Thank you for sharing!

Your article was successfully shared with the contacts you provided.
Unless you are the Don Corleone type and prefer to conduct all your transactions on a cash-only basis, you most likely received at least one long, incomprehensible notice this summer purporting to inform you how your bank or broker or insurer or credit card agency handles your personal and financial information. And if you are anything like a typical consumer, you gave the notice one glance before throwing it in the trash. Financial institutions sent these notices to comply with the 1999 Gramm-Leach-Bliley Act (GLB), which requires them to notify customers of their privacy policies and practices. Untold millions of notices were sent and untold billions of dollars spent. One company alone — Citigroup — sent over 125 million notices. But by practically all accounts, these notices were drafted almost solely to satisfy compliance obligations and did little to inform customers of their privacy rights. “Put it this way,” said Mozelle Thompson, a commissioner at the Federal Trade Commission, which has taken the lead among the federal agencies in regulating financial privacy notices. “I am a commissioner of the FTC, I’ve been a practicing lawyer for many years, and I’m a law professor, and I found some of the notices confusing.” This unfortunate state of affairs prompted the FTC to hold a workshop earlier this month, “to talk about the issues, share common ideas, and get everybody on the same page,” according to Thompson. “I gave them almost a call to arms,” he said. “It’s clear something needs to be done.” SIMPLER NOTICES SOUGHT What that something will turn out to be is still an open question. While many experts are calling for simpler, more uniform notices, what these notices would look like and whether they are feasible in light of the legal complexities is another matter altogether. The need for shorter, plainer notices is obvious. Two consumer polls recently confirmed what many had intuited — consumers do not really read privacy notices. One of the studies, commissioned by Privacy Leadership Initiative (PLI), cites two reasons for this: First, consumers lack time and interest; and second, they are put off by the length and legalistic wording of most notices. Commissioner Thompson said the quality of notices that went out “ran the gamut.” Consumer advocate Ari Schwartz concurred, saying that, although some companies produced exemplary notices — he cited US Bank Trust National Corporation as an example — others were just horrendous. “One notice I reviewed said, ‘We share information as allowed by law,’” he said. “You’d have to consult your lawyer to find out what that means.” More than three-quarters of consumers in the PLI study said they would be more inclined to read privacy notices if they were simpler and less comprehensive, said PLI executive director David M. Klaus. Lack of uniformity is another concern. “Consumers want some type of consistency among privacy notices,” he said. But practitioners cautioned that, although a more consumer-friendly privacy notice seemed like a worthwhile goal, achieving that goal may prove elusive. “The complexity of the laws and regulations makes simple notices almost inherently impossible,” said Joan P. Warrington, of counsel at the New York office of Morrison & Foerster. In addition to the FTC, seven other federal agencies have oversight authority for financial privacy notices. Adding to the mix are the states, many of which have their own privacy laws on the books. At least two states, California and Vermont, are considering privacy bills that run directly counter to the federal law. Instead of the federal “opt out” provision, which allows companies to share a customer’s financial information with third parties unless the customer says no, the California and Vermont bills call for “opt in” provisions, which would require companies looking to share financial information to seek the customer’s approval in advance. To make matters even more confusing, many financial institutions must also pay heed to the privacy protections of the Fair Credit Reporting Act, the Health Insurance Portability and Accounting Act and the European Union’s Data Protection Directive, all of which overlap with the financial privacy laws in a variety of confusing and contradictory ways. Given the mind-numbing complexity of the applicable law, privacy notices were almost by necessity written from a compliance perspective, PLI’s Klaus said. “In that regard, they were probably excellent,” he said, “but they weren’t readable.” TWO-TIERED SYSTEM In the face of widespread derision over the first set of privacy notices, financial services companies, who must send the notices on an annual basis, are working hard to do better in the next round. One solution that is gaining popularity is the two-tiered notice system. As explained by John F. Kamp, of counsel at the Washington, D.C., law firm, Wiley, Rein & Fielding, under this system, financial institutions would send out two notices, one a short and simple customer-centric notice designed by “Madison Avenue” types and the second a more comprehensive, lawyer-drafted notice. Other experts advocate modeling notices after nutritional labels. At the workshop, Mary Culnan, a Bentley College professor who co-authored a consumer study, said this would permit customers to shop around for the company that best meets their privacy preferences. But others questioned the feasibility of a nutritional label-type privacy notice. “Nutritional labels are based on numbers, which are easy to compare,” said Morrison & Foerster’s Warrington. “But how do you translate 10 percent sodium to privacy?” James Harper, a lawyer and founder of Privacilla.org who advocates industry self-regulation, also cast doubt on the food label notion. “I have a link on my Web site to a beautiful set of Center for Disease Control charts that show what has happened to obesity levels in the United States since around the time nutritional labeling began,” he said. “I want to caution you: The graphs are very fattening.” He said that the problem goes beyond what privacy notices should look like to the more fundamental question of what purpose, if any, they serve. The GLB privacy notice requirement is a waste of time, effort and money, Harper said. “It shows what is wrong with the government’s current approach to consumer privacy. Like everyone else, they guessed what consumers wanted. But they guessed wrong.” Harper espouses a market approach, where companies sell privacy like any other commodity, such as low interest rates or one-on-one customer support. “We should learn from the mistake of GLB,” he said. “Regulation and deadening uniformity are not going to deliver privacy the way marketplace diversity can.” PHASE TWO BEGINS With the first set of notices out the door, GLB is now moving into phase two, said Warrington. The act arguably sweeps an incredibly wide range of companies into its ambit, including tax preparers, financial advisors, and even wills and trusts lawyers, and its tentacles are reaching further and further out. Warrington even knew of a car rental agency that had gotten a letter asking it if it was in compliance with GLB because it had offered discount coupons to customers of a credit card company. Enforcement is also a growing concern. Although up to this point, the approach of the FTC and other agencies has been more carrot than stick, in its most recent budget request, the FTC has asked for a 50 percent increase in privacy enforcement funding. Consumer watchdogs are on the case as well. The Center for Democracy and Technology has filed complaints against five mortgage companies who failed to post a privacy notice on their Web sites, said consumer advocate Schwartz, who is an associate director of the group. Even states are taking notice. Warrington said that one of her clients got a notice from the state of North Carolina that its privacy notice was not in compliance with state law. And no matter what else they may disagree on, privacy experts all seem to concur that as an issue that has the attention of the public, lawmakers and consumer advocates, privacy is here to stay. “Where before, you would have had to travel to a small town in Maine to get George W. Bush’s arrest record, today you can just punch his name into a database, PLI’s Klaus said. “Technology is forcing us to re-examine our privacy policies.”

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]

Reprints & Licensing
Mentioned in a Law.com story?

License our industry-leading legal content to extend your thought leadership and build your brand.


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.