Donald P. Brewster
Assistant General Counsel

March 31, 2000

Donald S. Clark, Secretary

Re: Gramm-Leach-Bliley Act Privacy Rule, 16 CFR Part 313 -- Comment

Dear Mr. Clark:

Conseco Finance Corp. ("Conseco") is a diversified financial services company that, as part of its overall business plan, will provide delivery of financial services over the Internet to businesses and consumers. We appreciate the opportunity to submit our views concerning the proposed Gramm-Leach-Bliley Act Privacy Rule (the "Proposed Rule"), 16 CFR Part 313, issued by the Federal Trade Commission ("FTC") on March 1, 2000. 65 Fed. Reg. 11174-11195. As the FTC noted, the Proposed Rule would implement the privacy provisions of the Gramm-Leach-Bliley Act (the "Act"), Subtitle A of Title V of Pub. L. 106-102, with respect to all institutions under the jurisdiction of the FTC. Because the FTC has jurisdiction over all "financial institutions" not otherwise regulated under the Act, and because our members are not only banks, thrifts, insurance companies and broker/dealers, but also technology companies which are subject to FTC jurisdiction to the degree they are subject to the Act at all, we believe we can provide the FTC with a useful perspective on the impact of the regulations on a wide variety of providers of financial services over the Internet. We have confined our comments to the topics which Conseco believes have the most significant impact upon the electronic delivery of financial services. As pioneers of a new way of delivering financial services, our members keenly understand the need to set standards to respond to consumer demand for privacy, especially in the context of the Internet. Our comments reflect not only our strong commitment to protecting consumer privacy, but also our desire to assure compliance with privacy law. In order to do so, our company and all affected parties need to know the boundaries of the Proposed Rule.
Crucial Definitions Need Refinement

With these general comments in mind, we think it vitally important for the FTC to refine the definitions that determine the scope of the Proposed Rule. Currently, the ambiguities in these definitions make it difficult for businesses to know whether they are subject to the Proposed Rule, and if so, to what degree. Under the Act, the FTC is responsible for regulating all those businesses that are not already regulated by a banking, securities or insurance regulator -- in other words, all those businesses that are "financial institutions" exclusively because of their activities. Some businesses may still not be aware that the Proposed Rule applies to them. Companies that, unbeknownst to themselves, have become subject to privacy regulations about which they had no notice and no opportunity to comment may be unable to comply. Even companies which are aware that aspects of their activities may be subject to the proposed regulations will be severely handicapped in commenting on or complying with the regulations unless they have a more specific statement of which aspects of their activities are contemplated to fall within the scope of the regulations' requirements. As you can appreciate, leaving such matters to speculation makes meaningful comment on the proposed regulations almost impossible. For this reason, we wrote to the Board of Governors of the Federal Reserve System (the "Board"), in a letter dated March 6, 2000, asking for clarification of those definitions that the Board has exclusive authority to define. While the Board, on March 10, 2000, issued an Interim Rule which provided a broad outline of activities permissible for a financial holding company under the Act, the Interim Rule does not provide a sufficient degree of specificity to permit potentially affected companies to know the boundaries of their activities which might be subject to the privacy provisions of the Act.
Based upon your request for comment, we believe that the FTC recognizes the need for bright-line standards clarifying the scope of the Proposed Rule with respect to companies under the Commission's jurisdiction, and we urge the FTC to work with the Board to respond with greater specificity to the questions presented below.

What is an activity "financial in nature"?

