GLB Deadline Pushing Some States
to Ease Privacy Rules

Last year state legislatures across the country were considering more restrictive rules governing the use of personal financial data. Although the privacy fervor has only marginally subsided, a more practical mood seems to have taken hold in several states. In particular, both North Dakota and Vermont are considering bills that would repeal "opt-in" rules that require financial institutions to get affirmative consent from customers before sharing their data with unaffiliated companies. Other states with opt-in rules such as Alaska, Connecticut, Florida, Illinois, Maine and Massachusetts could follow.

Pushing states to re-think their privacy statutes is the looming July 1st deadline for compliance with the privacy rules mandated by the Gramm-Leach-Blilely Financial Modernization Act (GLB). Under GLB financial institutions must disclose to consumers their privacy policies and give them the opportunity to opt out of having their personal data shared with non-affiliated companies. GLB does not prohibit states from adopting more stringent privacy rules, but the potential for a patchwork quilt of privacy rules confronting institutions that operate nationally has provided a reason for re-visiting more restrictive state laws already on the books. Such is the case in North Dakota. Similarly, the 1993 Vermont Financial Privacy Act applied disclosure and opt-in rules only to banks, but not other financial institutions. Now that all financial institutions are covered by GLB, new legislation has been proposed in Vermont to bring the state statute in line with the federal rule so as to prevent disparate treatment of banks vs. insurance and brokerage firms.

The seemingly innocuous debate over opt-in vs. opt-out in fact has dramatic implications for target marketing and nascent Customer Relationship Management (CRM) strategies. Privacy advocates often portray an opt-in approach as giving consumers greater privacy protection than opt-out. But, in fact, both opt-in and opt-out give consumers the same degree of control over the use of their personal data. Under both systems the customer makes the final and binding determination about data use. However, there is a stark difference between opt-in and opt-out systems in terms of their cost.

An opt-out system presumes that consumers do want the benefits (greater convenience, wider range of services and lower prices) facilitated by a free flow of information between companies, and then allows people who are particularly concerned about privacy to block the use of their information. Put another way, the opt-out system sets the default rule to "free information flow" and lets privacy-sensitive consumers remove their information from the pipeline. In contrast, an opt-in system presumes that consumers do not want the benefits stemming from free flows of information and thereby turns off the information flow, unless consumers explicitly grant permission to use the information about them.

By setting the default rule to "no information flow", an opt-in system restricts the information lifeblood on which today's economic activity depends. Companies that seek to use personal information to enter new markets, target their marketing efforts, and improve customer service must rebuild the pipeline by contacting one customer at a time to gain their permission to use information. Consequently, an opt-in system for giving consumers choice over information usage is always more expensive than an opt-out system. Opt-in requires that every consumer be contacted to gain an explicit consent. In contrast, opt-out is less costly because it infers permission if consumers don't explicitly object. Consumers who are either indifferent about the usage or for whom it matters so little as to not be worth the trouble of responding remain in the pipeline.