December 4, 2001
Interagency Public Workshop
"Get Noticed: Effective Financial Privacy Notices"
Federal Trade Commission
Comments By:
Tena Friery, Research Director
and Beth Givens, Director
Privacy Rights Clearinghouse
Table of Contents
- Executive Summary
- About the Privacy Rights Clearinghouse
- PRC's Financial Privacy Consumer Education Project
- Summary of Consumer Contacts
- Societal Feedback Loop: What Consumers Told the PRC
- Conclusions and Recommendations for More Effective Consumer Education
1. Executive Summary
In November, 1999, President Clinton signed the Financial Services Modernization Act, more commonly known as Gramm-Leach-Bliley or GLB, after the Congressional sponsors of the Act. The main purpose was to overhaul the financial services industry. But privacy provisions were added to GLB near the conclusion of Congressional proceedings giving consumers new rights to notice and consent regarding the information-sharing practices of financial institutions. Title V of GLB gives consumers a right to opt-out, that is prevent sharing or other disclosures of personal information to third-party nonaffiliates.
Given the complexity and limitations of GLB's privacy provisions, the Privacy Rights Clearinghouse (PRC) undertook a major project to educate consumers about the new law and their right to prevent information sharing. The PRC launched this project with the premise that such an educational program would fill the gap left by questions unanswered from consumers' review of the notices required by GLB. Instead, what we found was that the majority of consumers who contacted us had heard or read media stories about the GLB notices and realized they had ignored the notices that their financial institutions had mailed to them in previous months. Few of the consumers who contacted us had actually noticed or read the notices. They were worried that they had missed the opportunity to prevent the sharing of their customer data with other companies.
Of consumers who contacted the PRC with specific questions or comments after obviously having read the privacy notices, the overall theme was that of confusion about the most fundamental aspects of GLB. Thus, the level of consumer awareness as evidenced by the inquiries received by the PRC indicates a far lower level of understanding than we had initially anticipated.
Several news reports indicated an opt-out response rate of 5% or less. We have concluded that the low opt-out rate is not attributable to consumers' approval of information-sharing practices, but rather their lack of knowledge of those practices. We observed striking lack of privacy education, not only on the part of consumers but also by some consumer services representatives of financial institutions.
Industry, government agencies, and consumer education organizations such as the PRC would all do well to view the year 2001 as a costly experiment that resulted in little effective education of the public about the rights to privacy of personal financial information under GLB. Absent stronger legislative initiatives to protect consumer privacy with an opt-in standard, a coordinated multi-organizational effort at educating the public about existing laws is in the best interests of the financial services industry and consumers as well.
2. About the Privacy Rights Clearinghouse
The Privacy Rights Clearinghouse is a nonprofit consumer program with a two-part mission: consumer education and public policy advocacy. Since its inception in July 1992, it has been a unique voice for consumers' rights and interests regarding information privacy, defined by privacy scholar Alan Westin as the "right to determine when, how, and to what extent information is communicated to others."
The goal of the PRC since its inception has been to raise consumers' awareness of how technology is affecting personal privacy and, at the same time, to empower individuals to safeguard their privacy. In addition to its consumer education focus, the PRC represents consumers in a wide range of public policy proceedings, advocating for the right of consumers to control how their personal information is gathered, used, and disseminated.
The PRC publishes many self-help guides for consumers on our web site, www.privacyrights.org. Topics include identity theft, credit reporting, telemarketing, unsolicited mail, Internet privacy, medical records confidentiality, and workplace privacy. Our most recent consumer education initiative is financial privacy, described below.
The PRC serves as a "societal feedback loop" by bringing consumers' actual experiences to the attention of government officials and legislators, regulatory agency officials, industry representatives and other consumer advocates. It is in this spirit that we publish this report about our observations of consumers' responses to the privacy notices they received from their financial institutions during the first half of 2001.
3. PRC's Financial Privacy Consumer Education Project
In January of 2001, the PRC, with the help of grant funding from the Deer Creek Foundation, launched a program to educate consumers about the GLB Act. The PRC began this program with what later turned out to be the faulty assumption that consumers would contact us for specific answers to questions raised after reading the privacy notices required by GLB.
Our educational program consisted of:
- writing a series of fact sheets designed to explain the major provisions of GLB in plain language;
- participating in local and state community outreach programs; and
- launching a media campaign to bring the public's attention to the significance of the privacy notices.