The Proposed Rule applies to "financial institutions," as well as to "other persons" that receive nonpublic personal information from financial institutions. Proposed § 313.1(b). The Proposed Rule defines a financial institution as "any institution the business of which is engaging in activities that are financial in nature as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k))." Proposed § 313.3(j)(1). Section 4(k) of the Bank Holding Company Act permits a financial holding company to engage in any activity that:
12 U.S.C. 1843(k)(1). Financial activities include not only those specified in Section 4(k), see 12 U.S.C. 1843(k)(4)(A)-(E), but also those activities that:
12 U.S.C. 1843(k)(4)(F), as well as those activities that the Board has determined by Board regulation or interpretation to be usual in connection with the transaction of banking or other financial operations abroad. 12 U.S.C. 1843(k)(4)(G). Footnotes 2 and 3 to the FTC's section-by-section commentary on the Proposed Rule suggest that the Board's Regulation Y and Regulation K determine the content of these last two categories of activity. See 12 CFR 225.28, 12 CFR 211.5(d). We are not confident that the definition found in the Proposed Rule will be limited to that created by Board regulations. Without a clarification, the definition of an activity "financial in nature" may depend not only upon Regulation Y and Regulation K, but also upon the numerous and lengthy orders and interpretations issued by the Board prior to November 13, 1999. Given the possibility of such a reading of the language of the Proposed Rule, it is not clear what the FTC, and indeed the bank regulatory agencies as well, consider to be the baseline definition of an activity "financial in nature" -- the category that, more than any other, defines the scope of the Proposed Rule. Even if it were clear that the scope of coverage of the Proposed Rule were limited to relevant sections of Regulation Y and Regulation K, those regulations are so broadly worded that they do not provide adequate guidance to assist businesses in determining whether they are subject to the Proposed Rule. [example?] We think it important that the FTC, in coordination with the other agencies promulgating privacy regulations, specifically list the activities that are considered "financial in nature," in order to establish firmly the scope of the Proposed Rule. This list should, to the extent possible, avoid vague catch-all phrases that give no notice to businesses that they may be "financial institutions" under the Act.
If possible, the FTC should define the activities on its list by reference to well-known statutory benchmarks, so that it does not inadvertently multiply definitions. For example, if the FTC wishes to include certain real-estate related activities in its list of activities "financial in nature," it should define those activities by reference to the specific businesses to be covered, such as: "provision of title search services," "provision of title insurance," "rendering of credit reports," "provision of appraisals," "provision of mortgage insurance," and so forth. Having established such a list, we believe that the FTC should exclude from coverage of the regulation any activity that is not specified on this list. If, in the future, the Federal Reserve expands the list of activities which are "financial in nature," and the FTC determines that such services, when provided by entities which are not financial holding companies or their subsidiaries, should be subject to the regulations, it could expand the list of covered activities accordingly. As a matter of principle, we believe that it is appropriate to maintain a level playing field with all companies providing like services treated alike for the purpose of compliance with the privacy rules.

Standards for Developing List of Covered Activities

We also think it important that the agencies charged with developing privacy regulations establish principles to govern the definition of activities "financial in nature," for purposes of the privacy regulations. We understand that the Board is bound by statute to take into account certain specific considerations in establishing what will be defined as an activity "financial in nature or incidental to a financial activity" for Bank Holding Company Act purposes. 12 U.S.C. 1843(k)(3). However, not every activity in which a financial holding company may engage is appropriately within the scope of the privacy regulations.
If that is the case, as we think it is, the FTC may want to except certain activities determined by the Board to be "financial in nature" from the scope of the privacy provisions of the Act.(1) In doing so, the FTC will need to make such exceptions pursuant to a consistent set of standards. There are many possible dividing lines between activities that are financial in nature and those that merely facilitate financial activities. An activity that involves taking an application, or obtaining information directly from a consumer, or offering a product or service, would appear to be a "primary" activity. By contrast, an activity that merely facilitates such a primary activity, and that can also facilitate non-financial activities, would not appear to be the proper subject of the Proposed Rule. Providers of such facilitating activities include certification authorities for digital signatures, computer software and hardware manufacturers and distributors, Internet portals, and cable or wireless transmission companies.(2) Such companies undertake activities that facilitate financial activities but that would not appropriately be described as financial activities themselves. It may be that financial institutions using these facilities should require them by contract to respect the privacy of information which the financial institution entrusts to them, but to define these companies as "financial institutions" would stretch the meaning of those words beyond what we believe the authors of the Act could reasonably have intended.

What does it mean to be "significantly engaged in financial activities"?

It is clear that the FTC is aware of the importance of defining the category of "financial institution," because the Proposed Rule provides an example and a list of excluded persons as well as the definition itself. See Proposed § 313.3(j)(1), (2), (3).
In the Proposed Rule an entity is a financial institution, according to the example, "if it is significantly engaged in financial activities, such as a retailer that extends credit by issuing its own credit card directly to consumers." Proposed § 313.3(j)(2). The commentary to this language states that "[t]hus, a retail business that issues its own credit card directly to consumers is a financial institution engaged in the extension of credit, but a retail business that merely establishes lay-away or deferred payment plans is not a financial institution." 65 Fed. Reg. 11176-11177. The distinction made in the commentary is not evident in the language of the Proposed Rule, and the principles upon which the distinction is made are not evident to the reader. We urge the FTC to make clear whether it is adopting a de minimis standard for the level of financial activities that makes a business a financial institution, as its use of the phrase "significantly engaged" suggests, or whether it is merely restating that certain activities are "financial in nature" for purposes of the Proposed Rule, as the commentary suggests. If the FTC is adopting a de minimis standard, we urge it to establish the de minimis level explicitly. If the FTC is merely restating that certain activities bring a business within the scope of the Proposed Rule (e.g., merchant credit cards are covered and lay-away plans are not), we urge it not to use the ambiguous phrase "significantly engaged in financial activities," but rather to take the opportunity to specify those activities by which a business per se becomes a financial institution. Alternatively, the FTC could provide significant clarity by rephrasing its example to read "if an institution is directly engaged in financial activities" and providing an example of direct vs. indirect engagement.

