Submitted to the following agencies:
U.S. Office of the Comptroller of the Currency
Federal Trade Commission
Federal Deposit Insurance Corporation
Federal Reserve Board
Office of Thrift Supervision
The Privacy Rights Clearinghouse is a nonprofit consumer information and advocacy program, established in 1992. We are affiliated with the Utility Consumers' Action Network (UCAN), a non-profit consumer advocacy group established in 1984 and based in San Diego, California.
The PRC and UCAN jointly administer a consumer hotline. We have occasion to talk directly with a wide variety of consumers on a broad range of privacy-abuse and fraud-related matters. Many of those callers are elderly. We take this opportunity to comment on the proposed joint regulations to be promulgated pursuant to the Gramm-Leach-Bliley Act (G-L-B Act or Act) because we believe the anti-consumer nature of the Act's "opt-out" provision will most adversely affect those who can least afford it: the elderly. In addition, we believe that the Act's broad exemption for data sharing among affiliates will adversely affect all consumers, and the elderly in particular. Although many of our comments, below, are specific to the impact of the Act on the elderly, we believe they pertain to all consumers.
As you are no doubt aware, California, among other states, has proposed legislation that would prevent financial institutions from sharing confidential financial information with unaffiliated third parties without first obtaining the consumer's affirmative consent. In other words, California and other states are considering the so-called "opt-in" procedure. Both the PRC and UCAN have written to those California legislators who have proposed the more consumer-protective procedures to express our support for "opt-in" legislation, and for restrictions on, or at least full disclosure of, data sharing among affiliates.
In doing so, we related the experiences of three elderly UCAN members who were the victims of indiscriminate and unauthorized sharing of information by a bank with its affiliated securities brokerage and insurance entities. In short, elderly depositors who had certificates of deposit and other limited-risk investments were referred to a bank's affiliated securities broker-dealer and ended up with risky investments that lost money. This was all without a clear understanding by the depositors that they were not dealing with bank employees and that the product they purchased was not a bank product.
As our experiences demonstrate, even information sharing among affiliates can be harmful unless consumers receive affirmative notice of the nature of the business that received the information in addition to the nature of the product being marketed. We welcome those provisions in the proposed regulations that require financial institutions to identify the types of businesses engaged in by affiliates and unaffiliated third parties to whom they disclose confidential data. However, we believe that the G-L-B Act and the proposed regulations do not go far enough in protecting unwary consumers from direct marketing by affiliates who may sell products that are more risky than those offered by the financial institution the consumers do business with. The inability of consumers to "opt-out" of data sharing among affiliates exposes consumers to the kinds of marketing abuses suffered by our three elderly UCAN members.
Moreover, by placing the burden of "opting-out" on the consumer instead of requiring financial institutions to obtain affirmative consent before disclosing confidential information to unaffiliated third parties, the Act ensures that large numbers of consumers will unwittingly have their confidential data subject to nearly unlimited exploitation. Once the "opt-out" provisions of the federal Act become effective, consumers will lose all control over the sharing of information with any entity to which the financial institution chooses to disclose confidential financial information. This situation, we believe, will only lead to widespread sharing of information with unscrupulous telemarketers. We believe the government's experience will confirm that a disproportionate number of victims of fraudulent telemarketing are the elderly.
We recognize that regulations promulgated pursuant to the G-L-B Act must be written within the parameters dictated by the Act. However, to the extent the joint agencies' rulemaking allows for flexibility, we believe the provisions should recognize consumers' interest. We all, as consumers, must deal with financial institutions in order to exist in modern society. Consumers should not have to sacrifice privacy as the cost of doing business. Accordingly, we offer the following comments on specific provisions of the proposed rules.
Foreign Financial Institutions:
The agencies have solicited comment on whether the rules should apply to foreign financial institutions. We believe the rules should apply to any entity that solicits business within the United States. Otherwise, the rules would create a loophole whereby foreign, separately incorporated affiliates of a U.S. financial institution could share confidential information without restriction. This could allow a U.S. institution to circumvent its notice requirements by simply distributing information through its separately incorporated foreign affiliates.
Personally Identifiable Financial Information:
The agencies have solicited comment on whether the definition of personally identifiable financial information should include all information gathered in connection with a financial product or service. The proposal notes that this definition may result in certain information, such as health status, being included in the proposed definition. The PRC and UCAN agree with the definition as proposed. To exclude incidental information, such as health status, gathered by a financial institution would create a wide gap in interpretation of the kinds of information that is subject to the notice requirements. Under a more narrow definition, a financial institution could arguably exclude any information that did not specifically deal with dollars and cents. Furthermore, any efforts by the agencies to specify certain kinds of information would only lead to loopholes and subjective interpretations by those who distribute information. We believe consumers are better served with an absolute definition such as that proposed.
