Regulators Propose Simpler Data-Sharing Policy Notices

The privacy notices banks are required to send their customers each year could be in for a major overhaul.

Eight agencies that regulate financial services are beginning to question nearly every aspect of the notices, which were mandated by the Gramm-Leach-Bliley Act of 1999. Regulators took their first crack at rules implementing the law in 2000, but the first notices in mid-2001 were roundly criticized as confusing or worse.

"The notices, I've said, are the largest mandated junk mail in American history. They're about as useful to Americans as socks on a rooster," Federal Trade Commission Chairman Timothy J. Muris said last month.

A proposal the agencies published Dec. 30 in the Federal Register aims to change that by bringing uniformity to the notices and making it easier for consumers to compare privacy policies among institutions.

The eight agencies have offered four options. Two use a checklist format in which a company would list possible information-sharing practices and indicate with a yes or a no whether it engages in that practice.

A third option is a template to distill a company's privacy policy into brief bullet points. It outlines six categories of information that should be covered, such as "information shared" and "your preferences," but would allow a company to describe its practices in whatever terms it chooses.

The fourth option is a pair of forms that would let consumers know they have the right to ask a company not to share their personal information with any other company or affiliate.

David Medine, a partner at the Washington law firm Wilmer, Cutler & Pickering and a former FTC official, applauded the plan.

"This will provide two benefits: … clear disclosure to consumers, but also clearer guidance to financial institutions on how to write these privacy policies," he said. "Uniformity can be very beneficial to financial institutions. Everyone is struggling with how to phrase things in the right way."

Privacy disclosures vary greatly. Some institutions boil their policies down to about 300 words, while others use 1,200 to explain the data they collect and how they share it both internally and with other companies.

Under each of the four options in the regulators' proposal, customers would be sent privacy-policy summaries of just a few hundred words. Customers interested in viewing a bank's full privacy policy would be directed to a branch or Web site. The agencies are collecting comments on the plan through March.

Martin E. Abrams, the executive director of the Center for Information Policy Leadership at the Atlanta law firm Hunton & Williams LLP, said his research shows that consumers find the template-based system the most useful, because the format makes it easy to compare competing firms' privacy policies.

The policies "really should be an instrument that drives comparison in the marketplace," he said.

Pointing to similar notices prepared by J.P. Morgan Chase & Co. and Procter & Gamble Co., Mr. Abrams said the template format helps consumers compare the policies of companies in completely different industries.

Bankers skeptical that consumers would trust a single disclosure format when dealing with companies that have products as diverse as money market accounts and snack foods should simply look to the supermarket aisles, he said.

"You can compare Pepsi and Coke by the food label, but when you go to macaroni and cheese, you're familiar with the food label, so you can compare macaroni and cheese to Coke," Mr. Abrams said. "I can't necessarily pick up a notice from large bank A and compare it to large bank B."

At least so far, bankers say they are unfazed by the plan.

John J. Byrne, the senior counsel and federal compliance manager at the American Bankers Association, said the proposal simply mirrors changes already taking place in the industry. "A lot of banks have made adjustments over the last couple of years and made improvements on their own."

Robert G. Rowe 3d, the regulatory counsel at the Independent Community Bankers of America, said the proposed changes would likely be beneficial but are too late. "If this came out when the [Gramm-Leach-Bliley] rules came out in 2000, it would have been tremendous, but a lot of the bankers have gotten to the point where it's like, 'Hey, we're used to it now. Just leave it alone.' "

Consumer advocates support the proposal - to an extent.

Edmund Mierzwinski, the consumer program director at the U.S. Public Interest Research Group, said banks should be allowed to send customers the privacy summaries only as an introduction to their policies, not as a replacement for them.

Industry lawyers said that because Gramm-Leach-Bliley was so specific, regulators may not have the authority to replace the required privacy notification with a summary.

And that likely means the agencies will move slowly, said L. Richard Fischer, a partner at Morrison & Foerster LLP in Washington. "They don't want the wrath of Congress."

Still, Mr. Muris of the FTC and others question whether efforts to overhaul the privacy notices are relevant.

"At the end of the day, most people aren't going to make the investment in reading the notices, no matter how simple you make them," he said.