What is a "financial product or service"?
In many respects, what constitutes a "financial product or service" is inextricable from who is a "financial institution." The definitions are very similar. The proposed regulations define a financial product or service as "any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k))." Proposed § 313.3(k)(1). Like the definition of "financial institution," this merely refers to a broad but ill-defined category, providing no certainty in determining what is covered by the Proposed Rule. And, as we suggested above, we urge the FTC to resolve this lack of certainty by adopting a list of those products or services that are "financial," in order to establish the scope of the Proposed Rule. A bright line dividing financial from non-financial products and services would permit businesses to offer both, confident that they could provide non-financial products and services outside the scope of the Proposed Rule. We have suggested two such bright lines above: financial products or services for purposes of the Act are those that an institution provides directly to consumers; or financial products or services for purposes of the Act are those that are primarily financial, rather than merely facilitative of financial and non-financial services. It is important to have certainty not only about when something is "financial," but also about when something is a "product or service" for purposes of the Proposed Rule. Not every facility provided to a consumer to assist with respect to a financial decision would appear to us to be appropriately designated as a financial service subject to the regulation.
For instance, if a website provides consumers with a mortgage calculator or stock quotes, but does not charge for the use of the facility or retain any information regarding the consumer, should such a facility be included within the scope of the regulation's definition of financial product or service? It may well be that providers of such free facilities will want to provide the public with privacy assurances, but to the extent that these activities are subjected to regulatory requirements, the legal cost of assuring on-going compliance with privacy rules may have a chilling effect on the offering of such free facilities. The FTC will never know what free facilities were not offered as a result.

When does a person obtain a product or service "for personal, family or household purposes"?

Another aspect of the definition of a consumer that requires clarification concerns determining what the purpose of the financial product or service is. The Proposed Rule states that an individual who obtains a financial product or service "that is to be used primarily for personal, family or household purposes" is a consumer. Proposed § 313.3(e)(1). Products or services delivered over the Internet, however, are not always self-evidently for personal, family or household purposes -- such as accounting software, bill-paying services or investment advice. We would urge the FTC to state that a financial institution may rely on the reasonable representation of a consumer as to the use to which a product or service will be put, for purposes of compliance with the Act.

From whom does a person obtain a financial product or service?

A final aspect of the definition of a consumer that could be clarified concerns whom the consumer obtains the financial product or service from.
A wholesale provider of financial products or services may be said to provide them to consumers, but because the provision is indirect the wholesaler may have no knowledge of the consumer and no contact with the consumer. In such a situation, there may be no compelling reason for the wholesaler to consider compliance with the Act, so long as the wholesaler does not receive any nonpublic personal information concerning the consumer. From our experience of Internet financial services, we can think of numerous examples, such as the provision of financial accounting software -- purchasers of which should not be considered consumers with respect to the wholesaler unless the wholesaler takes registration or warranty information from the consumers. In addition to wholesale providers of services, there is an additional category of financial services providers which provide services to consumers only indirectly. For instance, an appraisal service may be hired by a lender to prepare a property valuation, and a consumer will pay for such service, yet the appraisal company has contact only with the lender. While the lender might be expected to bind the ancillary service provider by contract to respect the privacy policies of the lender vis-a-vis its customers, it is hard to understand how the appraiser would apprise the consumer of its privacy policy, since it would ordinarily not have direct contact with the consumer. In a home financing context, there are a number of such ancillary service providers, and the proliferation of privacy notices which the consumer would receive may be confusing to the consumer, who views himself as a customer of the lender, not the lender's vendors. A final category of company that does not actively provide financial services to consumers also deserves to be free from the requirements of the Proposed Rule, namely those companies that host software that consumers can access on the Internet. 
Such companies do not have any interaction with the consumer, and are better analogized to software vendors whose products are available at retail outlets. These companies are simply using the Internet as a distribution channel for their software, as contrasted with companies that engage in on-going interactive financial relationships with consumers over the Internet. Again with the intention of creating regulatory certainty, we would urge the FTC to state that an individual is a consumer only with respect to those financial institutions to which the individual directly provides nonpublic personal information.

What constitutes a "continuing relationship" with a consumer?

