Fact Sheet 24(c):
How to Shop for Financial Privacy

Copyright © 2001-2007. Privacy Rights Clearinghouse / UCAN.
Posted May 2001. Revised September 2002.




Have a Question? www.privacyrights.org/preinquiry.htm
Web: www.privacyrights.org

A new federal law, the Financial Services Modernization Act, enables banks to affiliate with insurance companies and brokerage firms under one corporate roof. These "financial supermarkets" are said to offer the promise of integrated services, lower costs, and new products.

But the law also has significant privacy implications. These new "financial supermarkets" can easily share customer data with one another by merging databases. The practice of affiliates sharing information is not new. But combining personal data from multiple companies means that customer profiles of unprecedented scope can be created from the merged databases of the affiliated companies.

In this new financial marketplace, it is more important than ever for consumers to shop carefully for their banks, credit card companies, insurance companies, and brokerage services. If you are concerned about your privacy -- how your customer data is used, merged and disclosed -- you will want to learn as much as you can about the privacy provisions of this new law, also called the Gramm-Leach-Bliley Act (GLB) after its Congressional authors. GLB became law in 1999 and was implemented in 2001.

The privacy provisions of GLB require companies that sell financial services to mail you privacy notices that explain:

  • How your personal financial and other information is collected.
  • How your information is used.
  • How you can opt-out, that is, say "no" to having your information shared, sold or otherwise disclosed to outside companies.

    However, the law does not require companies to ask your consent before sharing your data with their affiliates. Nor does the company have to get your consent before sharing your information with outside companies that have a joint marketing agreement with your company. Consumer advocates consider these exceptions to be a significant shortcoming of the GLB. We will explain this further below, when we discuss how to shop for financial privacy.

    Banks, credit card companies, brokerage firms, insurance companies, and other kinds of financial institutions must issue privacy notices annually. The American Bankers Association estimated that each household receives between 10 and 15 privacy notices each year. You only need to opt-out once. So, if you have taken advantage of your financial companies' opt-out provisions already, you do not need to do it again.

    Most financial institutions are in strict compliance with the privacy provisions of GLB. That is, they give you the right to opt-out if their practice is to share information with outside companies. But some are going beyond the law's requirements by offering stronger privacy protection than the law requires. This guide will help you shop for financial privacy by explaining how you can recognize those companies that go the extra mile.

    Here are a few "extras" to look for in the privacy notices you receive. If the company's privacy notice includes one or more of these provisions, it is giving you more privacy than is required.

  • The company does not sell your customer data to outside companies, even though the law says it can.
  • The company makes it easy for you to opt-out by providing a check-off form and a postage-paid envelope.
  • The company provides a toll-free number with "live" customer service representatives to record your opt-out preferences.
  • The company gives you other opt-out choices such as the ability to stop data sharing among affiliates and joint marketers. If you do not want your customer information to be merged to form comprehensive data profiles, this provision is particularly important.
  • The company has specific procedures for handling your medical information.
  • The company uses clear language with specific examples of terms.
  • The company offers to give you its privacy notice in a language other than English.
  • The company invites you to review your records and correct inaccurate information.
  • The company gives you additional privacy tips. For example, it tells you how to remove your name from national mailing lists, telemarketing lists, and lists for pre-approved offers of credit.

    Be warned: Most privacy policies are not written in language that is easy to understand. It is not always clear that the company is actually going beyond the requirements of the GLB. The following sections describe how you can determine how privacy-friendly your financial institution is.

    Does the company sell your information?

    GLB does not prevent a company from selling a customer's personal information to outside companies (usually referred to in notices as third-party nonaffiliated companies). The law only requires the company to tell you about its policy and the way you can opt-out. If you do not opt-out, the company is free to sell, lease or otherwise disclose almost anything in its files about you -- except your account number and other means of access to your account, such as PIN numbers.

    So, if a company's privacy policy says it does not sell information to outside companies, it is going beyond what the law requires it to do. In this situation, you will probably not be given a form to fill out or a toll-free number to call. That is because you do not need to opt-out. This may be an important consideration if you fear your income, account balances, purchase history, and other customer data will end up in databases that create comprehensive profiles about you.

    Does the company make it easy to opt-out?

    Companies are only required to give you a "reasonable" way to opt-out. You usually have a choice of:

  • Sending a letter to a specific address.
  • Calling a toll-free number.
  • Opting out online, if that is how you normally do business.

