Before the
Federal Trade Commission
Washington, D.C. 20580

In the Matter of
Interagency Proposal to Consider
Alternative Forms of Privacy
Notices Under the Gramm-Leach-Bliley Act
FTC File No. 034815

COMMENTS OF THE
ELECTRONIC PRIVACY INFORMATION CENTER
March 29, 2004

We applaud the Gramm-Leach-Bliley Act (GLBA) Agencies for holding
this rulemaking designed to simplify privacy notices issued under
the Act.[1] In July 2001, EPIC and seventeen other consumer
organizations filed a petition with the GLBA Agencies, urging them
to adopt requirements of clear, concise language for privacy
notices, and to require more effective measures to allow consumers
to opt-out from financial information sharing.[2] Improving notice is
an important first step to meeting the goals of the 2001 petition.
The second step, improving the measures by which individuals can
opt-out, is also important. Thus, we renew our call to require more
effective measures to opt-out from financial information sharing.

In Addition to Clear Notice, Individuals Need Simple, Effective Ways
to Opt-Out

The Gramm-Leach-Bliley Act (GLBA) has placed the burden of
opting-out squarely on the consumer in order to safeguard personal
information. Information is shared with non-affiliates and other
third parties unless, after receiving notice, the consumer takes
action and tenders an objection.

An opt-in standard would place the responsibility on the financial
institutions that ultimately benefit from the disclosure of private
consumer information. An opt-in practice would prevent private
information from being shared with third parties unless consumers
first agreed to the information sharing. Such an opt-in process
would eliminate unknowing or unwanted disclosures of private
individual consumer information.

The combined results of surveys by Star Systems, Inc. (an ATM
company) and E-Loan (an on-line lender) reveal that most consumers:

* would want an opt-in before information is shared with
non-affiliates
* would want the ability to block data sharing even among affiliates
* desire a private right of action against financial entities for
violation of their privacy interests.[3]

Star Systems, Inc. found that 57% of the survey participants were
concerned about financial services corporations sharing data with
their partners or third parties and 62% of the respondents were
concerned that financial institutions were sharing private financial
data with affiliated companies.[4] The survey by E-Loan found that
66% of survey participants favored an opt-in strategy, and 80%
indicated that they were "not at all comfortable" with their
financial institutions selling their private information to other
entities.[5]

In the absence of legislation mandating an opt-in procedure, we can
look to successful opt-out implementations for guidance in improving
privacy. We believe that the recently-created FTC Telemarketing
Do-Not-Call Registry is an example of a user-friendly opt-out
implementation. According to FCC Chairman Michael K. Powell, over
730,000 people added their telephone numbers to the Registry on the
first day it was available to the public.[6] Nearly 50 million
Americans have added their home and cellular telephone numbers to
the Registry as of September 2003.[7] This number comprises about 17%
of all Americans (based on U.S. population statistics as reported by
the Census Bureau) as opposed to the 5% opt-out rate for the
financial services industry concerning limiting the sharing of
private consumer data.[8]

Individuals have opted out because the process is simple. It only
requires a two-step process, and the opt-out extends to virtually
all telemarketers.

Financial services institutions have not implemented opt-out
mechanisms that compare favorably to the Do-Not-Call Registry.
Rather, individuals are confronted by opt-out procedures that differ
at every institution. Furthermore, there is no central place where
one can opt-out of all financial information sharing. Instead,
individuals must opt-out at every institution. Because financial
services institutions have not implemented user-friendly, effective
opt-out mechanisms, we again urge the GLBA agencies to require more
simple procedures for opting out.

Finally, we urge the agencies to consider creating a unified opt-out
system that could combine telemarketing, financial services, FCRA
prescreening, and other opt-out mechanisms that are created in the
future. Opt-out has been deemed by some to be more efficient for
the economy, but the diverse array of procedures for different
opt-out mechanisms is not efficient for the individual. Individuals
would benefit from a single portal from which they could control
enrollment in the telemarketing Do-Not-Call Registry, all
Gramm-Leach-Bliley opt-outs, the FCRA prescreening and new affiliate
sharing opt-out, and even private-sector opt-out mechanisms that
currently are difficult to locate and employ, such as the various
IRSG "choice" mechanisms used by ChoicePoint, Acxiom, and other data
brokers.

Privacy Notices Should Start With A Call to Action

We think it is critical to inform consumers first that they must
take action in order to protect their privacy.

In the Joint Petition, we offered examples of such initial
statements:

"WE ARE ALLOWED TO DISCLOSE YOUR PRIVATE INFORMATION TO OTHER COMPANIES UNLESS YOU TELL US NOT TO."

"YOU HAVE A RIGHT TO PREVENT US FROM DISCLOSING YOUR PRIVATE INFORMATION TO OTHER COMPANIES."