Another definition that we would like the FTC to clarify is that of a "customer" of a financial institution. The Proposed Rule defines a customer by reference to a "customer relationship," which in turn is defined as "a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer[.]" Proposed § 313.3(h), (i)(1). Although the definition contains numerous examples, it does not make clear what constitutes a "continuing relationship." Specifically, obtaining a financial product or service in an "isolated transaction such as" using an ATM, cashing a check or making a wire transfer does not establish a customer relationship. Proposed § 313.3(i)(2)(ii)(A). At the same time, purchasing an insurance product or obtaining advisory services for a fee per se establishes such a customer relationship, presumably even if the insurance product or advisory service is obtained in an isolated transaction. Proposed § 313.3(i)(2)(i)(B), (G). This suggests either that the FTC regards certain isolated transactions as not creating a customer relationship, or that the FTC understands the meaning of an "isolated" transaction in such a way as to exclude a one-time purchase of an insurance product or of investment advice.
By not specifying which of these two possibilities it embraces, however, the FTC creates uncertainty as to precisely when an ordinary consumer becomes a customer of a financial institution. For example, would a purchaser of financial software be considered a consumer, given that he or she obtained the software in an isolated (i.e. one-time) transaction? Or would such a purchaser be considered a customer, given that the software would be of at least as much on-going value to the purchaser as a piece of investment advice? In the interest of regulatory clarity, therefore, we urge the FTC to take one of two courses. It could list the transactions that do not create a customer relationship, stating whether the provision of software for consumer use does or does not, rather than using "such as" language that leaves this crucial question up to individual businesses with varying appetites for litigation risk and varying concern for consumer needs. Or the FTC could define what it means by an "isolated" transaction rather than merely providing examples. Defining an isolated transaction as one that does not impose on-going legal responsibilities (other than ordinary product liability and warranty responsibilities) upon the financial institution with relation to the consumer would appear to encompass the FTC's examples, while providing enough guidance to allow businesses not covered by any of the FTC's specific examples to know how to comply.

What is "nonpublic personal information"?

Another definition crucial to determining the scope of the Proposed Rule is that of "nonpublic personal information." The difficulty of producing a satisfactory definition of the term is clear from the fact that the FTC is still considering two alternative definitions.
Alternative B appears to be the version most popular with the other agencies empowered to write regulations for the Act; the Board, for example, did not even mention the existence of Alternative A in its release of proposed regulations implementing the Act for the subsidiaries of bank holding companies. [cite] Given the importance of having a uniform rule that applies in the same way to all financial institutions, whether chartered or unchartered, depository or non-depository, we think that the FTC should adopt Alternative B. Congress intended for the agencies writing regulations implementing the Act to "assur[e], to the extent possible, that the regulations prescribed by each such agency and authority are consistent and comparable with the regulations prescribed by the other such agencies and authorities." Pub. L. 106-102, § 504(a)(2). Consistency and comparability are impossible if one of the principal operational definitions of the regulations is not identical for all of the regulatory agencies and authorities. Given the support that Alternative B has from other agencies, such as the Board, we urge the FTC to adopt Alternative B as well. In addition to ensuring consistency and comparability, the FTC's adoption of Alternative B will result in a far more workable regulatory scheme. As noted in the FTC's commentary, Alternative A would greatly expand the category of nonpublic personal information. 65 Fed. Reg. 11177-78. While it is undeniable that this would increase the scope of the Proposed Rules, this is not the main reason we oppose the use of Alternative A. Businesses can deal with rules that apply broadly, so long as it is easy to determine just how broadly they apply, which is exceptionally difficult to do with Alternative A. Under Alternative A, nonpublic personal information does not include "publicly available information." Proposed § 313.3(n)(1)(i), (o)(1)(iii). 
Publicly available information, however, includes only information that is "obtained from" government records, widely distributed media, or government-required disclosures. Proposed § 313.3(p)(1). This suggests that information will avoid the definition of Alternative A only if the financial institution actually obtains it from a qualifying public source and, more importantly, can show that it did so. This, in turn, requires that a financial institution keep track of not only the information it obtains but also the source of each piece of information. If a financial institution cannot document where it originally obtained a piece of information, it cannot determine whether the Proposed Rules apply to that information by consulting records in the public domain to see if the information is publicly available. In the absence of virtually error-free record-keeping, therefore, Alternative A would keep a financial institution in a near-permanent state of uncertainty as to the usability of its own records. It may be argued that uncertainty breeds prudence, and indeed a prudent financial institution in such a situation could well decide not to distribute most information because of this uncertainty. But institutions not concerned with legal compliance would undoubtedly seek to exploit this uncertainty rather than respecting it, leading to a situation where businesses seeking to comply with the law would be penalized for that spirit of compliance by having to compete on unequal terms with their noncompliant competitors. No one profits from such a game of regulatory "chicken" except scofflaws and litigators.

What information is "personally identifiable"?

