What Are All These Privacy Notices?

Updated 28 Aug 01

Have you been wondering about those privacy notices from your bank?

Over the last few months, you have probably received a barrage of "Privacy Notices" from your bank, your credit card company, your investment or securities company, and your insurance company. Although these notices are incredibly difficult to decipher, they do offer you a limited right to protect your confidential financial information. Keep reading!

Your right to opt-out, although weak and limited, is ongoing, not subject to any deadline. Opt-out anytime.

Under the terms of the new law, however, your bank (or insurance company or stock broker or other financial firm) had a 1 July 2001 deadline to notify you of its privacy and information policies and tell you about that right to opt-out. Failing to meet the 1 July 2001 deadline would have meant your bank would lose its continuing right to share. Each year, financial firms must provide recurring annual privacy notices.


The state PIRGs encourage you to take advantage of your new right to opt-out. (1) You can limit your exposure to telemarketing ripoffs that banks and credit card companies are increasingly participating in. (2) You may also be able to prevent your Social Security Number from being sold to information brokers, which could limit your exposure to identity theft and stalkers. Unfortunately, the companies that sell Social Security Numbers are suing to overturn this provision, but, this week, the government won an important round in the courts.


The notice from your bank (or other financial entity) must give you a reasonable right to opt-out by filling in a simple form, calling a toll-free phone number, or using an e-mail or web form. If your financial institution ONLY offers the right to opt out by writing a letter, it is likely in violation of the law. Please let us know by replying to this e-mail message.


The notices generally describe two types of information banks collect and share and the right to opt-out of sharing either or both types of information. Unfortunately, some banks may make their notices more complex by artificially dividing the information into more than two types.

Type 1: "Experience and transaction" information is everything the bank or other entity knows about you from your account relationship -- how much you owe, whether you pay on time, any medical information held by insurance affiliates, how many and what types of accounts you (and your spouse or other joint account holders) hold, and certain information such as your Social Security Number.

If you opt-out of third party "experience and transaction" sharing, you can prevent the bank from sharing all of this confidential information with nonaffiliated third parties. The most important nonaffiliated third parties are telemarketers and companies that sell Social Security Numbers. Note, however, that the bank will still retain the right to share your "experience and transaction" information with both its own affiliates and certain third parties that are selling services directly on behalf of the bank, as if they were, in fact, affiliates.

Type 2: "Other" information is all other information the bank obtained about you from outside the bank, such as from your application, from your listed references, and from your credit report.

If you opt-out of "other" information sharing, your bank cannot share this information, even among and with its affiliates. This is important to ensure that when the bank or its affiliates make future credit decisions about you, you have all the rights granted by the Fair Credit Reporting Act to ensure that your credit report is accurate.

Again, PIRG recommends that you opt-out of both the sharing of "experience and transaction" information with nonaffiliated third parties and of "other" information with affiliates.


The notices you've been receiving are required under the terms of a new law that allows these firms to merge together to form so-called one-stop financial supermarkets. The Gramm-Leach-Bliley Financial Services Modernization Act of 1999 is supposed to give financial companies, which are selling more and more products that look alike, greater synergies and cross-selling opportunities.

The law encourages greater sharing of your account information with so-called corporate affiliates and also third parties. However, while the law was being considered, several privacy nightmares were reported in the press. For example:

-- One bank, NationsBank (now Bank of America), paid a $7 million civil penalty to regulators for unfairly sharing confidential information from insured deposit account holders with a securities affiliate. Telemarketers for the securities affiliate were accused of deceptively marketing risky, uninsured hedge funds and derivatives to senior citizens and other conservative holders of certificates of deposit.

-- Another bank, US Bank, paid a multi-million-dollar civil penalty to the state of Minnesota for sharing credit card and checking account numbers with an unaffiliated third-party telemarketer, Memberworks. The telemarketer then used deceptive telephone scripts to confuse the bank's customers into agreeing to "trial" offers for junky, tawdry products such as credit life insurance, roadside assistance and credit card protection. The consumers didn't think they'd ordered anything, since they hadn't given out their account numbers. But their bank had, and they were billed as much as $89 for products they did not want or need.

The state PIRGs' Privacy Page has details on these privacy nightmares.

The state PIRGs and other consumer advocates and our Congressional champions sought to prohibit information sharing for purposes unrelated to your account, without your affirmative opt-in consent. We believe there is no difference between sharing with affiliates or with third parties, if it is for secondary marketing purposes. We don't oppose all information sharing, only sharing for secondary purposes. Banks should certainly be allowed to have one telephone call center where you can also get information about your securities accounts. Credit card companies should be able to use shared networks to make your transactions happen.

Yet, banks and other financial firms shouldn't be allowed to make decisions about offering you new products without your affirmative consent. Unfortunately, we lost that fight. Instead, Congress merely required financial institutions to provide the detailed notices of information use and privacy policies you are receiving. Congress also provided us with the limited right to opt-out of sharing with nonaffiliated third parties. The right to prevent sharing of "other" information was an existing right.

In our view, notice is not enough. The state PIRGs will continue to work with bi-partisan champions including Rep. Ed Markey (D-MA) and Sen. Richard Shelby (R-AL) to provide consumers with additional protections.


Credit bureaus sell banks lists of consumers who meet certain pre-screened credit criteria. These lists result in 3.5 billion credit offers mailed out annually, or an average of 8 per household per month. Under a separate law, the Fair Credit Reporting Act, you have the right to opt-out of receiving these offers. You can make one phone call to 1-888-567-8688 [1-888-5-OPTOUT] to opt-out of all pre-screened offers -- be sure to select the "permanent" opt-out, not the absurd 2-years-only opt-out. This is a legitimate phone number, required by law -- but see our letter to the Federal Trade Commission in response to the weird emails circulating around the Internet confusing this opt-out with the one above.


PIRG and other groups have urged government regulators to improve the opt-out process. We filed a formal petition in July. No word back yet, except from one obscure agency. Our coalition has a special website devoted to explaining all this in detail -- it includes video clips from our news conference in June condemning the shoddy, unintelligible privacy notices.

You can see the state PIRGs' latest testimony on information sharing and the new law by going to the web site of the House of Representatives.

See PIRG's main privacy page for more, including a link to our history of financial information sharing.

The state PIRGs' Opt-Out Information Page can tell you more.

The web site for the Privacy Rights Clearinghouse contains several detailed Gramm-Leach-Bliley opt-out fact sheets -- here's one.