), for respondent.
William J. Crittenden and Patrick D. Brown on behalf of Washington Coalition for Open Government, amicus curiae.
Douglas B. Klunder and Margaret Ji Yong Pak on behalf of American Civil Liberties Union, amicus curiae.
¶1 — This case concerns the application of certain federal privacy laws to a request for information brought under the State's Public Records Act (PRA), chapter 42.56 RCW. The Washington State Office of the Attorney General (AGO) obtained loan files, e-mails, and other papers from Ameriquest Mortgage Company during its investigation of Ameriquest's lending practices. The AGO also generated its own documents and received other information directly from consumers who filed complaints about Ameriquest. A member of the public, Melissa A. Huelsman, invoking the PRA, asked for records from the investigation, and the AGO wants to disclose certain information, including names, addresses, phone numbers, and interest rates. Ameriquest does not object to the AGO disclosing information it received from individual consumers. Ameriquest does object to the AGO disclosing information it received from Ameriquest. The disputed issue is whether, and to what extent, the federal Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. §§ 6801- 6809, and the relevant Federal Trade Commission (FTC) rule, preempt the PRA or otherwise bar the AGO from disclosing information it received from Ameriquest.
I. STATEMENT OF THE CASE
A. Overview of the GLBA and the FTC rule
¶2 In the GLBA, Congress enacted the federal policy requiring financial institutions to "respect the privacy of its customers" and "protect the security and confidentiality of those customers' nonpublic personal information." 15 U.S.C. § 6801(a). Pursuant to the rule-making authority granted in the GLBA, § 6804, the FTC adopted Privacy of Consumer Financial Information, 16 C.F.R. § 313. Under these federal privacy protections, a financial institution is not allowed to disclose a consumer's nonpublic personal information to a nonaffiliated third party, unless the consumer receives a prior notice and an opportunity to opt out. 15 U.S.C. § 6802(a)-(b); 16 C.F.R. § 313.10(a)(1). The notice must describe the financial institution's privacy policies and practices, including the kinds of protected information that the financial institution discloses to nonaffiliated third parties. 15 U.S.C. § 6803; 16 C.F.R. § 313.6. A separate opt out notice must "clearly and conspicuously" describe the consumer's right to opt out of the financial institution's disclosures of protected information and must give the consumer a "reasonable means" to exercise that right. 15 U.S.C. § 6802(b)(1); 16 C.F.R. § 313.7(a)(1). If after giving proper notice and a reasonable opportunity to opt out, the consumer does not opt out, then the financial institution may disclose nonpublic personal information to nonaffiliated third parties. 15 U.S.C. § 6802(a)-(b); 16 C.F.R. § 313.10(a)(1). The disclosure must be consistent with the policies described in the notice. See 15 U.S.C. § 6802(a)-(b); 16 C.F.R. § 313.10(a)(1).
This FTC rule has been upheld against constitutional and administrative law challenges. See Trans Union LLC v. F.T.C., 295 F.3d 42, 46, 353 U.S. App. D.C. 42 (2002); Individual Reference Servs. Grp., Inc. v. F.T.C., 145 F. Supp. 2d 6, 26, 31 (D.D.C. 2001). Since we granted review, Congress enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub.L. No. 111-203, 124 Stat. 1376 (July 21, 2010), which included amendments to the GLBA. See Dodd-Frank Act § 1093, 124 Stat, at 2095-97. The amendments appear to take away the rule-making and enforcement authority granted in 15 U.S.C. §§ 6804- 6805 over mortgage lenders such as Ameriquest from the FTC, transferring it to the newly created Bureau of Consumer Financial Protection. See Dodd-Frank Act § 1093, 124 Stat, at 2095-96. However, the parties agree the FTC rule applied when the acts in question occurred. We therefore apply the FTC rule.
The GLBA defines "`[n]onaffiliated third party" as "any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of such institution." 15 U.S.C. § 6809(5).
In limited circumstances not relevant here, an opportunity to opt out does not have to be given. See 15 U.S.C. § 6802(b)(2); 16 C.F.R. § 313.13.