"BUT IF YOU STILL DO NOT RESPOND WITHIN 30 DAYS, WE MAY BEGIN SHARING YOUR INFORMATION. YOU WILL STILL HAVE THE RIGHT TO TELL US TO STOP AT ANY TIME. BUT ONCE WE HAVE SHARED INFORMATION WITH OTHER COMPANIES, WE CANNOT GET IT BACK FROM THEM OR STOP THEM FROM USING IT."[9]

Research has demonstrated that a majority of consumers who receive
notices in the mail from their financial institutions discard the
notices or do not read the notices in their entirety.[10] The case of
Ting v. AT&T is illustrative of this phenomenon. As a response to
detariffing, AT&T developed a new standard customer contract.[11]
AT&T mailed customer service agreements (CSAs) to approximately 18
million of its residential customers by including the agreements in
the same envelopes with their billing statements.[12] There was no
indication on the envelopes that they contained what amounted to new
contracts.[13] There was a high probability that customers would open
the billing envelope.[14] A reasonable person who was a member of this
cohort, however, would not likely expect that a new contract would
be found in the billing envelope, and therefore would have discarded
it.[15] Had AT&T printed a statement on the billing envelope alerting
the customers that a new contract was included, customers would have
been more likely to read the CSA.[16]

AT&T's remaining forty-two million residential long-distance
customers received the customer service agreement by mail in a
separate envelope labeled "ATTENTION: Important Information
concerning your AT&T service enclosed."[17] AT&T conducted its own
quantitative study and concluded that approximately 25% of its
customers were not even likely to open the separate mailing, and an
additional 10% would not even skim the CSA contained in the separate
mailing.[18] AT&T concluded that only about 30% of its customers
would actually read the entire customer service agreement.[19]

AT&T's research showed that reliance on opt-out was sure to result
in consumer inaction. "Assent by non-action" was introduced by
AT&T.[20] Customers were advised that they did not need to take any
further action.[21] The cover letter stated: "Please be assured that
your AT&T service or billing will not change under the AT&T Consumer
Services Agreement; there is nothing that you need to do."[22] Because
the new CSA and detariffing were treated as "non-events," it is
likely that, of the customers who opened either mailing, a large
number did not read the CSA at all or did not read it completely and
with understanding.[23]

The company's market research produced the following
recommendation:

"In the letter it should be made clear that this agreement is being
sent for informational purposes only. The fact that no action is
required on the part of the customer needs to be made. A strong
link establishing that this information is not a "call to action" on
the part of the customer should be clearly stated in the
letter...Customers should understand that the mailing is being sent
to comply with a federal mandate and does not imply any change in
their relationship with AT&T."[24]

Instead of the purposeful approach taken by AT&T to de-emphasize the
fact that the detariffing and the new customer service agreements were
"events," AT&T should have directly informed their customers that
they were entering into a new contract with the company.[25] "From the
perspective of affecting a person's legal rights, the most effective
communication is generally one that is direct and specific. In this
case, that would have been to boldly place on the separate mailing
envelope at least the message that a new contract was enclosed
rather than the generic 'Important Information' notification."[26]

The District Court held that this case involved more than merely a
shift from resolving customer disputes in the court system to an
arbitration process.[27] Moreover, the court found that AT&T was
literally "re-writing the legal landscape on which its customers
must contend."[28] This writing was indirect, unspecific, and
evasive, by treating a new contract as a "non-event" and minimizing
the need to take action on the part of the consumer. In ordering a
permanent injunction, the court characterized AT&T's actions as
follows:

"Aware that the vast majority of service related disputes would be
resolved informally, AT&T sought to shield itself from liability in
the remaining disputes by imposing Legal Remedies Provisions that
eliminate class actions, sharply curtail damages in cases of
misrepresentation, fraud, and other intentional torts, cloak the
arbitration process with secrecy and place significant financial
hurdles in the path of a potential litigant. It is not just that
AT&T wants to litigate in the forum of its choice - arbitration; it
is that AT&T wants to make it very difficult for anyone to
effectively vindicate her rights, even in that forum. That is
illegal, unconscionable and must be enjoined."[29]

The experience in Ting v. AT&T strongly suggests that consumer
notices would be more effective if they started with a call to
action. Without calling the consumer's attention to the need to
take action, many consumers will simply throw away short notices.

The Opt-Out Instructions Should Be Free of Multiple Negatives, and
Should Clearly Explain How to Take Action

The manner in which privacy options are presented to the consumer is
crucial to the rate of response. Bellman, Johnson, and Lohse
conducted a systematic study exploring the influence of question
framing and default answers on consumer action.[30] Participants were
members of the Wharton Virtual Test Market, which is an online
cohort of 30,000 Internet users representative of the Internet-user
population in the United States.[31]

Bellman, Johnson, and Lohse found that the way a question was asked
had a strong influence on results. "[Their] experiments show the
format of privacy questions can influence a consumer's apparent
agreement with privacy policies. Opting-in does not equal
opting-out, and answers are influenced by the default option."[32]

Their research demonstrated that an online organization can use a
combination of question framing and default answers to nearly ensure
that visitors to the site will consent to whatever it is that the
organization is asking of consumers, such as sharing private
information.[33] Marketers can take advantage of consumers who are
inattentive by pre-selecting a default radio button with the "yes"
answer that they desire from consumers.[34] Consumers may also view
the default answer as the more popular or correct answer.[35]

If an organization's goals are to truly separate interested from
uninterested consumers, Bellman, Johnson, and Lohse recommend using
radio buttons with no defaults on web pages.[36] Otherwise, a large
number of default answers will merely be misleading and not of much
value to corporations.

