What You Need to Know Right Now to Protect Your Financial Privacy

By Marc Eisenson and Nancy Castleman

Pay attention to them, and the bite will be as small as possible. Ignore them, and your most private financial information will likely be sold by your bank to all sorts of merchants. Imagine all the spam, telemarketing calls, and junk mail that will result. This wound to your privacy could really sting. Ouch!

Each of the notices you receive will give you the right to "opt-out" -- that is, to forbid your bank from selling personal information about you. Unfortunately, as we'll soon explain, this right is not as far-reaching as we would have liked. We think of it as an ounce of protection rather than a pound of cure.

The law that's behind all this is the Financial Services Modernization Act of 1999, aka Gramm-Leach-Bliley, aka GLB. Thanks to it, financial institutions such as banks, stockbrokers, and insurance companies, can "affiliate," an activity that's been prohibited for more than 60 years.

Fearing that these affiliations would result in far too much of our personal information being tossed about, privacy advocates fought hard, and got some modest protections built into the law - which is why you should have been notified by now of your right to opt-out - to prohibit banks from selling info about you to "unaffiliated" third parties. Also, from now on, you'll be notified of a financial institution's privacy policy whenever you establish an account, and then annually.

Unfortunately, the privacy protectors were up against much $tronger force$ -- the lobbying arms of all the major financial institutions in the country! As a result, information about you can be shared by your bank and other financial companies it may own -- or any companies it chooses to "affiliate" with via a merger or a marketing deal. More on this later. For now, let's focus on what you can do today to protect your financial privacy.

"Follow the money," as Deep Throat would advise.

Financial institutions can collect personal information about virtually every aspect of our lives -- health, habits, hobbies, and habitat, to name but a few. Then, unless you opt-out, they can sell it all to others. As the Privacy Rights Clearinghouse puts it, "GLB and federal regulations only keep financial institutions from disclosing your account number or access code to a third-party non-affiliated company to use in telemarketing or direct mail marketing."

Under GLB, by July 1, 2001, you should have received privacy notices from perhaps dozens of financial service providers. Some came via snail mail, some maybe by email. In any case, the notices should have told you about the type of info the financial institution collects, as well as the kinds of businesses that may ultimately buy that information. Chances are, you didn't get many specifics.

Here's how one giant, BankOne/FirstUSA, puts it:

"We may share any of the personal information that we collect about you with companies or other organizations outside of the Bank One family, including:
        *financial service providers, such as mortgage bankers, securities broker-dealers, and insurance agents;
        *non-financial companies, such as retailers, direct marketers, membership clubs and publishers; and
        *other companies and organizations, such as non-profit organizations."

Note the use of the words "any" and "other." Who and what are left out?!

If you were as exposed as your personal financial business, you'd be arrested for indecent exposure!

To protect the privacy that GLB allows you to protect, you must follow the individual opt-out instructions provided in each notice. That means that you need to notice The Notice -- which may look very much like the junk mail and envelope stuffers you've been routinely tossing, unread, for years.

Assuming you do find, save, and read the notices, don't be surprised if you have trouble understanding what the financial institutions are saying! The ones we've seen are confusing at the very least. For help in deciphering and protecting your limited rights under GLB, read "Financial Privacy: How to Read Your "Opt-Out" Notices."

Details. Details.

While European nations typically have opt-in privacy laws, where marketers must ASK permission to sell information about you, under GLB, you must specifically opt-out, not once, but separately for each bank, broker, insurance company, credit card issuer, or "other" financial service provider that sends you a notice.

If you don't opt-out (generally within 30 days) in accordance with each provider's own procedure (toll-free number, online, or by mail), your "personally identifiable financial information" can be sold, rented, or traded with any and all "third-parties."

Have a joint account? If the bank sends separate notices to each of you, you can each decide to opt out, or not. If only one person responds, according to the FDIC "the bank may continue sharing the other person's information."

Be forewarned: Financial institutions can send a single opt-out notice, even if two people (or more) have a joint account. So it's especially important to pay attention to what the bank says about opt-out requests in this situation.

Whoops! Afraid you already tossed your bank's privacy notice in the circular file? You can still opt-out, even if the deadline the lender set is long gone. "But, be aware," advises the FDIC, "that any opt-out request only covers the sharing of information in the future. There is no requirement that a financial institution contact the organizations it has already shared your information with and tell them they cannot use that information any more."

So get on the stick and call them all to find out who you need to call or write ... before your personal info is sold yet again!

In sum, this major bill, which gives lots of rights to big banks, brokers, and insurers, is one tiny step forward (and a giant step back) to protecting our financial privacy rights. It's not much, but our advice is that you opt-out ANYWAY. At least it will send a small message, and contain the privacy damage slightly.

It's up to you

As we mentioned before, even if you opt-out of financial institutions' data sellng ... they'll still be allowed to share personal information with those companies under their corporate umbrella -- "members of our corporate family" -- or with whom they have joint marketing agreements, or with companies that provide services to the companies with whom they have joint marketing agreements.

If, like us and many privacy advocates, you're not happy about this state of affairs, this is a great time to join the fray. For starters, you can learn more about this and related issues. We give our top link picks below.

Then let your financial institutions know that you want them to respect your privacy and not share info about you with others, including their affiliates. Who knows? If there's enough of a ground swell, maybe they'll listen!

More likely in our view is that new laws will be passed to curb at least some of the potential excesses in the attacks on our privacy. For details on the current pieces of privacy legislation that are being considered, you can search for them using key words like "financial privacy" on the Library of Congress's site.

The National Association of Mutual Insurance Companies (NAMIC), a trade association of property and casualty insurance companies is tracking privacy legislation. (Insurers must comply with GLB, so NAMIC members might have different views than ours, but their site's info seems accurate.)

Even if you don't have the time and patience to follow legislative battles, please let your elected officials know what you think about the erosion of our privacy rights in general. This is an issue that cuts across party lines, as well as traditional labels such as liberal and conservative, so something could actually happen in Washington. If you click here it'll be easy to contact all your elected officials. Let 'em hear from someone who isn't a highly paid lobbyist!

Also, please share your interest in strong privacy policies with the editors at your newspaper, at magazines you read, and at Web sites you visit - and with the producers of your favorite TV and radio shows. The more the pro-privacy message gets out, the more privacy we'll get.

Where to go for more information

For the government's take, we recommend:

     Federal Trade Commission (FTC) Privacy Initiatives

     Federal Deposit Insurance Corporation (FDIC):
     "New Rights to Privacy: You Now Hold the Key to How Much Information Financial Institutions Can Share"

Non-Profit Organizations whose work in this field is particularly useful:

     The Privacy Rights Clearinghouse

     Public Interest Research Group (PIRG): "Privacy Alert Page"

     Privacy.org: a joint project of the Electronic Privacy Information Center (EPIC) and Privacy International (PI)

     The Center for Democracy and Technology

     The Electronic Frontier Foundation

For more of our pearls:

     Our booklet, "Stop Junk Mail Forever (Telemarketing and Spam, Too)," version 4, which we've been researching, writing, and publishing for the last decade as our community service project.