The Financial Services Modernization Act of 1999 takes effect this year (2001) and will have a significant impact upon consumer privacy. It allows the unfettered exchange of consumer profile information between affiliated financial institutions, and only weakly restricts the exchange of this information with non-affiliates. Such a complete lack of any significant privacy regulations regarding information sharing is in violation of well-known ethical principles, not to mention common-sense. This two-tiered system of affiliates and non-affiliates, in conjunction with the deregulation of other activities financial companies can engage in, provides a loophole through which companies can circumvent regulations designed to protect consumer privacy. More recent privacy legislation to correct such deficiencies is before Congress right now, and is likely to be defeated by well-funded and politically powerful financial industry coalitions. Consumers have few privacy advocates actively working to protect their interests. We have cause for more than concern.

If you have a bank account, credit card, insurance policy, retirement account, or other dealings with a financial institution in the United States, you have probably received a "privacy notice" with a recent account statement. These notices are required by the Financial Services Modernization Act of 1999 (FSMA) to advise you of your institution's policies covering the sharing of your personal financial information, and to give you an opportunity to opt-out of such sharing.¹ However, these notices should also be recognized as a signal to you that the landscape of personal privacy in this country is about to be significantly altered when the act takes effect later this year. Very soon, your bank's loan officer or your stock-broker may be able to know about that half-gallon of chocolate ice cream you bought last week, or what kind of and how many condoms you bought last month. This may be true even if you paid in cash.

The FSMA repeals earlier prohibitions that kept banking, insurance, and securities companies as separate entities. The financial corporate conglomerates that emerge will combine their databases, and will have heretofore unheard of amounts of data pertaining to each of their customers. Many companies are already using this kind of information to build an extensive profile about their customers.

Industry advocates claim that such "data profiling" helps them to improve services, lower costs, and advertise products specifically to those who might be interested. Privacy advocates point out that without tight restrictions on how the information can be shared, profiling greatly increases the potential for abuse and misuse of this information. In spite of common sense, customers have very few rights under the law to access, correct, or even find out what is being done with this information. Additionally, consumer rights to opt-out of information sharing are very limited, and a recent study shows that opt-out notices not likely to be comprehendible by the average adult.²

Only a small fraction of our elected representatives, in conjunction with several privacy rights advocate groups, opposed the FSMA (House vote: 362-57; Senate vote: 90-8). It is not difficult to understand why so few stood on the side of consumer rights: Senator Phil Gramm (TX), chairman of the Senate Committee on Banking, Housing, and Urban Affairs, and one of the sponsors of the FSMA, for example, personally received over $1.6 million from the banking, insurance, and securities industries alone between 1993 and 1998.³

Since then, more restrictive bills have made it to the legislatures in several states. However, these attempts to safeguard our privacy have been defeated by fierce opposition from finance industry coalitions.⁴ At least eleven pieces of legislation concerning the privacy of your financial information are right now before Congress,⁵ and in the meantime, the well-funded industry coalitions have only become stronger.⁶

In viewing the history of American jurisprudence, protections of privacy under the law were rarely explicit. The Constitution makes no explicit reference to "privacy".⁷ It was not until the 1890 article, "The Right of Privacy," by Samuel Warren and Louis Brandeis that privacy was seen as distinct from other rights, and in need of more protection.⁸ However, the Warren/Brandeis conception of "privacy" referred to "protection against brazen journalistic intrusion into people's lives and the unauthorized use of an individual's likeness by advertisers".⁷

Our notion of what constitutes privacy has evolved since then. Technological advancements, particularly the expansion of information databases and telecommunications networks, have shaped the way that we view core privacy issues. In Privacy and Freedom, Alan Westin states that privacy is the ability of individuals "to determine for themselves when, how, and to what extent information about them is communicated to others."⁹

And despite the enactment of legislation over the past 30 years which has been aimed at addressing this new conception of privacy, any so-called "right to privacy" still does not exist for our citizens. We do not have laws, as other countries do, that protect our privacy interests in all aspects of life. Instead, we have a "patchwork" of regulations that address privacy issues in specific sectors. Indeed, Beth Givens of the Privacy Rights Clearinghouse notes that in the past the U.S. has been "criticized by European Union countries for protecting video rental records, for example, more strongly than medical records."⁴

Two important pieces of legislation regarding the financial industry and privacy are the Fair Credit Reporting Act of 1970 (FCRA), and the Financial Services Modernization Act of 1999 (FSMA). The FCRA has been amended recently (1996), and its impact upon financial privacy are included in the following discussion.

The FSMA deregulates the finance industry by repealing prohibitions against affiliation between banking, insurance, and securities-trading companies. "Affiliation" means that one company owns a controlling interest in another, or they are both controlled by a parent company.

Regarding privacy of financial information, the FSMA was supposed to be an improvement over the restrictions of the FCRA with regard to the sharing of personal financial information between all non-affiliated parties. The FSMA restricts non-affiliate sharing (including selling or leasing), by requiring that each customer have an opportunity to "opt-out" (to state that they do not want their information shared). Customers have the right to opt-out at any time, but the company is not required to provide services if the customer chooses to do so.