¶3 Several exceptions to the financial institution's notice and opt out obligation are set forth in § 6802(e) and 16 C.F.R. § 313.14-.15. Some of the exceptions are relevant here. The financial institution does not have to give notice if the disclosure is done "with the consent or at the direction of the consumer," § 6802(e)(2); 16 C.F.R. § 313.15(a)(1); or is necessary to, among other things, "comply with Federal, State, or local laws, rules, and other applicable legal requirements," § 6802(e)(8); 16 C.F.R. § 313.15(a)(7)(i); or "comply with a properly authorized civil, criminal, or regulatory investigation," § 6802(e)(8); 16 C.F.R. § 313.15(a)(7)(ii).
¶4 These federal restrictions also prohibit a nonaffiliated third party from reusing or redisclosing any protected information received from a financial institution. The receiving nonaffiliated third party may disclose nonpublic personal information to its affiliates and those of the financial institution. 15 U.S.C. § 6802(c); 16 C.F.R. § 313.11(c)(1)-(2), (d)(1)-(2). However, the receiving nonaffiliated third party may not reuse or redisclose the nonpublic personal information to another nonaffiliated third party unless an exception applies or the reuse or redisclosure would be lawful if done by the financial institution. 15 U.S.C. § 6802(c); 16 C.F.R. § 313.11(c)-(d).
B. Factual and procedural history
¶5 The AGO accumulated thousands of pages of documents when it investigated Ameriquest's lending practices for violations of the Consumer Protection Act, chapter 19.86 RCW. Ameriquest delivered loan files, e-mails, internal customer complaint files, and other documents to the AGO. Individual customers of Ameriquest gave information to the AGO through its consumer complaint process. The AGO also developed its own documents as the investigation unfolded. None of these documents are included in the appellate record, but an Ameriquest employee, in a sworn declaration, summarized the contents of the loan files that Ameriquest gave to the AGO:
[T]he loan files produced by Ameriquest to the AGO would, at minimum, include a customer's full legal name, social security number (possibly an actual copy of the social security card as well), driver's license number (possibly a copy of the actual license as well), date of birth, credit (FICO) [Fair Isaac Corporation] score, credit report (which would identify mortgages and consumer credit information such as name of credit card company, amount charged, amount paid, outstanding balance, timeliness of payments), monthly income, sources of monthly income (which could include a copy of the borrower's paystub, W2 [(tax form)], personal and business tax returns, business profit and loss statement), employer's name, employer's address, length of employment, nature of employment, name and age of any children, checking and savings account information (bank statements, deposit verification), identification of other assets (stocks, bonds, life insurance net cash value, retirement fund holdings, net worth of business), residential address, residential telephone number, personal wireless telephone number, as well as all terms and conditions of the customer's transaction (e.g., loan amount, interest rate etc.).
Clerk's Papers (CP) at 118. The employee also stated that the Ameriquest e-mails given to the AGO "contain confidential customer information." CP at 119. On March 21, 2006, a consent decree terminating the AGO's investigation was entered in King County Superior Court. The decree included a provision relating to the PRA: "If the State receives a request for documents provided by an Ameriquest Party . . ., the State shall comply with applicable public disclosure laws and promptly provide notice to the Ameriquest Parties of the request that will afford the Ameriquest Parties the reasonable opportunity to assert that the documents subject to the request are exempt from disclosure." CP at 168.
¶6 Huelsman is an attorney whose practice specializes in predatory lending cases, and she has represented former customers of Ameriquest. On February 5, 2007, she gave the AGO a request for "[a]ll records relating to [the] investigation of Ameriquest." CP at 132. In follow-up discussions with the AGO, Huelsman clarified that she wanted the borrowers' names, addresses, and loan terms and costs, but not the borrowers' Social Security numbers, account numbers, and the like. The AGO notified Ameriquest that it intended to comply with Huelsman's request.
The public records request was filed by Christina Latta, a colleague of Huelsman's. Huelsman, Ameriquest, and the AGO treat the request as Huelsman's, and therefore so do we.
