"Because we value your privacy.. we may sell your personal financial information." Does this make sense? Of course, not. But, that is precisely the message many banks and other financial companies are now sending to their customers. However, this message -- blurred by fine print, big words, long sentences and marketing jargon -- is far from clear.
The Financial Services Modernization Act (also known as Gramm-Leach-Bliley or GLB) requires banks and other companies that provide financial services and products to tell their customers how financial and other data is collected, the kinds of data collected. Companies must also tell consumers how to opt-out, that is say "no" if the company sells, leases or otherwise discloses personal information to outside companies (third party non-affiliates).
Notices are now arriving in the mail, with many more to come by July 1, 2001. Whether the privacy notices accomplish what they were intended to do hinges on two big questions: Will consumers recognize the notices among the daily deluge of advertisements? Even if they do, will they be able to understand what companies are actually saying? If the notices that have come out so far are any indication, the answer to both questions is a resounding "no."
Clear and Conspicuous
Federal regulations require banks and other financial companies to make the notices "clear and conspicuous." Notices are supposed to be prepared "in a manner designed to draw attention to the significance of the information contained in the notice." Congress also said the notices had to be written in "plain language." Other than this vague bit of guidance, the government left the form of the privacy notices up to each company.
Companies are certainly expert in techniques that draw attention to mailings. How many solicitation do we get with" Urgent" or "Important" or "Open Immediately" splashed in large, bold type across the envelope? The purpose of this is, of course, to grab consumers' attention. They know how it's done. But, the privacy notices -- which really are important, urgent, and need to be opened immediately - come stuffed in envelopes along with account statements and advertisements.
Furthermore, many companies seem to believe that privacy notices are made "clear and conspicuous" by simply omitting any references to the fact that the notices are required by law. If a company really wants a consumer to understand the significance of the privacy notice, it should use a caption such as "You Have the Following Legal Rights to Protect Your Privacy."
Plain Language without Plain Meaning
Ironically, while most companies shy away from references to consumers' legal rights, privacy notices are filled with words and phrases taken directly from federal regulations. For example, a privacy notice could say "We compile and may sell or lease a list of the checks you write and all the credit card charges you make." But, consumers will never see such a straightforward statement. Instead, notices are much more likely to say "We may share experience and transaction information with third-party non-affiliates."
To say information about checks and credit charges may be sold gives consumers at least a fighting chance at understanding the kinds of data that may be at stake. A profile of checks and credit charges might include payments for political contributions, medical bills, religious and charitable donations, entertainment choices, travel activities, and more. The words "experience and transaction," although ordinary enough, don't begin to describe the degree of personal information involved.
Because We Like You
What's worse, most companies have used their legal obligation as just another marketing opportunity. Many notices begin with a phrase like "Because you are a valued customer . . ." or "In order to provide you with better products and services . . ." or "Because we respect your privacy . . . we are sending you this notice of our privacy policy."
Lead-ins of this sort do nothing to help consumers understand the minimal privacy rights they have. Such declarations of goodwill may even discourage consumers from reading further into the notice where the gist of the company's policy is hidden. Companies that want to combine a bit of marketing along with their obligation to consumers would do better to point out how their policy goes beyond what the law requires or allows. This is something consumers understand.
"As Permitted By Law" - A Phrase Loaded with Unexplained Meaning
If a company does not sell personal information to outside companies, the privacy notice is likely to so say in very specific terms, e.g. "We do not sell information to third party non-affiliates." However, if a company does sell information to outside companies, the message is often so blurred that the consumer is left to guess. Do they sell my information or don't they? A company that sells consumer information outside its own corporate structure, may say, "We share information with third-parties as permitted by law." What does this mean?
To "share" information as "permitted by law" may mean one of two things: It could mean that information is shared with outside companies that provide services such as check printing services. Or it could mean that information is shared with joint marketers. These are exceptions to the consumer's right to opt out, and consumers have no control over how a company uses information for these two purposes.
On the other hand, "as permitted by law" also could mean the company actually sells information, a practice that is "permitted by law" unless the consumer opts-out. Companies should say what they mean. For example, "We share information with companies that provide a service for us or companies that have entered into a joint marketing agreement with us."
If the sharing of information does not stop there, companies should plainly say "Unless you opt-out, we are permitted by law to sell, lease, share, or otherwise disclose your personal information to outside companies. This is our practice."
Consumers Deserve Straight Talk and More to Show for Their Money
A tremendous amount of time and money has been spent to develop and send out the privacy notices - costs that will inevitably be passed on to consumers. Polls show most consumers are concerned about privacy. A low response rate doesn't mean the polls are wrong. It simply means financial companies have failed in what they were supposed to do - use plain language to inform consumers of the significance and consequences of not opting out.
Look at it this way: If GLB had required the strong privacy standard of "opt-in" (no consumer data sold without permission), you can rest assured that the privacy notices would have been written in crystal clear prose, extolling the benefits of enabling the financial companies to compile, profile and sell or share customer data. Further, financial institutions would likely provide incentives for customers to allow their personal data to be shared or sold with affiliate companies and third parties - perhaps six months of fee-free service, or a round-trip airplane ticket. That way, consumers would at least get some benefit from the free flow of their personal information.
Yes, our elected officials got it wrong, and we are paying the price by having to decipher egregiously complicated privacy notices that give us limited rights to privacy. The least consumers can do is take advantage of these opt-out rights as a way of letting financial institutions know that we value our privacy - even if they don't.