Comments gathered by the U.S. Treasury indicate that Americans have plenty of complaints about a recently enacted law that requires customers to opt-out if they want to keep financial institutions from sharing their data.
Top items on the grievance list: opt-out notices hidden in thick junk mailings, confusing legal language and the potential for invasive sales tactics.
A coalition of 37 state attorneys general went so far as to assert that "current law does not adequately protect consumers' privacy."
The public feedback, collected over the past two months, centered on the implementation of the Financial Modernization Act of 1999, otherwise known as the Gramm-Leach-Bliley Act, a controversial law backed by the financial services industry that extended the ability of banks, securities firms and insurance companies to enter each other's businesses.
Among its requests, the Treasury asked respondents to comment on the "potential risks for customer privacy" when financial firms share information. Prior to the act's passage, Depression-era statutes limited interaction between banks, brokerages and insurance firms.
"There's quite a bit of awareness that greater clarity is necessary for the consumer," said Susan Hart, a financial economist at the U.S. Treasury, who said the agency received about 50 responses during a comment collection period that ended May 1.
A portion of those comments are online.
Hart said she hopes financial service firms themselves will respond to concerns raised by several privacy advocates and consumer groups. If not, it will be up to regulators.
Although it would take an act of Congress to make any changes to the Financial Modernization Act itself, Hart said regulatory agencies may publish more detailed guidance on how to comply with the law. One likely area of attention is a provision that requires financial services firms to send out annual notices to customers enabling them to opt out of data-sharing agreements.
Such steps will probably not be sufficient to quell critics, however. Privacy advocates, including the Electronic Privacy Information Center (EPIC), had pressed prior to the bill's passage for an opt-in system that would require companies to get permission from customers before sharing data.
In a 23-page position paper submitted last week, EPIC, the Privacy Rights Clearing House, US PIRG and Consumers Union pointed out the dangers of weakly regulated data sharing among giant financial firms.
"When customer databases from these giant entities are combined, the result is a mega database containing a vast amount of financial, medical and other sensitive information," the paper states.
By combining this data with other information easily obtainable from outside sources, a financial institution could compile a comprehensive profile of each individual customer with a single keystroke, the report said.
Other respondents complained that institutions didn't make the opt-out procedure clear to customers.
"I believe opt-out is a sham that provides no privacy protection," wrote one respondent, Franklin Terry Elder of Juneau, Alaska. "It has resulted in privacy notices that do not command attention, are simply stuffers in statements along with advertising, are hard to understand and follow, and have different and sometimes difficult procedures to actually opt out."
Financial institutions argued that the opt-out system, along with the ability to share or sell a larger amount of data, may actually help customers as well as boost banks' bottom lines.
In one letter to the Treasury, an e-trade executive argued limiting information sharing between financial institutions and affiliates would make it significantly more expensive for the companies to operate and roll out new services.
"Costs would increase since marketing would be less effective, in that campaigns would not reach the right customers," the company wrote.
EPIC was quick to point out examples of data exchanges gone awry, including one case of a bank that sold its database, including credit card numbers, to a convicted felon. The felon, in turn, fraudulently charged the credit cards for access to Internet pornography sites.
For now, privacy advocates are turning their attention to the second annual opt-out notice mailing season. This year, financial institutions have until July 1 to inform customers of their right to remove their name from data-sharing programs.
This time around, attorneys general from 37 states are pushing the federal government to require that notices be couched in simpler language.
Last year, the attorneys general said, an American Bankers Association survey found that 41 percent of people never even recalled getting an opt-out notice.
Many people, it turned out, mistook the forms for mere junk mail.
