Financial Privacy Notices: Shorter is Better: Comments to the Interagency Meeting on Gramm-Leach-Bliley Short Form Notices

Advocacy Comments

Comments of the Privacy Rights Clearinghouse and Consumers Union

 

Presented to the Interagency Meeting on Gramm-Leach-Bliley Short Form Notices
February 25, 2004

 

Re: Interagency Proposal to Consider Alternative Forms of Privacy Notices under the Gramm-Leach-Bliley Act, 68 Fed. Reg. 75164 (Dec. 30, 2003)

 

Board of Governors of the Federal Reserve System
Joint Release Commodity Futures Trading Commission
Federal Deposit Insurance Corporation
Federal Trade Commission
National Credit Union Administration
Office of the Comptroller of the Currency
Office of Thrift Supervision
Securities and Exchange Commission

 

The Privacy Rights Clearinghouse (PRC) and Consumers Union (CU) appreciate the opportunity to participate in this discussion. We will offer additional comments in response to the agencies' Advance Notice of Proposed Rulemaking (ANPR) for the March 29th deadline (http://www.ftc.gov/opa/2003/12/privnoticesjoint.htm). The agencies, even without the authority to adopt the consumer-favored opt-in standard, have wide latitude through rulemaking to address the failures of the current notice procedures. That the agencies are willing to revisit this issue by proposing a short-form notice is an encouraging sign for consumer privacy interests.

 

Before turning to the key questions posed by the agencies for this meeting, we would like to briefly recap the PRC experience from consumer inquiries about privacy notices. In December 2001, at the Get Noticed Workshop, the PRC reported being contacted by about 2,500 consumers in the months prior to the July 1, 2001, deadline for Gramm-Leach-Bliley (GLB) Privacy Notices. The PRC observed a limited level of consumer knowledge and understanding of the privacy notices. One thing that stood out -- and something worth repeating here -- was that most consumers who contacted PRC learned about the privacy notices as a result of a media report, not as a result of having seen a privacy notice mailed to them by a financial institution.

The PRC no longer keeps a close count of consumers who e-mail or call us with questions about financial institutions' privacy notices. The numbers today do not come close to the 2,500 contacts reported in 2001. Still, records of PRC web site visitors tell us financial privacy continues to be a major area of consumer inquiry and concern. In 2003, about 2,500 visitors each month looked on our site for information about financial privacy. Most visitors looked at the PRC GLB materials, particularly those items that provide information on opting out.

 

Between January '03 and the end of October of '03, the most frequently downloaded file on the PRC's web site was the sample opt-out letter. The suggested opt-out letter was the second most downloaded file in November and December of '03. The e-mail message that surfaces around July 1 of every year -- the one that confuses the GLB opt-out with the pre-approved credit offer opt-out allowed by the FCRA -- prompted over 16,000 visits to the PRC site just before and just after July 1. This erroneous message generated numerous e-mails and telephone calls from consumers. The lesson to be learned from these figures -- one the agencies should keep in mind -- is that consumers are looking for ways to opt out.

 

Key questions:

  • What do you see as the goals of the notice for consumers, for businesses?

For consumers, the PRC and Consumers Union see three primary goals: (1) recognition, (2) understanding, and (3) a simple means for consumers to exercise their choices. Consumers should be able to immediately identify a privacy notice tucked among account statements, advertisements, or other required notices. Better yet, the notice should be mailed in its own envelope, although we realize that is not required by GLB.

Once identified, the message must be presented in simple, straightforward language. An example of the kinds of statements consumers can understand was offered in the July 2001 petition for revised rulemaking filed with the GLB agencies by a number of consumer organizations, including the PRC. The favored statements also are part of EPIC's written submission for this meeting.

 

Finally, consumers should be able to exercise their choices in an easy way. A simple mail-in form or a toll-free number are appropriate options. Complicated options for consumers will result in fewer consumers responding to the notices. For business, the goal should be not only to provide a notice that satisfies the legal requirement, but one that consumers can easily understand. Although practices may vary from company to company, the bottom line is always the same: Companies either share information with affiliates and third parties or not. Consumers either have the right to opt-out or they don't. The goal should not be, as many financial companies seem to have adopted, to use the required notice to market customers on the benefits of not opting out. Our ear to the ground tells us this approach has backfired, creating consumer distrust and skepticism about the true motives of information sharing.