The PRC produced five fact sheets:
- Protecting Financial Privacy in the New Millennium: The Burden is on You
- Financial Privacy: How to Read your "Opt-Out" Notices
- Take the Cloze Test: Readability of a Financial Privacy Policy (developed with readability consultant Mark Hochhauser, Ph.D.)
- How to Shop for Financial Privacy
Frequently Asked Questions About Financial Privacy
As our project progressed, we received many inquiries from consumers about how to contact their financial institutions in order to request another copy of the privacy notices. We compiled a list of approximately 200 addresses and telephone numbers taken from our review of privacy notices and posted them on our web site. In addition, we provided a sample letter for consumers to use in instances where a letter was the designated means of opting out.
- Opt-Out Addresses
- Sample Opt-Out Letter
The PRC was fortunate to have been contacted by readability consultant Mark Hochhauser, Ph.D., who was concerned about the difficulty encountered by average consumers in understanding the privacy notices. He conducted a readability assessment of approximately 60 notices to determine the Flesch Reading Ease Score. The results of Hochhauser's study are posted on the PRC web site.
- Lost in the Fine Print: Readability of Financial Privacy Notices
4. Summary of Consumer Contacts
The PRC received approximately 2,000 inquiries from consumers as a result of our financial privacy educational project. We received most inquiries near the deadline in May, June, and July of 2001. Most contacts resulted from the consumer having read or heard a media report.
Nearly half of the contacts came to us via postal mail, usually as a result of consumers having read an article in such publications as the AARP Bulletin. We responded by mailing our fact sheets. The remaining inquiries were received and answered primarily by electronic mail with links to our fact sheets and other information. We also received telephone calls from consumers, although not in as great numbers as the mail and e-mail inquiries.
We have attempted to assess the level of the public's financial privacy education by dividing the inquiries into the following three categories: low, moderate, and high levels of knowledge.
- Consumers who showed a low level of knowledge of GLB (about 65%).
- First heard about GLB in a media report in May, June, or July 2001.
- Vaguely remembered seeing notices but failed to understand them
- Consumers who showed moderate level of knowledge. Had seen notices but were confused about them (about 20-25%).
- Had questions about the deadline.
- Wondered about the continuing nature of the opt-out.
- Asked whether they have an opt-out or if their financial company was in compliance with GLB.
- Questioned why they were getting the notices; also asked what types of companies should send notices to them.
- Wondered what to do about closed or joint accounts.
In addition to consumers who indicated either low or moderate levels of awareness about GLB, we received some inquiries from consumers who had obviously read the notices and were making an effort to understand the significance of GLB and to follow-up with their financial institution in order to opt-out. Most of these consumers contacted the PRC with complaints and reports of frustration in their efforts to follow the procedures to opt-out. We characterize this group as having the highest level of understanding about GLB, and have divided their complaints into the following major categories:
- Consumers who showed a high level of understanding about the privacy notices (about 10%).
- Complaints about the time it takes to opt out.
- The cost of opting out.
- The form of the notices.
- Complaints about their attempts to follow-up with and contact their financial institutions.
- No confidence that opt-out would be honored.
- Information required to opt-out, e.g. Social Security number.
5. Societal Feedback Loop: What Consumers Told the PRC
We can think of no better way to send consumers' messages to industry and government representatives than to use the words of consumers themselves. The remarks we report here are exact quotes and are typical of those received in the categories we summarized above. Unless otherwise indicated, we obtained these comments from electronic mail messages.
Consumers Who Showed a Low Level of Knowledge of GLB
Comments from those who seemed to have no prior knowledge
"I heard the end of a story regarding the submission of paperwork to prevent the selling of my private information between banks, insurance companies and others. Could you provide me with guidance as to what I can do and what paperwork I need to submit."
"My husband and I were watching the news this morning and they were talking about protecting your privacy. . . . We didn't receive anything in the mail and would like for you to send the information to us."
"I heard about your web site on KPCC tonight. I am greatly concerned."
"I heard on the national news last night about the privacy policy forms that were being sent out to consumers in their bills, notices, etc. I make it a point to read all of what I receive in my mail, and I swear that I didn't receive a single one of these forms."
Comments from those who saw the notices but misunderstood their significance
"I was one of the ones who did not read all the opt-out forms that were sent to me. I only completely understood about it after hearing about it this past week on the Today show."