¶7 Ameriquest sought an injunction against the AGO. The trial court entered a temporary restraining order prohibiting the AGO's intended disclosures to Huelsman. In a motion for a preliminary injunction, Ameriquest asked the court to enjoin the AGO's disclosure of five types of documents: (1) Ameriquest's customer loan files, (2) Ameriquest's internal customer complaint files, (3) Ameriquest's employee e-mails, (4) Ameriquest's trade secrets and proprietary information, and (5) the AGO's internally produced documents. Ameriquest did not object to disclosure of the AGO's consumer complaint files, as long the disclosed documents did not include information given by Ameriquest. The trial court denied Ameriquest's motion, concluding that, among other things, the GLBA "does not preempt the State's law on public disclosure of documents." CP at 322. However, the court left the temporary restraining order "in effect until the AGO completes a thorough redaction of exempt personal and confidential information from the records." CP at 323.
This statement about exemptions for sensitive information appears to refer to the privacy protections of the PRA, rather than the GLBA or the FTC rule.
¶8 The Court of Appeals reversed, holding that "[i]f compliance with the PRA is inconsistent with the GLBA, then the GLBA preempts the PRA on this point and prohibits disclosure." Ameriquest Mortg. Co. v. Att'y Gen. of Wash., 148 Wn. App. 145, 159, 199 P.3d 468 (2009). Because the AGO is a nonaffiliated third party under the GLBA and Huelsman is not an affiliate of the AGO, the Court of Appeals concluded that the GLBA applied to the AGO's proposed disclosure to Huelsman. Id. at 162. The Court of Appeals remanded to the trial court, concluding that "[w]hat information in the loan customers' files is public is a factual question that the trial court will need to address." Id. at 165.
¶9 We granted the AGO's petition for review "only on the issue of whether federal law preempts or precludes disclosure of information in the loan files held by the Attorney General." Wash. Supreme Court Order, Ameriquest Mortg. Co. v. Wash. State Office of the Att'y Gen., No. 82690-1 (July 7, 2009).
II. ANALYSIS
¶10 The privacy protections in the GLBA and the FTC rule apply to any "nonaffiliated third party" that obtains "nonpublic personal information" from a "financial institution." 15 U.S.C. § 6802(c); 16 C.F.R. § 313.11(c). The parties agree that Ameriquest is a "financial institution" and that the AGO received "nonpublic personal information" from Ameriquest. (Ameriquest was permitted to share this protected information with the AGO under the exception for "a properly authorized civil, criminal, or regulatory investigation." 15 U.S.C. § 6802(e)(8); 16 C.F.R. § 313.15(a)(7)(h).) The AGO does not challenge the Court of Appeals' holding that the AGO is a nonaffiliated third party in this case. The AGO's concession aside, the parties' arguments raise several questions.
A. Do the GLBA and the FTC rule's prohibitions on redisclosure apply if the AGO's intended recipient is a member of the public?
¶11 When a nonaffiliated third party receives nonpublic personal information from a financial institution, it may freely disclose the information to its affiliates. 15 U.S.C. § 6802(c); 16 C.F.R. § 313.11(c)(1)-(2), (d)(1)-(2). The AGO argues that Huelsman, as a member of the public, is an affiliate of the AGO, and therefore the GLBA and the FTC rule permit disclosure. The AGO is incorrect, and we are not persuaded by its citation of Pennsylvania State University v. State Employees' Retirement Board, 594 Pa. 244, 935 A.2d 530 (2007). In Pennsylvania State, the Supreme Court of Pennsylvania concluded the GLBA did not apply because Pennsylvania's "government and the general public could hardly be more closely affiliated." Id. at 257. However, "affiliate" is a defined term, and Pennsylvania State mistakenly failed to analyze the definition. An "`affiliate'" is "any company that controls, is controlled by, or is under common control with another company." 15 U.S.C. § 6809(6) (emphasis added); 16 C.F.R. § 313.3(a). A "[ c] ompany" in turn, is a "corporation, limited liability company, business trust, general or limited partnership, association, or similar organization." 16 C.F.R. § 313.3(d), (g) (defining [ c] ontrol"). Neither the AGO nor Huelsman is a company; they cannot be affiliates of each other. Therefore, the AGO may not freely disclose nonpublic personal information to Huelsman, unless another ground exists for doing so.
The AGO's briefing at this court did not challenge the Court of Appeals' holding on this point. But the AGO has not conceded the issue either, and it is highly relevant to the broader question of whether the GLBA and the FTC rule preempt or preclude the AGO's disclosure. We therefore decide the issue.