    If you want to opt-out by mail, you must usually write a letter and pay for the postage. Unfortunately, companies are only required to give you an opt-out address. However, some companies make things easier by attaching a check-off form. But beware that some check-off forms ask you to include your Social Security number (SSN) and account number. If the company asks you to include such information on a postcard form, find out if the company will accept the form inside an envelope or by providing only the last four digits of your SSN.

    A few companies even provide a postage-paid envelope. This goes beyond what companies have to do. Many, but not all, provide a toll-free number to call. And some provide an e-mail address or web site for opting out.

    Does the company give other opt-out choices, such as an opt-out for affiliate sharing?

    Most companies freely share personal information with their affiliated companies, that is, companies under common ownership. The only chance you have to prevent information sharing among related companies is to opt-out under another law, the Fair Credit Reporting Act (FCRA). Notice of your right to opt-out under the FCRA is likely to be included with the GLB privacy notice you receive.

    The FCRA says you can say "no" to having a company share "creditworthiness" information among affiliates. This simply means you can prevent sharing of how you pay your bills (on time, late, never) and what your credit score is.

    However, the FCRA does not give you the ability to prevent your most sensitive "transaction and experience" data from being shared with affiliates. Where you shop, your purchase history, the charities you support, your religious affiliation, the political candidates you support, the medical facilities you use, your entertainment choices - in short, where you write checks and use credit cards - can all be disclosed to company affiliates. Some banks have well over 1,000 affiliates.

    Some companies give you the opportunity to tell them you do not want to get offers from them or their affiliate companies. If you are tired of receiving unsolicited offers from your bank, look for a telephone number or address in the privacy notice to opt-out of such marketing offers. The notice might also give you the choice of opting-out of all sharing of information among a company's affiliates. This is an especially important provision if you want to limit the customer information that is compiled in data profiles.

    Some companies go a step further and provide information about how to stop unwanted offers that do not come under the GLB Act. For example, the privacy notices you receive may give you the address to remove your name from national mailing lists, telemarketing lists, or lists for pre-approved credit offers. (See PRC Fact Sheet 1, "Privacy Survival Guide," www.privacyrights.org/fs/fs1-surv.htm.)

    Does the company tell you how it treats medical information?

    The GLB covers information in the files of financial companies. You may not think your bank would have medical information about you in its files. But, it certainly could -- if it were to receive information from its affiliated health insurance company, for example, or were to take note of your checks or credit card payments to medical facilities.

    Unfortunately, GLB does not give consumers any special protection for medical information. Remember, the merging of these giant industries -- not privacy -- is the main purpose of GLB.

    Medical information, like almost everything else about you, can be shared with outside companies unless you opt-out. You have almost no ability to limit access of your medical information among affiliated companies. The privacy notices of a few companies say they limit the use of your medical information with outside companies. Some also say they limit access of medical information among affiliates - although they are not required to do this. Most privacy notices don't mention medical information at all.

    Some state legislatures are stepping in to protect medical information. In 2000, the California Legislature passed a law that prohibits an insurance company from disclosing information to a financial institution for the purpose of granting credit (California Civil Code 56.26). The GLB insurance regulations adopted by each state might also give you more rights to medical privacy.

    Does the company use legalese or straight talk?

    Federal regulations do not require a company to tell you exactly what kinds of information it collects or discloses. The company only has to tell you the categories of information, with examples of each category.

    For instance, all companies collect "application information," that is, information you provide when opening an account or applying for a loan. Privacy notices from some companies might simply state that they obtain application information from you - without explaining what that means. That is an example of legalese, not straight-talk. Other companies spell it out and tell you the information you supply on an application could include your name, Social Security number, date of birth, income, debts, and so on.

    Another example of legalese is the term "nonpublic personal information." Most of the privacy policies we have examined do not describe what this means. Nor do they clearly explain the opposite term, "publicly available information." (See PRC Fact Sheet 24a for an explanation of these terms, "Financial Privacy: How to Read Your 'Opt-Out' Notice," www.privacyrights.org/fs/fs24a-optout.htm.)

    Does the company offer to send you a privacy notice in your own language?

    For most English-speaking consumers, privacy notices are, at best, difficult to understand. This means that important rights and choices are easily overlooked. For non-English speaking customers, exercising the rights to privacy is nearly impossible since companies are not required to give notices in languages other than English. But some companies provide notices in other languages. If your company offers to send you its privacy policy in your own language, it is going beyond what the law requires.

