January 18, 2001, 9:27 AM — The U.S. Government Department of Baby Steps has issued a draft set of proposed rules that would ensure -- in some particular, narrow circumstances -- that you may be able to control the distribution of some of the electronic information about you. The government says it wants your opinion of the proposed rules.
In 1996 Congress passed and President Clinton signed the Consumer Reporting Reform Act (CRRA). This act modified the Fair Credit Reporting Act of 1970 to deal with some aspects of the electronic age and of the new ability for banks and other financial institutions to merge and exchange information about their customers. In a fit of usual Congressional brilliance, the 1996 act mandated that customers be able to opt out (that is, say "thanks, but no thanks") of certain types of data transfer, but prohibited federal agencies from issuing guidelines to say what complying to the law meant in detail. Congress changed its mind last year and gave the feds a green light to help.
Now the Treasury Department's Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and the Treasury Department's Office of Thrift Supervision have gotten together to tell us what the law means in practice. They have produced a 65-page set of proposed guidelines. The size is somewhat misleading because each of the agencies has its own, essentially identical, version of a 10-and-a-half-page set of guidelines. Why they could not issue just one set of guidelines I do not know (see www2. fdic.gov/epc/faircredit/). The agencies are asking for comments on the proposed rules by Dec. 4.
These proposed rules are amazing for what they imply. The rules spend a lot of time defining terms like "clear and conspicuous," "reasonably understandable" and "reasonable period of time." It is clear that the agencies have had a lot of experience dealing with institutions that do everything they can to comply only with the letter of regulations while trying to circumvent their intent. For example, they feel they need to explicitly say that sending an e-mail notice to someone who has not said he wants to get e-mail from a bank cannot be considered a reliable means of notification.
To me the rules look OK in the context of the CRRA. They basically say you can tell the bank not to share particular kinds of information with other parts of the same company. This specifically does not include transaction information such as credit card purchases, which they can distribute. In the context of the privacy issues facing Internet users this is a small step indeed, but it seems to be in the right direction. Still, you should take a look for yourself and send in your comments.
Disclaimer: To cover the bases, Harvard often seems to try all directions simultaneously. But the above compass is mine.