Viewpoints: Clinton-Gore Plan Expands Privacy Too Far

The Clinton-Gore privacy plan released by the White House on April 30 contains a series of proposals that would significantly expand existing law.

Noteworthy is its extraordinary effort to integrate state attorneys general as well as plaintiff's lawyers into the enforcement of federal privacy law. Most significant are the proposed amendments to the landmark Gramm-Leach-Bliley Act, passed by Congress just last November; and for which implementing regulations were issued last week and this week.

The Clinton plan would require that a consumer "opt out" before "nonpublic personal information" can be shared between affiliated "financial institutions"; the opt-out ban now in the new law applies only to nonaffiliated third parties.

The plan would also redefine "nonpublic personal information," possibly to preempt the regulatory flexibility contained in Gramm-Leach-Bliley regarding otherwise public information.

Moreover, it would bar the disclosure of consumer "personal spending habits" as well as "individually identifiable health information" to either affiliates or nonaffiliates of financial institutions, absent their affirmative consent.

On the latter point, it is important to note that the plan's language would also preclude, absent the consumer's affirmative consent, the use of "identifiable health information" in a decision by a financial institution whether to "offer, provide, or continue a financial product or service." On the surface, this might appear to be a laudable goal, but when examined more closely it gives rise to concerns about sound and widely accepted risk management practices.

There are other disturbing precedents to consider as well.

For example, this language appears to reflect an attempt to go beyond privacy protection to regulate the legitimate business activities of a financial institution. By defining "identifiable health information" to include "any information, including demographic information … that … relates to the … past, present, or future payment for the provision of health care," the plan would bar financial institutions from making decisions that take into account a consumer's health-care payment history unless the consumer allows them to do so.

Elsewhere in the plan are draconian attempts to further engage the plaintiff's bar and state attorneys general.

For example, the plan makes a financial institution's "failure to comply with any of its policies or practices," whether intended or not, a violation of law. For financial institutions not otherwise regulated at the federal level, it translates that violation, as well as any other violation of the plan, into the netherworld of an "unfair or deceptive practice" in violation of the Federal Trade Commission Act.

This term opens the doors to litigation nirvana by allowing enforcement of alleged Gramm-Leach-Bliley violations by the FTC, by the "attorney general of the state" or by "an officer authorized by the state." This latter phrase appears aimed at expanding enforcement authority still further, to include state privacy czars or ombudsmen, both of which have been popping up in state privacy proposals, as well as even more local authorities whom state legislatures so designate.

The Clinton-Gore plan would enable these authorities, whether public or private, to initiate lawsuits for injunctive relief or money damages, including "other relief as the court may deem appropriate," such as punitive damages and - you guessed it - attorney fees.

In addition, many states, including California, adopt violations of the FTC Act as alleged violations of their own law, and thereby shoehorn their laws on standing into federal law. Under California law, for example, private individuals may bring class actions for "unfair practices," as defined by the FTC Act, while still others can add "willfulness" and turn such violations into criminal misdemeanors. All of which, under the Clinton-Gore privacy plan, would be enforceable in either federal or state court.

Given the evolving breadth of the meaning of "financial institution," the administration surely contemplates that these enforcement provisions can, and likely will, become even more onerous over time. Gramm-Leach-Bliley's privacy provisions were not limited to institutions with bank or insurance charters alone, and even prior to its adoption, the Federal Reserve Board had interpreted the term to include such nontraditional financial activities as real estate brokerages, data processors, and travel agencies.

Since the OCC and the OTS have allowed banks to migrate into a variety of e-commerce businesses, including Internet service providers, they may also be covered - even if they do not reside in a bank or thrift.

Now, in the post-Gramm-Leach-Bliley environment, the definition of financial institution is virtually certain to continue to expand, eventually overtaking the view, already advocated in some states, that any distinction between financial and non-financial activity should be erased and that coverage should hinge on the mere possession of personal data.

The recent debate in Washington State is a case in point.

The Washington bill - the product of a collaborative effort by the state's attorney general, Christine Gregoire (who also happens to be president of the National Association of Attorneys General) and the plaintiff's bar - used the term "information custodian" to define the covered entity as "all nonpublic commercial entities that maintain data containing personal information or sensitive information about consumers."

The legislation failed, though it passed the state Senate, but public initiatives aimed at continuing the effort into the fall election cycle are now under way.

The Clinton-Gore privacy plan also is a remarkably transparent attempt to import portions of the European Privacy Directive, which also creates a privacy czar in every member state and authorizes private rights of action, into the United States. It is a sure sign of things to come in the not-so-distant future, and it deserves our careful scrutiny.

Mr. Boyd is a lawyer in Alston & Bird's Washington, D.C., office. He is a member of the law firm's financial services practice group and leads the firm's legislation and public policy practice group.

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER