Privacy Notices and
The Federal Trade Commission's 2002 Privacy Agenda
Howard Beales, Director
Bureau of Consumer Protection
Federal Trade Commission
Thursday, January 24, 2002
San Francisco, California
The views expressed by Howard Beales do not necessarily reflect the views of the Commission, or any individual Commissioner.
FTC's 2002 PRIVACY AGENDA
We have made privacy protection a priority in the Bureau of Consumer Protection.(1)
To a great extent, our new agenda builds on the past work of the agency on privacy.(2)
However, we have also changed the focus of the program somewhat.
For example, in the past the Commission's privacy program was focused primarily on information collection.(3)
In contrast, we believe that the focus should be on misuse of information. Certainly, when surveys ask consumers if they are troubled by the extent to which their information is collected, they usually say yes. However, we believe that the reason consumers worry is concern about the potential adverse consequences of various uses of that information.
These consequences include a variety of very real risks. There can be physical consequences. That is why parents do not want information on the whereabouts of their children to be out there - freely available to anyone, and why many people list their telephone numbers using just a first initial and last name. There are also economic consequences, ranging from identity theft to erroneous denial of credit, insurance, or employment based on inaccurate or incomplete information. And there are unwanted intrusions - phone calls that disrupt the dinner hour or computers littered with "spam." We believe it is important to focus our resources on stopping the kinds of practices that cause these types of harm. In some cases this means more enforcement; in others it means new initiatives.
Similarly, although the Federal Trade Commission's past focus was primarily directed to online privacy,(4) our focus on consequences leads us to view privacy through a broader lens. Adverse consequences can occur whether the information was originally collected online or off. The risk of identity theft is real, and the consequences are the same, whether the thief steals your credit card number from an online website or from your mailbox. Thus, many of our initiatives focus on the misuse of personal information collected offline as well as information collected online.
Finally, our approach is built on an explicit recognition of the trade-offs involved in privacy regulation. The events of September 11 make it clear that privacy is not, and cannot be, an absolute right. We are all willing to make practical compromises between privacy and other desirable goals such as greater security. The same is true in the commercial arena. Sharing information offers tremendous benefits, ranging from instant credit approval, to the convenience of a consolidated financial statement, to lower costs of processing transactions. We should not sacrifice such benefits needlessly.
As a result of this new focus, the FTC's 2002 privacy agenda includes a number of major law enforcement and education initiatives that focus on reducing the adverse consequences to consumers. Let me highlight several recent accomplishments.
Eli Lilly Settlement
First, just last Friday we announced an important settlement with Eli Lilly and Company, which addresses the company's unauthorized disclosure of personal information that was collected from consumers.(5)
In brief, our complaint alleged that Lilly unintentionally disclosed the e-mail addresses of 669 users of its Prozac.com and Lilly.com websites by not taking appropriate steps to protect the confidentiality and security of that information. This was very sensitive information, whose release could have serious adverse consequences for the consumers involved.
The settlement requires Lilly to establish a security program to protect consumers' personal information against any reasonably anticipated threats or hazards to its security, confidentiality or integrity. The program is modeled to a large extent on a rule proposed last August to implement the Gramm Leach Bliley Act (the "GLB Safeguards" rule).(6)
Lilly is the Commission's first case involving security. As this case demonstrates, a fundamental aspect of protecting privacy is the security and confidentiality of personal information. Our action is intended to make clear that companies making privacy and security promises must keep their word, and must put in place internal security measures that are appropriate to their business operations and to the sensitivity of the information they collect.
Let me say that not every security breach will result in Commission action. Rather, we will look carefully at the type of information involved and at how the security breach occurred. But when companies collect sensitive personal information and promise to keep it secure, we will be closely examining any unauthorized disclosures to figure out how it happened and whether it could have been prevented.
Proposed Telemarketing Sales Rule Amendments
A second major action was our announcement this week of proposed amendments to our Telemarketing Sales Rule to address two specific privacy problems.(7)
First, the proposed amendments establish a centralized, one-stop, national "do-not-call" registry to enable consumers to eliminate most telemarketing calls just by calling a toll-free number and putting their phone number on the registry. This proposal directly responds to consumers' desire to be free of unwanted intrusions. It focuses on letting consumers who wish to do so avoid the consequences of unwanted telemarketing calls, rather than regulating the information sharing that generates telemarketing lists.