Even if the FTC decides to use Alternative B, we urge it to take the opportunity to sharpen the definition of nonpublic personal information by clarifying what constitutes "personally identifiable financial information." See Proposed § 313.3(o).
Although the definition is elaborate, including numerous examples and several specific exclusions from the category, it does not address the fundamental question of when information can be said to be "personally identifiable." Logically, the phrase would appear to mean that information directly linked to an identifiable individual is covered by the Act, while information not so linked is not covered. We believe that so long as the information is not identifiable, it should not be protected. This would be in keeping with the FTC's interpretation of the Fair Credit Reporting Act, under which information that would otherwise be a consumer report, but which has been "coded ... so that the consumer's identity is not disclosed" is not a consumer report. 16 C.F.R. § 600.3, Commentary to the Fair Credit Reporting Act, Comment 4-B to Section 603(d). While these arguments suggest that this is already a justifiable interpretation, the language of the Proposed Rule does not completely eliminate ambiguity. For example, "personally identifiable financial information" includes "account balance information, payment history, overdraft history, and credit or debit card purchase information." Proposed § 313.3(o)(2)(i)(B). We urge the FTC to specify that this information, like that identified in the other examples, meets the definition only when it pertains to an identifiable consumer. A mere list of account balances without names or other personal identifiers attached cannot help a third party market to the holders of those accounts or otherwise violate their privacy. It should therefore be made clear that such information is not personally identifiable financial information. As a result, a financial institution may disclose such information without violating the Proposed Rule. 
In addition, a third party receiving personally identifiable information may scrub that information of personal identifiers and redisclose it without violating the limits on redisclosure and reuse, and without causing the financial institution that provided it with the information to violate those limits either. See Proposed § 313.12. If the business disclosing such anonymous information wants, for its own tracking purposes, to "identify" each piece of data by the encrypted name or account number of the consumer, we do not think this information should be considered subject to the Act unless and until it is decrypted. Businesses do not need personally identifiable information for such purposes as refining automated underwriting software and enhancing the accuracy of demographic market analysis, but they do need information that is accurate and nonduplicative. Aggregated financial information, stripped of personal identifiers, constitutes the database from which risk models are constructed and refined. These models guide lenders in determining how much interest to charge on individual loans, in order to cover the risks associated with lending, while offering the most competitive rates (that is, the lowest rates consistent with the institution making a profit). The less information is available, the less predictive these risk models can be. And when lenders cannot rely upon their risk models, they tend to charge higher rates, in order to avoid losing money to unanticipated or incorrectly quantified risks. Consumers profit from accurate risk models, which are only possible with access to accurate information. We urge the FTC to permit the free distribution of aggregated or otherwise depersonalized data, as a way of permitting financial institutions and others to continually refine their risk models in order to keep consumer costs low. 
Because of this benefit to consumers, and because of the lack of a corresponding risk, businesses with such information should be able to provide it to businesses that need it. So long as this information does not identify consumers, and cannot be used to target individual consumers for unwanted attention, distribution of this information should not be subject to regulations intended to protect consumers from such direct attention without their consent.

What information is "derived using personally identifiable financial information"?

Following this line of reasoning, another way in which the FTC could sharpen the definition of nonpublic personal information would be by specifying that, for a "list, description or other grouping of consumers ... derived using any personally identifiable financial information" to be covered by the Proposed Rules, it must be a list, description or grouping of identifiable consumers. See Proposed § 313.3(n)(1)(ii). If a business sells impersonal demographic information, and another business uses that information to create a list of consumers, the first business should not be held liable as a distributor of information under the Act. If the first business actually compiles a list of consumers, or a list which allows the recipient of the information to readily identify individual consumers, then it should be subject to the Act. Any other result would have the effect of turning the demographic information itself into nonpublic personal information, despite its impersonality.

Notice and Opt-Out Requirements Need to Include Guidance Specifically Applicable to the Internet Context

While clarifying key definitions is important for financial institutions that do business with consumers over the Internet, we believe that the FTC must take other actions as well in order to make the Proposed Rule Internet-friendly.
Specifically, it must provide guidance concerning compliance with the notice and opt-out provisions of the Proposed Rule that make these requirements meaningful under the special circumstances of the Internet. The Act provides that "a financial institution shall provide a clear and conspicuous disclosure to such consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, of such institution's policies and practices...". Pub. L. 106-102, § 503(a). In this regard, we note that the Congress did not establish any more stringent standard for delivery of privacy policy disclosures "on-line" than in an "off-line" context, but it appears that the FTC has inadvertently established a higher bar for doing business on line than for doing business off-line.

Actual Notice

The Proposed Rule provides two examples concerning the requirement that a consumer receive "actual notice" of a business's privacy policies and practices. A business can reasonably expect a consumer to receive actual notice if the business "post[s] the notice on the electronic site and require[s] the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service[.]" Proposed § 313.4(d)(5)(i)(C). A business cannot have such an expectation if it "send[s] the notice via electronic mail to a consumer who obtains a financial product or service with you in person or through the mail and who does not agree to receive the notice electronically." Proposed § 313.4(d)(5)(ii)(B). The FTC may believe that these two examples establish a rule concerning what constitutes effective electronic notice that is both predictable and even-handed in its treatment of electronic and paper disclosures. In fact, the two examples leave several significant problems unaddressed:

