Unless you've taken measures to prevent it, financial institutions are passing around your Social Security number, financial records and personal information like old photos at a family reunion.

The information you've given banks, insurance companies and other financial institutions quietly fuels the modern financial services industry, where credit scores determine creditworthiness and customers are corralled into databases.

But the California Legislature may change all that. This week, the state's lawmakers will decide the fate of a landmark consumer-privacy bill from state Sen. Jackie Speier that would create privacy standards that exceed federal law.

"At issue here is who really has control of your personal information," says Tena Friery, research director of the Privacy Rights Clearinghouse, a nonprofit consumer advocacy site. "Once your bank sells your personal information to a third-party marketer or a telemarketer, that bank has lost all control over it, and it can be passed from one source to another."

Not only do financial institutions make millions of dollars by selling your personal information, they stand to make millions more by tailoring marketing pitches based on what they've found out about you from others. Credit-card mailings, promotional emails about mortgage products and telemarketer phone calls are the public symptoms of this widespread phenomenon.

It's more than an annoyance. As the flow of information has increased, so have the number of identity theft complaints. Last year, the Federal Trade Commission estimated that 750,000 people were victims of identity theft, a figure they expect to double by 2005.

The problem with federal regulation, according to many consumer groups, is that it doesn't provide strong privacy protections for consumers, something the California bill, called SB773, is attempting to remedy.

The Status Quo

Under current federal law, established in 1999's Gramm-Leach-Bliley Act, consumers must inform financial institutions if they don't want their personal information shared with third-party affiliates. Starting in July 2001, financial institutions became required to inform customers once a year of their information-sharing policies and provide customers with the ability to opt out of third-party information sharing.

But even if customers opt out, some financial information can still be shared. Within a financial services juggernaut like Citigroup ( C - Get Report), there is no way to prevent the company's credit-card unit from passing your financial information over to the salespeople in the mortgage department. And when banks create joint-marketing agreements among themselves, it's impossible to opt out under federal law.

"The California bill (SB773) would require financial institutions to get permission before selling or sharing your information with third-party affiliates," Friery says. "You'd 'opt in' to share information, which is the total opposite of federal policy. And when it comes to joint marketing and sharing with affiliates (within the corporation), you'd have the ability to opt out."

Under the proposed California law, consumers would gain greater control over their personal financial information, which supporters say will cut down on unwanted solicitations and curb some forms of identity theft.

The Cost of Privacy

Such consumer protections come with a price tag, however. The financial services industry will have to spend millions to comply with California's proposed regulation, just two years after the financial services industry spent millions to comply with Gramm-Leach-Bliley.

Furthermore, companies will lose revenue generated from their ability to sell and trade customer information at will.

"In California, they'd incur the cost of sending separate notices to customers. And in a back office sense, financial companies in California will have to significantly retool the systems to accept, track and manage customer preferences," says Michael Beresik, national director of privacy issues at PricewaterhouseCoopers. "Changing these systems to accommodate those requests is not easy or inexpensive."

Because California represents an enormous bloc of registered voters and wields tremendous economic influence, the legislation it passes could become the de facto national standard, upping the cost even more.

In 1998, California did just that when it passed a law designed to cut down on the amount of unwanted email computer users receive in their accounts. The law required adult entertainment sites to include the phrase "ADV:ADLT" in the subject line of emailed advertisements. Rather than delineate between California residents and nonresidents, many sites simply complied with California law.

"This could create a crazy quilt of legislation where the state with the harshest penalties sets policy for the whole country," says Christopher Wolf, a partner in Proskauer Rose, a law firm specializing in intellectual property. "I'm all in favor of privacy, but I don't think it should be legislated at the state and local level. If I'm an Internet merchant in Washington, I don't want to be subject to California's laws."

Will It Pass?

Before it adjourns on Friday, the California Legislature must decide the fate of SB773 and with it, essentially, a national privacy policy. Unlike last year, when a group of pro-business Democrats easily defeated the bill, this vote likely will come down to the wire.

"No one can tell if it will pass. The financial services industry has been pouring hundreds of thousands of dollars in lobbying efforts over the last few months," says Ken McEldowney, executive director of Consumer Action, a consumer group backing the bill. "But moderate elements may want to pass it to avoid even stronger legislation next year. And no one knows what the governor will do."

No matter what the outcome in California, the trend toward tougher privacy laws is something the financial services industry will have to grapple with. Last year, Vermont became the first state to pass an "opt in" regulation that supercedes federal law. In June, North Dakota voters approved a similar measure by a 3-1 margin.

Even if SB773 doesn't pass, a group of Californians led by E-Loan ( EELN) CEO Chris Larsen, called Californians for Privacy Now, is ready to put the issue to the test in a March 2004 referendum.

"We've set up the committee and I've personally funded it with a million dollars," says Larsen. "Privacy is an issue and will continue to be one. We believe that technology has moved ahead of legal protections and that is why this issue won't go away."