1. Why the Financial Privacy Law is Better than People Think Professor Peter P. Swire Ohio State University University of Minnesota Symposium February 9, 2002

2. Overview of the Talk n The Critiques of Gramm-Leach-Bliley n In praise of GLB n Two needed improvements: – Repeal the joint marketing exception – Better notice n Conclusion

3. Background n My experience as banking law and cyberlaw professor n 1999 -- Chief Counselor for Privacy, as GLB was enacted n 2000 -- Regs promulgated & Administration proposed stronger privacy protections n History of this in the paper

4. I. The Critiques n Industry critique – Expensive to comply – Accomplishes little n Privacy advocate critique – Illusion of privacy protection – Accomplishes little n My view: GLB privacy a flawed but significantly positive step

5. II. In Praise of GLB n Look at Fair Information Practices n Notice – Yes for affiliates and third parties – Fin. Institution responsible for stricter promises n Choice/Limit Secondary Use – Limits on transfer of account numbers – Opt out for 3d parties – But, key weaknesses

6. Fair Information Practices (cont.) n Access – Yes, in practice (you see your bank balance) n Security – Yes, in practice – New standards under GLB n Enforcement – Yes, up to $1 million/day and bank examinations

7. In Praise of GLB n Notice, choice, access, security, enforcement n Broad definition of covered financial institutions n State laws can be stricter – An engine for continued change – Possible state tort & contract suits

8. II. Secondary Use, Joint Marketing, and Affiliate Sharing n Fair information principles – Expect primary use of information, such as to process my checks – Dont expect secondary use of information, such as to tell my boss about my checks n GLB adopts formal approach – If crosses corporate boundary, more likely to be secondary use triggering choice

9. Some transfers arent secondary use n Principal/agent is OK – On behalf of the principal – Principal must assure confidentiality – Efficient -- allows principal to choose in-house or independent contractor for printing the checks

10. Joint marketing exception n Weak limit on secondary use – To any financial institution n Definition is broad – Notice to consumers n Notice is vague – Contractual promise of confidentiality n Enforcement not clear n Recipient can use it for any purpose

11. Joint marketing exception n Bait and switch n Promised as solution for small banks – Citi sells insurance & mutual funds through affiliates – Smallville Bank uses outside firms for that – Political demands for parity for Smallville Bank

12. The Bait and Switch n Chase uses joint marketing n 30 of 44 major online banks use it n Target.com as an example of the blending of retail and financial services:

13. Target.com: We may enter into agreements with other institutions to market products or services jointly between us … We may need to give a financial institution partner the following types of information: Identification and contact information (for example, name, address, and telephone number). Account transaction and experience information (for example, balance, purchase, and payment information).

14. Solutions on Joint Marketing n Repeal it. – Clinton Administration supported this. n Create a true small institution exception – We do this for other rules in financial services – Would not apply to large financial institutions who have the large and sensitive databases

15. III. Notices n Industry critique – Over 1 billion notices – Opt outs <5% – Many trees gave their lives for no purpose

16. Privacy Critique n Rep. LaFalce: Most financial institutions have employed dense, misleading statements and confusing, cumbersome procedures to prevent consumers from opting out. n College-level prose n Hard to compare institutions n Hard to opt out

17. Why Notices are Surprisingly Good n They help stop egregious practices – The history of U.S. Bank and the rest – Promises now legally enforceable n The biggest effect -- internal changes – Know your practices requirement – Chief privacy officers – Upgrade IT systems – Employees learn that privacy is part of their job description

18. Better Notices n Plain English notices on top – Proxy cards -- short, simple, action-oriented n Detailed notices about internal policies – Bank examinations to the detailed policies – Institutions are bound by the details – Can supplement disclosure requirements over time n Support for the 2-tiered approach at recent agency hearing

19. Concluding Thoughts n GLB is better at fair information practices than most have realized n Broad coverage n State laws and dynamic for updating n Thwarts egregious practices n Pushes internal procedures for improvement n In short, far more than many have seen