Business: Banks privacy protection alerts easy to miss
Banks privacy protection alerts easy to miss
By law, every financial institution must give its customers the right to "opt out" of having certain information shared with outside companies. But the information in mailed privacy statements often is overlooked or simply too hard to decipher.
TAMPA -- Most Americans say they don't like banks sharing personal information about them.
But few are seizing an opportunity to do something about it, even though that opportunity is being dropped into their mailboxes.
For the first time, every financial institution in the country is being required to mail customers a copy of its policy on sharing customer data. And the banks must give customers the right to "opt out" of having certain information shared with outside companies, typically by calling a toll-free number or writing the bank.
The mass mailings, often tucked as inserts into monthly statements, picked up in earnest the past few months as banks race to beat a July 1 deadline. Most big banks, such as Bank of America and Citigroup, are well into the process.
The response of customers so far? A big yawn.
Some banks estimate the response rate at less than 1 percent. At First Union bank, spokeswoman Mary Eshet said it might be partly because many customers trust their banks.
Not likely, say privacy advocates, who offer a slew of other reasons: privacy statements getting lost in a sea of junk mail; inertia; confusion; and a voice-mail nightmare greeting some customers who try following directions to opt out by calling a toll-free number.
"What we're hearing from consumers primarily is that they're not even seeing the notices in the first place," said Tena Friery, research director with the non-profit consumer group Privacy Rights Clearinghouse.
Part of the low response undoubtedly lies with the privacy mailings. The same banks that routinely offer bold, hard-to-miss invitations to buy extras such as credit card insurance are turning out privacy statements that are an eye-glazing jumble of small print and legalese.
Mark Hochhauser, a consultant in Minnesota who specializes in determining the "readability" of documents, had a field day poring over 17 sample privacy statements.
Notices to consumers ideally should be written at a junior high level. Hochhauser found consumers would need the reading skills of a college junior or senior, on average, to understand the statements. Some were at graduate school level.
"The notices were supposed to be written in a "clear and conspicuous' style so they would be "reasonably understandable,' " Hochhauser said. "Instead, the statements I reviewed were poorly written with too many long sentences and too many uncommon words."
Even the headline on many of the pamphlets -- "A statement about our privacy policy" -- fails to alert customers that this is a chance to exercise their privacy rights.
After statements are deciphered, Hochhauser said, there may be other problems in cutting the privacy ties. In one case, he called a toll-free number three times before he was able to opt out.
With the low response, "people will conclude that consumers really aren't interested in privacy," Hochhauser said. "It's not true."
Friery of the Privacy Rights Clearinghouse cited polls showing between 80 percent and 90 percent of Americans are concerned about privacy. "That doesn't really square with a slow response rate," she said.
Chris Hunter of Republic Bank in St. Petersburg is well aware of the concerns over how statements are phrased.
As general counsel for Republic, the biggest bank based in the Tampa Bay area, Hunter is point person for drafting a privacy statement to ship to the bank's customers this month.
Working in-house, he intends to spend only $8,000 on the project, compared with about $40,000 for a typical bank Republic's size and far less than the hundreds of thousands of dollars doled out by the megabanks.
If Republic is later than others in getting the word out, it hopes to make up for it in clarity.
"We've tried to tailor it down," Hunter said, "speaking in first person instead of third, not using a bunch of legalese."
Hunter thinks banks should guard customer data but questions if the massive paperwork exercise goes too far. "Like many regulations that Congress comes up with," he said, "this all begins with the sins of a few predatory lenders out there, so now the entire industry has to pay for it."
The notice requirement, which banks fought unsuccessfully, is part of the Gramm-Leach-Bliley law, the sweeping financial modernization act passed in 1999.
The legislation requires banks, credit card companies, brokerage firms, insurance companies and other financial institutions to send the notices to all their customers. The notices are supposed to explain the kinds of information the companies collect, how they use customer information and how customers can opt out of having that information disclosed, sold or leased to outside companies.
The two biggest banks in Florida, Bank of America Corp. and First Union, are among those that already have internal policies against sharing information with third parties, so there is little for customers to opt out of. But in a victory for the banks over consumer groups, the law does not give customers any say over the banks' common practice of sharing certain basic information with their own subsidiaries, such as a brokerage or insurance arm.
States have the option of passing their own, more restrictive privacy policies, but only a few states have looked at the issue so far. And the financial industry is lobbying Congress for an amendment to the modernization bill that would close that door, preempting states from passing different rules.
Nothing in the new law is likely to ease the suspicions of privacy-conscious bank customers such as Jim Fike.
Fike, a salesman in Tampa, was puzzled last year when he spotted an unauthorized $9.99 charge on his First Union debit card from Protective Network, an Alabama insurance company he had never heard of.
His curiousity turned into anger after a Protective Network representative casually mentioned that his company bought mailing lists and other information from First Union.
"Exactly what I thought was occurring was occurring," Fike said. "First Union was selling this information to various insurance groups. They'll go to any extent to exploit you."
First Union insists it does not sell information to third parties, unlike some of its competitors. Eshet of First Union said the bank's investigation indicates Fike purchased the insurance through Priceline.com and used his First Union debit card to pay for it.
Fike disputes that account as "complete fabrication. . . . The only thing I ever bought on Priceline was groceries."
Adding insult to injury, he said, he later discovered the bank was charging him $2 per call when he called an 800 number several times to resolve the dispute.
"I just don't trust them," he said. He has closed his First Union account.