"I need to notify all my accounts that I do not want any personal information given to anyone for any reason. Like many others, I did not realize what I received. How do I recover? There should be a law against such confusing methods to trick the American people. I am downright angry!"
"I do not recall getting these notices. If I did . . . I probably threw them out because of the tons of junk we all get."
"I failed to respond to the mailers I received thinking they were just some more junk mail."
"I heard about your organization this morning on a local news cast here in the Dallas metroplex. They reported that the privacy policies that the bank and insurance companies have been sending do in fact have a specific purpose to them other than just be helpful. I am one of those individuals that have received my banks and insurance company's privacy policies and neglected to read them."
"I, in retrospect, know I got a few of these notices. I did pitch them. I thought it was just the company stating they would not do this and they respected my privacy."
"I, like Barbara Walters, did not think it was something that I needed to respond to. I thought it was just something from them telling me that they will not give out personal information unless I told them it was OK."
"I read about the privacy notices that are being sent through the mail. I read a few of them and was obviously not clear since it was my understanding that I did not have to do anything to keep my information private."
"We recently received a document in the mail pertaining to something called 'opt-out." We didn't know exactly what it was and inadvertently tossed it in the trash. We later saw a story on the news that referred to this term of 'opt-out' and we now would like to know how to go about activating our right to 'opt-out' without the aid of the now trashed document."
"I completely misunderstood what I need to do to take advantage of the new privacy act. I thought I had to send the documents back only IF I WANTED MY INFO SENT OUT."
Comments from Consumers Who Showed Moderate Level of Knowledge - Had Seen Notices but Were Confused about Them
Deadline
"What would be the procedure for opting out past the deadline date of July lst"?
"Are they still sending out these notices through the summer or was the deadline July 1, 2001?"
"When is the absolute deadline for submitting our acceptance or refusal of personal data that will be available to whomever unless we make our choice known."
"Would you please send me whatever forms are necessary for privacy notification that must be sent by July 1. I have heard a lot about it on TV but to my knowledge I have never received a form or notice."
Continuing nature of opt-out
"I recently heard a report about all of our financial institutions sending out privacy policy forms (which I have thrown away). Is it correct that if I haven't signed these and sent them in by July 1st they can give my information to whoever they want. If I missed the deadline can I still write them and be taken off that list?"
"In the opt-out info on your website, it was written that companies would be mailing out opt-out notices until July 1st. Will I still have the same right to opt-out after they quit sending notices or is that the deadline?"
" . . .now that I may have thrown out some of the 'Opt-Out' notices, what can I do to rectify the situation? Must I wait a year for another notice . . .?"
"If I opt out this year am I required to file my wishes with the same institution next year to keep my intent current?"
Whether they have an opt-out
"I am confused. Are credit unions covered under this stupid Gramm et al financial info sharing nightmare? I got a "Privacy Notice" from mine but they tell me that I don't need to opt out."
"To whom should one report a privacy policy that offers no "opt-out" possibilities. The statement itself from a life insurance company did not identity the appropriate company individual with whom to speak or a representative of whom to ask questions."
A caller to PRC complained that he got a notice from an insurance company but there was no way to opt-out.
"I have been attentive to the opt-out notices my various banks send. Today I got one from (my bank) which explained that they were going to share my information with anyone, and did not offer any way to opt out. When I called the number they gave, they explained that sharing my information was their right, but that I could write a letter requesting that my information not be shared."
"I have problems with some of the language in this privacy policy. . . . [T]he most glaring problem with this is the lack of *ANY* information about my opt-out rights. When I asked them about this, they told me that they were not required to offer opt-out because 'We never sell any information to unaffiliated third parties.' I am disturbed by their statement, because I'm not sure these verbal statements .offer any guarantee and [they] do not use the language mandated by the laws. .. [In the written statement] they say 'We may also disclose nonpublic personal information about you to nonaffiliated third parties as permitted or required by law.'"
" [the company] appears not in compliance - no address, no phone number."
Why they got the notices; also, what types of companies should send notices to them
"I have been receiving mail from places I've never heard of about giving out my personal information to people who ask for it without my permission."
" . . . I just now realized what I may have received was not just a statement of what these companies were going to charge in the future in the way of finance charges."
" . . . I got [a privacy notice] yesterday from . . . but there was no place to put in X and mail it back. To the best of my knowledge, I don't do any business with the companies listed on the back. It looks like they got my name from an e-mail address."
"Recently I received in the mail a notice concerning my privacy rights. The bank I received it from I [had] nothing to do with."
