Center for Democracy and Technology
1634 Eye Street, NW Suite 1100
Washington, DC 20006
202 637-9800 v
202 637-0968 f
http://www.cdt.org

March 30, 2000

Office of the Comptroller of the Currency
Docket No. 00-05

Board of Governors of the Federal Reserve System
Docket No. R-1059

Federal Deposit Insurance Corporation
Comments/OES

Office of Thrift Supervision
Docket No. 2000-13

Federal Trade Commission
"Gramm-Leach-Bliley Act Privacy Rule, 16 CFR Part 313 Ð Comment

Introduction
These comments respond to a Joint Notice of Proposed Rulemaking, 65 Fed. Reg. 8770 (February 22, 2000), on Privacy of Consumer Financial Information as well as the Federal Trade Commission's Proposed Rule on the same subject. The Center for Democracy and Technology appreciates this opportunity to comment on the draft regulations to implement Title V of the Gramm-Leach-Bliley Act.

The Center for Democracy and Technology (CDT) is dedicated to preserving and enhancing democratic values and civil liberties on the Internet and other interactive communications media. CDT pursues its mission through public education, grass roots organizing, litigation, and coalition building. CDT is a non-profit, public interest organization (501 (c)(3)). Along with other privacy and consumer organizations CDT has urged policy makers to enact strong privacy protections for personal financial information.

The Act
The Gramm-Leach-Bliley Act (GLB) authorized the wide spread sharing of information about the financial activities of individuals. GLB undermines consumers' expectations of privacy when sharing information with financial institutions. In fact, GLB legalizes activities that had been found deceptive and unfair by a leading state consumer protection authority, Attorney General Mike Hatch (MN). It was a mistake for Congress to pass legislation allowing expansive consolidation in the financial services industry without enacting strong privacy protections for consumers. Loopholes in the GLB deprive consumers of control over personal financial information in several ways:

• It allows personal information to be shared among affiliated companies without the consumer's consent.

• In many instances it allows personal information to be shared between financial institutions and unaffiliated third parties, including marketers, without the consumers consent.

• In several instances it allows institutions to avoid meeting even the minimum notice of information practices required under the Act.

• It does not require financial institutions to provide consumers with access to information about them that the institution holds, despite the fact that the law allows this information to be shared, sold and otherwise used to generate profit.

It is clear that consumers deserve better legal standards to protect the privacy of their personal financial information.

Both Congress and the States have begun the process of closing the vaults of personal data that GLB carelessly left open. As Congress and the Administration well know from the on-going battle to enact legislation and craft regulations to protect the privacy of sensitive medical information, allowing automation, simplification, and modernization to proceed without privacy rules built in on the front-end is a mistake. Consumers' privacy concerns are exacerbated as corporations merge, electronic commerce grows, and personal information is increasingly viewed as a commodity. Financial services modernization is fostering all three of these trends. As mergers, acquisitions, and joint-marketing efforts increase Americans control over sensitive financial information is steadily eroding.

We urge the banking regulatory agencies and the FTC to support the adoption of stronger privacy laws and to use the GLB Act, to the extent possible, to provide privacy protections for consumers. As the financial industry continues to embrace technology -- moving onto the Internet, utilizing biometrics, and creating vast networks of personal information -- there must be clear rules to ensure that individuals' privacy is protected. The key is to ensure that technology and the business models built upon it rest on a framework of strong privacy rules. More than ever, individuals must have the right to control their personal financial information.

COMMENTS ON THE PROPOSED REGULATIONS

§40.1 Purpose and Scope

Within the confines of the GLB Act we commend the Agencies for their effort to increase consumer privacy protection. While the Act itself is gravely flawed, the Proposed Rules are attentive to the privacy considerations of the public to the extent permitted. We have several specific recommendations for strengthening the Rules. But in general, the Agencies have provided a solid framework for its application.