 

The goal of business should be to repair the damage done by giving consumers direct answers, void of all marketing language. The only exception should be the financial institution's ability to highlight where its privacy policy exceeds the opt-out requirements imposed by GLB.

  • Would a short notice be useful to consumers, to business?

Yes. Simple forms will encourage consumers to read the notices and understand them. The result will be consumers making informed decisions in the marketplace. Forms that are complicated will be ignored by consumers, and Congress' intent to provide some privacy protections under GLB will be lost.

  • What are the key elements that should be in the notice?

From PRC and CU's experience, the thing consumers most want to know is how to opt-out as well as just what the opt-out means for them. Under the format now adopted by most financial institutions, opt-out information comes at the end of the notice. Consumers become discouraged or even bored trying to wade through lengthy, undecipherable text, often failing to see the opt-out choice.

 

The principles for a short form notice created by CDT and other consumer groups, the sample notices attached to the agencies' ANPR, and the notice now required in California under Senate Bill 1 (SB 1) all represent great improvements over the current system. Neither PRC nor CU has designed an ideal short-form notice for purposes of this discussion. However, here are some of the elements that should be included:

  • A statement, directly under the caption, that the notice is required by federal law. 
  • A focus on ways information flows and how to opt out for each category described. This should come directly under the caption. Other elements such as data collected should come later in the notice.
  • A checkbox to indicate whether the consumer does or does not have an opt-out choice for each category of data flow. 
  • Reduce all statements about choice to "opt-out." The phrase is sufficiently entrenched into the "privacy" vocabulary that an explanatory statement is not required. 
  • The consumer's ability to opt out or not should be reinforced throughout the short form notice. For example, in Appendix A of the ANPR the section captioned "We share information about you with" includes a statement, "if you wish us to stop sharing this information, follow the instruction in the attached opt-out form." This statement can be reduced to "To opt-out, return the attached form." Categories such as joint marketing, where the consumer has no opt-out, should clearly state, "You cannot opt out."
  • Standardized format for all financial institutions. 
  • Format for long form notice should conform to short form notice. 
  • Forms that are used by financial institutions should meet an established readability standard. The law in California requires that the forms sent to consumers meet a minimum Flesch reading ease score of 50. A similar requirement should be placed on these notices.
  • The envelope that contains the notices should be marked on the outside with a phrase such as "Important Privacy Notice Enclosed."
  • The input of people who specialize in simple consumer disclosures (readability experts) should be sought in this process.

The short form notice should be no more than one page, including the opt-out selection form.

  • Are you aware of any research or testing data that would be useful to the project?

The only data we are aware of consists of consumer attitude polls about information sharing as well as several studies that point out the inadequacies in the current notice procedures. The most recent studies we know of that look at the shortcomings in privacy notices are:

However, it's old news to say that consumer attitudes favor opt-in and that the current system of privacy notices is inadequate. A system that universally receives poor marks from consumers, public interest organizations, government officials, members of Congress, and the industry itself is simply not working. The question now - and a difficult one confronting the agencies - is what will work?

 

The closest research we're aware of that could form the basis for a new direction is found in papers presented at the December 2001 Workshop: one by the Privacy Leadership Initiative, presented by David Krane, and a survey by Mary Culnan and George Milne. The work represented in these papers is worth a fresh look. The themes could be expanded as a guide for directing further independent consumer testing. The agencies suggest in the ANPR that testing is necessary before a final approach is adopted. We agree.

The Krane paper, significantly, looked at not only consumer attitudes but also at consumer behaviors and experiences. Krane's survey found that eight out of ten consumers preferred a shorter privacy notice and seven of ten preferred a summary or checklist. Two-thirds of consumers felt it is important to be able to compare privacy policies with other companies. Krane's paper found that consumers perceive the most important component of a privacy policy is how to opt-out of third-party sharing. We believe expanded testing will prove consumers are equally concerned with affiliate sharing. Nonetheless, this finding is significant because it illustrates our belief that, above all, consumers want to know what their financial institution is doing with personal information.

