Privacy Rights Clearinghouse
Comments of the Privacy Rights
Consumer Financial Protection Bureau
Proposed Policy Statement on the Disclosure of Certain Credit Card Complaint Data
Docket No. CFPB-2011-0040
Submitted January 30, 2012
Privacy Rights Clearinghouse (PRC) appreciates the opportunity to comment on the Consumer Financial Protection Bureau's (CFPB) Proposed Policy Statement addressing its disclosure of credit card complaint data. PRC is a nonprofit consumer privacy education and advocacy organization. We serve consumers nationwide, and have invited individuals to contact us with their privacy complaints and inquiries for almost twenty years.
In January 2012, PRC launched an online complaint center to streamline the process by which individuals communicate with us. Our new online complaint center helps PRC to effectively address consumers' issues or put them in touch with third parties. We believe that our experience as consumer-facing privacy advocates may be helpful to CFPB in developing its policy surrounding consumer complaint data.
PRC fully supports the CFPB's goal of maintaining transparent complaint data while respecting the privacy of the individuals who submit complaints. A database that contains non-personally identifiable information from consumer complaints and issuer responses will be valuable to the public and policymakers on both an individual and aggregate level. At present, the CFPB proposes to include the subject area of the credit card complaint; the issuer; the consumer's zip code; the date of the complaint; and whether and how the issuer responded.
The Proposed Policy Statement says that the database's content will not necessarily be limited to the fields listed above. Leaving open the possibility of adding data fields to the public database gives CFPB flexibility to add richness to the data it provides to the public. In fact, we fully advocate that the CFPB make data publicly available on a more granular level in the future.
However, we often find that individuals are hesitant to give out information when they are not sure exactly how it will be used or disclosed. If the CFPB anticipates making additional data fields public after an individual has submitted a complaint, it should make the individual aware of that possibility. For instance, early in the complaint-submission process CFPB could make it clear that certain information an individual provides will never be made public (and list each of those categories), but that other data may be made public in the CFPB's discretion. The CFPB may also want to consider allowing individuals to choose to add granular detail to the information they provide.
CFPB's Proposed Policy Statement also says that the fields for each complaint will be linked with a unique identifier. The Proposed Policy Statement does not state how this will be generated, but we must emphasize the importance of generating this identifier randomly so that there is no increased chance of the public tying an individual to a complaint.
The CFPB states that it does not intend to publish the narrative portions of consumer credit card complaints in a public database without conducting further study. We believe that allowing public access to as much data as possible, without compromising the privacy of those who submit the complaints, will be beneficial to consumers as well as other stakeholders like NGOs, policymakers and academics. It is exceedingly important that the CFPB craft necessary processes and precautions prior to making narrative fields available in a public database. It may be helpful for the CFPB to first study a large sampling of narrative sections of the comments it receives to determine the uniqueness of the content and how much identifying information individuals include.
For example, PRC receives many complaints that are general in nature, have similar facts to numerous other complaints we receive, and are easily resolved with a straightforward answer. Though we do not publish individual complaints for the public to access, we typically create FAQ resources on our site based on common questions we receive.
However, with the recent launch of our online complaint center and the process by which it walks individuals through the complaint process, we are noticing an increase in the number of extraordinarily detailed and unique complaints that we receive. Most of these recent complaints would be inappropriate to share with third parties without the individual's express consent or heavy redaction or summarization by a PRC staff member. We have been forced to adapt our internal processes to account for the elevated quality and quantity of the complaints we receive, and recognize that the CFPB will likely have to do the same as it receives greater numbers of complaints and also makes those complaints more accessible to the public.
PRC signed on to Consumer Action's comments to the CFPB, and we support their proposed approach to sharing narrative data. Below, we detail a few relevant precautions and processes PRC follows to protect the privacy of individuals who contact us with their privacy questions and complaints, and we recommend some issues that the CFPB may want to consider.
We recognize that PRC's complaint center differs from CFPB's complaint center in many respects. Our focus is not as narrow, we receive a fraction of the complaint volume, and we do not engage in dispute resolution. However, we do follow some general processes and take some precautions that may be relevant.
In the beginning of the complaint-submission process, PRC offers individuals the chance to tell us whether and with whom they would be willing to share their complaint. They can choose to share with the government, the media, a lawyer, or nobody. When an individual chooses "nobody," a PRC staff member attempts to address the complaint, but does not contact third parties on the individual's behalf or volunteer specific information about the complaint to a third party. If an individual chooses the government, the media or a lawyer, a PRC staff member will still respond to the inquiry, but will also submit to the appropriate government agency, and to a lawyer or media outlet if one is interested.
After an individual has entered his or her email address, and has had the chance to voluntarily submit additional contact information, the individual sees a warning screen prior to entering the narrative portion of the complaint. The text on the screen says "Important! DO NOT include any personally identifying information from this point forward." We offer a Why? button that an individual may roll over to receive the explanation that we do not need any additional information to process their complaint. We also provide examples of personally identifying information on this screen. Prior to writing a detailed description of their complaints, we prompt individuals to enter their own heading (100 characters maximum). Individuals also have the option to tag their own complaints. Both of these features allow PRC additional options for characterizing complaints, and are elements that are easier to share with the public
As stated above, we fully support the CFPB's goal to make as much data as possible public while respecting individuals' privacy. We also believe that Consumer Action's comments provide a viable option especially in light of the heavy volume of complaints the CFPB receives and may receive in the future. Prior to publishing narrative data in the "Describe what happened so we can understand the issue" and "What do you think would be a fair resolution" fields for public use, we believe the CFPB should consider the following:
The CFPB should determine how complaints submitted prior to the date narrative data is published will be handled. Will narrative fields retroactively be made public? If so, CFPB must consider how it will communicate these changes to or get consent from any individuals to whom it may apply. Another issue that arises from this is the need for a data retention policy.
Will the CFPB ask for permission prior to publishing narrative data, or will it disclose that the data will become public prior to submission?
Will the CFPB warn individuals that they must not include personally identifiable information in the narrative fields prior to submitting a complaint? How? For instance will the CFPB use a warning screen, require an individual to agree that he or she has not provided any personally identifiable or sensitive information in the public narrative field, both, or neither?
How does CFPB plan to mitigate the risk of publishing personally identifiable or sensitive information from its end? Will there be an automated function that scans entries for personal or sensitive information, will CFPB personnel review and redact complaints, both, or neither?
In conclusion, we applaud the CFPB's efforts, and believe the Bureau serves a vital role in consumer protection and education. By taking the proper precautions while being as transparent as possible, the CFPB's complaint tool will not only help the individuals who submit complaints, but will also serve the public at large and policymakers.
Beth Givens, Director
Privacy Rights Clearinghouse
 The text of this button reads, "We don't need any more personally identifying information to process your complaint and it is NEVER a good idea to submit sensitive information unless it is needed."
 The examples of personally identifying information we provide are: first and last names, credit card numbers, Social Security numbers, driver's license numbers, and personal information about other individuals.