updated 28 May 03


1) LATEST NEWS: Highlights Get our hottest new fact sheet: FCRA under fire-- No "Reauthorization" needed, but that's not what industry lobbyists are saying. May 03 CALPIRG survey of police officer views on identity theft. PIRG's latest (19 Sept 02) testimony before Congress on privacy. Opt-Out under GLB, PIRG testifies on financial privacy, along with privacy supporters Phyllis Schafly of Eagle Forum, ND State Rep. Jim Kasper, state Attorneys General Hatch (MN) and Sorrell (VT). New CALPIRG Report on financial privacy (Aug 2002), Optout scams continue, FTC rules in favor of privacy coalition in Microsoft XP complaint, US courts uphold Gramm-Leach Bliley and FCRA. North Dakota citizens reinstate strong financial privacy law in ballot victory over powerful financial interests in June.

3) FINANCIAL PRIVACY RIP-OFFS MN Attorney General settles with Fleet (June 2002) settles with telemarketer Memberworks (4/00)

1) LATEST NEWS MAY 03: Get PIRG's latest fact sheet on Financial Privacy and Fair Credit Reporting: Federal Fair Credit Reporting Act is under fire: Industry lobbyists are preparing a major 2003 assault on the federal law that guarantees accuracy and privacy of credit reports. In 1996, in a major Congressional compromise, the law was strengthened in some ways, but a large part of the law was subjected to new and onerous federal preemption (no state can enact stronger laws). Our champions reluctantly agreed, only because the preemption expires on 1 January 2004 and they desired to enact the strengthening amendments. PIRG's position: Let the preemption expire so states can pass effective privacy protection laws. But a phalanx of industry lobbyists representing the credit bureaus, the banks, the credit card companies, and finance companies are already lobbying Congress to extend and expand the preemption. Here's PIRG's latest (November 2002) legislative fact sheet on financial privacy and FCRA.

CALPIRG REPORT: 1 May 03 Policing Privacy: Law Enforcement's Response To Identity Theft
-- Police identity theft and financial fraud experts agree with PIRG: banks and department stores are sloppy. Cleaning up their practices will help fight identity theft.

SURVEY'S KEY FINDING: Law enforcement officers feel new policies are necessary to help deter identity theft:

• More than 85 percent of officers responding felt that credit lenders should meet stricter requirements to ensure that credit is not extended to identity thieves. 1 May 03

SENATE BANKING COMMITTEE HEARING ON GLB AND FINANCIAL PRIVACY (19 SEPT 02) See or read PIRG's testimony to the full Senate Banking Committee in favor of strong financial privacy laws. A video of the hearing (RealAudio required) is available at the Senate Banking Committee -- witness order -- VT AG Sorrell, industry witnesses Cate and Dugan, MN AG Hatch, ND State Representative Jim Kasper, Eagle Forum President Phyllis Schlafly, U.S. PIRG's Ed Mierzwinski, on behalf of 10 leading consumer and privacy groups. We have PIRG's testimony up in pdf with footnotes. Privacy Rights Clearinghouse has PIRG's coalition testimony up in html, with footnotes. The committee has the full hearing, also including coalition partners Jim Kasper (R-ND-state legislature) and Phyllis Schlafly and AGs Mike Hatch (MN) and William Sorrell (VT) up. Chairman Paul Sarbanes (D-MD) is author of the key "states' right fail safe" amendment to Gramm-Leach-Bliley allowing states to enact stronger financial privacy laws. Privacy champion Richard Shelby (R-AL) also on committee.

CALPIRG study documents 2002 financial privacy notices worse that 2001 notices. See press release. CALPIRG and Consumers Union are supporting SB 773 (State Senator Jackie Speier, to strengthen GLB. Current version of proposal would require an opt-in for most third-party sharing and an optout for all affiliate and other third party (joint marketing partners) sharing.

