Presentation by Beth Givens
California Bar Association
Annual Meeting, San Diego, CA
[Note: In the interest of time, a shorter version of this speech was given to the Bar Association. The excerpts that were omitted are marked with brackets.]
Presentation by Beth Givens
California Bar Association
Annual Meeting, San Diego, CA
[Note: In the interest of time, a shorter version of this speech was given to the Bar Association. The excerpts that were omitted are marked with brackets.]
I am Beth Givens, director of the nonprofit program the Privacy Rights Clearinghouse, located here in San Diego. We were established in 1992 and have a two-part mission: first, to educate consumers on ways they can protect their privacy; and second, to advocate for privacy protection laws, regulations, and industry practices in public policy proceedings such as legislative and regulatory hearings, as well as in industry conferences.
Our web site contains all of our consumer education publications - guides on how to get rid of junk mail and telemarketing calls, how to recover from identity theft, medical records confidentiality issues, Internet privacy and the like. The site also contains our public policy writings, such as speeches and legislative testimony.
Some of you may remember when we were a part of the University of San Diego Law School's Center for Public Interest Law. Since 1996, we have been affiliated with the local consumer organization UCAN, the Utility Consumers' Action Network.
The definition of privacy that guides our efforts is that of control. "Privacy is the [ability of individuals] ... to determine for themselves when, how, and to what extent information about this is communicated to others." (Alan Westin, Privacy and Freedom, 1967, p.7). Much of what I have to say about the shortcomings of the federal Financial Services Modernization Act, or Gramm-Leach-Bliley, deal with customers' inability to control how their financial-related information is used in a wide variety of situations.
My presentation will cover these topics:
a short explanation of of the Gramm-Leach-Bliley Act
the public opinion landscape - what the polls are telling us these days about consumers' concerns about threats to their privacy
the California Legislature's response to this federal law
what privacy advocates propose as a better approach
a bit about the political climate in the next two years
SUMMARY OF THE FINANCIAL SERVICES MODERNIZATION ACT
The new federal law, the Financial Services Modernization Act, enables three industries to affiliate under one corporate roof -- banking, insurance, and securities. The Act requires that banks and financial services provide an "opt-out" for customers to restrict the sale of personal information to third parties. But it gives no ability for customers to restrict the sharing of data between and among affiliates.
With the implementation of the Gramm-Leach-Bliley Act, we are looking at a radical change in the way personally identifiable information is collected and used in the marketplace. Think about it. We are talking about the ability of three mega-industries being able to merge their customer information, each of which alone holds extremely sensitive information. All of this information can now be merged into a single data base - without our consent.
I never assume that people understand the difference between opt-in and opt-out. "Opt-out" means that financial institutions can share or sell customer information without their affirmative up-front consent. If customers do not tell the bank to refrain from selling their data, such sale will go on indefinitely. "Opt-in" means that the default is set an "no sharing." The customer must provide consent before any personal data is shared.
THE PUBLIC'S FEARS ABOUT THREATS TO PRIVACY
What is the public opinion landscape? Do consumers really want such three-industry profiles developed without their consent? Polls and recent cases indicate No.
A 1998 AARP poll found that 81%, or 4 out of 5, consumers opposed internal sharing of customer data by affiliates. Only 10% supported it.
A 1998 Lou Harris poll found that 78% had refused a company their personal information for privacy reasons. 82% felt they had lost all control of their personal information. Overall, 90% said they are concerned about threats to their privacy.
A pre-millennium 1999 Wall Street Journal poll found that the number one issue of concern to those surveyed was privacy, outranking even terrorism, education and other burning issues.
Take a look at the uproar that has greeted the long form of the Census this year.
Also, look at the controversy that erupted with the merger of Doubleclick and Abacus, when their customer profile data bases were going to be merged without consent. Doubleclick is an Internet ad-placement company that captures the web-surfing patterns of millions of Internet users, on a mostly anonymous basis. It acquired Abacus, a company that compiles personally identifiable information about the mail order catalog purchases of 90 million households. Consumers have responded to the potential merger of the offline Abacus data with the online Doubleclick data with a firestorm of protest that has shaped public policy development and industry actions greatly since then.
Finally, a recent poll by the Pew Internet and American Life Project found that 86% of Internet users favor the opt-in approach.
In short, consumers want control over uses of their personal information. This flies in the face of the weak privacy standards of the Gramm-Leach-Bliley Act.