However, under the FSMA, there are no restrictions upon what information may be shared between affiliates. The FCRA does provide that consumers can opt-out of sharing of credit-worthiness information between affiliates, but not "transaction and experience" information. On the other hand, almost anyone with a "legitimate business need" can obtain your credit report which contains the majority of your credit-worthiness information. So, information sharing between affiliates is perhaps complicated, but remains essentially unrestricted. Additionally, neither of these acts restrict what employees may have access to the information, nor the purposes for which it may be used.

This disparity between the laws governing affiliates vs. non-affiliates creates a two-tiered system. The opt-out provisions governing non-affiliates can be circumvented simply by affiliating--which is not as difficult as it sounds. U.S. Representative Pete Stark (CA) points out that to become affiliates, all two companies need do is enter into a joint agreement with one another.¹⁰ Even if this is an exaggeration, as an alternative, the FSMA also repeals most regulations upon the types of business that financial institutions can enter into, so they are also not prevented from purchasing or forming their own affiliate companies for any purpose.

With the FSMA in place, information about customers previously collected and stored in separate databases can now be merged when the companies that own the data affiliate. And it can be merged with data from other sources, including information about consumers' online habits, to create a much more complete profile about each customer. This "data profiling" means that a company can discover almost anything about the customer that they might want to know. Examples of the types of data collected are: all financial information, property ownership, marriage and divorce applications, detailed records of purchases, magazine and other subscriptions, club and other membership information, travel records, and with the proliferation of online profiling, even Web sites and Web pages visited by the customer.⁴

Such extensive profile information will surely be used to target customers with telephone, mail, and email advertisements that more closely match their profile. If that were all that these financial companies were planning to do with the information, we might not have such cause for concern.

Since these companies are also in charge of managing and investing our finances, we can expect that this information will also be used to make financial decisions about us. For example, data about the purchases of medical products or services, such as payment to a psychiatrist, could be used to determine whether a customer is a bad candidate for a personal loan.¹⁰ This should give us cause for concern because often decisions based upon profile information can be wrong, either because the data is erroneous, or conclusions are drawn based upon faulty reasoning.⁴ Revisions were made to the FCRA in 1996, dictating that, if an adverse action is taken based upon affiliate shared information, the consumer is at least notified.¹¹

Proponents of "data profiling" and industry advocates claim that it will make it easier for financial companies to provide improved and highly customized services.¹² For example, a customer may be able to make payments on their credit card, apply for a home loan and insurance, and purchase stocks, all in the course of one transaction via telephone, wireless device, or possibly even at an ATM.

Privacy advocates argue that most of us have not fully considered the potential uses and misuses of such complete profile information. They refer to past abuses of this kind of profile information by government agencies, particularly law enforcement.⁴ Additionally, they note that, despite protections of personal financial information under the FCRA, it is not difficult to obtain personal identifying information about individuals, and that this has been a frequent source of identity theft.¹¹ Allowing personal information to flow freely between affiliates and to be used for any purpose does not protect consumers' interests.

Fair information principles are ethical guidelines for how the sharing of information in both the public and private sectors ought to be regulated. These principles commonly focus on several specific concepts of fairness: "disclosure, consent, access, correction, security, collection limitation, accountability, and secondary use restrictions." A code of privacy ethics such as these principles are used as "the building blocks of many privacy laws, not only in the U.S., but in the European Union, Canada, Australia, New Zealand, Japan, and Hong Kong."⁴

Critics of the FSMA argue that it violates, or does not include provisions to enact most of these principles with regard to information shared between affiliates and non-affiliates. For example (with applicable fairness principles noted in parentheses): Financial companies are not required to tell you specifically what information they are collecting, nor how they obtained that information (disclosure). They are not required to inform the customer for what purposes the information is being used, nor what decisions they are making based upon it (secondary use). They are not required to obtain permission before sharing the information (consent), nor to announce with whom they are sharing it (disclosure). They are not required to show the information to the customer (access), nor to give one a means to correct it (correction). And customers are not allowed to sue the company should they be harmed by their use or sharing of any data (accountability)--a government agency, such as the Federal Trade Commission, are the only ones allowed to sue.

Financial companies and industry advocates might disagree that they are not required to obtain permission. Under the FSMA, these businesses are required to notify customers that they will share information with non-affiliates unless the customer specifically responds to the notice, i.e. opts-out. But critics have repeatedly argued that an opt-out provision does not constitute obtaining consent. Only an opt-in requirement, where consumers must explicitly confirm that they want their information to be shared, would constitute consent.⁴

The opt-out provision cannot come close to being effective at protecting consumers' privacy when the opt-out notices cannot be understood. Mark Hochhauser conducted a recent study of seventeen different notices, primarily from Banks, using grammar and readability analysis software.² He found that the average of these seventeen notices required a 3rd or 4th year college reading level, whereas the average person reads at a level below a high school graduate. Only 24% of adults have at least one Bachelor's degree and thus should have sufficient education to be able to read the notices. In people aged 65 and over, this number drops to 15%.