North Dakota citizens, on 11 June 02, won a ballot question defeating an anti-privacy law passed by the banks in the 2001 session. The bank-passed legislative law overturned an existing strong opt-in financial privacy law. The ballot victory (63-37) reversed the bank-passed law and reinstated the old law. Citizens organized into a grassroots coalition Protect Our Privacy to defeat bank propagandists handily. Incredibly, banks falsely alleged that overturning their industry-favorable weak new law would prevent consumers from being able to use credit cards or ATM machines. Here is a link to a ND Attorney General opinion rejecting that deception. Banks also ran TV ads depicting a "Wall around North Dakota" if they retained their strong law. The wall would allegedly block firms from offering good deals to ND citizens. Congratulations, North Dakota!

2) Here's a link to PIRG's most detailed fact sheet on the 1999 Gramm-Leach-Bliley Act. The bill allowed states to enact stronger financial privacy laws, because its privacy protection was so weak. GLB allowed banks to merge with insurance companies and stock brokerages, creating one-stop financial supermarkets. Recognizing the privacy problem, Congress included Title V, which established a loophole-ridden notice and optout provision. As long as covered institutions annually disclosed (starting no later than July 2001) information sharing policies, they could share confidential non-public personal information with affiliated companies, non-affiliated third parties with which they had joint marketing arrangements, and other third parties. The notices had to give consumers the limited right to opt-out (say no to) the sharing with "other" third parties only. Even if a consumer said no, sharing with affiliates and joint marketing partners could continue. The law included the Sarbanes (D-MD) amendment, allowing states to attempt to enact stronger privacy laws.

On 16 July 2002, the DC Circuit of the US Court of Appeals, upheld an April 2001 US Court DC District ruling in Trans Union LLC v. Federal Trade Commission, Civil Action No. 00-2087 (now known as Trans Union II, consolidating Trans Union vs. FTC and IRSG vs. FTC) that the privacy rules issued under GLB are constitutional. These are very important privacy law decisions generally as well as important to upholding the GLB rules. In July and August 2000, two credit bureaus as well as the association including credit bureaus and other data dealers known as the Individual References Services Group had sued to overturn the FTC's powerful new pro-privacy rule giving consumers the right to protect their Social Security Numbers if they opt-out with their financial institution.

The Trans Union/IRSG faction sued to overturn FTC's final privacy regulation under Gramm-Leach-Bliley . Most critically to these data dealers, the rule (see pages 79-82)  narrows the so-called "credit header" loophole which allows credit bureaus to sell confidential information derived from credit reports outside the restrictions of that law. Credit bureaus and other IRSG members sell credit headers including your name, address, social security number and other information to Internet information brokers, private detectives, debt collectors and others. The sale of credit headers is a violation of Fair Information Practices, which require that consumers be given control over the use of their personal information. Also, credit headers have been linked to identity theft and stalking. It is easy for stalkers (see Amy Boyer information below) or identity thieves to find an information broker to  Unfortunately, as the Amy Boyer case points out, the firms' procedures are so lax that identity thieves and stalkers posing as private detectives can easily obtain social security numbers.  An April 2000 CALPIRG report, Nowhere To Turn, and September 2000 Congressional testimony by CALPIRG  on identity theft and May 2000 testimony by USPIRG on Social Security Number privacy discuss the problem in greater detail. Under the final FTC rule, banks will not be allowed to provide credit headers to credit bureaus unless consumers are given the right to opt-out of having their confidential information shared or sold with third parties. In addition, in a recent order against the credit bureau Trans Union for illegally selling credit reports for target marketing,  the FTC also held that credit headers cannot include dates of birth, since age is a credit-related criterion in credit scoring. In April 2001, the US Court of Appeals for the DC Circuit upheld the Trans Union order, and on 10 June 02, the US Supreme Court denied Trans Union's cert. petition to have the case reviewed. Justice Kennedy did file a relatively rare dissent to the usual summary dismissal orders ( no opinions generally are filed) joined by Justice O'Connor. The upshot of the denial by the Supreme Court is that Trans Union, which had for ten years pursued a crass litigation strategy that allowed it to continue the lucrative sale of confidential credit reporting information for illegal marketing purposes in defiance of the FTC's original 1993 order, must finally stop selling credit reports outside of the FCRA.