    Does the company invite you to correct inaccurate information?

    GLB says nothing about your ability to look at the contents of your financial files. Nor does GLB say anything about your right to correct inaccurate information. A few privacy notices state that the company wants to make sure you can correct anything in your file that is wrong.

    It is a good idea to review your file, especially if you have disputed erroneous data that has been disclosed to a credit reporting agency (CRA). For example, your bank's records might show a series of late payments on a credit card that you have disputed with a CRA. If the CRA investigated and found that the entry should be removed from your credit report, it should also have been removed from your bank's records. If your bank continues to sell or share this erroneous information with outside companies (or even shares it with its own affiliates), your credit score and ability to get credit could be adversely affected.

    What can you do if you don't like your company's privacy policy?

    If you are not satisfied with your company's privacy policy, we recommend that you write the company and complain. Of course, your opt-out is another way of telling the company you do not like its information-sharing policy.

    Your letter of complaint and opt-out vote alone will probably not be enough to make a change. However, if enough people write and if large numbers choose to opt-out of information-sharing, companies with minimal privacy protections may be forced to change their policies or lose consumer confidence and loyalty. Keep in mind, GLB does not prevent companies from adopting more consumer-friendly policies.

    Of course, you can also vote with your feet. Privacy may be important to you. If you have a choice of dealing with a company that does not sell your personal information or one that does, this might be a key factor in deciding where to keep your accounts.

    We also recommend that you complain about your lack of financial privacy to your state and federal legislators. Let them know that you want laws to require financial institutions to more adequately safeguard your privacy. The reason the privacy provisions of the GLB are weak is that financial industry representatives heavily lobbied members of Congress. But the GLB does not prevent state legislatures from passing stronger laws. You may want to contact your state legislators as well.

    In 2000, about half the states considered measures that would have strengthened the GLB. Each of these bills was defeated by strong industry lobbying. The only way stronger privacy laws will be enacted is if large numbers of consumers contact their elected representatives.

    How you can help us monitor the opt-out notices

    The Privacy Rights Clearinghouse is collecting as many financial privacy notices as we can. You can help us by sending the opt-out notices that you receive, or a photocopy of those notices. Please mail them to the address listed at the top of page one.

    We are also interested in knowing if you have difficulty opting out. Was the toll-free number difficult to use? Were instructions unclear for mailing your opt-out preferences? If you use an online financial service, were you able to opt-out by e-mail or the company's web site? Contact information is provided at the top of this fact sheet.

    RESOURCES

    Other PRC Financial Privacy Fact Sheets:

    Fact Sheet 24. "Financial Privacy in the New Millennium: The Burden Is on You,"
    www.privacyrights.org/fs/fs24-finpriv.htm

    Fact Sheet 24(a). "Financial Privacy: How to Read Your 'Opt-Out' Notices,"
    www.privacyrights.org/fs/fs24a-optout.htm

    Fact Sheet 24(b). "Take the Cloze Test: Readability of a Financial Privacy Policy,"
    www.privacyrights.org/fs/fs24b-ClozeFinancial.htm

    Fact Sheet 24(c). "How to Shop for Financial Privacy,"
    www.privacyrights.org/fs/fs24c-ShopFin.htm

    Fact Sheet 24(d). "Frequently Asked Questions About Financial Privacy,"
    www.privacyrights.org/fs/fs24d-FinancialFAQ.htm

    "Lost in the Fine Print: Readability of Financial Privacy Notices," by Mark Hochhauser, readability consultant
    www.privacyrights.org/ar/GLB-Reading.htm

    Fact Sheet 6. "How Private Is My Credit Report?"
    www.privacyrights.org/fs/fs6-crdt.htm

     

     
     

    Copyright © 2001-2007. Privacy Rights Clearinghouse/UCAN. For distribution of this fact sheet, see our copyright and reprint guidelines. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse. This fact sheet should be used as an information source and not as legal advice. PRC fact sheets contain information about federal laws as well as some California-specific information. Laws in other states may vary. Overall, our fact sheets are applicable to consumers nationwide.

    Privacy Rights Clearinghouse, 3100 - 5th Ave., Suite B, San Diego, CA 92103. Web: www.privacyrights.org