CDT POLICY POST Volume 7, Number 7, August 30, 2001

A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from
THE CENTER FOR DEMOCRACY AND TECHNOLOGY

CONTENTS:

(1) Many Banks Fall Short in Providing Online Privacy Choices to Customers

(2) Background on Banking Privacy

(3) CDT Files Complaint with FTC Against Online Mortgage Companies

(4) Online Privacy Issues May Heat Up when Congress Returns



(1) MANY BANKS FALL SHORT IN PROVIDING ONLINE PRIVACY CHOICES TO CUSTOMERS

Online banks are not giving consumers convenient, online opportunities to limit disclosure of their personal financial information, forcing customers to use more cumbersome offline mechanisms to opt out of data sharing, according to a recent CDT study.

The study, released August 29, found that, of 100 banks studied that offer their customers the ability to open accounts online and use other banking services online (such as bill payment, mortgage quotes, and much more), only 22% provide their customers equally convenient online means of preventing information sharing with other companies.

Of greatest concern, the study found that several mortgage companies offering online services were not giving their customers any notice of their privacy practices. This seems to be in direct violation of the new federal banking law, the Gramm-Leach-Bliley Act ("GLB"), which went into effect on July 1.

CDT's report also found the surprising result that some of the bigger banks have the fewest online privacy options, with almost half offering little or no ability for customers to opt out of information sharing with third parties.

But the news wasn't all bad. Some banks give customers a wide range of online and offline options for limiting disclosure of data. Among the banks that led the way with best practices were the Internet Bank, which promised not to share customers' information without their affirmative consent (opt-in), and First Union, which provides customers a secure online Web site to remove their information from various kinds of sharing and offers a toll-free number for assistance as well.

Based on the results of the study, CDT made the following recommendations:

The full report, entitled "Online Banking Privacy: A Slow, Confusing Start to Giving Customers Control Over Their Information," is online: http://www.cdt.org/privacy/financial/010829onlinebanking.pdf [PDF- 7 MB]



(2) BACKGROUND ON BANKING PRIVACY

Privacy, especially Internet privacy, has become one of the most important issues in the lives of Americans. At the same time, consumers are eager to take advantage of the convenience of online services, including online banking. Over a quarter of Americans who have gone online have used the Internet to bank or invest. Failure to address privacy concerns will hamper growth of this online marketplace and undermine the consumer trust that is essential to sustained online usage.

A recent attempt to address privacy concerns is the Gramm-Leach-Bliley Act of 1999 ("GLB"), which deregulated financial institutions and implemented a series of privacy standards that went into effect July 1, 2001.

Title V of GLB requires banks and other financial institutions to disclose to their customers their information gathering and sharing practices. Further, personal financial information may not be shared with unaffiliated third parties unless the customer is given an opportunity, commonly referred to as opt-out, to prevent such sharing. The law's opt-out requirement does not apply to the internal use of information and the sharing of information with affiliates and "marketing partners," allowing banks to share information with those entities without giving customers any choice. When the GLB law was passed, many advocates criticized these privacy provisions as too weak.

In recent months, as a result of GLB, almost every American has received one or more privacy notices in the mail from a financial institution such as a credit card company, insurance agent, stock broker or bank. Privacy experts have criticized these printed notices as complex and confusing.

Due to the unique concerns that Americans have with online privacy, CDT decided to look at how institutions offering online financial services were complying with the privacy provisions of GLB.

In particular, we wanted to see if financial institutions offering online services were also offering online privacy choices to their customers. In marketing online services, financial institutions consistently refer to ease and convenience. It seems only logical that the banks should provide consumers with a similarly convenient set of privacy choices online. Our study found that many banks were missing an opportunity to make online opt-outs easier for consumers.

For more general information on financial privacy, see:



(3) CDT FILES COMPLAINT WITH FTC AGAINST ONLINE MORTGAGE COMPANIES

In the course of surveying online financial institutions, we found that a number of online mortgage companies did not offer adequate notice of their privacy practices when they collected personal information from consumers. One, Sterling Mortgage, responded by promising to post a privacy policy soon. Five others did not respond, so we filed a complaint with the Federal Trade Commission, which has jurisdiction over online mortgage company compliance with GLB.

Our complaint asks the FTC to investigate and, if appropriate, order the companies to post the required privacy policy or take other action as required by law.

The five companies named in the complaint are

In recent years, the FTC has shown growing interest in privacy issues. The new Chairman of the Commission has expressed an interest in receiving specific complaints about privacy violations. CDT will be on the lookout for other privacy violations that merit the Commission's attention.

The CDT complaint is online at http://www.cdt.org/privacy/financial/010829ftc.shtml



(4) ONLINE PRIVACY ISSUES MAY HEAT UP WHEN CONGRESS RETURNS

Consumer privacy issues, which were high on Congress' agenda at the end of last year, seemed to have fallen in priority this year, but that may change with Congress' return next week from its August recess.

In the Senate, several privacy bills have been introduced, but the major actors from last year, including the Commerce Committee Chairman and Ranking Member Senator Fritz Hollings (D-SC) and Senator John McCain (R-AZ), have not yet introduced legislation. However, the Commerce Committee's recent hearings revealed intense interest on the part of a number of Senators. CDT expects to see further legislation introduced in the next couple of months, along with efforts to develop a set of protections that could attract wide sponsorship.

The House Commerce Committee has held several hearings on various online privacy issues. Senior Republicans are likely to introduce a bill this Fall, but efforts at a bi-partisan approach have yet to begin.

You can follow the major online consumer privacy bills at CDT's Privacy Legislation Page -- http://www.cdt.org/legislation/107th/privacy/



Detailed information about online civil liberties issues may be found at http://www.cdt.org/.

This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_7.07.shtml.

Excerpts may be re-posted with prior permission of ari@cdt.org

Policy Post 7.07 Copyright 2001 Center for Democracy and Technology