QWEST: January 02 QWEST FINALLY AGREES!! Who you call is your own business, not Qwest's! What about Ameritech and Verizon? On 28 January, Qwest capitulated after a barrage of consumer complaints and postponed its controversial plan to share customer records without consent. See PIRG Release. Consumers opening their phone bills in 14 western states had complained loudly and widely after finding an unintelligible notice that their local phone company Qwest (formerly US West) had claimed the right to share intrinsic details of their personal calling records with marketing partners unless the consumer says no, or opts-out. PIRG has long opposed the Qwest plan, and, with other groups, is urging the FCC to replace it with an opt-in. Unfortunately the company is currently taking advantage of a US appeals court decision (US West vs. FCC) overturning previous FCC rules that had required Qwest to first get your informed consent first (opt-in). What you can do: (1) Send email fccinfo@fcc.gov to the FCC urging them to reinstate the opt-in requirement. (It has the legal authority to do this, while still complying with the court.) The FCC wants your comments. Qwest has only postponed its plan until the FCC finishes its rulemaking. (2) If you are an Ameritech or Verizon customer, look at your phone bill. You should opt-out with your phone company. You should also urge them to follow Qwest's lead and postpone or cancel their own plans to share your information. For more information, see EPIC's website on telephone company information sharing. (30 Jan 02)

Fix the Privacy Notices: On 26 July 2001 PIRG joined other consumer and privacy groups in a petition drafted by Public Citizen Litigation Group urging the 6 federal financial regulatory agencies to use existing authority to order banks and other firms to make opt-out privacy notices intelligible. PIRG's position remains that fixing the weak opt-out is a stopgap measure, until new legislation requiring a meaningful opt-in regime is adopted. Privacyrightsnow! On 21 June 2001, a PIRG-backed coalition announced a new website to help consumers say no to banks selling their confidential information. By 1 July, all banks, insurance, stock and other financial firms must provide notices of the information sharing policies, but the notices are purposely deceptive "gibberish." The coalition includes EPIC, CFA, Public Citizen, Privacy Rights Clearinghouse, and the consumer advocates Remar Sutton and Ralph Nader. See the June press conference live in RealAudio videostream at the coalition site.

PIRG continues (in Aug 2002) to receive complaints about the email floating around the Internet regarding 1-888-5-OPTOUT: We are disappointing that the FTC, which promised a year ago to look into the 1-888-opt-out issue, has done nothing. The e-mail? No, it is not a scam, but it is confusing. 1-888-5-OPT-OUT ((888) 567-8688) is a legitimate toll-free number that connects you with a service run jointly by 4 national credit bureaus (although they don't clearly say so when you call) that have a legal right to sell your name for credit card (and insurance) solicitations --unless you call this number and say no. (You know, "You have been pre-approved for this credit card.") The credit bureaus were ordered by Congress to create this shared one-call opt-out system in 1996. Nothing in the law requires credit bureaus to collect SSNs, and we've asked the FTC to stop that. Check our web page and find out more about the other financial firms opt-out that actually did take effect on July 1st -- it explains the credit bureau opt-out, too! Find out more about the weird emails from our colleagues at Privacy Rights Clearinghouse.

Microsoft XP/Passport Found Unfair and Deceptive. FTC issues settlement order upholding EPIC/PIRG et al complaint. (08 Aug 02). U.S. PIRG on 26 July 01 joined the Electronic Privacy Information Center (EPIC) and 10 other groups in filing a Section 5 complaint to the Federal Trade Commission alleging that the product is marketed in an unfair and deceptive manner that invades privacy. Link to complaint on EPIC site. On 15 August 01, with new information, the groups filed an amended complaint (EPIC site).