Second, the proposal prohibits telemarketers from receiving from any person other than the consumer any consumer's billing information, or disclosing any consumer's billing information to any person for use in telemarketing. This proposal, if adopted, would prohibit the troubling practice of exchanging lists of credit card numbers and other such "preacquired account information." The record of our rule review indicated that this practice can result in significant economic loss for consumers if it is used to bill consumers for goods or services they did not order. Our action follows up recent enforcement actions by both the FTC and State Attorneys General against firms that misused this information.(8) Again, the proposal focuses on specific information with potentially serious adverse consequences for consumers.
We've also been active in protecting financial privacy. For example, the Nation's credit reporting system is in many ways the key that unlocks the door to credit for consumers. The information in the system is obviously very sensitive, and the consequences of having inaccurate information in a consumer's credit report can be severe. The Fair Credit Reporting Act,(9) one of the nation's oldest commercial privacy laws, protects the confidentiality of credit reporting information. It ensures that consumers are notified, and given an opportunity to correct erroneous information, if they are denied credit or other benefits based on information in a credit report.(10)
Compliance with the adverse action notification provision is central to the successful operation of the statute. Unless consumers receive these notices, they cannot use the Act's disclosure and dispute provisions. One of our efforts has been to monitor compliance with that important provision. Recently we completed a project to check residential landlords' compliance with the provision. What we found was encouraging. Although not perfect, landlords from the five major cities that we checked had procedures in place for providing adverse action notices to consumers denied rentals because of information in their credit reports. We hope to find equally high levels of compliance in other industries we check. If not, we will take prompt steps, including law enforcement actions, to increase compliance.
A second important part of our efforts to protect consumers' financial privacy has been our effort to control ID theft.
Just as victims of muggings must replace their lost wallets, so too victims of electronic muggings must refurbish their damaged identities. Unfortunately, this can be a difficult task. To ease this burden we are working with industry to develop a uniform ID Theft Affidavit. Victims can use this affidavit to report fraudulent accounts opened in their name by an identity thief, instead of having to fill out a separate, distinct form for each creditor. Consumers have demonstrated a strong interest in this approach.
The Role Of Privacy Notices
In protecting financial privacy, notices have been a key part of the government's efforts to respond to consumer concerns. Thus, it is important to understand what privacy notices are, what they can do, and what they can't accomplish.
Having said that it is important, I'll be the first to confess that we don't have all the answers. But I do have some thoughts based on our experience with similar consumer protection issues.
First, privacy notices should be viewed as a means of facilitating competition over privacy practices. Their goal should be to help consumers understand what information is collected about them and what is done with that information, not simply to scare consumers into opting out of information sharing. In many instances, disclosure of information is beneficial to consumers. In everyday transactions consumers routinely disclose information about themselves. And in a growing number of transactions, like grocery store discount cards, consumers readily trade personal information for economic benefits like lower prices.
Even the disclosure of information for marketing purposes can be beneficial to many consumers. The principal types of information used for marketing - lists of people meeting some fairly general criteria - are often minimally intrusive. And the marketing itself can be beneficial to consumers and competition by telling consumers about products or services they may not know about, spurring competition, encouraging product improvements, and lowering prices. Marketing, to paraphrase the late George Stigler, is an immensely powerful instrument for the elimination of ignorance.(11)
To be sure, there are information exchanges that can cause serious problems. The exchange of lists of credit card account numbers, for example, can create real risks of unauthorized charges on the consumer's account. When the exchange of information risks such serious consequences, notice, however clear, may not be enough. That is why Congress prohibited financial institutions from selling lists with account numbers.(12) And it's why the Commission this week proposed to restrict the exchange of such information by telemarketers under the Telemarketing Sales Rule.
Similarly, certain information collection practices, like pretext interviewing, negate the value of privacy policies. Again, the law prohibits that practice(13) and the FTC is actively bringing cases to enforce that prohibition.(14)
Gramm Leach Bliley Workshop
Although well done privacy notices should provide important benefits, there is a lot we don't know about how they work. The most extensive experience to date with privacy notices has been under the Gramm Leach Bliley Act, which requires notices to be sent out annually by a broadly defined group of "financial institutions".(15) It is estimated that more than a billion notices were sent out in the first year under this law. Although the direct and indirect costs of this massive effort are uncertain, they were clearly substantial.
