ABA: The American Bankers Association

Existing Privacy Laws Already Regulate Information Sharing

Some 20 different federal laws already regulate information sharing and provide consumers with a plethora of privacy protections. Five, in particular, play principal roles in regulating information sharing by financial institutions.

1. Gramm-Leach-Bliley Act of 1999

Title V of the Gramm-Leach-Bliley Act of 1999 established a set of comprehensive privacy laws at the federal level applicable to any firm that provides financial services. The new law established four new requirements regarding the nonpublic personal information of a consumer:

  • Annual Disclosure of Privacy Policy: A financial institution must annually disclose to consumers its policy and practice regarding the protection and disclosure of nonpublic personal information to affiliates and nonaffiliated third-parties.
  • Customer "Opt-Out" of Disclosures to Third-Parties: Consumers have the right to prevent the disclosure of nonpublic personal information to a nonaffiliated third-party - commonly referred to as the right to "opt-out." Third-parties may not re-disclose that information.

    There are important exceptions designed to resolve the practical problems with an opt-out provision. For example, opt-out does not apply in cases where information sharing is necessary to produce a consolidated customer statement, complete a transaction, or service the customer's account. It also does not apply to information disclosed to market the financial institution's own products or services offered through joint agreements with another financial institution.
  • Prohibition on Disclosure of Account Information: A financial institution may not disclose account numbers to any nonaffiliated third-party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
  • Regulatory Standards to Protect Security and Confidentiality: Financial institution regulators are to establish "standards" (related to the physical security and integrity of customer records) that would (1) ensure the security and confidentiality of customer records; (2) protect against any anticipated threats to the security of such records; and (3) protect against unauthorized access to such records that could result in substantial harm or inconvenience to the customer.

The law also established rulemaking and enforcement authority for federal banking agencies, the National Credit Union Administration, the Securities and Exchange Commission (SEC), the Treasury Department, and the Federal Trade Commission (FTC), each to prescribe implementing regulations for their respective institutions.

The law also makes it a federal crime to fraudulently obtain, or cause the disclosure of, customer information from a financial institution. This provision is aimed at the abusive practice of "pretext calling," in which someone misrepresents the identity of the person requesting the information or otherwise misleads an institution or customer into making an unwitting disclosure of customer information.

2. The Fair Credit Reporting Act

The Fair Credit Reporting Act (FCRA) contains many important privacy safeguards. It gives consumers the ability to stop the sharing of their credit application information or other personal information (obtained from third-parties, such as credit bureaus) with affiliated companies. The law permits sharing of information with affiliates regarding the consumer's performance on the loan or other "experience" resulting from the relationship between the consumer and the financial institution.

Moreover, it is important to note that the FCRA allows only affiliated companies to share such application or credit bureau information, after provision to the customer of notice and an opportunity to opt-out. If a financial institution were to share such information with an unaffiliated third-party, it could become a consumer reporting agency subject to burdensome, complex and onerous requirements of the existing FCRA.

The FCRA also mandates that other notices be provided to consumers in connection with the sharing of information. For example, financial institutions are required to notify consumers when adverse action is taken in connection with credit, insurance, or employment based on information obtained from an affiliate. This notice must inform the consumer that he or she also may obtain the information that led to the adverse action simply by requesting it in writing.

The FCRA also gives consumers the power to stop unwanted credit solicitations by blocking the use of their information from pre-screening by consumer reporting agencies. Pre-screening is the process in which a consumer reporting agency prepares a list of consumers who, based on the agency's review of its files, meet certain criteria specified by a creditor who has requested the prescreening. The FCRA also mandates that providers of credit include disclosures with every solicitation explaining that the offer results from a pre-screening and that the consumer has the right to be excluded from future pre-screenings by notifying the consumer reporting agency.

3. The Electronic Fund Transfer Act

The Electronic Fund Transfer Act and its implementing regulation require that consumers be informed about a financial institution's information-sharing practices with regard to all accounts that may incur electronic fund transfers. This would include virtually all checking, savings and other deposit accounts.

Financial institutions are required to provide consumers with extensive disclosures at the beginning of the consumer's relationship with the institution. As part of these initial disclosures, each financial institution must state the circumstances under which it (in the ordinary course of business) will disclose information concerning a consumer's deposit account to third-parties. For purposes of this requirement, the term "third-parties" also includes other subsidiaries of a financial institution's parent holding company.

4. The Right to Financial Privacy Act

Historically, the most significant privacy concern of consumers relates to government access to their financial records. The purpose of the Financial Privacy Act is to protect consumer records maintained by financial institutions from improper disclosure to federal government officials or agencies.

Specifically, the Act currently prohibits disclosure to the federal government of records held by certain financial institutions without providing notification to the consumer whose records are sought and the expiration of a "waiting period," during which the consumer may challenge and prevent disclosure through legal action.

5. The Telephone Consumer Protection Act

The Telephone Consumer Protection Act (TCPA) gives consumers the right under federal law to stop telemarketing calls from a particular company.

Under TCPA, companies can make telemarketing calls to residential telephones only if:

  • the call occurs between 8 a.m. and 9 p.m. (local time at the called party's location);
  • the caller provides certain identifying information to the consumer; and
  • the company maintains a company-specific "do-not-call" list of persons who do not wish to receive telephone solicitations made by or on behalf of the company.

If a consumer wishes to opt out of future telemarketing calls from a particular company, the consumer need only indicate that he or she does not wish to be called again. The company then must add the consumer's name to the company's "do-not-call" list.

In addition, TCPA protects consumers by restricting the use of automatic telephone dialing devices and prerecorded or artificial telephone messages.

The Direct Marketing Association (DMA) also maintains "customer exclusion files" so that individuals may remove their names from lists compiled or maintained by the agencies and companies that are members of DMA. Names remain in the exclusion file for five years.