The following text is copyright 2000 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.
Your opinion counts?
By Scott Bradner
The U.S. Government Department of Baby Steps has put out a draft of a set of proposed rules that would ensure that in some particular narrow circumstances you may be able to control the distribution of some of the electronic information about you. They say they want your opinion of the proposed rules.
In 1996 Congress passed and the President signed the Consumer Reporting Reform Act (CRRA). This Act modified the Fair Credit Reporting Act of 1970 to deal with some aspects of the electronic age and with the new ability of banks and other types of financial institutions to merge and exchange information about their customers. In a fit of the normal Congressional brilliance, the 1996 Act mandated that customers be able to opt out (i.e., say "thanks but no thanks") of certain types of data transfer, but prohibited Federal agencies from issuing guidelines to say what complying with the law meant in detail. Congress changed its mind last year and gave the feds a green light to help.
Now the Treasury Department's Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and the Treasury Department's Office of Thrift Supervision have gotten together to tell us what the law means in practice. They have produced a 65-page set of proposed guidelines (see http://www2.fdic.gov/epc/faircredit/). The size is somewhat misleading, because each of the agencies has its own, essentially identical, version of a 10-and-a-half-page set of guidelines. Why they could not just do one I do not know. The agencies are asking for comments on the proposed rules by December 4, 2000.
These proposed rules are amazing for what they imply. The rules spend a lot of time defining terms like "clear and conspicuous," "reasonably understandable," and "reasonable period of time." It is clear that the agencies have had a lot of experience dealing with institutions that do everything they can to comply only with the letter of regulations while trying to circumvent their intent. For example, they feel that they need to explicitly say that sending an email notice to someone who has not said they want to get email from a bank cannot be considered a reliable means of notification.
To me the rules look OK in the context of the CRRA. They basically say that you can tell the bank not to share particular kinds of information with other parts of the same company. This specifically does not include transaction information such as credit card purchases which they can distribute. In the context of the privacy issues facing Internet users this is a very small step indeed but it seems to be in the right direction. But you should take a look for yourself and send in your comments if you find you have any.
disclaimer: To cover the bases, Harvard often seems to try all directions simultaneously, but the above compass is mine.