Last month, we held a "workshop" to explore initial experiences under the GLB notice provisions. Appropriately titled "Get Noticed," the workshop was hosted by the FTC and the seven federal financial regulatory agencies charged with implementation of the statute.(16)
The workshop was very successful. Almost 600 attendees registered for the workshop. Panel participants represented a wide variety of backgrounds and interests: from financial institution privacy officers, to privacy advocates, marketing experts and even a nutrition labeling researcher from the Food and Drug Administration.
Key Findings From Workshop
Let me share with you some of the key findings of the workshop.
Privacy notices must be written for consumers
First, and perhaps most important, we learned that privacy notices need to be written for consumers. That's their intended audience, not the regulators who prescribed them or the lawyers who will dissect them. I think there is agreement that in general the first round of GLB notices didn't score very well in the "consumer friendly" column. In part, that is because notices were too frequently seen as regulatory compliance documents, not consumer information documents.
Common elements of consumer friendly notices
Second, we learned that more successful consumer notices involve some common elements:
- They start with a clear, concise statement of purpose that tells people why they should be interested in reading the document,
- They use plain language instead of legalese, and
- They take full advantage of visual design features that divide information up into pieces and make it easy to find and read.
Consumer friendly notices need to be tested on consumers
Third, and really a corollary to the points I've made above, we need to recognize that drafting effective privacy notices is as much a communication challenge as a regulatory issue. Think about what companies do when they are really trying to get a consumer's attention and convey information to them. They don't use long, information-dense forms, nor do they turn to 8 ½ x 11 sheets of paper with multiple check boxes. So too, the companies that seem to have done the best at drafting these notices approached the task the way they would a marketing campaign -- focusing on getting their customers' attention and providing them with clear, understandable information. And, just as a company wouldn't launch a major advertising or marketing program without testing it on consumers, so too the more successful companies tested their privacy notices with actual consumers.
Challenge of Applying These Principles to Financial Privacy Disclosures
These are, of course, pretty standard consumer communication principles. For privacy notices, however, we also heard that their application can be particularly challenging for a number of reasons.
From the industry perspective, the information flows in the financial industry are both complex and dynamic. More than one company has told us that one of the hardest parts about compliance is figuring out what it was they actually did with the information they collect, let alone trying to describe that process to consumers. And the challenge of explaining these information flows is further complicated by the exemptions and distinctions in the statute that are themselves hard to explain.
Communication is equally challenging from the consumers' perspective. Consumers are busy. They don't want to read lots of notices, from lots of financial institutions, about lots of accounts, with lots of very detailed information sharing practices about each account. We have to find a way to simplify the process. To do that we also have to understand what consumers' concerns are. Although we know consumers have a high level of concern about the privacy of their financial data, we don't know exactly what those concerns are.
Towards a Better Notice
These are all limitations on how successful any notification process can be. What kinds of responses to them are possible? Our workshop suggested at least three.
Learn From Experience
First we have to recognize that responses need to be dynamic. GLB privacy notices are an annual event. If government and industry didn't get it right the first time, the annual nature of the notices gives us the opportunity to improve on them in the future. Moreover, repeated exposure to information itself improves communication. Thus, the annual notice requirement will help improve communication and keep important choices in front of the consumer.
Second, we need to educate consumers, about privacy in general, about financial privacy in particular, and about the notice process. Notices will work better as consumers learn what's coming and why it matters. This education will occur over time, as well.
Third, we need to research the results. What does make a more effective privacy notice, and, most crucially, does that more effective notice actually address consumers' privacy concerns or make a difference in the choices consumers make? Does it affect behavior? We don't really know the answers to these questions yet. Hopefully ongoing research will help us find out.