WHAT ARE THE CONCERNS? OF THE PRIVACY AND CONSUMER ADVOCATES
Industry representatives claim the privacy provisions of the federal law are far reaching and unprecedented. Granted, the amount of disclosure required of financial services industries is unprecedented. But that doesn't take away from the fact that consumers lack either an opt-in or opt-out ability to prevent the sharing of customer data shared between and among affiliates. I believe that the Gramm-Leach-Bliley Act is one step forward ... but many large steps backward. Allow me to explain.
Each of these industries -- banking, insurance, and securities -- compiles a tremendous amount of sensitive personal data from the transactions of its customers. Think for a moment about what can be determined about you from your banking and credit card data, especially for persons who use credit cards a great deal and engage in online banking - our payments for medical services, entertainment and recreation choices, political interests, charities we support, religious affiliation, and so on.
Consider insurance company records. They include your health conditions, potentially from cradle to grave. Life, automobile, and home insurance information are also highly revealing.
Records from brokerage firm accounts also say a great deal -- the extent of your investment assets, whether you are a conservative investor or take risks, perhaps even your affinity for get-rich schemes and your vulnerability to scams.
The sale of data without consent from any of these three industries could result in significant harm to consumers, much more than simply the aggravation of receiving unsolicited telemarketing calls.
Note the cases last summer and fall in Minnesota and New York, where their Attorneys General sued U.S. Bancorp and Chase Manhattan respectively for the sale of data to third parties contrary to their own privacy policies. In the Minnesota case, U.S. Bancorp sold customer data -- including account numbers and balances, types of accounts Social Security numbers, and phone numbers -- to a telemarketer, Memberworks. When Memberworks successfully sold a product such as a travel club to a bank customer, it automatically debited the account, which it was able to do because the account number had been provided. Many of those customers were not aware that they had given consent to have their accounts debited.
These are examples of abuses that can occur within a single industry when customer data is sold without consent. Now let's look at what can happen when two major financial services industries are allowed to affiliate -- the banking and the securities industries.
In 1998 Nation's Bank was fined nearly $7 million by the U.S. Securities and Exchange Commission for deceiving many of its bank customers into switching their stable savings into the more risky investments of its affiliated securities company. Many of these customers were elderly. They were not made aware of the implications of such decisions. In fact, many did not realize that they were stepping outside of the relative security of their bank accounts into an environment where they could lose their principal. Many incurred significant losses to their life savings.
At our own hotline, we have seen several cases like the Nation;'s Bank scenario involving a prominent bank in which unwary seniors were advised to switch their savings to riskier investments, and then incurred losses. Nation's Bank is not an isolated case. And the SEC investigation and fine has not stopped other banks from engaging in similar practices.
Another example of the kind of abuse that can occur when the boundaries between two financial industries are blurred is the sale of lead lists from brokerage customer files, also known as "sucker lists." Fraud investigators for the securities industry are well aware of this practice and the tremendous harm befalling the individuals, mostly elderly, who "bite" on these schemes and often lose everything.
[A securities fraud investigator recently told me about scams perpetrated on the elderly by "fraudsters" who learn they have sizable assets in their bank accounts. "Lists of names of people with liquid assets in the bank are very valuable, especially to fraudulent telemarketers," she told me. She described a a lawsuit against a man operating a fraudulent investment business who had a side business of selling 'lead lists.' He was getting about $200 a name for 'hot' leads. The senior citizens who have ready money in the bank and are lonely too often welcomes the friendly voice over the telephone. The fraud investigator concluded that the ability of banks to freely share such information about their customers with their affiliated securities firm, without the protection of an informed opt-in consent requirement, is a "major disaster waiting to happen."]
Given that backdrop, consumers are now faced with the merger of three industries, with only the most meager of privacy and disclosure requirements involving third parties. Banks and other financial services can share their significant storehouses of customer data with affiliated insurance companies and brokerage firms without any consent required, not even an opt-out.
I consider affiliate sharing to be no different than third party sale in terms of the final results. The fact that a law has been passed enabling the affiliation of these three industries does not somehow magically make the sharing of customer data between and among these industries benign and without harmful effect.
I have so far mentioned the confusion and fraud potentials that can result from affiliate data sharing. But I haven't yet talked about privacy implications of merging customer data across these three data-rich industries.