B. Does the GLBA or the FTC rule permit disclosure of unprotected information after nonpublic personal information has been redacted?
¶12 The AGO argues that the GLBA and the FTC rule allow it to redact any nonpublic personal information and disclose the rest. In its brief, the AGO indicates it wants to disclose names and addresses "because they already were a matter of public record for the mortgages at issue." Suppl. Br. of Att'y Gen. at 4 n. 2. At oral argument, the AGO added that, in some instances, it also wishes to disclose phone numbers and mortgage interest rates. The AGO's arguments raise two questions: What information here constitutes nonpublic personal information? And does the GLBA or the FTC rule prohibit redactions or repackaging to yield solely public information?
1. What information here constitutes nonpublic personal information?
¶13 The GLBA and the FTC rule use a "relatively complex approach" to defining whether information is "`nonpublic personal information'" or not. Privacy of Consumer Financial Information, 65 Fed. Reg. 33646, 33659 (May 24, 2000). There are three definitional filters through which the information must pass: (1) "personally identifiable financial information," § 6809(4)(A); 16 C.F.R. § 313.3(o); (2) "publicly available information," § 6809(4)(B); 16 C.F.R. § 313.3(p)(1); and (3) "list, description, or other grouping of consumers," § 6809(4)(C)(i); 16 C.F.R. § 313.3(n)(1)(ii), (2)(ii).
a. Any personally identifiable financial information?
¶14 The first meaning of "`[n]onpublic personal information'" is "personally identifiable financial information." 15 U.S.C. § 6809(4)(A); 16 C.F.R. § 313.3(n)(1)(i). " Personally identifiable financial information" means "any information," in the context of the provision of a financial product or service, that (1) a consumer gives to a financial institution, (2) is about a consumer's transaction, or (3) a financial institution obtains from a consumer. 16 C.F.R. § 313.3(o)(1); see also 15 U.S.C. § 6809(4)(A)(i)-(iii). The FTC rule provides relevant examples of information that meets this definition. Meeting the definition are "[i]nformation a consumer provides to you on an application to obtain a loan," 16 C.F.R. § 313.3(o)(2)(i)(A); "[t]he fact that an individual is or has been one of your customers or has obtained a financial product or service from [a financial institution]," 16 C.F.R. § 313.3(o)(2)(i)(C); and "[a]ny information about [a financial institution's] consumer if it is disclosed in a manner that indicates that the individual is or has been [the financial institution's] consumer," 16 C.F.R. § 313.3(o)(2)(i)(D). See 16 C.F.R. § 313.3(h) (defining [ c]? ustomer"). Not meeting the definition of "[ p] ersonally identifiable financial information" is "[i]nformation that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses." 16 C.F.R. § 313.3(o)(D, (2)(ii)(B).
¶15 In the circumstances of this case, names, addresses, and phone numbers meet the definition of "personally identifiable financial information." Not only are these bits of information personal identifiers, but also their disclosure by the AGO would reveal the fact that the individual is or has been Ameriquest's customer. See 16 C.F.R. § 313.3(o)(2)(i)(D). As noted above, the mere existence of the customer relationship is personally identifiable financial information. 16 C.F.R. § 313.3(o)(2)(i)(C). Only blind data or information stripped of personal identifiers are not protected information. 16 C.F.R. § 313.3(o)(2)(ii)(B).
¶16 Notably, the definition of "[ p] ersonally identifiable financial information" relates to "information," and not to the vessel of the information (for example, a document or an e-mail). 16 C.F.R. § 313.3(o)(1). Therefore, any information meeting the definition of "[ p] ersonally identifiable financial information" is subject to the GLBA and the FTC rule, regardless of whether the information appears in loan files, e-mails, or the AGO's internal work product. Id. If the AGO took protected information from a loan file and reproduced it elsewhere (e.g., a memorandum listing the names of the consumers), the information does not lose its status as personally identifiable financial information.
¶17 Next, the information at issue must be filtered through the definition of "[ p] ublicly available information." 16 C.F.R. § 313.3(p)(1).
b. Any publicly available information?