The efforts to develop effective nutrition labeling may provide a paradigm for what we can accomplish here and what we cannot accomplish. The FDA's nutrition labeling program establishes a standard for nutrition comparisons, and is frequently cited as the model of a successful government effort to communicate complex information to consumers.(17) But in looking at the nutrition labeling experience, it is important to understand that today's nutrition label was not created overnight. Indeed the first nutrition labels were created in the early 1970s.(18) Thus the current program was based on decades of experience and, as we learned at our workshop, extensive consumer and market testing during its evolution. Moreover, one reason nutrition labeling works is because consumers know what to look for. The nutrition label is backed by years of extensive public and private consumer education on nutrition. In contrast such education efforts on privacy have only just begun.
There is another key difference between nutrition labels and privacy notices. Nutrition labels set a standard of what information must be included, but they also exclude a great many nutritional details. Simplifying or standardizing privacy notices would likewise require omitting some details. At this point, however, we have little idea which details consumers care about and which areas don't matter.
Finally, we also need to remember that, although nutrition labels are a wonderful source of detailed information about a product, what gives them their real impact is marketing built around the label. It isn't the fine-print grams of fat on the side of the box that drives consumer choices, it's the "Fat Free" claim emblazoned across the front. Similarly, privacy notices can provide valuable details. But unless consumers care enough to choose companies based on their privacy practices, notices will have a very limited impact. Some of that marketing is starting, but it is too soon to assess its impact. For example, one credit card advertises "no telemarketing," and some ISPs are promoting their privacy practices. Ultimately, the most important choice consumers will make about privacy is the choice of whom to do business with.
What Won't Help
If there are a number of steps we can take to improve the current situation, there are also a number of things that I believe won't help.
More Privacy Notices
First, more privacy notices aren't necessarily better. I understand that many would like to take steps to provide consumers with "better" notices in the short run. I think that it is clear, however, that adding additional notices and forms to those consumers are already receiving is unlikely to help. Many consumers are already confused. Multiple forms and notices are unlikely to improve the situation. At some point multiple disclosure documents will simply exacerbate rather than reduce consumer confusion. Adding another form to the stack of paper that must be signed to open a new account, for example, may simply obscure important choices, rather than highlighting them.
Rigidly Prescribed Disclosure Formats
Second, rigidly prescribed disclosure formats aren't the answer. I understand that the experience with GLB notices is that many of them were hard to read, comprehend and act on. And I also know that for some consumer disclosure problems, carefully researched standardized forms have proven useful. But based on our workshop, and our general experiences in consumer protection, we are not at a point now in the privacy area where that approach will likely be successful.
The overwhelming message of our workshop was that there is more than one way to communicate effectively. Good communication vehicles must be flexible and tested on a broad range of consumers. Forms drafted by committees of lawyers are unlikely to be an adequate substitute for extensive consumer testing. Moreover the annals of consumer protection history are littered with unsuccessful attempts to specify in precise detail the level of clarity required in disclosure only to have them misunderstood by consumers, or defeated by clever printers. How many consumers have read the bold "Do Not Remove Under Penalty of Law" tags on their mattress and thought that this warning applied to them? In one of our cases here in California, the Court ordered a marketer to send all of his customers notices that his product probably didn't work. The Court told him what to say and how large the type size should be, only to have him print the notice in a virtually unreadable "Olde English" type face.
The one size fits all approach to privacy notices also risks homogenizing privacy choices, rather than differentiating firms that truly excel at providing privacy. Competition based on privacy policies presupposes differentiation but the one-box disclosure approach imposes homogeneity.
Although with careful research we could perhaps design a format for today's choices, information flows in the financial industry are especially dynamic, as the removal of Depression-era restrictions on who can offer what services leads to continuing changes in the structure of the industry. It is almost impossible to predict how the industry will evolve. A standard form adopted today can't possibly foresee all of these changes, much less accommodate them all. It is also vital that standard form disclosure requirements not impede the industry's ability to evolve. Restrictions on information flows inside a company based on the legal details of how the company chooses to organize itself run the risk of denying consumers the benefits of greater integration of financial services.
Adding More Exceptions
One natural regulatory response to concerns about unintended interference with the financial institution/customer relationship has been to include broad statutory and regulatory exemptions to restrictions on information use.(19) These exemptions are often necessary to prevent privacy protections from having unintended negative effects on consumers' ability to obtain the services they want. A check, for example, must pass through many hands on its way back to the consumer, and everyone in the chain needs access to the potentially sensitive information it contains. However, multiple exemptions also complicate the process of accurately describing to consumers what privacy protections they are agreeing to. Careful thought needs to be given to how to accommodate these two conflicting goals in privacy regulation. In the interim, layering of additional Federal or State exemptions on the existing ones is only likely to further complicate privacy notices, further confuse consumers, and further limit their choices.
