Abstract

The financial privacy law passed by Congress in 1999 has been the target of scathing criticism. Financial institutions have complained about the high costs of the billions of notices sent to consumers, apparently to widespread consumer indifference. On the other side, privacy advocates have condemned the law as woefully weak. This article disagrees with the criticisms. Part I describes the main provisions of Title V of the Gramm-Leach-Bliley Act, showing a better match with basic privacy principles than many have realized. Part II explores the history of how GLB became law, placing the enactment into the context of a historic peak of privacy policy activity in the late 1990s. This history draws on my dual perspective, as an academic who has written extensively about financial and other privacy issues, and as the Clinton Administration's Chief Counselor for Privacy during the period. Part III looks at the most hotly contested issue in the privacy debate, the rules for sharing personal information with affiliated entities and third parties. GLB establishes a basic rule that information can flow freely within a financial institution and to its affiliates. Customer choice - an opt out ability to prevent sharing - applies for transfers to non-affiliated companies. The article argues that an exception to that principle of customer choice, the joint marketing exception, should be repealed. It then explores the knotty issue of how to handle data sharing in today's vast financial conglomerates, suggesting possible statutory modifications. Part IV looks at the much-maligned notices that financial institutions have sent out in compliance with GLB. The critics have accurately complained about the legalistic and detailed language in the current notices. The critics have largely overlooked, however, important benefits from these notices.
Publication of the notices and the new legal obligation to comply with them have forced financial institutions to engage in considerable self-scrutiny of their data handling practices. Many firms have hired a Chief Privacy Officer or made other institutional changes. The current notices, even in their imperfect form, have reduced the risk of egregious privacy practices. And improved notices, with a plain-language short form on top, would enhance accountability while also communicating far more clearly with ordinary customers. In short, there are surprising merits of the GLB privacy provisions. Considerably more was accomplished in the Act than observers would have predicted in the spring of 1999 or than critics have recognized to date. Important flaws do exist, but specific and achievable changes in the statute and implementing regulation can go far toward reducing the magnitude of those flaws.