¶18 The AGO's primary argument is that it seeks to disclose only publicly available information. Any information that qualifies as publicly available information is exempted from the definition of "`[n]onpublic personal information,'" even if the information would otherwise meet the definition of "personally identifiable financial information." 15 U.S.C. § 6809(4)(A); 16 C.F.R. § 313.3(n)(1), (2), (o)(1). The term "`[ p] ublicly available information'" is defined as "any information that you have a reasonable basis to believe is lawfully made available to the general public from: (i) Federal, State, or local government records; (ii) Widely distributed media; or (iii) Disclosures to the general public that are required to be made by Federal, State, or local law." 16 C.F.R. § 313.3(p)(1) (emphasis added). And "widely distributed media includes information from a telephone book . . . or a [web site] that is available to the general public on an unrestricted basis." 16 C.F.R. § 313.3(p)(3)(ii). Because much of the information here is available through the telephone book, web sites, and recorded mortgage filings, the AGO argues that the names and addresses culled from the disputed records, as well as phone numbers and mortgage interest rates in some cases, meet the definition of "publicly available information." This information would therefore be exempted from the definition of "nonpublic personal information," and the federal restrictions would not apply. We reject the AGO's position.
The GLBA does not offer its own definition, leaving it to agency rule making to define the term. See 15 U.S.C. § 6809(4)(B).
¶19 The key is the FTC rule's use of the word "you" in the definitions of "[ p] ublicly available information" and "[ r] easonable basis." 16 C.F.R. § 313.3(p)(1), (2). The term "[ y] ou" means "each `financial institution' . . . over which the [FTC] has enforcement jurisdiction pursuant to [the GLBA]." 16 C.F.R. § 313.3(q). This definition expressly "excludes any `other person,'" id., which, in turn, is defined as "third parties that are not financial institutions, but that receive nonpublic personal information from financial institutions with whom they are not affiliated," 16 C.F.R. § 313.1(b). Ameriquest is a "you," and the AGO is an "other person." Only a "you" — a financial institution — can form the reasonable basis to believe information is publicly available.
¶20 For example, as to names, addresses, and loan information, the FTC rule says, " You have a reasonable basis to believe that mortgage information is lawfully made available to the general public if you have determined that the information is of the type included on the public record in the jurisdiction where the mortgage would be recorded." 16 C.F.R. § 313.3(p)(3)(iii)(A) (emphasis added). An "other person" like the AGO may not make this determination. As to phone numbers, the FTC rule says, " You have a reasonable basis to believe that an individual's telephone number is lawfully made available to the general public if you have located the telephone number in the telephone book or the consumer has informed you that the telephone number is not unlisted." 16 C.F.R. § 313.3(p)(3)(iii)(B). Simply put, only a financial institution can form the reasonable basis necessary to think that information is publicly available.
¶21 The FTC's final rule statement does not say why it chose this definitional route. See Privacy of Consumer Financial Information, 65 Fed. Reg. 33646. But its choice is consistent with the overall thrust of the federal regulations. The financial institution is allowed to scrutinize a consumer's information for what is publicly available and what is not because the financial institution already has the information, the consumer has consented to the situation, and the financial institution has a business incentive to respect its customers and be careful with their privacy. However, the vetting itself is an intrusion into a consumer's privacy. If a third party holding protected information were allowed to see whether some of the information is publicly available, the third party would have greater reason to rummage through the consumer's information. This would conflict with the carefully drawn limits on a third party's use and redisclosure of the protected information. See 15 U.S.C. § 6802(c); 16 C.F.R. § 313.10(a)(1), .11(c)-(d). Additionally, because a different set of laws might apply to third parties, more information could be inadvertently treated as public. For instance, under the AGO's interpretation, all of the information it controls would be publicly available because PRA requests are "[d]isclosures to the general public that are required to be made by Federal, State, or local law." 16 C.F.R. § 313.3(p)(1)(iii).
¶22 In sum, any information that meets the definition of "nonpublic personal information" cannot be recast as exempt publicly available information by the AGO. Only Ameriquest can form the reasonable basis to color the information that way, and nothing suggests that Ameriquest has taken the necessary steps.
c. Any list or grouping of consumers constituting nonpublic personal information?