• May a business provide the privacy policy by e-mail to a consumer who consents to such delivery?
We think that it should be permitted to do so, and we think that the second of the examples noted above implies this by negative inference. An institution should not be required to give electronic notice exclusively using a pop-up screen that requires response before proceeding, which would effectively require acceptance before proceeding. Limiting electronic disclosure to such a narrow technological solution would mean that the electronic opt-out was an opt-in for all practical purposes. This violates Congressional intent. If a business wants to use opt-ins, for customer relation purposes or to establish consumer consent to sharing (useful for FCRA purposes), then it should be able to. But such an opt-in should not be mandated for electronic disclosures, given that it is not required for paper disclosures. We would like confirmation, in the form of a specific example or regulatory language, that any mode of delivery specifically agreed to by the consumer is permissible. C Must a business provide a separate notice for each site? We think that there should be no limitation on the range of Internet addresses or sub-addresses covered by any particular privacy policy disclosure, so long as it is clear to the consumer which addresses or sub-addresses the disclosure does cover. But currently, the only guidance the Proposed Rule provides refers to a notice on a single "site," without defining what constitutes a site. The FTC needs to make clear that a privacy policy disclosure can apply as broadly or as narrowly as a business wishes it to (subject to the requirement that the limits of applicability of the notice be clear), in order to avoid tying the Proposed Rule to the current technological standard for what constitutes a "site." C Must a business post a separate notice for each instance in which it provides a financial product or service over the Internet? 
Again, we think there should be no limitation on the range of products or services to which any particular privacy policy disclosure applies. If a business wishes, it should be able to use a single privacy policy disclosure with reference to as many or as few products or services as it wishes, again subject to the requirement that the limits of applicability of the notice should be clear. Because of the technology available to providers of financial services over the Internet, commonly known as "cookies," it is possible to know whether a privacy policy disclosure has been provided to a particular computer user before. Using such technology, it is possible to provide a small number of comprehensive privacy policy disclosures, rather than bombarding a consumer with repeated requests that he or she read and acknowledge privacy policy disclosures before making each request for a financial product or service. This increase in efficiency would cause no diminution in the consumer's privacy protection. We urge the FTC to make clear that such comprehensive disclosures and such monitoring technology are permissible under the Act. Significantly, this option of using a cookie to avoid repetitive privacy policy
disclosures is extremely consumer-friendly: the consumer could delete the cookie at any
time, prompting the financial institution to deliver another round of disclosures. If
properly disclosed to the consumer, the use of a cookie for this purpose would assure the
consumer of receiving privacy disclosures when the consumer wanted them. Although the Proposed Rule may leave unanswered other Internet-related questions about actual notice, we think these are the most important, and we urge the FTC to clarify its position on all of these. The flexibility of Internet technology, its ability to parcel out responsibilities among numerous parties, and its ability to provide linkages among diverse product and service providers are all aspects that provide significant benefits to consumers. The FTC should not permit these same aspects to confer contingent legal liability on Internet financial services businesses through lack of regulatory clarity. Co-Branded Products and Services In the same way, it would benefit providers of financial services over the Internet if the FTC were to clarify how to comply with the Act in a situation, common on the Internet, where a financial product or service is provided through a co-branded website. The Proposed Rule does not discuss co-branding at all. However, it appears to contemplate a rough parity whereby the provision of one financial product by one business produces the need for one privacy policy notice. Under such a logic, it would appear that a product or service provided through a co-branded site, if truly provided by both of the co-branded entities and not by one as the agent of the other, would require two notices. We do not think this solution is consumer-friendly, and we think instead that it should be possible for the co-branded businesses to provide a single privacy policy notice applicable to both businesses. We have noted above that we see no harm in permitting businesses to provide blanket notices that cover more than one product or service, so long as those notices are clear about what they cover. 
By the same token, there would appear to be no harm to consumers if two businesses provided a joint disclosure, so long as that notice clearly and accurately described both institutions' policies. Such joint disclosure would be more convenient and comprehensible to the consumer than receiving a series of (possibly contradictory) disclosures from individual participants in the co-branded site. Based upon its benefits and its lack of harm, joint disclosure in such circumstances should explicitly be permitted.

Joint Accounts

Another area that we think it important for the FTC to clarify concerns delivery of privacy policy notices to persons setting up or holding joint accounts. The Proposed Rule does not specifically discuss how the notice and opt-out requirements apply to joint accounts, and the FTC has requested comments on the issue. 65 Fed. Reg. 11182. We think that any specification of requirements for joint accounts must take into account the reality that most "joint" applications involve one person doing a disproportionate share of the applicants' work. This is clearly the case in the Internet context: a joint application is submitted from a single computer with a single keyboard. The notice and opt-out requirements should reflect this reality, permitting a financial institution to provide a single notice and a single opt-out for a joint account, covering all information provided in connection with that account. The financial institution should be able to provide that notice and opt-out to any joint account holder, leaving it to that person to consult with the other joint account holders about whether to opt out. And any one of the joint account holders should be able to exercise the opt-out, restricting distribution of the information associated with the account. In such case, the FTC would recognize by rule the legitimacy of a presumption that a communication from any joint account holder was a communication on behalf of all.

