In 1999, when U.S. Bancorp was sued by the Minnesota attorney general for selling customer information to a telemarketing firm, it suddenly became the poster child for banks that seemed to violate customers’ privacy routinely.

It settled the suit by agreeing to pay a $3 million fine and to stop selling customer account numbers and other data to third parties. Jack Grundhofer, who was then chief executive officer and is now chairman of U.S. Bancorp, described how the legal slap had prompted much soul-searching: “As the trust of our customers is the bedrock of our business, our decision to stop these practices was made easily and quickly,” he said at the time.

Though the bank took some concrete steps to change its ways — rewording the privacy policy, halting the offending marketing practices, and stepping up overt verbal support for privacy — the end result is that U.S. Bancorp’s privacy policy and practices are only a shade different from those that provoked the attorney general’s wrath. Instead of directly supplying customers’ account numbers along with their personal information such as names, Social Security numbers, and other details to a telemarketing firm, U.S. Bancorp will provide the encrypted account numbers of people who have not opted out (and most customers have not).

Thus, the third-party telemarketer can continue to sell the same products using the same tactics, but must go through the bank to have a customer’s credit card charged, since the bank must unscramble the account number.

The shade of difference seems to make all the difference between being on the right and wrong sides of the privacy debate, and, in some cases, the law. It also means everything in the world to a customer, because the company to whom they gave their personal information is the only company that gets access to the data, and control is kept local.

“We have looked very carefully to make sure our policy prohibits sharing of account numbers,” said John Blumenfeld, a vice president and senior corporate counsel at U.S. Bancorp. “We give an encrypted customer identifier, which is not the account number. Frankly, U.S. Bancorp ended up refunding quite a bit as part of the settlement of the claim. Some settlements are still in the process of being paid.”

Though U.S. Bancorp’s privacy policy in 1999 promised to keep personal data private, the company shared a lot of information with MemberWorks Inc. of Stamford, Conn., a telemarketer that sells memberships to loyalty programs that let customers earn discounts.

According to the Minnesota attorney general’s lawsuit, U.S. Bancorp handed over to MemberWorks just about any or all information that a customer would want to keep private: bank account numbers, Social Security number, birthday, occupation, marital status, average account balance, and year-to-date finance charges on the customer’s credit card account.

In turn, MemberWorks would use the information to offer customers various types of membership services. If the customer did not call to cancel within a certain period of time, usually one month, an annual fee would be charged to the customer’s credit card.

The practice, which the attorney general calls preacquired account marketing, gives telemarketers the ability to charge a customer’s account even when he or she does not hand over a credit card number. It is a sales technique that has snared many unsuspecting customers, who thought they had not bought anything because they did not give up their number.

Prentiss Cox, an assistant attorney general for Minnesota, said the problem with giving account numbers to marketers — even encrypted ones — is that it takes some of the control for making a purchase away from the consumer, who usually must present money, a check, or a credit card to make a purchase.

Mr. Cox called the practice “tawdry,” and said his office had obtained tape recordings of telemarketers calling the elderly or those with limited English, who clearly did not understand that they were making a purchase. “If I call up an airline, I don’t give my credit card number until I know we have agreed on a transaction. I can withhold consent,” Mr. Cox said. “Now what happens is the consumer is stripped of signaling consent to the transaction.”

Mr. Blumenfeld, the company attorney, said third-party marketers are prohibited from using the encrypted account number to charge customers. “They cannot make a charge without getting authority from the customer to do so,” he said. “We give the marketers an encrypted number that can be used to identify the customer, so if a sale is made, the marketer can say, ‘We sold insurance to customer XYZ,’ and give us back the encrypted account number.”

From that information and the cost of the product, he said, the bank can facilitate the transaction. “In most cases, we will see the order form from the customer.”

Next Tuesday: How U.S. Bancorp coped with the lawsuit.

Subscribe Now

Access to authoritative analysis and perspective and our data-driven report series.

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.