"Should I also send a notice to my HMO"?
"Should we notify [companies] with their own credit cards, e.g. gas companies, retail stores)"?
"I have a card from Visa through my federal credit union. Do I need to opt-out to Visa"?
"I am unclear . . .if the opt-out law applies in the case of health insurance companies."
In addition to consumers' questions as indicated above, the PRC also received inquiries from the following types of companies asking us for advice on whether they should give a GLB notice: tax preparer, collection agency, apartment rental agency, and real estate appraiser.
What to do about closed or joint accounts
"How do I handle items such as savings accounts for my children?"
"Do my husband and I both have to send in a separate letter to each institution"?
"Do we need to send opt-out letters only to accounts that are currently open, insurance policies that are currently active, or do we also need to send these letters to closed accounts/policies"?
"How can I 'opt-out" [of] all financial and medical institutions as I do not have records of all the institutions that I deal with in the past 20 year. Would [my] 'credit report' give such information, or [is] there another way."
"It seems to me that I may have gotten a notice or two from companies where I closed my accounts. Do these companies continue to use or share my information from closed accounts, and, if so, are they required to send me an opt-out notice"?
Comments from Consumers Who Showed the Highest Level of Understanding about GLB
Time spent to opt-out
"It took me two days to go through all my files and find all the incoming notices . . . and identity those I needed to deal with, and either call or write to opt-out. . . After reading all the notices I am still not sure what it all means. . . In total, I sent out 10 letters . . . and called 5 numbers. I am offering the above as an accounting of an ordinary citizen dealing with this issue . . ."
Cost of opting-out
" I am going to mail the letters which will cost us hard-earned money to do so, not to mention that I have now spent at least 4 hours getting the letter organized, and looking up account numbers and addresses. . ."
"I'm concerned about the sensitive information that is requested on the opt-out forms. What information . . must I submit to opt-out? I don't feel that I should be required to take on additional risk, not to mention the cost, of mailing documents."
Form of notice
" . . .[the notice was] confusing, has no return, is threatening (they say their policy applies, even if you close your account). I was puzzled by it . . ."
" . . . I may have inadvertently thrown [the] notices away, which were bundled in the envelopes with the monthly statements."
"I did attempt to opt out at . . . by calling customer service. They said I had to mail in the form."
"The main webpage on this bank has nothing on opt out, privacy, or the laws by name (although I would not be surprised to find something buried . . ."
"We received an opt-out notice . . . and were instructed to phone if we chose to opt out. We did phone [and] the system was automated and verified we had opted out. . . . Three days later we received a second opt out notice in the mail. When we called . .. to again opt out, the automated system informed us that this would not take effect for FOUR WEEKS!"
"I did compose my own opt-out letter I would like to send to all who request opt-out information from me. I intend to clip it to their forms. I don't know if they will accept it, but I'm very annoyed with their small print and small forms . .. ."
"If any of the . . . businesses/institutions we deal with sent us any kind of notice, they all did an incredible job of disguising them. . . Inserts with, and attachments to, statements, monthly or otherwise, are junk mail which is always thrown away (and totally ignored and never opened)."
"Got a privacy notice from the bank. Very confusing. Keep getting them. Don't know what I'm supposed to do."
"It [notices] should have been more user friendly . . I think we all have been taken advantage of with unreadable letters . . .I feel tricked because I didn't have time in my busy schedule to realize what was happening to us by not responding to each letter we received . . ."
Attempts at follow-up with their financial institution
"When I called my bank . . the person I talked to didn't know what I was talking about, and didn't seem to be able to find anyone who did. She then turned me over to their Mastercard Services who offered me a package (Privacy Guard) for about $50.00 per year. Is this legal/acceptable?"
"I called the general customer services 800 phone number for [my] bank. I was told by the rep that the notice in the mail is the only option for opt out. I persisted and asked to complain to someone. I was transferred around and 'surprised' someone in marketing who did not know they were going to get me. She told me that the 800 number would take my information or she would. When I informed her of the number that I called and what was said, she said she was surprised and then took my info."
A consumer called the PRC and reported having called the customer service department of their bank about the July 1 deadline. The person who answered the phone was "clueless."
"I have accounts with [two insurance companies and an investment company]. I phoned [the investment company and one of the insurance companies] and was told they do not have opt-out procedures because they do not disclose (or sell) information. [The other insurance company] did not reply to either my e-mail or letters."