¶23 Information included in a "list, description, or other grouping of consumers" is automatically protected if it is "derived using any nonpublic personal information." 15 U.S.C. § 6809(4)(C)(i); 16 C.F.R. § 313.3(n)(1)(ii). Even if some publicly available information is included in such a grouping, all of the information in the list or grouping is deemed nonpublic personal information. 15 U.S.C. § 6809(4)(C); 16 C.F.R. § 313.3(n)(2)(i). Here, any list, description, or other grouping included in the records at issue are nonpublic personal information because the AGO necessarily must derive the grouping using personally identifiable financial information, such as the fact that the consumer is or was an Ameriquest customer.
¶24 To summarize our conclusions thus far, the only disputed information that is not subject to the federal nondisclosure rules is "[i]nformation that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses." 16 C.F.R. § 313.3(o)(2)(ii)(B).
2. Does the GLBA or the FTC rule prohibit redactions or repackaging to yield solely public information?
¶25 The FTC rule tightly restricts what a nonaffiliated third party may do with the protected information that it receives. The third party may "disclose and use" the protected information only "in the ordinary course of business to carry out the activity covered by the exception under which [it] received the information." 16 C.F.R. § 313.11(a)(1)(iii). This use restriction recognizes that "consumers have a privacy interest in the initial use of their nonpublic personal information for the creation of aggregate data." Individual Reference Servs. Grp., Inc. v. F.T.C., 145 F. Supp. 2d 6, 38 (D.D.C. 2001). Here, the exception under which the AGO received the information from Ameriquest was the exception for a government investigation. 15 U.S.C. § 6802(e)(8); 16 C.F.R. § 313.15(a)(7)(ii). Public disclosures are not an ordinary part of an investigation. Thus, the AGO is not permitted to use any nonpublic personal information for purposes of public disclosure. We think "use" includes redactions and repackaging of information because the AGO is required to leave the information — and the consumer's privacy — undisturbed unless the AGO needs to use it in the ordinary course of business to carry out the investigation.
¶26 Chao v. Community Trust Co., 474 F.3d 75 (3d Cir. 2007), which contemplated redactions under the GLBA, is not on point. The Third Circuit reasoned that disclosures were permitted under the GLBA after redactions "because there would not be a release of personal financial information." Id. at 87 n. 6. However, the issue was a financial institution's disclosure of information to a nonaffiliated third party, not the use or redisclosure of that information by the third party. See id. at 84. As we have discussed, the "use" restriction of 16 C.F.R. § 313.11(c) imposes tight restrictions on what third parties can do with the protected information they receive. The financial institution might use protected information for redaction and repackaging, but the third party may not.
¶27 To be sure, blind data and identifier-free information may be disclosed because it is not protected information. 16 C.F.R. § 313.3(o)(2)(ii)(B). If some of the records here already contain information in that permissible form (for example, a memorandum analyzing the interest rates given to certain income groups, with no names or addresses included), then the AGO may disclose it because no additional use of protected information is necessary. Thus, the AGO may disclose blind data and identifier-free information if it has already been created.
C. Do any exceptions to the GLBA or the FTC rule apply?
¶28 The AGO's fallback position is the exceptions enumerated in § 6802(e) and 16 C.F.R. § 313.15. Because the language of the GLBA and the FTC differ somewhat, we address each in turn.
1. The GLBA exceptions
¶29 The GLBA prohibits nonaffiliated third parties from redisclosing nonpublic personal information "[e]xcept as otherwise provided." 15 U.S.C. § 6802(c). Relying on this language, the AGO argues that it can disclose nonpublic personal information pursuant to the GLBA exception for disclosures necessary "to comply with Federal, State, or local laws." 15 U.S.C. § 6802(e)(8). Because the PRA is a "State . . . law," the AGO claims it may disclose "to comply." Id. We disagree. The AGO cites the statute out of context.
