Editorial: Privacy ‘safeguards’ are pathetic

Monday, June 25, 2001 | 9:15 a.m.

In 1999 Congress overhauled the nation's financial services laws, throwing out Depression-era prohibitions that had prevented banks, insurance companies and securities firms from merging. But privacy advocates warned that such consolidations could endanger privacy rights. After all, these financial institutions could swap sensitive information about customers, including Social Security numbers and medical records, to affiliated companies and outside marketers. In a sop to privacy advocates, a provision was inserted into the legislation that allowed for the creation of a regulation to require financial services companies to let their customers know that they could block the sharing of this information.

Well, the letters informing customers of their privacy rights are just now going out and guess what's happening? Some members of Congress are telling federal regulators that not only are the letters confusing, but that they also may be discouraging people from taking action to protect their privacy rights. Rep. John LaFalce, D-N.Y., says that in some cases the privacy terms are printed so small in the notices that older Americans with limited eyesight may have trouble reading them. It also doesn't help that sometimes the notices are written in legalese, rendering them difficult to understand, or that they come enclosed with other information, such as billing statements, making it difficult to even find them.

LaFalce wants federal banking regulators to look into the complaints of consumers and direct the financial institutions to send out better notices. While this would be an improvement, the reality is that even this wouldn't go far enough. What Congress should do is amend the financial services legislation and shift the burden of privacy protection, which now rests with the consumer, and place it on the businesses where it belongs. Customers of these companies shouldn't be forced to request privacy. If a company wants to shop around a customer's personal data, then the company should get the customer's permission first. Period. That's the cleanest, fairest remedy to prevent sweeping privacy violations.