The alternative, requiring that every joint account holder receive a notice and opt-out, would be unworkable for businesses and unfriendly to consumers. Providing multiple disclosures would be cumbersome even with paper applications. Financial institutions would have to keep track of whether all, or only some, of the joint account holders had opted out. And if joint account holders disagreed about opting out, or if one was more prompt than the others in returning the opt-out form, financial institutions would be in the impossible position of having to winnow information from the joint account, restricting the distribution of information personal to one, but not all account holders. The procedure would be even more difficult with electronic applications, given the need to designate specific computers as being under the control of specific persons for purposes of sending notices and receiving acknowledgments or opt-outs. And the only effect all this complication would have on consumers would be to draw out the period of uncertainty during which a consumer could not know whether all the information pertaining to an account was or was not restricted by opt-out. We see no benefit to providing such a cumbersome solution, and we urge the FTC instead to make clear that only one notice need be sent for a joint account.

Maximizing the Efficiencies Created by Electronic Delivery of Notices

We applaud the FTC's willingness to permit privacy policy notices to be delivered electronically with the consent of consumers. With the clarifications we have noted above, we think that electronic delivery will quickly become the most popular method for consumers to obtain privacy information and for businesses to comply with the Act.
It will become clear, if it is not already, that duplication of electronic delivery of notices with delivery of paper copies, as has been proposed by some, is entirely unnecessary -- a position that we strongly adhere to, and which we think the FTC should clearly endorse in the Proposed Rule. In order to maximize the efficiencies of electronic commerce, however, it is important that businesses be able to track electronically to whom they have delivered privacy policy notices, in order to avoid needless duplication. Doing so not only saves businesses time and money, but also saves consumers from receiving redundant disclosures every time that they log on to a website they have visited before. If consumers receive too many unnecessary disclosures, they stop paying attention to any disclosures, including the ones they should pay attention to. In addition, electronic tracking creates evidence of delivery with which to determine the business's compliance or noncompliance easily and decisively. With this in mind, we think that the Proposed Rule should explicitly permit financial institutions to track the electronic delivery of privacy policy notices by electronic methods such as the use of cookies, with notice to consumers but without opt-out by consumers. Regulatory support for the use of such technology will permit the Internet financial services industry to meet consumer privacy expectations without sacrificing the efficiencies of electronic commerce.

Establishing Electronic "Reasonable Opportunity" Standards for Opt-Outs

Finally, the Proposed Rule should clarify the issue of what, in the context of the Internet, constitutes a "reasonable opportunity" for a consumer to opt out. The Proposed Rule provides two examples of a reasonable opportunity.

    With a customer, a financial institution may mail the notices required in ... this section to the consumer and allow the consumer a reasonable period of time, such as 30 days, to opt out. Proposed § 313.7(a)(3)(i).

    In addition, in an isolated transaction, a financial institution may provide the consumer with the required notices at the time of the transaction and request that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction. Proposed § 313.7(a)(3)(ii).

The FTC has solicited comments on whether an additional example "in the context of transactions conducted using an electronic medium would be helpful." 65 Fed. Reg. 11182. We think that an additional example would be helpful, given that the two examples in the Proposed Rule leave so many possible consumer relationships unaddressed. Specifically, the FTC should provide clear guidance that applies to situations in which a financial institution provides electronic notices to its customer, and in which a financial institution provides electronic notice to a consumer in connection with something more than an isolated transaction. The reasonableness of the response period for electronic notices should not be measured by the slower pace required in connection with notices being mailed. Electronic delivery is a reliable delivery mechanism, and delivery failures are easy to detect and correct, so there is no reason to require a financial institution to wait thirty days to permit a consumer or customer to respond to an electronic notice. At the same time, because the privacy policy notice may be a complex document, it may not always be appropriate to require the consumer or customer to read, acknowledge and consent immediately as a condition to proceeding with the transaction. We therefore urge the FTC to insert at least one additional example, establishing that what constitutes a reasonable opportunity in the electronic context is some period significantly less than thirty days, though longer than that given to a consumer in an isolated transaction. We think three days is a period appropriate for both consumers and customers. The federally mandated cooling-off period for certain persons borrowing on the security of their principal dwellings is currently three days. 15 U.S.C. § 1635(a). If three days is reasonable time to decide about such a significant issue, it should be reasonable time for the consumer or customer to make the decision whether to permit nonpublic personal information about himself or herself to be distributed.

Guidance as to Legal Liability

Having clarified the definitions crucial to determining compliance, and having clarified the requirements for providing electronic notice and opt-out, the FTC can complete the job of making compliance with the Act in the Internet context possible by answering some of the legal liability questions left open by the Proposed Rule.

