Californias Financial Information Privacy Act, known as SB1, is about to send shock waves through IT shops everywhere. The bill was overwhelmingly passed in the California state legislature Aug. 19 and was signed by Gov. Gray Davis last week. With the coming of the new law, IT departments need to get to work closing off applications and databases to ensure customer privacy.
In short, SB1 requires "opt-in." Financial institutions must get customers authorization to share or sell personal and financial data with third-party companies with whom the customers have no prior agreement. Customers can also "opt-out," meaning that institutions will be required to offer customers a chance to prohibit the sharing or selling of personal and financial information with their affiliates or other financial institutions with whom they have agreements.
The bill also requires consent verification, which means financial institutions will have to take steps to ensure that those from whom they obtain personal and financial information about customers have followed similar notice and consent rules.
Meeting the tough requirements to prevent data sharing isnt the hardest work that IT will face as a result of the new measure. They must make company executives understand that unless they go beyond the laws measures, a confusing patchwork of state and federal laws is likely to come on the books.
How did we get into this mess? The 1998 repeal of the Depression-era Glass-Steagall Act, which mandated the separation of banks, brokerage houses and insurance companies, has fomented a frenzy of consumer financial information sharing. With the advent of affiliated-yet-separately-regulated financial services companies, consumer data now gets passed around so these different entities can cross-sell to one anothers customers.
Just one things wrong. Companies havent asked consumers for permission.
Sure, weve all been inundated with little slips of paper in our credit card bills, mortgage statements and brokerage reports telling us, as FleetBoston recently told me, "Protecting your privacy is important to us. We want you to understand what information we may gather and how we may share it."
These privacy notices provide, in practice, a license to circumvent customers desire for privacy, thereby letting integrated companies sell them everything from insurance to retirement plans. Rather than taking a "Pirates of the Caribbean" approach to consumer privacy, companies should instead use technology to allow consumers to make decisions about how their private information is used.
SB1 is likely to become a model for future state and federal legislation. It doesnt preclude affiliated companies from sharing information; it simply requires consumer permission to share. Companies should jump on this opportunity, offering maximum control over their financial information as a competitive advantage. An example: Companies could put a link on their bill presentment screen called "privacy controls" that opens a page where consumers can indicate interest in sharing information to gain special deals on insurance. Since consumers review and pay bills monthly, financial institutions will have at least 12 guaranteed page views per year to appeal to consumers to share information in an informed way.
One consequence if companies dont get ahead of the privacy curve is that different states legislation will create a labyrinth of cumbersome privacy requirements. What would happen if a person were to conduct business in several states, each with different privacy requirements? Companies would have to track where the consumer was on a per-transaction basis. Companies would have to show that they collected and legally shared information only in the states in which they were allowed to do so. Better to just tell people what information your company collects and give the consumer controls over how the information is shared.
By taking consumer privacy seriously, your company can build relationships with consumers based on trust. Doing so will keep you out of a coming legal maelstrom—and it will be good for business.
Senior Analyst Cameron Sturdevant is at firstname.lastname@example.org.