The profiling opportunities of combining such customer data are enormous. Now we are being told by industry that the kinds of products and services that will be offered as a result of the merger of their financial, insurance and securities data are so beneficial that no consent is required -- not the up-front opt in, or the after-the-fact opt-out. In this rosy scenario, no consideration is given to possible negative and harmful secondary uses of the data. I would submit that the kind of data that will be shared among banks, insurance companies and brokerage firms is equally as sensitive as the kind of data that would have been merged by Doubleclick and Abacus, in fact, for the most part, far more sensitive.
A basic privacy principle -- one that goes back a quarter century and is a cornerstone of the European Union's Privacy Directive -- is the secondary use principle. "Information that has been collected for one purpose shall not be used for other purposes without the consent of the individual."
Let me use an example from the world of supermarket club card data to illustrate secondary use. The Smith's Food chain, headquartered in Utah and operating in the Southwest, has a very successful discount club program whereby data on each and every purchase of card carriers are recorded. In a story documented in the Washington Post, the U.S. Drug Enforcement Agency subpoenaed the club card records of individuals they were investigating. They were not looking for large quantities of the over the counter medications that comprise "speed," as you might expect. But they were seeking large volume purchases of plastic baggies used, presumably, to package the illicit drugs and sell them on the street. You might respond that such a use is socially beneficial. But how many girl scout leaders buy large quantities of baggies to wrap the troop's sandwiches?
What is the moral of this story? Profiling does not always lead the profiler to the correct conclusion.
Will secondary uses of the rich profiles compiled about customers be found? I think we can count on it. Will customers be able to control which of those secondary uses they would allow? Certainly not within the corporate family of affiliated companies. And with only an opt-out required for third part dissemination of customer data, many consumers might not take the step needed to prevent those disclosures.
I'm currently reading an excellent book about the present privacy policy environment in the U.S. It's Jeffrey Rosen's The Unwanted Gaze: The Destruction of Privacy in America (Random House, 2000). Rosen is a professor of law at George Washington University. His main concern is the compilation of bits and pieces of information about us from disparate sources, taken out of context, and then used to form conclusions and make decisions about us.
He says:
Privacy ... protects us from being objectified and simplified and judged out of context in a world of short attention spans, a world in which part of our identity can be mistaken for the whole of our identity. (p.115)
In his book, Rosen frequently discusses the subpoenaing of Monica Lewinski's book purchases from a Washington, D.C., bookstore as an example of how such profiling can harm us. I have no doubt that the rich profiles compiled by merged financial institutions will be highly sought after in civil proceedings like divorces, child custody suits, business lawsuits, and the like, not to mention criminal investigations.
THE CALIFORNIA LEGISLATURE'S RESPONSE: OPT-IN LEGISLATION
I've discussed the public opinion environment of the Gramm-Leach-Bliley Act, and I've covered many of the objections of privacy advocates to this far-reaching measure. What was the legislative response?
The federal Act contained a provision enabling states to enact stronger privacy measures. And many state legislatures stepped up the plate with strong opt-in bills - requiring opt-in consent for both third party sharing and affiliate sharing. Roughly half the states introduced such bills.
Here in California, we had not one opt-in bill, but three. Remember, we have a strong tradition of consumer protection laws in this state. In addition, we have a strong right to privacy in our Constitution, one that has been interpreted to affect the private sector, as well as the public sector.
The three financial privacy bills were: Assemblymember Sheila Kuehl's AB 1707, Senator Jackie Speier's SB 1337, and Senator Tim Leslie's SB 1372. Leslie's bill is all the more remarkable because he's a Republican and the chair of the Senate Banking Committee.
The bills were somewhat similar. They required these provisions:
Disclosure by the financial institutions of information collected, what is done with the information, and how it is secured.
Opt-in consent for both third party and affiliate sharing of customer data.
The right of access to information and the ability to correct erroneous data.
An anti-coercion clause, stating that banks cannot condition on the receipt of service with the disclosure of customer information to affiliates and others.
Penalties for noncompliance, private right of action.
Of course exceptions were built into these bills for law enforcement access, child support enforcement and the like.
Such provisions are often referred to as the fair information principles - the building blocks of many privacy laws, not only in the U.S., but in the European Union, Canada, Australia, New Zealand, Japan, and Hong Kong.
The common principles are: disclosure, consent, access, correction, security, collection limitation, accountability, and secondary use restrictions. For example the federal Fair Credit Reporting Act of 1970 is based on the fair information principles. So is the federal Privacy Act of 1974.