Supreme Court restricts ID theft victims rights to sue. (Link to decision in TRW vs. Andrews, decided unfavorably by the Court 13 Nov 2001) Fair Credit Reporting Act had allowed victims to sue within two years of discovery of identity theft or error. TRW victory now limits consumer redress to within two years of the date of the error by the credit bureau, even though the Federal Trade Commission has recently documented (in a report and charts) that at least 20% of victims do not even discover the identity theft for two years. See PIRG's latest identity theft report Nowhere To Turn, April 2000. On positive side, numerous bills have been introduced in Congress to overturn decision. The Senate Judiciary Committee has approved S. 1742 (Cantwell (D-WA), which extends the statute of limitations, but only for id theft victims, not victims of mistakes, to 5 years. Brief Amici Curiae (Friend of the Court) of US PIRG, National Association Of Consumer Advocates, National Consumer Law Center, Privacy Rights Clearinghouse, AARP and Consumer Federation Of America in support of identity theft victim Adelaide Andrews. TRW won even though the Federal Trade Commission has recently documented (in a report and charts) that at least 20% of victims do not even discover the identity theft for two years. Posted 1 June 01

Groups urge 6-step online privacy plan: Letter of 30 May 01 from PIRG, EPIC and other groups urging new FTC chair Timothy Muris, confirmed by the Senate on 25 May, to take six key steps to protect privacy.


  • Amy Boyer Law Is Trojan Horse PIRG Fact Sheet (pdf). President threatens veto over anti-privacy Amy Boyer Social Security Number provision (link to White House press release).
  • Essay by USPIRG (1998) analyzing why sale of Social Security Numbers by IRSG (the supporters of flawed Amy Boyer Law) violates privacy rights. 17 Oct 00 Letter from 12 groups opposing flawed Amy Boyer Law (Sen. Gregg) on Social Security Number privacy.  Bill would preempt strong state laws without protecting Social Security Numbers or tragically -- without protecting the next Amy Boyer from the next Internet stalker -- bill is moving. Original letter from 10 groups opposing proposal (11 Oct 00)

    1/01 Coalition urges that President, Congress endorse privacy legislation based on Fair Information Practices: Link to full release on EPIC website. EXCERPT "We therefore recommend the adoption of a comprehensive framework for privacy protection to safeguard the rights of Americans in the years ahead. The framework includes:

    4 Dec 00: PIRG FILES COMMENTS ON FCRA "OPT-OUT FOR SO-CALLED 'OTHER' INFORMATION:" While the financial privacy regs under the new Gramm-Leach-Bliley law do NOT give consumers the right to control information-sharing among affiliates related to their experience and transactions with the bank, a previous 1996 amendment to the Fair Credit Reporting Act (FCRA) granted consumers the right to opt-out of sharing of "other" information among affiliates that is obtained from credit reports, consumer applications, references, etc. The bank agencies recently proposed a rule on the matter and PIRG argues that other information is defined too narrowly..

    PRIVACY REGS DELAYED: A broad-based coalition of groups including US PIRG, the ACLU, the Free Congress Foundation, the Eagle Forum, and Consumers Union sent a letter to banking regulators condemning a delay in new financial privacy rules required by the Gramm Leach Bliley Act. On 12 Nov 99, the President signed S. 900, the Gramm-Leach-Bliley Financial Services Modernization Act.  S. 900, as passed into law, legalizes Orwellian privacy intrusions of our daily financial lives, with virtually no consumer protections.  The weak privacy provisions  in Title V of the bill only require disclosure and provide for an optout only for some third party sharing and selling of your confidential information. Incredibly, despite the inadequacy of the new law's privacy provisions, in May, when the banking regulators and the Federal Trade Commission issued final rules to implement the law, they used broad regulatory authority to delay the law's effective date from November 2000 to July 2001.

    PRESIDENT PROPOSES OPT-IN/OPT-OUT APPROACH: In a commencement speech at Eastern Michigan University in May 2000,  the President proposed his new financial privacy bill. Although his proposal is not as strong as the Markey-Shelby package,  it recognizes that the most important information (all medical records and sensitive financial records held by a financial holding company) should be subject to opt-in consent and other information should be subject to opt-out choice. The President's bills close the Gramm-Leach-Bliley loophole that limits opt-out rights to unaffiliated third parties, and subject all transactions, either with internal affiliates or ANY third party, to either opt-in or opt-out protection. In May, Representatives John LaFalce (D-NY) and Ed Markey (D-MA) and 24 others introduced HR 4380, implementing the President's proposal. In the Senate, Senators Pat Leahy (D-VT), Paul Sarbanes (D-MD) and 7 others introduced the bill, S 2513.