"[My credit card company] was not helpful on the phone. I called their opt out number and they kept trying to send me to a web site or to another 800 number to explain all this to me. When I informed them that I understood, that I just wanted to opt out, they gave me an address. When I asked for an opt out telephone number I was told I could only do this by sending a letter. . ."
No confidence that opt-out would be honored
"The present rules governing the 'PROTECTION OF YOUR PRIVACY' law is a total farce. If it were to be proven that a financial institution has distributed one's personal information then the consumer has no proof that he has 'opted out' of permission for the financial institution to distribute the information. Most of the privacy notices require a telephone call to 'opt out.' Even a written notice cannot be proved to have been received by the financial institution."
"How do we check to make sure that institutions with which we bank etc. have in fact opted us out"?
Information required to opt out
"I am concerned as I probably have received nothing from 50% [of financial institutions I deal with], and of those [where] I have received something, there is either no opt out form/or if there is one they want you to put your ss # on it and mail it to them. I don't know what your mail situation is in your city, but I certainly do not want my name and ss # floating around for anyone to get their hands on. ."
"I've received an opt out form from . . They say that I must provide my social security number so that they can properly identify me. This sounds like one last great opportunity for them to tie everything together before the door shuts. Instead of opting out, they seem to think I should supply added info to help them gather additional info. I might add, the top of the form has my membership number so they should certainly be able to identify me for this purpose."
"[An insurance company] sent me an opt out notice, but in order to opt out I must give them by social security number. . . I am leery of providing even more personal info to them when my whole attempt is to withhold personal info from the corporate arena."
Comments from Individuals Who Participated in Community Forums
During the course of the year 2001, the PRC participated in numerous community outreach programs in both northern and southern California. Some of the programs were aimed at overall privacy issues while others focused only on GLB and the issue of financial privacy. These programs were conducted primarily in community centers and were largely attended by active retirees. We estimate we reached between 500 and 600 California citizens in this way.
We found that the reaction of consumers we met in person at outreach programs paralleled that of the consumers who contacted the PRC via e-mail, telephone and letters. In the early months of 2001, when the subject of GLB and financial privacy was addressed in community outreach talks, we seldom encountered any member of the audience who had heard of the new law.
As the months progressed and consumers began to receive more notices and to hear or read news reports, the awareness level increased. However, we heard most of the same comments from workshop participants as we received in hotline calls and in the mail. For example, those who remembered seeing the notices but did not opt-out told us they did not understand what they were required to do. They also said they could not read the notice because the print was too small. A small percentage of people reported that they had returned the notices, but were unhappy about the time and cost of opting out.
There is a final (and we believe very important) message we have received from our consumer contacts. That is that the information-sharing practices of financial institutions are largely not understood by the public. This lack of understanding leads to mistrust and ideas that the information-sharing practices may be more prevalent than they are in reality.
Postscript: Comments from Those Who Received an Erroneous E-mail Message
We have not included in this list the comments and questions from the several hundred consumers who contacted the PRC after having received an anonymous, erroneous e-mail message concerning opting out of credit reporting agencies' sale of consumer data. The message confused the deadline for the GLB opt-out provision with the opt-out which the FCRA requires credit reporting agencies to provide for pre-approved credit offers. The following e-mail message spread like wildfire on the Internet.
Just wanted to let everyone know who hasn't already heard, the four major credit bureaus in the US will be allowed, starting July 1, to release your credit info, mailing addresses, phone numbers..... to anyone who requests it. If you would like to 'opt out' of this release of info, you can call 1-888-567-8688. It only takes a couple of minutes to do, and you can take care of anyone else in the household while making only one call, you'll just need to know their social security number. Be sure to listen closely, the first opt out is only for two years, make sure you wait until they prompt you to press '3' on your keypad to opt out for good.
The Federal Trade Commission, Associated Credit Bureau, the California Attorney General, the Privacy Rights Clearinghouse, and others issued press releases and posted information on their respective web sites in order to clarify and correct the erroneous e-mail message.
The fact that this message spread so far and wide is significant for several reasons:
- First, it indicates that consumers are indeed concerned about their financial privacy. We received hundreds of inquiries from panicked consumers who were worried that their personal information was going to be sold by the credit bureaus unless they opted out.
