The privacy statements sent out by your credit card issuer each year are easier to understand than they used to be, but many consumers jeopardize their privacy by not taking the time to read them and control how their information is shared, experts say.
If you have a bank account or credit card, you’ve received at least one annual notice in the mail outlining that institution’s privacy policies. That’s because the Gramm-Leach-Bliley Financial Modernization Act of 1999 mandated that financial institutions, including banks and credit card issuers, must send customers a notice each year that explains what personal information the company collects, how the company protects that information, who the company intends to share it with and how customers can opt-out of having the information shared.
The original compliance date of the act’s privacy notices was in July 2001, so the annual notices tend to hit mailboxes in early summer.
While privacy statements have been hard to decipher in the past, “there are relatively new short form notices that are being utilized by financial institutions that make it a lot easier to understand exactly what you can and cannot opt out of,” says Paul Stephens, director of policy and advocacy with the Privacy Rights Clearinghouse.
While the annual statements may be easier to understand, the underlying privacy policies aren’t as consumer friendly as they can be, some experts say. For one thing, the Gramm-Leach-Bliley Act doesn’t give consumers absolute control over what information is shared.
Consumer rights to privacy
According to the act, consumers can opt out of having their personal information shared with unaffiliated third parties or companies that are not part of the same corporate group as your financial institution.
However, there are a number of limitations on the type of information you can control.
- The law doesn’t cover information that is shared with affiliates of your financial institution. For example, if a parent company owns both a bank and a mortgage company, you don’t have the right to opt out of having your information shared between those entities.
- The law also doesn’t give consumers the right to opt out of having information shared that is considered public information, such as that which can be obtained via government records, websites or other forms of media.
- You can’t opt out of having your information shared with a nonfinancial service provider — a company that your bank hires to service your account or help process transactions.
- You can’t opt out of having information shared with companies your financial institution has joint marketing agreements with. If your bank has teamed up with another company to sell financial products or services, you’re fair game.
Companies have incentives for sharing your information. With financial institutions looking for new sources of revenue, “they can take your personal information and monetize it,” says Stephens.
On occasion, consumers may want their information shared with their credit card issuer’s affiliates. When the bank shares this information with partners, those partners can better target products and services to you. For example, 20-somethings just out of college might be keenly interested in financial products that could help them pay off their car loans faster, and less in information about retirement accounts. Sharing data helps the companies send appropriate offers and not pummel you with irrelevant junk. “By sharing the information, you’re not going to get this broad-based kind of advertising for anything and everything,” says Robert Rowe, vice president and senior counsel for the American Bankers Association.
For example, Floyd Aaron of Baltimore says he reads his privacy statements every year but he’s never opted out because, “I know who my bank partners with and know there may be a particular service I can benefit from,” he says.
Taking proactive control
The statement will provide instructions on what you can opt out of and how to do it. Different financial institutions have different guidelines for doing so, which can range from calling a toll-free number to sending a letter via postal mail. If you don’t follow your card issuer’s instructions, “it’s possible that your opt-out request might not be recognized,” Stephens says.
If you don’t understand the privacy statement, “we encourage customers to call us directly if they have any questions,” says Steve O’Halloran, a spokesman for Chase.
Issuers typically give you a certain period to opt out before they start sharing information, but you can still opt out at a later time by following that financial institution’s instructions. If you inadvertently throw out the statement, many financial institutions post a copy online.
Some consumer advocates have urged consumers to write their own opt-out letters to financial services companies if they don’t like their privacy practices. Other experts question whether that’s an effective use of your time. “I think large financial institutions in particular may not even know how to handle that letter,” says Stephens.
Joanne McNabb, chief of the California Office of Privacy Protection, points out that even if a letter won’t change the policy, “I think it’s good for [financial institutions] to hear from their customers.”
Some states go beyond the Gramm-Leach-Bliley Act and require consumers to be given the option to opt in to having their information shared. In that case, if the consumer does nothing, the information does not get shared. California is one such state, so “if a bank wants to share my information with a travel agency, they have to sell me on it,” says McNabb.