Opt-In to Financial Privacy

It's rare to get a news report from any source these days and not see or hear the words "consumer privacy." It's a hot topic that extends to virtually all aspects of modern life - the Internet, Census forms, medical information, supermarket discount cards... The list goes on and on.

Now, we face the question of consumers' rights to financial privacy, an issue that was brought to the forefront by recent federal legislation, the Financial Services Modernization Act, also known as the Gramm-Leach-Bliley Act. At the core of this, as well as most other privacy debates, is the issue of control of personal information. Who ultimately determines how personal information flows and how it is used - the individual who is the subject of the data, or the company that compiles that data?

The Gramm-Leach-Bliley Act (GLB) enables financial institutions such as banks to affiliate with insurance companies and brokerage firms under one corporate roof. A major incentive for these industries to affiliate with one another is the ability to share and intermingle their customer data. Industry representatives paint a rosy picture of the merged industries providing one-stop shopping for their customers, and offering benefits like consolidated statements and "total relationship pricing."

But they gloss over the profound privacy implications of the federal legislation. One's financial information can now be shared with the affiliated insurance company for use in making decisions about coverage and rates. Sensitive health information held by insurance companies might be shared with affiliated banking and brokerage firms. Moreover, comprehensive data profiles can be compiled by combining the customer data of the affiliated banks, insurance companies and investment firms, creating dossiers of unprecedented depth and specificity.

The federal law does provide some small degree of control to consumers. Financial institutions are required to provide customers an "opt-out" opportunity before selling customer data to unaffiliated third parties. But until and unless the customer says "no" to third-party sharing of their data, the bank is free to sell it.

However, the law says nothing about obtaining consent for affiliate sharing, leaving consumers no opportunity to prevent the compilation of detailed profiles of their sensitive financial, health-related and investment data.

Once this federal law was passed, California lawmakers were quick to introduce three financial privacy bills, now at various stages of the legislative process (AB 1707-Kuehl; SB 1337-Speier; and SB 1372-Leslie.) Under the original versions of all three bills, a financial institution cannot share or sell information without the consumer's affirmative consent -- the "opt-in" procedure -- for both affiliate and third-party sharing.

As of this writing, the Kuehl and Speier bills have been killed in committee hearings, the victims of strong industry lobbying. Sen. Leslie's bill has been amended to an "opt-out" requirement for both affiliate and third party sharing, and is continuing to make its way through the legislative gauntlet. (Update: Sen. Leslie's bill was also killed in committee.)

Many consumers feel strongly that information they must supply to a financial institution to open a bank account, get a car loan, a mortgage, an insurance policy or a mutual fund should be used for that one purpose alone. A 1998 AARP poll found that 81% opposed the sharing of personal financial information by corporate affiliates.

The information consumers must give to financial institutions is the sort that most people would never think to share, even with close family members, let alone strangers. This includes Social Security number, income, account balances, net worth, debt level, payment history, alimony or child support payments, and bankruptcies. Also included in a consumer's file may be incidental personal information such as health status, buying patterns, political affiliations, and charitable donations.

Granted, even if opt-in never becomes the law in California, some consumers will try to protect their privacy by following the opt-out procedures. Writing letters and filling out forms would be no easy task for a busy consumer who has, say, two major credit cards, several checking and savings accounts, a mortgage, a car loan, a couple of insurance policies and a brokerage account.

However, the more likely prospect, and no doubt what the industry is counting on, is that financial institutions will obtain implied consent because most individuals will simply not respond to the opt-out notices. Perhaps they are too sick, too tired, too confused, or just uninformed to respond to the opt-out notices.

To be sure, the issue of control does not end there. Even a well-intentioned, consumer-conscious financial institution loses control over how the information is used once it shares or sells its customer data. Industry can offer little to no assurance that information will not end up, for instance, in the hands of unscrupulous telemarketers selling fraudulent investments. This is a disturbing prospect given that one category of consumer unlikely to respond to all opt-out notices, the elderly, is a prominent target of deceptive marketing.

Nor do consumers have any assurance that the opt-out procedure will not increase the already rising tide of identity theft crimes, where minimal consumer information such as a name and Social Security number are sufficient to allow crooks to impersonate the innocent consumer.

If financial institutions want to share customer information with affiliates and third parties in order to provide improved services, let them make the case and enable individuals to choose for themselves how they want their sensitive personal data used.

Besides, common sense tells us that opt-in is the better choice even for businesses (as long as the company merely wants to sell its products and services and has no interest in making money off the sale of confidential customer data). Businesses could save millions of dollars by targeting only consumers who choose to opt-in, and who are genuinely interested in the products or services the company has to offer. That would return to everyone else the right to privacy, the right to control who knows what about us, and the right to be left alone.

Update, Sept. 2000: Although the three opt-in financial privacy bills did not gain passage in the 2000 legislative session, a more narrowly focused bill was signed into law by California Governor Davis. Assembly Bill 2797, introduced by Assemblymember Lou Papan, mandates that insurance companies shall not disclose an individual's medical or genetic information insurance for use in granting credit. (www.leginfo.ca.gov)

Authors note: Beth Givens (bgivens@privacyrights.org) is founder and director of the Privacy Rights Clearinghouse, a nonprofit consumer advocacy program based in San Diego, California. Tena Friery is a former securities fraud investigator, now research director for the PRC. Web site: www.privacyrights.org.

Copyright © 2000-2006. Privacy Rights Clearinghouse/UCAN. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse. This document should be used as an information source and not as legal advice. PRC documents contain information about federal laws as well as some California-specific information. Laws in other states may vary. Overall, our information is applicable to consumers nationwide.