 

The Culnan-Milne survey, although with a focus on online privacy policies, also looked at consumer behavior, particularly reasons why consumers would or would not read a privacy notice. This study concluded that one of the most important things a consumer wanted to take away from a privacy notice was to learn if the site shared information with other companies. Like the Krane study, the Culnan-Milne survey encourages shorter and simpler notices. The type of behavioral research conducted by the two surveys should be expanded for independent study. All parties seem to agree that a fix is needed. One of the most important questions to ask is why we have this glaring disparity between consumer attitudes and the poor opt-out response rate. The PRC, CU, and other consumer advocates are convinced that much of this "disconnect" is attributable to the nature of an opt-out as opposed to an opt-in scheme. However, even within the framework of opt-out, there is great room for improvement.

  • Are there particular principles or guidelines based on such research or testing that are useful to guide the agencies' development of notices?

Guiding principles for development of a revised procedure should be:

  • Consumers are concerned about financial privacy.

The key questions that deserve a simple answer are:

  • Whether and with what kinds of entities personal information is disclosed.
  • How to stop disclosure of information.
  • The reason data is disclosed to an affiliate or unrelated entity.  
  • The kinds of information disclosed.

The input of readability experts should be sought in this process.

  • Is there anything particularly good about any of the approaches or examples attached to the ANPR? Anything particularly poor?

Any of the samples of short form notices attached to the ANPR are a significant improvement over current notices. Many companies have demonstrated an effort to improve on earlier versions of privacy notices. Even so, we are aware of no privacy notice now being sent to consumers that demonstrates the same degree of simplicity as that set out in the examples appended to the agencies' ANPR.

 

Overall, PRC and CU believe the check box method provides the most direct approach. With a yes/no check-box, the consumer can see the entire universe of options and can get a general idea of how the financial institution stacks up with the "ideal." With an abridged form that is simply a shorter text-based approach, with key text highlighted in a boxed-format, the company can still use ambiguous words like "share" and "family of companies" to disguise its actual practices.

 

One shortcoming in all sample notices is that the examples still incorporate ambiguous language such as "sharing information." Depending on the company, the word "share" may incorporate a range of practices including shared databases as well as exchange, lease or sale of customer data. This is an important distinction and one that can sway a consumer to either opt-out or not. Use of the word "shared" to cover a range of practices does not give consumers adequate notice about a company's information handling practices.

 

To be "clear and conspicuous," a privacy notice must be direct about how information is used and for what purpose. Use of the word "share" to describe all data flow may even shed an unwarranted, negative light on a company's practice when consumers read the word "share" as simply a euphemism for selling or leasing information.

 

To give effective notice, the language must be straightforward. Words used to describe a company's practice should be carefully selected. Words should neither mask the reality of a company's actual information handling practices nor create an unwarranted negative inference when a company goes the extra mile for its customers' privacy. We also oppose the continued use of corporate "feel good" phrases such as "family of companies."

 

We strongly encourage the agencies and financial institutions, perhaps through a public-private partnership in cooperation with an academician who has expertise in research design, to conduct testing on a variety of sample short notices. Word selection and document format options need to be tested using rigorous research methodologies, including standard readability tests such as the Flesch Index as well as focus groups that test reader comprehension. The sample notices included in the Appendices of the Federal Register notice are a good starting point, but we recommend that additional samples be created for such testing. Feel free to contact the Privacy Rights Clearinghouse and Consumers Union if you decide to proceed with such a project. We will be pleased to assist in any way we can. Thank you for the opportunity to participate in the meeting with the agencies to discuss short notices.

 

Tena Friery, Research Director
Beth Givens, Director

Privacy Rights Clearinghouse
3100 - 5th Ave., Suite B
San Diego, CA 92103
Phone: (619) 298-3396
E-mail: bethg(at)privacyrights.org

 

Shelley Curran, Policy Analyst
Consumers Union

1535 Mission St.
San Francisco, CA 94103
Phone: (415) 431-6747
E-mail: currsh(at)consumer.org