It is appropriate that the scope of information and institutions covered by the rule be broad and forward thinking. As the Federal Trade Commission notes in its analysis of the Proposed Rules, non-traditional financial institutions must be considered in crafting the Rules. We support allowing the Federal Trade Commission (FTC) to promulgate regulations that apply to businesses engaging in activities that are financial in nature. Such a broad application of the privacy provision was clearly the intent of Congress when it passed the GLB. In addition, the rules should apply to any institution actively soliciting business in the U.S., unless they have stronger privacy laws in which case the U.S. citizen should be afforded the stronger protection. Foreign financial institutions that solicit business in the U.S. through any media that allows them to direct their communications to U.S. citizens should be covered.

§40.3 Definitions

Collection
We support the Proposed Rules definition of collection. Consumers' expectations of privacy do not turn on whether personal information is collected from them, or is purchased or procured from a third party. Information that is organized or retrievable in a personally identifiable basis, whether obtained from the consumer or another source should be covered by the rules. We emphasize that the words "organized" OR "retrievable" are not synonymous. Where information is retrievable, whether it is organized or not, in personally identifiable form it should be covered by the rules.

Consumer v. Customer
We appreciate the difficulty of the task faced by the drafters and the confines of the underlying statute; the definitions will deprive individuals of the ability to make market place decisions based on banks' privacy policies. Under the proposed structure an individual will not be provided with the full extent of notice required by the Act until after they have disclosed substantial information. The line between consumer and customer is at best fuzzy. In most instances a business solicits consumers in hopes that they will become customers. The yearly notice requirement may be inappropriate in the narrow class of interactions that are discrete, one-time, purchases with no ongoing relationship. But, in general, prior to engaging in any transaction with a financial institution that requires the exchange of personal information individuals (consumers and customers) should be provided with a clear and conspicuous notice of information practices prior to being asked to divulge any information. Without full and fair information prior to the disclosure of personal information consumers will be unable to make market choices that reflect their privacy interests. This would clearly undermine the intent of the legislation.

Financial Institution
The definition of "financial institution" is appropriate. It would benefit from additional examples. In particular in the context on online interactions, would a Web site offering stock quotes, tax preparation assistance or technology, or site specific payment options be covered by this definition.

Nonpublic Personal Information

• Alternative A is preferable.
  Alternative A is consistent with the intent of GLB and to the extent possible under the statutory framework, it is consistent with consumers' expectations. Individuals expect financial institutions to respect the privacy of their personal information. As passed the GLB fails to require this. However, to the extent possible the Rules should use the Act to strengthen privacy protections and buttress consumers' privacy expectations.

  Because Alternative A takes a narrow approach to placing information outside the general rules set out under the Act it should be adopted. Personal information whether collected from the individual or a third party, should be afforded the protection of the Act. Similarly, the use of any personally identifiable financial information to create a list, description, or other grouping of consumers should render all information in that list covered under GLB.

• Alternative B is highly flawed and would undermine the goals of the Act.
  The notion of determining whether information is protected based on whether it is publicly available from some source would create an exception that would swallow the rule. Alternative B could largely gut the protections afforded by the Act. For example, today the public record component of bankruptcy records contains bank account numbers. Some courts are moving toward Internet access to court records. If bankruptcy records were to become accessible over the Internet the Proposed Rule would deny bank account numbers contained in them all protection under GLB. Clearly alternative B in either of these scenarios would directly undermine the express intent of Congress. Similarly, social security numbers continue to be used by several states as drivers' license numbers. Some could argue that they have therefore become public under Alternative B. Clearly personal information as critical to personal privacy as the social security number cannot be claimed to be outside the protections of the Act solely because they may theoretically or actually be found publicly somewhere. In addition, Alternative B could have the perverse result of encouraging businesses to push more information into the public sphere in order to avoid privacy obligations. This would be a disastrous result weakening individual privacy across all sectors of our economy.
  