Nonpublic Personal Information:
Some of the agencies have offered two alternatives, A and B, for determining whether information available from public sources falls within the definition of "nonpublic personal information," and is therefore subject to the limitations on disclosure of information to unaffiliated third parties. As we understand the proposal, Alternative A includes in the definition of "nonpublic personal information" any information provided by the consumer to the financial institution, or otherwise learned by the financial institution in connection with a transaction with the consumer, even if that information is also available from a public source. Alternative B, in contrast, excludes from the definition of "nonpublic personal information" any information that is available from a public source, even if that information is also supplied by the consumer or otherwise learned by the financial institution through a transaction with the consumer (other than customer lists).
We believe that Alternative A provides greater protection for the consumer, and strongly recommend its adoption over Alternative B. Alternative A, unlike Alternative B, is consistent with the principle that information collected for one purpose should not be used for another purpose without the consumer's consent. When a consumer provides information about his or her name, address, occupation or gender to a bank to apply for a loan, that consumer believes that the information will be used only for the purpose of determining eligibility for the loan. To allow the bank to sell that information to unaffiliated third parties without first notifying the consumer, simply because the information may also be available from some public source, violates that important principle. Alternative B harms consumers because it would allow financial institutions to disclose confidential consumer data to unaffiliated third parties without giving consumers any right to limit the disclosures, check the accuracy of the information being disclosed, or even to know that the financial institution is making the disclosure.
Further, with respect to Alternatives A and B, we suggest that the Rules delete "Internet site" from the examples of "widely distributed media" encompassed within the definition of publicly available information. As you are undoubtedly aware, there have been repeated instances recently of unscrupulous individuals posting confidential information on Internet sites that are available to the general public. Thus, classifying all information posted on the Internet as "publicly available" could potentially undermine the consumer privacy goals that the G-L-B Act was intended to further.
Finally, we support adoption of a variation of Alternative A that would require a financial institution to take reasonable steps to ensure that information is in fact available from public sources before it may be disclosed, without restriction, as "publicly available information."
Clear and Conspicuous Notice:
The proposed rules require that financial institutions provide notice of its information disclosure policies in a clear and conspicuous manner. In this regard, we suggest that financial institutions be required to deliver notices that are on a separate page from other notices required to be given. Such notices should be clearly captioned in at least ten-point bold type. In this way, a consumer's attention is more likely to be drawn to the notice than if the notice is merely included along with other notices. Electronic notices also should be given in a manner that would clearly distinguish it from other disclosures required to be given.
To further the goal of making notices reasonably understandable to consumers, we also suggest that financial institutions be encouraged to provide concrete examples to explain the terms in their notices.
Notice for Joint Account Holders:
The agencies have invited comment on whether notices should be given to all parties of an account or whether notice to one account holder is sufficient. On this topic, we submit that privacy is a highly individual right and that no person, despite the relationship of the parties, should be allowed to speak for another person. As we all know, personal as well as business relationships sometimes deteriorate over time, and the division of joint accounts often ends up in the courts. For these reasons, the regulations should not assume that notice to one is sufficient notice to all. We believe this is particularly true given the sensitive and personal information that could potentially be disclosed under the G-B-L Act.
Content of Notice
With respect to the content of the notice, we object to the provision that allows a financial institution to identify categories of confidential information that it may in the future decide to disclose to affiliates and unaffiliated third parties, and that allows a financial institution to identify categories of affiliates and unaffiliated third parties to whom it may in the future decide to disclose confidential information. We believe that financial institutions will use this provision to list a large number of future possibilities, and make the notice too long and confusing to the average consumer. Further, if a financial institution is permitted to list all potential future disclosure options, the consumer is not able to determine the effect of "opting-out" of data sharing among unaffiliated third parties. A financial institution that seeks to increase the scope of its data sharing should be required to identify new categories of data and recipients in its annual notice, and should be prohibited from making any such disclosures until a reasonable period of time after the revised notice is disseminated to consumers.
Form and Method of Providing Opt Out Notice:
As previously stated, the notice required under the Act should be distinctly separate from all other notices required to be given. In addition, financial institutions should be required to provide a form letter, along with a self-addressed stamped envelope, for use by consumers who want to "opt-out." To require consumers to compose individual letters to financial institutions and to pay for the postage necessary to protect information that is already rightfully theirs poses an undue burden. This is particularly true for the elderly who are frequently house bound and often have difficulty with vision and writing skills. Finally, the toll-free number that consumers can use to exercise their "opt-out" right must enable the user to reach a live person if he or she wishes. Many consumers are confused and frustrated by lengthy recordings, and would be effectively denied their right to "opt out" if their telephone call only sent them into a series of recorded options.
We appreciate the opportunity to comment on the agencies' proposed regulations. We trust that in promulgating final regulations the agencies will consider our comments along with comments by other consumer advocacy groups.
Beth Givens, Director
Privacy Rights Clearinghouse
3100 - 5th Ave., Suite B
San Diego, CA 92103
Jodi Beebe, Consumer Advocate
Utility Consumers' Action Network