“Why the Financial Privacy Law is Better than People Think”
Professor Peter P. Swire, Ohio State University
University of Minnesota Symposium, February 9, 2002
Overview of the Talk
• The Critiques of Gramm-Leach-Bliley
• In praise of GLB
• Two needed improvements:
• Repeal the joint marketing exception
• Better notice
• Conclusion
Background
• My experience as banking law and cyberlaw professor
• 1999 -- Chief Counselor for Privacy, as GLB was enacted
• 2000 -- Regs promulgated & Administration proposed stronger privacy protections
• History of this in the paper
I. The Critiques
• Industry critique
• Expensive to comply
• Accomplishes little
• Privacy advocate critique
• Illusion of privacy protection
• Accomplishes little
• My view: GLB privacy a flawed but significantly positive step
II. In Praise of GLB
• Look at Fair Information Practices
• Notice
• Yes for affiliates and third parties
• Fin. Institution responsible for stricter promises
• Choice/Limit Secondary Use
• Limits on transfer of account numbers
• Opt out for 3d parties
• But, key weaknesses
Fair Information Practices (cont.)
• Access
• Yes, in practice (you see your bank balance)
• Security
• Yes, in practice
• New standards under GLB
• Enforcement
• Yes, up to $1 million/day and bank examinations
In Praise of GLB
• Notice, choice, access, security, enforcement
• Broad definition of covered “financial institutions”
• State laws can be stricter
• An engine for continued change
• Possible state tort & contract suits
II. Secondary Use, Joint Marketing, and Affiliate Sharing
• Fair information principles
• Expect “primary use” of information, such as to process my checks
• Don’t expect “secondary use” of information, such as to tell my boss about my checks
• GLB adopts formal approach
• If crosses corporate boundary, more likely to be secondary use triggering choice
Some transfers aren’t secondary use
• Principal/agent is OK
• “On behalf of” the principal
• Principal must assure confidentiality
• Efficient -- allows principal to choose in-house or independent contractor for printing the checks
Joint marketing exception
• Weak limit on secondary use
• To any “financial institution”
• Definition is broad
• Notice to consumers
• Notice is vague
• Contractual promise of confidentiality
• Enforcement not clear
• Recipient can use it for any purpose
Joint marketing exception
• Bait and switch
• Promised as solution for small banks
• Citi sells insurance & mutual funds through affiliates
• Smallville Bank uses outside firms for that
• Political demands for parity for Smallville Bank
The Bait and Switch
• Chase uses joint marketing
• 30 of 44 major online banks use it
• Target.com as an example of the blending of retail and financial services:
Target.com: “We may enter into agreements with other institutions to market products or services jointly between us … We may need to give a financial institution partner the following types of information: Identification and contact information (for example, name, address, and telephone number). Account transaction and experience information (for example, balance, purchase, and payment information).”
Solutions on Joint Marketing
• Repeal it.
• Clinton Administration supported this.
• Create a true small institution exception
• We do this for other rules in financial services
• Would not apply to large financial institutions who have the large and sensitive databases
III. Notices
• Industry critique
• Over 1 billion notices
• Opt outs <5%
• Many trees gave their lives for no purpose
Privacy Critique
• Rep. LaFalce: “Most financial institutions have employed dense, misleading statements and confusing, cumbersome procedures to prevent consumers from opting out.”
• College-level prose
• Hard to compare institutions
• Hard to opt out
Why Notices are Surprisingly Good
• They help stop egregious practices
• The history of U.S. Bank and the rest
• Promises now legally enforceable
• The biggest effect -- internal changes
• “Know your practices” requirement
• Chief privacy officers
• Upgrade IT systems
• Employees learn that privacy is part of their job description
Better Notices
• Plain English notices on top
• Proxy cards -- short, simple, action-oriented
• Detailed notices about internal policies
• Bank examinations to the detailed policies
• Institutions are bound by the details
• Can supplement disclosure requirements over time
• Support for the 2-tiered approach at recent agency hearing
Concluding Thoughts
• GLB is better at fair information practices than most have realized
• Broad coverage
• State laws and dynamic for updating
• Thwarts egregious practices
• Pushes internal procedures for improvement
• In short, far more than many have seen