§ 40.4-6 Notice

Timing of Notice
The Proposed Rule on "notice" should be revisited. Under GLB consumers are expected to protect their privacy by choosing a financial institution that meets their privacy needs. To do so, consumers must have information early enough in the process to know whether their needs are met or they must look further. Treating the privacy notice required under GLB as an after the matter document defeats the purpose of the Act and will eviscerate the limited privacy enhancing effect this law may have. Viewed in light of the Act and its legislative history, the privacy notice should be treated as the equivalent to a loan rate Ð a critical piece of information that must be available to consumers before they decide to pursue a relationship with a financial institution. If privacy is to be a market differentiator Ð as the legislative history of GLB suggests Ð consumers must be provided with information about financial institutions privacy policies prior to entering into any business transaction Ð whether it is discrete or ongoing.

Form of Notice
Electronic commerce can be a benefit to consumers and businesses. However, the online environment raises new twists for commercial interactions. The move from face to face interactions to the faceless ones on the Internet puts a new emphasis on the need of parties to determine with whom they are dealing and the form of signatures required to seal certain transactions. The move from fixed, permanent paper records to electronic bits raises important challenges for consumers and businesses who must be able to receive and agree upon contracts and be assured that these contracts can be stored, viewed and offered as proof if issues surrounding the agreement must be revisited.

All parties agree that the online environment offers consumers an important new avenue to seek out and purchase goods and services. However, to ensure a sound environment for commerce and instill consumer confidence, the unique attributes of electronic communications and transactions must be examined and addressed. The electronic world differs from the physical one. Through interactions with brick and mortar businesses, consumers have developed a range of expectations about commercial interactions. Similarly, businesses that must respond to consumer demands and meet their business needs have expectations of the online marketplace. We must ensure that the online environment meets or exceeds all of these.

To understand the challenges of business to consumer online commerce we must identify the differences between communications and transactions online and offline. With these differences identified we can then decide what the differences mean, if anything, for the policies surrounding online commerce. Providing notice is an area where it is critically important to acknowledge the differences between the online and offline worlds.

Virtually everyone living in the US is reachable through the US Post Office. The Post Office delivers information to individuals at no charge to the recipient and as far as any one can tell it will not be going out of business. When an individual moves they file a single request with the post office -- a change of address form -- that is designed to ensure that, for a period of time, every correspondence sent to their old address will reach them at their new location.

None of these assumptions are true of electronic mail. Many individuals do not have an email address. In general, email addresses are not free but are part of a commercial service that consumers purchase. There are numerous email providers and many email services have come and gone. If an individual changes service providers, changes email addresses, or if an email service provider goes out of business there is no single system for ensuring a simple transition of email from a defunct box to another. An individual may have an email address and a computer capable of sending and receiving email, but at some point in the future lose one or the other. An electronic document sent via email will not necessarily be forwarded on to the intended recipient.

Email can not be viewed as equal to postal mail. All consumers do not have access to computers and email accounts, and those without them should not be expected to rely on electronic communications. This is a fundamental equity issue. Documents and communications sent via email may not reach the intended recipient due to a change in address, the loss of a personal computer, or the demise of an email service provider.

We suggest that the consumer's consent to receive notice electronically should only be acceptable when provided: 1) in electronic transactions; or, 2) electronically by the consumer from a computer within the consumer's control.

Contents of Notice
Consumers should be provided with as much information as possible on the kind of information collected about them and the entities to which it will be disclosed. At the very least, financial institutions should be required to provide at their Web site a full list of the categories of data they collect about consumers and a full list of the entities (affiliated and non-affiliated) with whom they share data. It is critical that consumers be informed of disclosures of personal information to both affiliates and third parties. The Data Protection Registrar in the UK offers an excellent example of how such lists can be compiled and easily maintained in the online environment. Explicit notices are the only way in which consumers will be able to select institutions with stronger privacy protections. It is important that the Rules require full and fair disclosure to consumers.

