Is G-L-B Privacy Worth It?
It cost a lot. Developing policies, reviewing procedures, writing notices, getting them printed, sending them out, and handling calls and requests for opt-outs took time, money, and effort. It took attention away from other things - things like giving attention to other compliance and to customer service. This is a good time to assess the value of what the industry has just done. Is the G-L-B privacy act worth it?
We think not. Here's why.
The G-L-B Privacy Act doesn't really do anything for consumers. Heresy? Think for a minute about what privacy actually does. Are there really any consumer protections?
The real problem - the practice to which consumers objected - was the sale of their information to entities that were not financial institutions. This information was sold for use by third parties in selling products and/or services. Consumers found this practice appalling. Never in their wildest dreams did they think that by opening a checking account or applying for a mortgage they were providing private, personal information for sale on the open market. So they objected.
Consumers raised numerous concerns. But most of the objections boiled down to two concerns. First, consumers were very nervous about identity theft. They reasoned that if they didn't have control over where and how their information was distributed, they were more vulnerable to identity theft.
The second consumer frustration was being pelted with overtures - through mail and over the telephone - to purchase something. Pressure marketing gets results, but consumers don't like it. They resent the intrusions into their home. They especially resent calls during dinner. And the junk mail that comes in adds to concerns about identity theft. For many, it adds to concerns about the environment and how many trees it takes to generate all this unwanted mail.
Given what consumers most resent, what did the new privacy law accomplish? Very little. It was a very cumbersome and confusing process to get nowhere.
First, the new privacy law doesn't put a stop to the sale of information. In fact, it specifically permits it. It simply imposes one condition: prior notice and the right to opt out. So the practice that concerned consumers most is specifically permitted! Information can still be sold, but some (alert) consumers may prevent their information from being included in the sale. This puts the burden to act on the consumer.
Second, the new privacy law does nothing about identity theft. Other laws speak to this topic, but the privacy law doesn't provide any real protections. In effect, as far as consumers are concerned, it has no teeth.
So what, exactly, did happen? Congress reacted to a practice that most people found to be an invasion of privacy - the unauthorized sale of information about individual customers. To provide protections, Congress put into place a complex system of notices to consumers, the right of consumers to opt out of information sharing, and the burdensome task on financial institutions of managing those opt-outs. Where is the protection?
Wouldn't it have been simpler to simply prohibit financial institutions from sharing information? A few sentences could have resolved the problem. All the law would have to say is: you can't do it!
Or would that be too simple. We wouldn't have a whole industry of notice preparation and delivery. We wouldn't have to overhaul systems to manage opt-outs. We wouldn't have irate customers asking for opt-outs when the notice explained that the institution wouldn't share information anyway.
But we can't help thinking of what could have been if Congress and the industry had simply directed their attention to the real problem.
Copyright © 2001 Compliance Action. Originally appeared in Compliance Action, Vol. 6, No. 14, 12/01
print
share