Dave Algoso
Policy Associate
Federal regulation riddled with loopholes has left large bank conglomerates and other financial institutions with too much leeway to share consumers’ private information and too little responsibility for the consequences. Financial Privacy in the States documents the growing concerns that Americans have about financial privacy, presents a survey of state laws that have helped fill regulatory gaps in the financial privacy sphere, and provides an estimate of the economic burden consumers currently bear as a result of inadequate privacy safeguards.
Federal regulation riddled with loopholes has left large bank conglomerates and other financial institutions with too much leeway to share consumers’ private information and
too little responsibility for the consequences.
This report documents the growing concerns that Americans have about financial privacy, presents a survey of state laws that have helped fill regulatory gaps in the financial privacy sphere, and provides an estimate of the economic burden consumers currently bear as a result of inadequate privacy safeguards.
Misuse of Personal Financial Information Is a Growing Threat
· The collection, selling and sharing of consumers’ personal financial information for secondary commercial use has escalated as a result of a number of factors including: industry consolidation; regulatory changes that have allowed banks, insurance companies, and other financial services to become affiliated through common ownership; and technological advances that have made the creation and distribution of massive consumer databases possible.
· Financial institutions routinely profit by sharing and selling consumers’ private financial information without their consent. Last year, the financial services industry pocketed $937 million in California alone from the sale and sharing of consumers’ private information, according to an analysis of data by the Direct Marketing Association.
Consumers Bear the Billion-Dollar Brunt of Inadequate Privacy and Security Protections
As a result of having inadequate privacy safeguards, we calculate a cost to consumers of $18.7 billion annually, or an average of $175 per household, in monetary outlays and lost time. (See tables on pages 26 and 27.)
· A recent survey by the Federal Trade Commission indicates that one in ten American adults (27.3 million) has been a victim of identity theft in the past five years, and
nearly 10 million have been victims in the past year.
· Consumers lost more than $5 billion in out-of-pocket expenses and about 300 million hours of time (worth $4.6 billion at the current average hourly wage) last year due to
these crimes, which overwhelmingly involve the misuse of personal financial information.
· One in six Americans say they have bought privacy protection services or products (at an estimated average cost of $75 annually) to avoid identity theft, check credit
reports, or surf and shop online anonymously, fueling a growing national market estimated to be worth $2.5 billion annually.
Under current federal law, the average consumer has no ability to stop the sharing of his or her personal financial information among financial affiliates. While relatively strong protections are in place to control how private information is used by other industries (including medical, cable television, and video rental), federal law passed in 1999 (the Financial Services Modernization Act, also known as Gramm-Leach-Bliley) allows financial institutions to share, sell, and otherwise use consumers’ private financial information without consumer knowledge, consent, or control. This law fails to implement the widely recognized Fair Information Practices, described below.
States Have Led the Way In Adopting Fair Information Practices As Law
Some states have led the way in ensuring consumers’ personal financial information is protected by Fair Information Practices. These practices include:
Giving consumers access to and notification about data that is collected about them:
· In seven states (Colorado, Georgia, Maine, Massachusetts, Maryland, New Jersey, and Vermont), legislatures have made it easier for consumers to dispute and correct inaccurate data by providing them one free copy of their credit report each year, and some state laws require quicker reinvestigation and resolution of consumer disputes.
· Congress enacted similar legislation when amending the Fair Credit Report Act (FCRA) by passing the Fair and Accurate Credit Transactions Act (FACT Act) late in 2003. As a result, national credit bureaus must provide free reports upon request within 15 days of the request. States are preempted from increasing the frequency of the provision of free reports (free report laws in Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, and Vermont are “grandfathered”).
Giving consumers control over how their personal information is used:
· Opt-in: Vermont and Alaska have adopted laws that require financial services companies to obtain express consent from the consumer before they may share private information with affiliates or third parties (with some exceptions). Alaska, California, Connecticut, Florida, Illinois, and Vermont have extended consumers the right to opt-in for information sharing with third parties only.
· Opt-out: California law also empowers consumers to choose not to have their information shared with financial affiliates. The FACT Act also made permanent the federal preemption in FCRA against states regulating the sharing of information among affiliates. However, the interplay between this provision and the federal Gramm-Leach-Bliley Act, which specifically authorizes state action, has not been determined and is likely to be addressed through future court rulings.
Giving consumers the legal ability to correct errors in their personal data files and obtain redress from data furnishers if their information is misused or is inaccurate:
· California and Massachusetts have adopted stronger-than-federal laws increasing liability of data users and furnishers for inaccurate data they provide to credit
bureaus or use in credit decisions.
Giving consumers other rights to ensure against the misuse of their data:
· California requires collectors of computerized data to notify any individuals whose data may have been acquired by an unauthorized person.
· Starting January 1, 2005, California consumers may request that a business disclose the details of information shared with third parties, and the business must
comply or provide the consumer a cost-free means to opt out of all future sharing.
States and Companies With Strong Privacy Protections Can Do Good While Doing Well
Industry research has argued that protecting privacy may have negative economic impacts. While a comprehensive economic analysis is beyond the scope of this report,
several indicators contradict these claims:
· When compared with other states, “opt-in” states and states with added responsibility for data furnishers experienced lower average bankruptcy rates and lower average mortgage interest rates.
· One survey of financial services institutions (including community banks and credit unions in addition to the largest national banks and credit companies) has
shown that up to 25% of these institutions currently operate without selling or sharing their customers’ information.
Policy Associate
Policy Analyst