Consumer privacy, as we once knew it, is dead
American privacy, in its original formulation, is deader than a doornail — or at minimum is anachronistic. And it is about time that we confront this new reality.
At the end of the last century, we were comfortable with the idea that our confidential information was entrusted to sacred guardians, financial institutions, who would zealously protect both our financial privacy and other personal information. Today, despite almost daily reports of data theft and data manipulation by technology purveyors and outright data thieves, adherents of outdated privacy concepts (e.g., governmental entities and politicians) have refused to confront the reality that our understanding of personal privacy needs to be closely re-examined — and a new national policy on privacy rights must be developed and adopted.
During the latter part of the 20th century, several developments created a false impression that privacy was a paramount national policy. First, by judicial precedent or by statute and regulation, many states recognized a right to financial or personal privacy, or both. The protection of privacy was primarily reflected in data security breach laws, which generally require holders of data to notify citizens of data breaches.
The result of this approach has been a proliferation of data breaches by nonbanks for which liability has been minimal. This is because most courts have held that a data breach without provable damage is not actionable — instead, companies experiencing data security breaches must merely establish monitoring systems at credit reporting agencies. Moreover, since practically every American has experienced several thefts of his/her data, a very effective strategy when defending data security breaches is requiring complaining parties to prove that any identified harm is traceable to the data breach under scrutiny — and not other similar data breaches involving the same affected individuals.
Although there has been little in the way of a comprehensive approach to privacy rights under federal law, a notable exception was the enactment of Title V of the Gramm-Leach-Bliley Act in 1999. Title V established that banks and other regulated financial institutions notify their consumer customers about the institution’s privacy policies, as well as provide some limited ability for the consumer to limit the sharing of his or her data with affiliated entities and third parties.
Although banking institutions have done a better job of protecting customer information — they don’t want to lose their marketing edge by passing along valuable data to others — even this limited privacy protection is threatened. Data scrappers and similar entities who obtain consumers’ specific permission to obtain privacy information held by a bank can analyze and manipulate that data for the consumer. (Many banks now recognize that objecting to data scrapping is a losing battle and are now cooperating with these business entities.)
"Banks are now being swept up in an enormous paradigm shift that is inescapable."
The technology sector has accelerated the capturing of privacy information in a manner unimaginable less than a decade ago. The ability of electronic applications to scour the internet for inadvertent disclosure of personal financial information permits the legal collection of this data so that it can then be used in marketing based on complex algorithms. Moreover, the global social media companies have created a database of consumer information that is predictive of consumer behavior — and actively market this data to third party businesses and academics for analysis.
This use of so-called big data might be benign or present the potential for significant abuse. For example, Facebook is now accused of allegedly providing consumer data that was ultimately misappropriated to influence the last U.S. presidential election. (On March 25, Facebook’s founder, Mark Zuckerberg, published an ad in which he said he was sorry.) Because the use of consumer data outside of the regulated financial system is based upon contractual undertakings, the potential for abuse abounds. Given the proliferation of privacy policies that virtually no one reads, it is somewhat comical to believe that most Americans actually understand what they’ve signed online.
Banks are now being swept up in an enormous paradigm shift that is inescapable. Consumer data has become a commodity for nonbanks, while banks remain limited by outdated privacy rules that have placed them at a competitive disadvantage. A national debate is necessary to address what it now means to hold consumer information, how it can be manipulated, sold and employed in marketing efforts, both internally and by third parties. Nomenclature needs to be adopted that homogenizes and equates notions of data security with privacy rights across the federal and state systems. Importantly, a level playing field should be established that provides a common scheme for regulation and enforcement that is understood by the public at large. (While beyond the scope of this article, in the same manner that some functions of banks are based upon the public utility model, social media and other large accumulators of consumer data might be regulated in the same manner.)
In the meantime, the conclusion is inescapable: An individual’s privacy rights, as created 20-30 years ago, no longer exist. Yet banks continue to be restrained by outdated privacy laws that don't apply to new competitors. Among these new competitors are social media giants and data repositories capable of extraordinary analysis of consumer behavior, utilizing consumer data authorized by consumers or available in the public realm.
Based upon its decades-long role of protecting customer data, the banking industry should actively participate in this debate to determine new rules governing whatever emerges as our nation’s view of privacy and the protection of personal financial information.