§40.8 Form and Method of Opt-out

Accessibility and Ease of Use
The limited privacy protection afforded by GLB turns on the clarity and completeness of notices and the accessibility and ease of use of Opt-out opportunities. In today's market, we have found that it is extremely difficult and cumbersome for consumers to locate and exercise their ability to opt-out. We believe that the experience of consumers in the telemarketing area, where the FTC is currently exploring whether a centralized do-not-call list would be in the interest of consumers and businesses, illustrates the problems in today's marketplace. CDT created the Web site Operation Opt-out to assist consumers who wished to limit solicitations and the reuse of their personal information.

http://opt-out.cdt.org In building Operation Opt-out we found that many businesses make opting-out extremely difficult for consumers. We believe that the Proposed Rules provide guidance to businesses that will ensure that consumers can exercise their right to opt-out. However, we believe that addressing the timing of notice, as discussed above, is essential if consumers are to have a meaningful opportunity to opt-out.

Change in Terms
We strongly disagree with the Proposed Rule on "Notice of change in terms." Absent the individual's (consumer or customer) explicit, affirmative consent, a business may not apply a new privacy policy to data collected under an old policy. Similarly, if a business is purchased, the new company may not apply its terms of service to data purchased but must abide by promises made by the initial company Ð unless the affirmative, explicit, consent of the individual is obtained. Consumers have no say on which business purchases their data. A consumer may have chosen to avoid this institution.

We believe that it is a deceptive practice for a business to change its terms of service with respect to privacy and retroactively apply it to data previously collected. If privacy notices change they cannot be applied to previously collected data absent explicit permission from the customer. However, the law would allow new privacy policies to be applied to data collected after a new notice and opportunity to opt-out have been provided.

Duration of Opt-out
Opt-outs should not be time limited. It is unreasonable for a business to expire an individual's decision.

§40.9 Joint Marketing Exception
The joint marketing exception eats away at the limited protections afforded by the law. To ensure that consumers are able to protect their privacy interests, the Rules should require the name of the financial institution providing the personal information to be boldly displayed on the joint offer. This will allow consumers to understand where the offer originated. By tying the financial institution to the offer, such a Rule would strengthen financial institutions' review of the merchants with whom they enter such arrangements. It will also aid the regulatory institutions engaged in overseeing compliance with GLB.

§40.11 Consent Exception
Disclosures pursuant to the consumer consent exception must be written. When information is released pursuant to the consumer consent provision (or any other) a cover page or notice stating that it is subject to GLB should accompany it. Information provided pursuant to the consent exception should contain a further notice prohibiting its use for any purpose beyond that requested by the consumer.

§40.12 Limits on Redisclosure and Reuse of Information
The underlying statutory language is confusing. It cannot be "lawful" for a recipient of information under GLB to disclose data further because the financial institution is not a party to the transaction. Such a reading would deprive individuals of the notice and opt-out opportunities provided by the statute. It would also invite end runs around the statute.

§40.13 Limits on Sharing Account Number Information for Marketing
Creating a marketing exception for account data would create a loophole for abusive practices. The disclosure of account data by financial institutions has led to well documented abuses. There is no need for a reputable marketer to obtain account information from any source other than the individual who has chosen to purchase their product or service. Account numbers, even if encrypted, should not be disclosed.

Additional Issues

The proposed rule should address these areas:

• Clarify that these rules apply to online transactions conducted between financial institutions and consumers.

• Include a section on how an institution's control over consumer privacy may lead to an anticompetitive effect in the marketplace in the report sent to Congress.

• Specify enforcement mechanisms, including audit procedures to ensure that institutions comply with their privacy policies.

• Ensure that institutions draft notices in plain language so consumers can understand them.

Conclusion

As stated above, the GLB does not provide strong privacy protections for personal information held by financial institutions. However, we urge you to interpret the limited protections and rights afforded individuals under the law in a manner that best protects individual privacy. We commend you on the Proposed Rule and look forward to Final Rule that addresses our concerns. Thank you for the opportunity to comment.

Sincerely,
//
Deirdre K. Mulligan
Staff Counsel
Center for Democracy and Technology

Free Speech | Data Privacy | Government Surveillance | Cryptography | Domain Names | International | Bandwidth | Security | Internet Standards, Technology and Policy Project | Terrorism | Authentication | Right to Know | Spam

Our Mission / Get Involved / Staff / Publications / Links / Search CDT / Jobs / Action! Previous Headlines | Legislative Tracking | CDT's Privacy Policy