Commentary: Why Privacy Notices Are a Sham
Do you like junk mail? Look forward to getting telemarketing calls during dinner? Enjoy reading electronic messages about herbal remedies and get-rich-quick schemes?
If so, then you should be grateful for the Financial Services Modernization Act of 1999, the landmark legislation that allowed banks, insurers, and brokers to join forces. The law made it possible for people to get their credit cards, checking accounts, investments, home loans, and health insurance from one company. That's convenient. But the act also gave finance companies the power to make extraordinarily detailed portraits of their customers simply by merging files about their income, assets, debts, health, spending habits, and other data. This sensitive information is increasingly becoming a public commodity because of the new law. That's scary--and a big reason why so many strangers are invading your life to try to sell you stuff you don't want.
YOUR MOVE. The legislators who wrote the act were aware this might be a problem. So they insisted that the law include some privacy protection. At the time, civil-rights groups suggested giving people direct control over their personal information. Specifically, they wanted to force companies to get permission from their customers before selling personal data. But this idea sent industry lobbyists into orbit. They warned that such a proposal--which would have created a so-called opt-in system--would cost them a fortune to administer.
So the industry proposed another approach: putting the burden on consumers to protect themselves. Rather than forcing companies to get permission before sharing personal data about their customers, lobbyists suggested that consumers should be required to sign an "opt-out" form barring financial institutions from selling the information. Companies trumpeted this as a free-market solution. Don't have Congress write regulations protecting people, they argued. Rather, tell consumers about threats to their privacy--and let them make their own decisions. So long as there was full disclosure, they claimed, everything would be fine.
The finance industry won this battle, and the unsavory fruit of its lobbying campaign is now appearing in your mailbox. Over the past several weeks, you have probably received more than a dozen privacy notices. But there's a good chance you have missed many of them. Because Congress didn't require companies to mail the notices separately, they're frequently bundled in with other paperwork and wind up in the trash. Even if you have noticed them, odds are you didn't read very far. The notices are about as easy to digest as car warranties. They're packed with legalese, written in small print, and violate almost every known rule about how to make complex ideas comprehensible to the average consumer. "Every week, I get a letter from somebody telling me that I've just won $1 million. If I throw that away, there's no way I'm going to read one of these," says Alan L. Dorris, an Atlanta industrial engineer who designs warning labels.
So far, the opt-out forms are being returned by about 1 in every 20 consumers. The American Bankers Assn. has the nerve to say this is because people aren't all that worked up about privacy. Please. The real reason opt-out rates are so low is that the notices are designed to be ignored.
BAD START. In fact, they make a mockery of the fundamental idea behind the opt-out approach: that consumers will be protected if companies fully disclose what they do. Disclosure is meaningless unless people understand what's being disclosed. If they don't, then the choice purportedly being granted--to opt out of having private details sold like gum balls--becomes an empty one.
There's no doubt finance companies could do a better job if they wanted to. Look at a sales brochure for, say, a variable annuity. The same principles used to inform people about sophisticated financial products should also be applied to privacy notices: plain English, lots of white space, no legalese.
Regulators also need to draft rules ensuring that these design edicts are followed, just as they have done with insurance and credit-card sales pitches. So far, the agencies supervising the notices--a task force including the banking agencies, the Securities & Exchange Commission and the Federal Trade Commission--have been part of the problem. Their initial round of regulations was confusing, the model language impenetrable. But there's still time to make amends. Congress has required regulators to review the notices and suggest improvements in 2002. Next time, let's hope they get it right.
By Mike France