¶30 To understand the meaning of the exception in § 6802(e)(8), one has to read it together with the introduction to subsection (e) this way: "Subsections (a) and (b) of this section shall not prohibit the disclosure of nonpublic personal information . . . to comply with Federal, State, or local laws." 15 U.S.C. § 6802(e)(8). And subsections (a) and (b), in turn, are the notice and opt-out requirements imposed on financial institutions. 15 U.S.C. § 6802(a)-(b). Therefore, the exceptions enumerated in § 6802(e) are not general exceptions available to whoever holds protected information. Rather, the exceptions describe the limited circumstances under which a financial institution may bypass the notice and opt-out provisions. Thus, the § 6802(e) exceptions do not give nonaffiliated third parties an unrestricted escape hatch from the nondisclosure rule of § 6802(c).
¶31 The AGO may invoke an exception under § 6802(e) only if Ameriquest could. Section 6802(c) allows the AGO's disclosure if "such disclosure would be lawful if made directly to such other person by the financial institution." By the terms of § 6802(c), the lawfulness of the disclosure is measured as if the financial institution were standing in the shoes of the nonaffiliated party. See Marks v. Global Mortg. Grp., Inc., 218 F.R.D. 492, 496 (S.D. W. Va. 2003) ("The language in § 6802(e)(8) permitting disclosure `to comply with Federal, State, or local laws, rules, and other applicable legal requirements' refers to the numerous federal and state statutes, rules, and legal requirements that regulate the financial industry."). Ameriquest could not disclose directly to Huelsman in order "to comply with Federal, State, or local laws," § 6802(e), because the PRA applies to only state agencies, RCW 42.56.010(1), .070(1). Thus, the AGO may not invoke this exception.
The Court of Appeals held that the exception for disclosures "to respond to judicial process," § 6802(e)(8), does not apply. Ameriquest, 148 Wn. App. at 165. The AGO does not challenge this holding, and we agree with the Court of Appeals that a public records request is not a "judicial process." 15 U.S.C. § 6802(e)(8).
¶32 The AGO could plausibly argue that Ameriquest, and therefore it, could disclose to Huelsman after obtaining the consumers' prior consent. 15 U.S.C. § 6802(e)(2). However, the FTC rule forecloses it.
2. The FTC rule exceptions
¶33 The AGO argues that the FTC rule broadens its access to the § 6802(e) exceptions. The AGO is incorrect; the FTC rule actually limits its access. The FTC's final rule says the "third party may also disclose and use the information pursuant to one of the section [(§ 6802(e))] exceptions as noted in the rule." Privacy of Consumer Financial Information, 65 Fed. Reg. at 33667 (emphasis added). The § 6802(e) exceptions are contained in 16 C.F.R. § 313.15, including the familiar exceptions of prior consent, 16 C.F.R. § 313.15(a)(1), and "[t]o comply with Federal, State, or local laws," 16 C.F.R. § 313.15(a)(7)(i). However, as with the GLBA, these are exceptions to the financial institution's duty to give notice and an opportunity to opt out, 16 C.F.R. § 313.15(a), and so the third party may invoke them only if the financial institution could.
¶34 The FTC rule includes an additional limitation on a third party's access to the exceptions. It provides that, when a third party receives the protected information under an exception, the third party may subsequently invoke an exception to redisclose the information only "in the ordinary course of business to carry out the activity covered by the exception under which it received the information." 16 C.F.R. § 313.11(c)(3). (This is the same part of the rule that limits a third party's use of protected information, as discussed above.) Thus, not only must the redisclosure be adjudged as if the financial institution were making it, but also the redisclosure is lawful only if done in the ordinary course of the third party's reason for possessing the information. Here, the PRA does not apply to Ameriquest, and so the AGO may not disclose pursuant to 16 C.F.R. § 313.15(a)(7)(i). Further, although Ameriquest could disclose with the consumers' consent, the AGO may not because doing so would not be in the ordinary course of the AGO's investigation. Thus, these exceptions to the FTC rule do not apply here.
D. Do the GLBA and the FTC rule preempt the PRA?
¶35 By force of the supremacy clause of the United States Constitution, federal law can preempt state law. Wash. State Physicians Ins. Exch. Ass'n v. Fisons Corp., 122 Wn.2d 299, 326, 858 P.2d 1054 (1993). Preemption principles apply equally when the federal law is a regulation promulgated by a federal agency rather than a statute passed by Congress. Fid. Fed. Sav. Loan Ass'n v. de la Cuesta, 458 U.S. 141, 153-54, 102 S. Ct. 3014, 73 L. Ed. 2d 664 (1982). Ameriquest argues that the PRA's disclosure rules are preempted so completely that none of the information that Ameriquest gave to the AGO may be disclosed. Ameriquest is incorrect.