These principles were first introduced in the U.S. in the early 1970s. They spread to the western European countries and became the foundation for their omnibus privacy laws, called "data protection" laws. The approach in the U.S. has differed significantly from the direction taken in the industrialized countries. Most countries have adopted omnibus laws, covering all aspects of life, whereas in the U.S. we have adopted sector-by-sector privacy laws. Examples are credit reporting, telemarketing, government records, video rental records, and cable television.
Our approach is characterized as a "patchwork" of laws. We are criticized by European Union (EU) countries for protecting video rental records, for example, more strongly than medical records. I will not discuss the protracted struggle between the U.S. and the EU countries over the lower privacy protection standards in the U.S. vis-a-vis the EU Privacy Directive.
Let me return to a discussion of the 2000 legislative session and what happened to the three strong opt-in bills. The short story is they were all killed because of strong and highly orchestrated opposition by the financial services industries. They combined forces nationwide by forming a group called the Financial Services Roundtable. Their representatives appeared at the hearings in all states where opt-in bills were introduced, including California. Even though 15 consumer advocacy organizations formed a loose coalition to support the three bills, we had nowhere near the people-power and funding to launch an effective campaign.
Senator Tim Leslie attempted to convert his bill into an opt-out bill, requiring an opt-out for both affiliate and third party sharing. But that measure did not gain the support of either industry or the consumer organizations.
[Before talking about what we can expect next year, I would like to address the main arguments that the financial industry made against the opt-in approach.
Business costs: The first is the cost to businesses of the opt-in approach. Industry representatives state that opt-in is too costly and will put up barriers to businesses that want to merge with each other and reach out to new customers. I ask, costly compared to what? These industries are currently very successful. There is no evidence that their current business models will not succeed in the future. What we are really talking about is that opt-in MAY mean their profits won't be as high as they could be if they have to take extra steps to inform customers of their consent actions. And I stress MAY. Remember this is the New Economy, the Internet Age.
Industry analysts also claim that the opt-in approach costs significantly more because companies will have to get permission from customers each and every time they want to share or sell their information. On the contrary: In an opt in environment, companies will have clear policies that are communicated to all customers in bill inserts, on their web sites, when customers are in one-to-one contact with company staff.
Further, when making the cost argument, industry fails to take account of the huge individual and societal costs that result from fraud and consumer confusion.
In addition, the cost of implementing the required Gramm-Leach-Bliley opt-out disclosure notices is going to be huge. Why would it cost any more to provide notice about the opt-in approach? FYI, I read in one report that banks think it will cost about $1 per customer to provide them the required notice of the Gramm-Leach-Bliley Act.
Besides, it may be that some cost is to be expected ... in order to be able to use customer data in a merged system ... in order to ensure consumer safeguards ... in order to allow the time for the marketplace to mature. I am not saying opt-in has to be forever. There may be a time when there will be enough consumer awareness to shift to an opt-out model.
Consumer convenience: A second industry argument against the opt-in requirement is the inability of affiliated companies to offer convenient and beneficial services to consumers.
Industry representatives have talked about the convenience of one-stop shopping, of merged statements, and of highly customized services. Granted, some customers are savvy enough about the pro's and con's of allowing the three industries to safely merge their customer data. But most, I would wager, are not.]
Let's think back to the results of telecommunications deregulation begun 15 years ago. The negative fallout from that process has been considerable consumer confusion and fraud -- for example, slamming and cramming.
I believe the marketplace must be allowed to mature before opt-out can even be considered to adequately safeguard consumer privacy. And given the sensitivity of one's customer data within the financial services industries, I am not sure that opt-out can ever be adequate, even with the most stringent disclosure requirements.
WHAT NEXT?
We are now at the end of the legislative year. No strong financial privacy bills made it to the Governor's desk. What can we expect next year and the year after?
Assemblymember Sheila Kuehl, who is expected to win her state Senate race, has said she will re-introduce her opt-in bill.
There has also been talk of a consumer privacy ballot initiative being introduced. But what it would look like is up in the air. If you remember nearly 30 years ago, it was a ballot initiative in 1972 that established our state's constitutional right to privacy in Article 1, Section 1 of the California Constitution. Given the very high poll numbers showing consumer alarm, even outrage, over the loss of privacy, a ballot initiative might have strong public support.
CONCLUSION
In closing, having a bank account is a necessity for most individuals. Consumers should not have to trade off their privacy in order to obtain much needed financial, securities, and insurance services. Because of the sensitivity of customer data as well as the potential for the data to be used in ways that are harmful to consumers, it is critical that strong opt-in and disclosure standards be passed into law for both affiliate and third party sharing.
Thank you for your attention.