We can extend this research to the offline world to recommend that
privacy notices clearly and simply present opt-out choices. Sample
language might read:

CHECK HERE TO OPT-OUT OF INFORMATION SHARING [ ]

Puffing Should be Prohibited; Characterizations of Trust or Quality
in the Privacy Notice Should be Legally-Binding

Privacy notices are inappropriate for puffing or saccharine
depictions of corporate "families," "trusted" third parties, etc.
Privacy notices define the legal relationships between individuals
and corporations. Therefore, representations in the notice should
be legally-binding. A characterization of an information-sharing
partner as "trusted" should carry with it legal burdens. It should
be a representation that the financial service company has evaluated
the information sharing partner, and takes responsibility for its
use of personal information.

Similarly, financial services institutions should not be able to
claim that they are "committed to privacy" and engage in highly
privacy-invasive practices, such as pre-acquired account number
telemarketing. Representations in the privacy notice are taken
seriously, and therefore should be drafted seriously. Claims that a
company is "committed" to privacy, or claims that privacy is a
"priority" are material representations to consumers. Actual
practices should match these representations.

Clear Examples of Information Sharing Would Improve Notices

Financial services corporations should provide clear explanations to
the consumer of how their private information will be utilized by
the corporation. For instance, the representation "we share
personal information with trusted third-parties to provide better
services to you" is meaningless and perhaps untrue.[37] Individuals
would benefit more from representations such as: "We sell your
personal information to marketers for telemarketing, direct mail,
and e-mail solicitations."

The Short Notice Should Be Fully Consistent With the Long Notice

The GLBA requires financial institutions to "provide a clear and
conspicuous disclosure" of their privacy policies to the consumer.[38]
To that end, short privacy notices should be written in plain
language and be consistent with the long notice.

The Agencies Should Consider a Checkbox Format that Allows
Comparison and Scoring Across Financial Institutions

A standardized checkbox format for explanation of the privacy
practices would allow individuals to easily compare privacy policies
at different institutions. Furthermore, values could be assigned to
the checkboxes, thereby allowing a score to be derived from the
institution's practices.


[1] Interagency Proposal to Consider Alternative Forms of Privacy
Notices Under the Gramm-Leach-Bliley Act, 68 Fed. Reg. 75164 (Dec.
30, 2003) [hereinafter Joint Proposal].
[2] GLBA Petition for Rulemaking, Jul. 26, 2001, available at
http://www.epic.org/privacy/consumer/glbpetition.pdf
[3] Paul Schwartz & Ted Janger, The Gramm-Leach-Bliley Act,
Information Privacy, and the Limits of Default Rules, 86 Minn. L.
Rev. 1219, 1237-8 (2002), at
http://www.paulschwartz.net/minn-final.pdf.
[4] Id. at n.83 (citing "Not-So-Private Banking," Privacy Times,
January 7, 2002, at 3-4).
[5] Id. at n.83 (citing "Poll: Californians Want Speier Bill," 22
Privacy Times, February 27, 2002, at 6-7).
[6] "Do Not Call Registry Faces Tougher Challenge: Second Judge Blocks
List, Citing Free Speech Concerns," available at
http://www.cnn.com/2003/ALLPOLITICS/09/25/congress.no.call/.
[7] Id.
[8] Lee, W.A., "Opt-Out Notices Give No One a Thrill," American
Banker, July 10, 2001.
[9] Joint Petition at 11.
[10] See generally Ting v. AT&T, 182 F. Supp. 2d 902 (2002).
[11] Ting at 910.
[12] Id. at 912.
[13] Id.
[14] Id.
[15] Id.
[16] Id.
[17] Id. at 912.
[18] Id.
[19] Id.
[20] Id. at 913.
[21] Id.
[22] Id.
[23] Id.
[24] Id. at 911.
[25] Id.
[26] Id.
[27] Id. at 938.
[28] Id.
[29] Id. at 938-939.
[30] Bellman, S.J., Johnson, E.J., and Lohse, G.L., "To Opt-In or
Opt-Out? It Depends on the Question," Communications of the ACM,
February 2001, Vol. 44, No. 2 at 25.
[31] Id.
[32] Id. at 26.
[33] Id.
[34] Id.
[35] Id.
[36] Id. at 27.
[37] See Comments of the Electronic Privacy Information Center to the
Federal Trade Commission Workshop on Information Flows, FTC File No.
P034102, Jun. 18, 2003, available at
http://www.epic.org/privacy/profiling/infoflows.html.
[38] 15 USC § 6803(a) (2003).


Last Updated: March 29, 2004
Page URL: http://www.epic.org/privacy/glba/shortnotice.html