- Second, it shows how confusing and ineffective the GLB notices were. The erroneous e-mail message circulated in the weeks just prior to the July 1 GLB deadline. By that time, the majority of consumers had already received the GLB notices. Obviously, few were aware they had received them. And the few who had read them had difficulty understanding them enough to determine that the anonymous e-mail message was false.
- Third, many of those who contacted us about the erroneous message were worried that the opt-out number was a scam. The voice message system for 888-5optout requires the caller to provide the Social Security number, in addition to name and address. Many individuals called us after they had disclosed their SSN, worrying that they had made a mistake by leaving their personal information on the voice recording system. They thought in hindsight that the opt-out number might have been operated by an identity theft fraudster in order to obtain SSNs to commit credit fraud.
This points out a related concern regarding Social Security numbers. Some of the opt-out forms required customers to provide the SSN in addition to the account number. Because of the threat of identity theft, we question the necessity of providing the SSN on opt-out forms or of requiring it when customers call the opt-out number. Account number should be sufficient.
6. Conclusions and Recommendations for More Effective Consumer Education
A belief in the right of consumers to control how their personal information is used is the core of the PRC's existence. Control of personal information is best achieved through consumers' prior consent to disclose information, that is, an opt-in standard. Not even an aggressive consumer education program can replace the control lost to an opt-out standard.
Having said that, the need for education is always more urgent in situations such as GLB where only the weakest of opt-out requirements is in effect.
Conclusions
After studying the responses and inquiries received by the PRC, we have reached the inescapable conclusion that the existing GLB privacy notice procedure has failed in its fundamental objective: To give consumers notice of the information-sharing practices of financial institutions, and when appropriate, consumers' ability to opt-out of third-party sharing of their customer data. Considering the cost of implementing these requirements, both to government and the industry, and the low level of consumer awareness achieved, we are not able to conclude otherwise. We should all work to do better.
While some efforts were made by government, consumer organizations, and some members of the financial services industry, the most effective efforts at drawing consumers' attention to the significance of the information contained in the privacy notices have come from the news media.
In our opinion, more effective consumer education about GLB would result if the active players in the education process were completely turned around. Instead of the media taking the lead, this role should go to the financial institutions as the entities best positioned to get consumers' attention. Whether customers read the notices or not, they must become aware of having received them. Our experience has shown that even brief references to "privacy" and "opting out," if they are prominently placed, are likely to get consumers' attention. We also believe that government agencies and nonprofit organizations have important education roles. These are all discussed below.
Recommendations for Future Consumer Education Efforts
Industry
- Write the notices at a high school reading level, ideally at an eighth grade level.
- Place the most important message, the opt-out notice, at the top of the notice rather than at the end. Keep marketing messages to a minimum on the privacy notice.
- Make the notices appealing to the eye by taking advantage of bulleted lists, headings and subheadings in bold text, ample margins, and plenty of white space.
- Send the notices in separate mailings, and not inserted into account statements along with advertisements. Place a message on the outside of the envelope that alerts customers to the content, such as, "Important Privacy Notice Inside."
- Offer flexibility in accepting alternative opt-out elections. Ideally, enable customers to opt-out in writing, by telephone, and online.
- Provide easy access to privacy policies. Post notices at branch offices and have copies on the counter. Print the telephone number for the opt-out department on all account statements and other mailings that are sent to customers. In addition, enable customers to opt-out online.
- Provide customers a means to confirm their opt-out selection. (The PRC received several complaints from individuals who asked, "How will I know if they really opted me out?")
- Train all staff on the privacy policy and opt-out methods. All customer service staff should be trained or at minimum have a privacy "script" if training is too costly because of employee turnover.
- Create a consortium of financial services industry associations to develop uniform standards for readability, customer outreach, opt-out mechanisms, and so on. Perhaps develop a seal-of-approval symbol like Truste or BBB Privacy Online.
- Consider developing a single industry-wide web site where consumers can click on the links for each of their financial institutions and be guided to web pages that enable them to opt-out. (The PRC received numerous inquiries of this nature: "Isn't there one web site I can go to in order to opt-out of all my banks and credit card companies.")
Government
- Conduct an aggressive ongoing consumer education program led by one agency, e.g. the Federal Trade Commission, in conjunction with a multi-agency task force. Use multiple media channels to reach consumers with public service announcements (PSAs), press releases, and informational materials. Develop materials in languages other than English.
- Because of the complexity of the message that must reach consumers, design the public education campaign in levels. Focus on expanding consumer awareness of the opt-out option with simple, broadly-disseminated messages. For those consumers who want to learn more, direct them to in-depth information such as printed brochures available from their financial institutions and accessible on web sites.
