Privacy Disclosure Requirements: Boon or Bane?
Après Reg P: Le Deluge–You’ve Got (Lots of) Mail
The booming US economy demonstrates the public benefits of developing our information technology industries. The rapid, free flow of information enhances organizational productivity, stimulates economic growth, helps check inflation, and empowers consumers. But to many people, it also generates strong privacy concerns. Congress has listened to them and decided to flood consumers with new privacy disclosure notices. This exercise will cost businesses and consumers billions of dollars and discourage the availability of information-intensive products and services. It will undermine the benefits of the information society by overloading most consumers’ mailboxes and inboxes with useless and irrelevant information. Clearly, a fresh look at the benefits and costs of privacy disclosures is merited.
New Law Mandates Disclosures. The Gramm-Leach-Bliley Act (P.L. 106-102), enacted last November, requires financial institutions and a wide variety of other businesses to issue new privacy disclosure notices to consumers. The notices must be “clear and conspicuous” and disclose in detail the institution’s privacy policies if it shares customers’ non-public personal information with affiliates or third parties. Such disclosures must take place when a customer relationship is first established and annually as long as the relationship continues. The new law also requires telling existing customers and customer prospects of their right to opt out of sharing non-public personal information with third parties, with limited exceptions.
Congress assigned to the federal bank regulatory agencies, the National Credit Union Administration, the Federal Trade Commission, and the Securities and Exchange Commission (after consulting with representatives of state insurance authorities) the task of drafting regulations to implement the new Act. The proposed sets of regulations by the various regulatory agencies, collectively known as “Reg P,” were released for public comments, and they will probably take effect later this year or early next year.
Exhaustive Detail. Reg P spells out the disclosure requirements in exhaustive detail. For example, it defines a clear and conspicuous notice as “a notice that is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice.” To meet this standard, a financial institution should present the information in clear, concise sentences, paragraphs, and sections; use short, explanatory sentences and bullet lists; use definite, concrete, everyday words and active voice; and avoid multiple negatives, legal and highly technical business terminology, and boilerplate explanations. The regulation also suggests that financial institutions use plain-language headings, easy to read typeface and type size, wide margins and ample line spacing, boldface or italics, and highlighting.
Furthermore, the notices must include the “categories” of non-public personal information the financial institution collects or discloses, its privacy protection and security policies, the types of third parties with whom it will share the information, and an explanation of the right to opt out.
Consumers Inundated. Reg P will inundate consumers with multiple privacy notices from their banks, credit unions, finance and mortgage companies, insurers and insurance agents, retail merchants, credit card issuers, securities brokers, mutual funds, oil companies, phone, gas, cable TV and electric utilities, Internet service providers, and others. Because of Reg P’s unique nuances, many of these companies will send a privacy notice to their customers for each account, product, or service the customer holds. And because they might process consumer information for each product in different data centers in different ways, share it differently with third parties, attend to it with different lawyers, and package it in different jargon, each such notice unavoidably will put most consumers in a spin. The burden of reading hundreds of pages of complex notices with scores of instructions surely will crush most of them.
Americans already routinely ignore a plethora of notices that hit them every day: at work, in transportation facilities, when buying, in government offices, on reams of documents, and on and on. They are so overloaded with notices that they have long since learned to look the other way. They don’t read loan documents, rental agreements, or the signs everywhere telling them how to protect their rights or avoid numerous types of harm. There is no reason to believe that they will change their ways when dozens of privacy envelopes arrive in their mailboxes.
Non-customer applicants and prospects for credit and other financial services would also receive privacy notices. Consequently, some people could get at least 40 to 50 privacy notices a year, some of them running several pages. Households with two or more people could receive over 100 notices annually.
Five Billion Notices. If we assume that, on average, each of the 103 million US households will receive 30 to 50 privacy notices, that comes to a staggering 3 to 5 billion notices annually. At a cost of 25 cents to prepare, print, and mail the notice as an insert with a customer statement, the annual price will range between $750 million and $1.25 billion. These estimates do not include customer service and other administrative expenses: for example, the cost of adding paper inventory, rewriting software, adjusting operating machinery, and the additional printing, processing, postage, and handling.
Chum for Legal Sharks. Add to these costs the legal expenses for interpretation, drafting, and defense of the class action lawsuits Reg P is sure to spawn. The trial bar is likely to test every aspect of a company’s implementation of the regulation’s requirements. They will fault the degree to which notices are clear and conspicuous; in plain language; diluted by other materials; descriptive of third party categories, security policies, or opt-out rights; sent to the right consumers at the right time; or consistent with other notices from the same company.
In total, the cost to the financial services industry for Reg P could easily exceed $2 billion a year. The industry inevitably will pass these costs on to consumers in the form of higher prices or reduced services. Is the trade-off worth it to consumers? Do consumers want to pay the price for Reg P? Unfortunately they won’t have any choice. They won’t be able to opt out of receiving multiple privacy notices. Instead, most consumers will discard the notices without reading them. So, the objective of providing greater privacy protection will not be achieved despite the high cost of disclosure.
The federal regulators seem to have ignored the cost-benefit balance in the proposed regulation. They have grossly underestimated the costs of compliance with Reg P. For example, the FTC estimates the average annual labor costs associated with the paperwork burdens on the 100,000 businesses it regulates to be $87.3 million, based on 4.03 million burden hours. The OCC estimates the total annual regulatory burden on the 2,400 banks it regulates to be 108,000 hours, based on an average of only 45 burden-hours per bank, per year, but it gives no cost estimate.
Keep It Simple, Not Stupid. Simplification of disclosure requirements, and reduction in the volume and content of notices, are likely to be more effective means for providing meaningful information to consumers while reducing costs. For example, the following simple, clear, privacy notice would be of greater value to consumers and more cost-effective than the detailed requirements of the proposed regulation:
If you want to know what personal information we collect or disclose, and how to opt out of such disclosures, please contact us by phone, fax, e-mail, or regular mail.
Such a statement would be readily understandable by most consumers. The costs to financial institutions of providing this notice would be negligible.
In summary, Congress, the states and the regulators should evaluate the benefits and costs of consumer privacy disclosures. Instead of mandating that consumers be overwhelmed by a blizzard of disclosures, privacy notices should only be provided to consumers on demand. Before Regulation P is implemented, a thorough cost-benefit analysis should be conducted, and the disclosure process should be simplified.
Peter Gray is chairman of the Internet Consumers Organization and previously was director of government relations for Citicorp. Duncan MacDonald is a consultant to various business organizations on such topics as privacy and data protection, alternative dispute resolution, and bankruptcy reform. He previously was general counsel of card products, Europe and North America, for Citibank.
If you would like to receive CEI On Points by e-mail, please contact us.