THE JOURNAL OF EDUCATION, COMMUNITY, AND VALUES
by Glee Cady <email@example.com>
It’s that time of year again, when here in the United States our statements for our credit accounts begin to weigh more because our lending agencies are informing us of their policies around the acquisition, use and maintenance of data about us.
Do you read the notices? Probably not. And even fewer of us actually exercise our choice.
I certainly don’t read all of them and I even work in financial services and I know how important they can be. Of course, I read carefully the ones my institution sends. And I read the notices of some others because I want to see how other companies address the requirement to inform their customers.
I don’t think many of us pay any attention to the notices. They’re just another piece of paper in a package that offers me the opportunity to buy a clock radio from my gasoline credit provider or to get more mileage credit on one of my airline frequent flyer programs by changing telephone providers. Isn’t that a shame? We are supposed to be knowledgeable, intelligent, and thoughtful consumers of credit, and we don’t even read the annual notices. Why ever not?
Some notices are designed not to catch your attention. Sometimes the company who is sending it hopes the notice will disappear into the myriad pieces of paper you receive. Then, if you don’t read it and understand it, you may not exercise your privacy rights. Other times the sheer ugliness of the notice is to save money on printing or because the creators of the notice were the folks in Legal who are employed to protect the company, not to sell the product. (Or because a law requires that it be in a particular form -- more about that a bit later.)
Some notices are better than others. By that I mean that they tell us things about the company’s practice in a way that we can understand. Frequently that’s because the (horrors!) marketing folks have gotten involved in the process. (Disclaimer: I have been a marketer. I am sympathetic to their desire to make things attractive.) Those folks usually want to design the piece so that you can comprehend the information. They use color and format, font and illustrations to convey organization and to highlight specific content. These types of notices have a higher likelihood of being read and understood.
What problem were we trying to solve?
I still think the idea of notices is a good one. When we first began discussing notices, our idea (as providers of credit, or goods, or services) was that if notice was given of privacy practices and we, as consumers of credit, goods, or service, didn’t like the practice, then we could choose an alternate provider, use the alternatives the provider offered (even if it meant reduced service to us), or choose another product.
In the notice, a company would describe what information is collected and what is done with it. How and when your information is gathered and what your choices might be depend on where you live.
The regions of the world have very diverse, deeply imbedded cultural differences in determining problems and then in developing the laws that may address them. For instance, we Americans believe in addressing problems as they develop. In Europe, a much more “top-down” culture, they believe in regulating against future harm.
Here in the US, we use what is called the “sectoral” approach to privacy law and regulation. In the financial world, we have the Financial Services Modernization Act of 1996 (Gramm Leach Bliley, or GLB) which addresses how information may travel among financial companies. One important result of GLB was to extend the definition of a financial institution to include more kinds of companies than before. Previously, a financial company was a bank or some similar institution. The new definition includes entities that are “closely related to banking.” According to the US Federal Trade Commission:
“Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities”. (see: http://www.ftc.gov/privacy/glbact/)
GLB requires financial services entities to notify consumers of their policies for collecting and sharing ‘non-public’ personal information. Non-public personal information covers
So, telephone directory data, for example, is not covered.
As part of a privacy notice, consumers must be offered the opportunity to refuse to have their information shared with non-affiliated third parties for marketing purposes. The notification must be given when you open a new account and annually thereafter. This means your credit card company can’t share your name and address with an insurance company so they can offer you a great deal on a new insurance policy, doesn’t it? Well, not precisely. If your credit card company is affiliated (for example, owned by the same holding company that owns the insurance company, or has signed an allowed joint marketing agreement with the insurance company), then the information may be shared. GLB’s opt-out provision only addresses non-affiliated organizations.
Recently more attention is being paid to the increasing problem of identity theft (where a fraudster uses your financial credentials to obtain credit without your knowledge or consent) and identity creation (where a fraudster creates a new identity, usually by cobbling together disparate financial information from others in order to obtain credit).