- Post information on agency web sites about the types of companies that are financial institutions (FTC) and the types of products they offer consumers. (The PRC received numerous inquiries from consumers as well as businesses about whether or not certain businesses needed to comply with GLB.)
- Foster interagency cooperative enforcement efforts. Regulatory agencies and the FTC should share information about possible violations of GLB privacy provisions from audits and customer complaints.
- Work with industry to cut costs of compliance by greatly simplifying notices.
- Hold a fact-finding workshop on the information-sharing practices of financial institutions. (We learned from consumers that there is significant confusion, even mistrust, about the sharing of customer data with third parties. What types of data are shared or sold (rented)? Who obtains it? How is it used by the nonaffiliated third parties who obtain it? Also, find out about affiliate-sharing practices.)
Nonprofits and Community-Based Organizations
Nonprofit consumer advocacy organizations and community-based organizations (CBOs) can play a significant role in educating consumers about the privacy provisions of Gramm-Leach-Bliley for several reasons.
- First, they can shape the message so it is more easily understood by the clients they serve.
- Second, they can deliver the message in many different languages.
- Third, they can deliver the message in modes most acceptable to members of their community. For example, in-person meetings might be more successful in reaching some individuals and groups than media messages.
- Fourth, nonprofits and CBOs often have the trust of the individuals they serve.
But funding for such education and outreach efforts is difficult for such groups to obtain on a reliable, ongoing basis. The PRC was fortunate to receive funding for our financial privacy educational efforts from a one-time grant. Our ability to obtain funding to continue to develop consumer education materials and conduct consumer outreach is not assured. In addition, there need to be many more nonprofit consumer-oriented organizations to spread the word about the GLB privacy provisions.
We recommend that the Federal Trade Commission, the other federal agencies with GLB oversight, and industry groups consider developing a grant fund for nonprofits and CBOs. Its purpose would be to award grants to nonprofits and CBOs to develop educational materials and reach out to consumers with information about the privacy provisions of GLB. A committee comprised of representatives of all the stakeholders could oversee the grant fund.
The state of California has conducted several such grant programs that could serve as a model for financial privacy educational efforts. In fact, the Privacy Rights Clearinghouse was established in 1992 with funding from one such fund, the Telecommunications Education Trust (TET), administered by the California Public Utilities Commission (CPUC) to educate consumers about the changing nature of telecommunications services. A committee of stakeholders (CPUC officials, telephone company representatives, and consumer representation) developed grant criteria and provided oversight of the grant-giving process. They hired a company on contract to handle the logistics of the grant operation - notifying applicants of the grant application process, distributing the requests-for-proposals (RFPs), evaluating the completed applications, requiring and obtaining quarterly and final reports, handling the distribution of grant funds, and so on.
Several hundred California consumer organizations and community-based organizations have received such funding for consumer education projects in the past dozen years. The Telecommunications Education Trust operated from the late 1980s through 1995. In 1996, the CPUC implemented another consumer education fund when Caller ID was first offered in California by the local telephone companies. The PRC also received funding from that grant fund.
The California Consumer Protection Foundation (CCPF) could serve as another model for your consideration. It was established in 1991 to administer and distribute funds from a multi-million-dollar consumer class action lawsuit. Over the years it has administered other trust funds as opportunities arise. From 2000 to the present, it has administered the CPUC's Electric Education Trust to support a grassroots consumer education campaign regarding deregulation. More recently, it has become the administrator for the Community Collaborative Fund which resulted from the merger of GTE California and Bell Atlantic, now doing business as Verizon. This grant fund will operate for 10 years in order to fund consumer education projects that enhance access of underserved communities to telecommunications and information services projects. The CCPF is governed by a five-member Board of Directors to represent diverse consumer interests from across the state.
In closing, the Privacy Rights Clearinghouse thanks the Federal Trade Commission and the other agencies in this Interagency Public Workshop for the opportunity to provide our comments. We realize that we - federal agencies, financial services institutions, and consumer groups -- are only in the first year of this endeavor. We have learned a great deal and are encouraged that you have held this workshop in order to determine ways to improve our collective consumer education and outreach efforts. Please count on us to continue to work with you and industry groups in order to develop effective means to reach out to consumers with information about the privacy provisions of the Gramm-Leach-Bliley Act.