We are all interested in correcting some of the shortcomings of existing efforts to address consumers' concerns about financial privacy, and we should. Let me summarize my remarks with three key principles that should guide our next steps.
First, it takes time to digest significant regulatory changes. Wholesale alteration of the rules governing privacy notices will inevitably change the focus of both the government and the financial industry from the much needed issue of how to improve communications with consumers, to the more pressing issues of implementation and regulatory compliance with the new requirements. We need some reflection and careful analysis of our experiences before we tear up the existing system and start over.
Second, there remains an enormous amount that we do not know. The costs of the first round of notices are still uncertain, and we haven't even begun to address or assess possible indirect costs. Consumers' real concerns remain uncertain, along with the benefits of possible change. We need better information before attempting significant changes.
Finally, we need to focus more clearly on what consequences we are trying to avoid. If the issue is controlling the amount or content of junk mail, privacy notices are a very clumsy tool. Any changes should be carefully crafted to control adverse consequences with the minimum possible impact on the benefits of the information age.
Consumer privacy is important. The FTC has and will continue to take an active role in attacking companies that misuse consumer information. We agree that improvements can be made on existing financial privacy notification efforts. But we should do so in ways that simplify the overall problem, rather than making it even more complex.
2. See, e.g. FTC v. Toysmart.com, No. 00-11341-RGS (D. Mass. filed July 10, 2000); Liberty Financial Companies, Inc., FTC Dkt. No. C-3891 (consent order entered on Aug. 12, 1999); GeoCities, FTC Dkt. No. C-3849 (consent order entered on Feb. 12, 1999).
3. See, e.g. Federal Trade Commission, Privacy Online: Fair Information Practices in the Electronic Marketplace. A Report to Congress. (May 2000).
4. Id. at 33-36.
5. In the Matter of Eli Lilly and Co., FTC File No. 012 3214 (January 18, 2002).
6. Standards for Safeguarding Customer Information, 66 Fed. Reg. 4162 (to be codified at 16 C.F.R. pt. 314) (proposed Aug. 7, 2001).
7. Proposed amendments to Telemarketing Sales Rule, 67 Fed. Reg. 4491 (2002), announced January 22, 2002.
8. Federal Trade Commission v. Smolev, et al, No. 01-CV-8922 (S.D. Fla. final order entered Nov. 27, 2001).
9. Fair Credit Reporting Act 15 U.S.C. §1681 et seq. (2001).
10. Fair Credit Reporting Act § 615, 15 U.S.C. §1681m (2001).
11. George J. Stigler, The Economics of Information, J. Pol. Econ., 213-220 (June, 1961).
12. Gramm Leach Bliley Act, 15 U.S.C. §6802(d) (2001).
13. Gramm Leach Bliley Act, 15 U.S.C. §6821 et seq. (2001).
14. FTC v. Information Search, Inc. and David Kacala, No. AMD-01-1121 (D. Md. preliminary injunction entered May 4, 2001); FTC v. Victor L Guzzeta d/b/a Smart Data Systems, No. CV-01-2335 (E.D. N.Y. preliminary injunction entered Apr. 19, 2001); FTC v. Paula L. Garrett d/b/a Discreet Data Systems, No. H01-1225 (S.D. Tex. preliminary injunction entered May 1, 2001).
15. Gramm-Leach-Bliley Act, 15 U.S.C. §6803 (2001).
16. Public Workshop on Financial Privacy Notices, 66 Fed. Reg. 49742 (2001).
17. Food Labeling, 21 C.F.R. §101.1 et seq. (2002).
18. Peter Barton Hutt, "Government Regulation of Health Claims in Food Labeling and Advertising," 41 Food, Drug, Cosm. L. J. 3, 35 (1986).
19. See, e.g. Privacy of Consumer Financial Information, 16 C.F.R. §313.14(a) (2002) (exceptions for processing transactions at consumer's request).