Although financial institutions have now sent more than a billion privacy notices to consumers, neither the companies that sent them nor the other groups involved in the financial privacy debate are declaring victory.
Consumer advocates are still dissatisfied, and complain that the notices were wordy and confusing. Regulators and lawmakers say they are reserving judgment on the success of the effort.
The financial services companies remain cautious after their first major public exercise in privacy protection. They are still struggling with how to present the notices - which must go out again next year - and with answering their persistent critics, who see little evidence that the costly notification exercise has accomplished much.
"The corporation is now living with privacy," said Agnes Bundy Scanlan, the chief privacy officer at FleetBoston Financial Corp.
The fact that the privacy notices did not prompt a tidal wave of opt-outs could be read as good news for banks, which would prefer that their customers acquiesce to data-sharing practices. While few executives would admit it, the 5% opt-out rate that has been circulating as the unofficial industry figure may well be cause for elation, a sign that people who read the notices were not unduly concerned about their institutions' privacy practices.
The notices, required under the Gramm-Leach-Bliley Act of 1999, were meant to enlighten customers and give them a measure of control. Companies that sell customer information to third parties - as opposed to just sharing it with "corporate affiliates" - were obliged to let customers opt out of this practice. All financial companies, whether they share information or not, were required to lay out exactly how they do use customer data.
The companies, bound by a tangle of legal requirements, say they are doing their best to keep consumers informed and to comply with the law, but that the language of legal obligation does not neatly translate to colloquial English. Moreover, the companies say, low opt-out rates suggest that consumers are ignoring their efforts, already trust them to do the right thing, or care less about the issue than some people might have thought.
Whether or not a greater good has been accomplished, sending and receiving privacy notices will become a familiar ritual. Gramm-Leach-Bliley requires banks and certain other institutions to repeat the privacy mailings annually, and to let customers opt out at any time.
FleetBoston, for one, began mailing notices to more than 20 million customers on March 1, staggering them over the following 10 weeks, so as not to overload the call centers. Most of Fleet's notices were sent as "statement stuffers," but the roughly two million customers who do not get regular statements received individual mailings.
Ms. Scanlan, who has been chief privacy officer at Fleet since the post was created nearly two years ago, said Fleet was not obliged to extend an opt-out, because it does not share nonpublic information about customers with third parties.
So far, Ms. Scanlan said, most calls to the toll-free number listed in Fleet's privacy notice pertain to the opt-out under the Fair Credit Reporting Act, which allows customers to block the sharing of credit-related information (such as credit scores) with affiliates. Doing so can reduce the number of credit solicitations a consumer gets.
Companies took a variety of approaches to the disclosure task. Some, like Fleet, sent them as statement inserts, while others deliberately sent separate mailings. Many companies made them drab and presented them in dry legalese, while others sought to use them as an opportunity to present a mini-advertising brochure, complete with a message from the chairman. Both approaches drew fire from consumer advocates.
Nordstrom Inc., for example, the department store chain that issues both private label credit cards and general-purpose Visa cards, sent something that looks more like a catalogue than a legal statement. The heavy, glossy paper folds out into pastel panels of purple, green, and yellow. Inside is a 10-sentence letter from a Nordstrom marketing executive introducing the retailer's privacy policy.
Outside is a picture of a woman in blue and white sportswear laughing and sipping a latte at the same time. The caption is, "You Shop. We Reward You. It's That Simple." A Nordstrom spokeswoman declined to comment about the design of the company's notice, other than to say that it complies with federal law.
Ms. Scanlan said the law's requirements have prompted most financial institutions to make good faith efforts to scrutinize their data-sharing practices, and to determine how to clearly communicate their policies to customers.
"A lot of institutions did stand-alone mailings," she said. "Many, like we did, conducted focus groups with customers, noncustomers, and employees. And you see privacy officers participating in conferences to talk about their different policies. I'm not certain what else we could do."
Consumer advocates see plenty of room for improvement. Some have complained that lax privacy provisions in the Gramm-Leach-Bliley Act allow distorted privacy notices. If the legislation really mandates "clear and conspicuous" notices, they asked, why are institutions getting away with glossy advertisements and negligible inserts?
Capitol Hill appears to be listening to their concerns. Last month, Rep. John LaFalce, D-N.Y., the ranking Democrat on the House Financial Services Committee, released a draft letter asking regulators to inspect the readability of notices during compliance exams.
Meanwhile, the Privacy Rights Clearinghouse has been pumping out "fact sheets" about privacy notices and how consumers should handle them. The San Diego nonprofit engaged a "readability consultant" to analyze 34 privacy notices sent by financial institutions. His conclusion: The average notice was written at the reading level of a college junior or senior, though Census data show that only 25% of adults have college degrees. The notices were riddled with negatives and too many words per line. Typefaces were small or difficult to read, and there was not enough space between lines.
"Many consumers have received their privacy notices, but because they are stuffed in the envelope with other materials and because they're often in very fine print, customers are largely ignoring them," said Beth Givens, director of the Privacy Rights Clearinghouse.
Ms. Givens said more consumers would be concerned about privacy if financial institutions were straightforward about what they do with customers' data. Privacy notices are so indecipherable, she said, that her organization has posted a guide for how to read them on its Web site.
Preliminary estimates of the number of consumers who have opted out hover around 5%. "It does seem, from listening to peers and regulators, that the opt-out response has been low," said Ms. Scanlan of FleetBoston. "I don't know if that was anticipated, but nonetheless it's been low."
The American Bankers Association asserts that consumers are reading their notices. In an ABA-sponsored telephone survey of 1,000 consumers, two-thirds of those who said they had received notices also said they had read them.
James Chessen, chief economist of the ABA, said he was surprised himself by the response rate. "Many of us thought consumers would say, 'Yeah, that's nice, but I like my bank, I trust my bank, I don't need to read this,' but they are," he said.
Mr. Chessen added, "What makes people queasy is sharing information with unrelated third parties. That applies not just to banks but to any of the companies they deal with."
On the other hand, consumers seldom know if their financial institution may be the source of a solicitation from a third-party marketer. "The consumer just sees the product, they don't think, 'What party is doing this?' but 'Am I getting the kind of service I want?' " Mr. Chessen said. Actually, he added, some consumers show almost no concern about privacy. "It's amazing how many people easily give up a lot of information about themselves for very little benefit."
Next: Have financial institutions failed to make the case for opting in?