¶36 Because there is no inconsistency with these federal laws and the PRA, there is no preemption. Both the GLBA and the FTC rule provide that they are to be construed as "superseding, altering, or affecting" a state law "only to the extent of [an] inconsistency." 15 U.S.C. § 6807(a); 16 C.F.R. § 313.17(a). Although the PRA requires state agencies to "make available for public inspection and copying all public records," the PRA provides an exemption to this disclosure requirement if there is any "other statute which exempts or prohibits disclosure of specific information or records." RCW 42.56.070(1). This other statute exemption avoids any inconsistency and allows the federal regulation's privacy protections to supplement the PRA's exemptions. We have held numerous other state statutes' disclosure prohibitions are thus incorporated into the PRA. See Hangartner v. City of Seattle, 151 Wn.2d 439, 453, 90 P.3d 26 (2004) (RCW 5.60.060(2)(a)); Progressive Animal Welfare Soc'y v. Univ. of Wash., 125 Wn.2d 243, 261-63, 884 P.2d 592 (1994) (ch. 19.108 RCW; RCW 4.24.580). We see no reason why federal law should be treated differently. We conclude that the GLBA (together with the FTC rule enforcing it) is an "other statute." RCW 42.56.070(1).
¶37 We recognize the PRA's rule of construction, which dictates that "[i]n the event of conflict between the provisions of [the PRA] and any other act, the provisions of this chapter shall govern." RCW 42.56.030. The only potential source of conflict that would call for a preemption analysis is the PRA's redaction requirement. The PRA requires redactions and disclosure of the rest of the record to the extent that exempted "information . . . can be deleted from the specific records sought." RCW 42.56.210(1). We see no conflict. While the GLBA and the FTC prohibit the AGO's redactions or repackaging of information, the PRA's redaction requirement applies only where "information . . . can be deleted." Id. Further, the PRA's "other statute" exemption allows for a separate statute to preclude disclosure of "specific information" or entire "records." RCW 42.56.070(1). Thus, the PRA makes room for an "other statute" that expressly prohibits redactions or disclosures of entire records.
¶38 As we have discussed, however, the GLBA and the FTC prohibit specific information, not entire records. These federal regulations are unconcerned with the containers in which the information is found. Thus, to the extent that a record contains unprotected information, the disclosure of which would not violate the GLBA or the FTC rule, the PRA is not preempted in requiring the record's disclosure.
III. CONCLUSION
¶39 For the foregoing reasons, we affirm on different grounds the Court of Appeals' holding that federal privacy laws apply to the disputed information in this case. To summarize our conclusions, the restrictions of the GLBA and the FTC apply to the AGO's disclosures of nonpublic personal information to Huelsman. Any information meeting the definition of "personally identifiable financial information" is nonpublic personal information that may not be disclosed, regardless of whether the information appears in loan files, e-mails, or the AGO's internal work product. Under the circumstances of this case, names, addresses, and phone numbers meet the definition of "personally identifiable financial information." Not only are these bits of information personal identifiers, but also their disclosure by the AGO would impermissibly reveal the fact that the individual is or has been Ameriquest's customer. Any information that meets the definition of "nonpublic personal information" cannot be recast as publicly available information by the AGO.
¶40 The only disputed information that is not subject to the federal nondisclosure rule is "[i]nformation that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses." 16 C.F.R. § 313.3(o)(2)(ii)(B). However, the GLBA and the FTC do not permit the AGO to newly redact or repackage the information in its possession to yield the blind data, aggregate information, and personal-identifier-free information that can be treated as public information. Thus, the AGO may disclose blind data and identifier-free information only if it has already been created.
¶41 The nondisclosure rules of the GLBA and the FTC rule are incorporated as an exemption to the PRA through RCW 42.56.070(1).
MADSEN, C.J., and C. JOHNSON, ALEXANDER, SANDERS, CHAMBERS, OWENS, J.M. JOHNSON, and STEPHENS, JJ., concur.