Limit Liability for Third Party Use of Information

A financial institution disclosing information to nonaffiliated third parties that perform services for the institution or function on its behalf must contractually require such third parties to maintain the confidentiality of the information and limit the third parties' use of the information. Proposed § 313.9(a)(2). If a financial institution enters into such a contract, and the third party violates these limitations, it is clear that the third party is in breach of the contract. In addition, the third party is probably in breach of the Proposed Rules, given the limitations on redisclosure and reuse of information. See Proposed § 313.12(b)(2). Both of these outcomes make sense. But we are concerned that, without clarification from the FTC, the financial institution itself will be held in violation as well, despite the fact that it is blameless. Given the strong effect that the threat of even ill-founded litigation has on the growth of new industries such as the Internet, we urge the FTC to make clear that, in the situation outlined above, the financial institution is not liable under the Act for the breach of the confidentiality agreement by its third-party service provider.

Effects of Overlapping Federal Requirements and Permissions

The Act covers subject matter that has been largely unregulated up to now by the federal government, but a few existing laws and regulations already cover aspects of information-sharing. We would appreciate the FTC providing some guidance as to the interaction of the Act with these existing laws and regulations. Take the Fair Credit Reporting Act ("FCRA"), 12 U.S.C. §§ 1681 et seq. The Act expressly does not "modify, limit or supersede" FCRA, except in minor respects. Pub. L. 106-102, Sec. 506(c). For example, if the FTC believes that a disclosure of information "necessary to effect, administer or enforce a transaction requested or authorized by the consumer" under Proposed § 313.10(a)(1) per se includes all disclosures that, if made by a consumer reporting agency, would be pursuant to a permissible purpose under 12 U.S.C. § 1681b(a). Although the two statutes are distinct, we would urge the FTC to consider how much it is possible to craft rules for the Act that are consistent with the known rules of the FCRA. We also urge the FTC to consider explicitly the interaction of the Act with other federal rules, answering questions such as whether Internal Revenue Service rules governing the use of tax return information preempt inconsistent aspects of the Proposed Rule (and if so, what those aspects are).

Postpone the Effective Date of the Act

Legal liability will begin to attach to financial institutions as soon as the Act becomes effective.
For new consumers and customers, the Proposed Rule establishes an effective date of November 13, 2000, while for existing customers as of that date the financial institution has thirty days in which to provide and process notices and opt-outs. Proposed § 313.16. Given how many businesses still do not realize that they may be construed to be financial institutions covered under the Act, we think it will be extremely difficult to produce widespread compliance with these complicated provisions in such a short period. Even for businesses that are well aware that they are financial institutions, contacting all of their existing customers and processing their opt-out requests by December 13, 2000 will be difficult. Widespread noncompliance despite good faith efforts to comply will do nothing to make businesses understand that they should respect the requirements of the Act. It will also do nothing to make consumers confident that the Act is effective in protecting their personal privacy or giving them choice in the use of their nonpublic personal information. Rather than permitting the Act to appear ineffectual, we urge the FTC to postpone the effective date of the Act to May 13, 2001. Companies would still be encouraged to post their privacy policies voluntarily, at the earliest convenient date. In connection with this postponement, the FTC could clarify the scope of the so-called "transition rule," Proposed § 313.16(b). The Proposed Rule discusses only those persons who were customers of an institution on the effective date. The FTC could make clear that the meaning of this limitation is that persons who were no longer customers of an institution on the effective date, or who had been non-customer consumers prior to the effective date, are not subject to the Act, and that their nonpublic personal information is likewise not subject to the Act. 
While this interpretation may appear self-evident, in this as in so many of our other comments we believe that a clear regulatory statement is preferable to even a very good interpretative argument.

Conclusion

For the reasons stated above, we think that the FTC's Proposed Rule, while generally a well-crafted regulatory structure for implementing the Act, could profit from additional clarity at a number of points. We are particularly concerned that the Proposed Rule apply clearly and unambiguously to the sort of situations commonly found when financial products or services are delivered over the Internet. We hope that our comments will be of help in making the final version of the FTC's rule implementing the Act useful to electronic financial service providers.

Very truly yours,

Donald P. Brewster

1. It will need to coordinate with the banking agencies in establishing these exceptions, in order to avoid permitting discrimination in the treatment of similarly situated consumers by institutions regulated by different entities.

2. Contrast a transmission company with one that stores information for subsequent transmission, an activity that would appear to come much closer to being a financial activity. The essence of a utility-like communications facility -- as a great deal of Internet activity is -- lies in its automatic transmission of information. The caller or the e-mail sender is in control of what message is being sent, when, how and to whom. It is as instantaneous as technology can make possible. If an institution stores information for subsequent transmission, by contrast, it is acting less like a utility and more like a researcher or an information broker. And if the information it is storing for future transmission is financial information, the institution is acting more like a financial institution. We urge the FTC to adopt this distinction, which would be particularly useful in determining who in the Internet context has responsibilities under the Act.