    In 1999, following revelations about financial privacy invasions by banks, their telemarketers, and their affiliated stockbrokers, privacy advocates led an unsuccessful fight on the House floor to add strong opt-in privacy protection to sweeping new legislation creating powerful, one-stop financial supermarkets. On 12 Nov 99, the President signed S. 900, the Gramm-Leach-Bliley Financial Services Modernization Act. The new bill, S. 900, as passed into law, unfortunately legalizes Orwellian privacy intrusions of our daily financial lives, with virtually no consumer protections. The anti-privacy, anti-consumer exceptions are unacceptable.

    Here's a link to PIRG's most detailed fact sheet on Gramm-Leach-Bliley.

    A broad coalition of organizations had supported bi-partisan efforts to strengthen that bill. The coalition includes consumer groups such as US PIRG, Consumer Federation of America and Consumers Union, civil liberties groups such as the ACLU, privacy groups such as the Electronic Privacy Information Center, and family organizations such as the Free Congress Foundation and Eagle Forum. The coalition continues to work with Senators Richard Shelby (R-AL) and Richard Bryan and Representatives Ed Markey (DMA) and Joe Barton (R-TX) and others to pass real privacy protection bills.

    For more information on financial privacy, see Rep. Markey's Financial Privacy and Senator Shelby's financial privacy pages. Also see syndicated Post-Newsweek financial columnist Jane Bryant Quinn's column on the need for stronger laws: http://www.washingtonpost.com/wp-srv/business/longterm/quinn/columns/072299.htm


    In June 2002, the Minnesota Attorney General settled with Fleet. More information to follow.

    In December 2000, Minnesota Attorney General Mike Hatch sued Fleet Mortgage, affiliated with the big bank holding company, FleetBoston:  "The suit accuses the company of sharing customers' home mortgage account numbers and other personal information with telemarketers. The suit also alleges that Fleet actively participated with these companies in a deceptive telemarketing program aimed at Fleet's mortgage customers." Link to MN Fleet Mortgage press release, Link to  MN Fleet Mortgage complaint.

    In June 1999, Minnesota had sued US Bank for allegedly selling customer information (social security numbers, credit card and checking account numbers, as well as detailed account-related information, including how and where you use your credit card, ho much money was in each of your accounts, etc) to a telemarketer, which made deceptive calls to customers and stuck them with the bill for junky products they did not want; the bank pocketed a cool $4 million plus a 22% commission. Links to:
    MN US Bank complaint
    MN US bank settlement and judgment news release
    MN US Bank judgment

    In the settlement reached with US Bank, the company agreed to tougher rules than what Congress did. The bank agreed to give consumers an opt-out from all inside-the-bank sharing and outside-the-bank sharing or selling of information. Congress merely gave consumers disclosure for inside sharing and most outside selling and sharing, and a loophole-ridden opt-out for some outside sharing and selling.

    MINNESOTA ATTORNEY GENERAL SETTLES WITH TELEMARKETER MEMBERWORKS: On 19 April 2000, the state settled with the third party telemarketer the bank used, Memberworks. Link to MN Attorney General Memberworks complaint and settlement The suit was filed after General Hatch had already filed and settled a suit with US Bank (see above).  In the complaint against MemberWorks, Hatch alleged the company used consumersâ personal financial information, such as checking account or credit cards numbers, account balances, addresses and phone numbers, to conduct direct mail and telemarketing campaigns to Minnesota consumers on behalf of US Bank. According to its filings at the SEC, in 1998, Memberworks had contracts with 19 of the 25 largest banks in the country. Recently, US Bank settled with 39 other state attorneys general.

    In 1998, NationsBank (since merged with Bank of America) was fined $7 million for securities law violations of sharing customer info with its subsidiary affiliate, NationsSecurities. The affiliate convinced low-risk customers to buy uninsured, high-risk investments, and many senior citizens lost portions of their life savings.
    http://www.sec.gov/enforce/adminact/337532.txt will give you the grimy details.