Because of the huge losses to both consumers and companies stemming from these thefts, legislators have been working to refine definitions of what information should be protected. In particular the passage of California’s SB 1386, a law dealing with notification when there has been a breach of information security when unauthorized people may have obtained information about California consumers, enhanced the description of "personal information" to mean
“individual's first name or first initial and last name in combination with (emphasis mine) any one or more of the following data elements, when either the name or the data elements are not encrypted:
In addition, California’s SB 1 (http://www.leginfo.ca.gov/cgi-bin/displaycode?section=fin&group=04001-05000&file=4050-4060) asserted that the provisions of GLB (Gramm Leach Bliley) were not adequate to protect California consumers, so additional requirements were put on companies. Included in the additional provisions of SB 1 was a standard form of the notice. Companies could choose to use this notice or, if they did not, must file a copy of their notice with the Office of Privacy Protection. (SB 1 has many more implications for companies doing business with California consumers, but in this column I am only discussing privacy notices.) Many companies, not wishing to call attention to their existence by filing a copy of their notice, chose to use the standard notice, accounting for additional variation in the types of notices that may be given.
Online v. Offline
The notices I’ve been talking about so far are the printed ones. Other laws, rules, and good practice address the online world.
“In June of 1995, the Privacy Working Group of the United States government Information Infrastructure Task Force (IITF) issued a report entitled, PRIVACY AND THE NATIONAL INFORMATION INFRASTRUCTURE: Principles for Providing and Using Personal Information. The report recommends a set of principles (the "Privacy Principles") to govern the collection, processing, storage, and re-use of personal data in the information age.
“These Privacy Principles … rest on the fundamental precepts of awareness and choice:
- Data-gatherers should inform consumers what information they are collecting, and how they intend to use such data; and
- Data-gatherers should provide consumers with a meaningful way to limit use and re-use of personal information.
“Disclosure by data-gatherers is designed to stimulate market resolution of privacy concerns by empowering individuals to obtain relevant knowledge about why information is being collected, what the information will be used for, what steps will be taken to protect that information, the consequences of providing or withholding information, and any rights of redress that they may have. Such disclosure will enable consumers to make better judgments about the levels of privacy available and their willingness to participate.”
(Excerpt from “A Framework for Electronic Commerce” Released at the White House, 1 July 1997)
Clearly, there are well-written, exemplary online privacy notices that inform the visitor what will be done with any information gathered during a visit. I like the ones at http://www.bizrate.com/content/privacy.html and http://www.wellsfargo.com/privacy_security/index.jhtml. Obviously, there are those notices that are intended to obscure. And there are those that are intended to be clear, but are obscure anyway.
What Problem Might We Solve Now?
I think we’d all agree that our varying attempts at notices have not been completely successful. And you and I are not the only ones who’ve noticed that we haven’t quite gotten it right yet. The attorneys representing our companies have two jobs:
These goals don’t make for “user-friendly” notices. Consumer advocates, legislators, and we ourselves would like simple statements that we can understand. What to do?
One idea is something called the multi-layered, condensed, or highlight notice. This type of notice would be short but sweet, organized so you can easily look for the part of the notice in which you are particularly interested but linked or accompanied by the “full notice” which would meet the legal community’s needs. Marty Abrams of the Center for Information Policy Leadership of Hunton and Williams (http://www.hunton.com/Resources/Sites/general.aspx?id=45) has been working with the Center’s members to develop notices based on the idea that one notice cannot easily serve to communicate to consumers and to describe legal accountability. The idea is being discussed among the people involved in Data Protection Authorities in Europe and in the Asia Pacific.
And some of the Center’s members are trying out a first level notice in their online notices. In the financial area, Chase uses a highlight notice that I really like. See http://www.chase.com/cm/cs?pagename=Chase/Href&urlname=chase/cc/privacysecurity/policy. In the consumer products arena, Procter and Gamble provides another one at http://www.pg.com/privnotice/privacyhighlights.html. If you are one of their customers, your response will encourage them to keep it up.
I think we are on the right track here – now we just need to share the idea with enough people to make sure we won’t be making things more difficult, not less. And, of course, we can stay on the right track if we all hunt through the glossy adverts that come in our bills, read the notices (both online and paper), and exercise our privacy preferences.