Finally, the FSMA does not require that financial companies provide services to customers who do choose to opt-out of information sharing. In the best case, this lack of protection may leave consumers in a position of being required to waive their rights to obtain financial services. And, in the worst case, opting-out will be made part of the consumer's profile, and that may leave them open to future discrimination by way of denial of offers of products and services by the company in question and any of the other companies with whom the consumer's information is shared, either inadvertently, or prior to the customer opting-out.

Most of the legislators and privacy advocates who opposed the FSMA acknowledge that it was a small step forward in the protection of privacy rights; but many also feel that it was not strong enough. As U.S. Representative Maurice Hinchey (NY) says, "This legislation could have made significant progress at protecting consumers' financial privacy. Instead, the bill included watered-down provisions that will allow the corporations that have access to personal information to keep sharing and selling that information."¹³

Just a few weeks ago, two studies--funded by industry coalitions--were released, and are being used to show that privacy regulations will cause higher prices and will do further damage to an already slowing economy. Privacy advocates point out that arguments like those presented in these studies do not "take into account the cost to individuals and society that result from fraud and consumer confusion."⁴ They also add that anytime our rights are protected some cost is to be expected. Ed Mierzwinski of the U.S. Public Interest Research Group responds, "It's a rather specious argument to say that privacy laws are going to cause our economy to tank."⁶

Industry advocates often take the position that consumers must be active participants in protecting their own privacy. Meanwhile, an industry coalition called the Privacy Leadership Initiative, which includes IBM, Ford, and Proctor & Gamble, is planning a $30-million advertising campaign this fall aimed at "easing consumers' privacy fears."⁶ Clearly, these companies do not have our best interests at heart.

An understanding of the effects and shortcomings of the FSMA shows us that we ought to be concerned about our privacy. And, in fact, recent research suggests that consumers are: A 1998 Harris poll found that 78% had refused to give personal information for privacy reasons, 82% felt they had lost all control of their personal information, and 90% said they are concerned about threats to their privacy.⁴ Another Harris poll found that "more Americans say they are very concerned about loss of personal privacy (56 percent) than health care (54 percent), crime (53 percent), and taxes (52 percent)."¹⁴ That study was conducted in 2000, which you may recall was an election year, during which health care, crime, and taxes were major campaign issues.

But without policy-making advocates in Congress, and with such well-funded industry coalitions fighting to defeat privacy rights legislation, we should be a lot more than "concerned."

1. Bill Summary and Status for the 106th Congress: S.900 (12 Nov 1999) Library of Congress <http://thomas.loc.gov/cgi-bin/bdquery/z?d106:s.00900:>
2. Hochhauser, Mark. Lost in the Fine Print: Readability of Financial Privacy Notices. (8 Apr 2001) Privacy Rights Clearinghouse <http://www.privacyrights.org/ar/GLB-Reading.htm>.
3. Scheer, Robert. Your Privacy Could Be a Thing of the Past. In: Conference Report on S. 900 Gramm-Leach-Bliley Act. (4 Nov 1999)
   <http://thomas.loc.gov/cgi-bin/query/D?1r106:1:./temp/~r106D0Hyce:e20937:>
4. Givens, Beth. Financial Privacy: The Shortcomings of the Federal Financial Services Modernization Act. (15 Sep 2000) Privacy Rights Clearinghouse <http://www.privacyrights.org/ar/fin_privacy.htm>
5. EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills in the 107th Congress. (10 Apr 2001) Electronic Privacy Information Center <http://www.epic.org/privacy/bill_track.html>
6. Sanders, Edmund. Firms Renew Assault on Privacy Rules. (27 Mar 2001) Los Angeles Times. <http://www.latimes.com/business/columns/privacy/20010327/t000026306.html>
7. Foner, Eric. The Story of American Freedom. W. W. Norton & Company, New York, NY (1998)
8. Baase, Sara. A Gift of Fire: Social, Legal, and Ethical Issues in Computing. Prentice-Hall, Upper Saddle River, NJ (1997)
9. Westin, Alan. Privacy and Freedom. Atheneum, New York, NY (1967)
10. Stark, Pete. On the Financial Services Modernization Act: What Financial Privacy? (28 Oct 1999) <http://www.house.gov/stark/documents/106th/hr10confstate.html>
11. Ammendments to the Fair Credit Reporting Act. (8 Apr 2001) Privacy Rights Clearinghouse <http://www.privacyrights.org/fs/fs6acrdt.htm>
12. Gramm, Phil. Financial Services Modernization. (22 Oct 1999) News from the Senate Banking Committee. <http://www.senate.gov/~banking/prel99/1022fsm.htm>
13. Hinchey, Maurice. Hinchey Opposes Banking Bill (2 Jul 1999) Maurice Hinchey News <http://www.house.gov/hinchey/070299.html>
14. Online Americans More Concerned about Privacy than Health Care, Crime, and Taxes, New Survey Reveals (4 Oct 2000) National Consumers League <http://www.nclnet.org/pressessentials.htm>