COMMENTS ON THE GLBA INFORMATION SHARING STUDY
SUBMITTED BY THE ATTORNEYS GENERAL OF

Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Florida, Georgia, Idaho, Iowa, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Northern Mariana Islands, Oklahoma, Oregon, Puerto Rico, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, the Corporation Counsel of the District of Columbia, and the Hawaii Office of Consumer Protection

     Pursuant to the notice published by the U.S. Department of the Treasury on February 15, 2002, regarding the Study on Information Sharing Practices Among Financial Institutions and Their Affiliates, we, the undersigned Attorneys General, submit the following comments.

     The States urge the Department of Treasury to recognize the important privacy concerns raised when a financial services firm shares a consumer's confidential  information with its corporate affiliates.  In light of the expanding array of fields in which bank holding companies may now have affiliates, and because some large financial institutions have hundreds or thousands of affiliates, sharing information among affiliates is similar to sharing with unaffiliated third parties, in that consumers do not expect that their confidential information will be sold or shared with companies with which they do not believe they are doing business.

     In particular, the States urge the Department of Treasury to take the following into account in developing its recommendations:

I.          BACKGROUND

A.         Federal Law on Affiliate Sharing

      In 1999, Congress passed and the President signed into law the Gramm-Leach-Bliley Act (GLB).1   GLB made several fundamental changes to the laws governing the financial system, including easing the limits on the types of financial institutions that may be affiliated with one another. 

     GLB also established some baseline rules governing the circumstances under which financial institutions may disclose personal information about consumers with whom they do business.  GLB generally requires that a financial institution provide a clear and conspicuous notice of its privacy practices, an explanation of how the consumer can "opt out" before sharing their non-public information with unaffiliated third parties, and the opportunity to opt out, unless certain exceptions apply.2

     The Fair Credit Reporting Act sets standards for the collection, communication, and use of information that constitutes a "consumer report," generally defined as a communication of information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. 3

     In 1996, Congress adopted amendments to the FCRA that, among other things, specifically exclude from the definition of a consumer report "any report containing information solely as to transactions or experiences between the consumer and the person making the report." 4  This information could include, for example, detailed information about a customer's purchases made on a credit card issued by the financial institution, as well as the customer's outstanding balance, whether the customer is delinquent in paying bills, and the length of time a customer has held a credit card.5 

     The amendments also exempt from the definition of a "consumer report," the communication of other information among affiliated companies – that is, information other than transaction and experience information that would ordinarily be considered a consumer report – if certain conditions are met.  Examples of categories of such other information include data:

Examples of the types of information that might exist within each of these categories include a consumer's:   

     The federal FCRA permits a financial institution to freely share this other customer information among affiliated companies if two specified conditions are satisfied.8  These conditions are:

(1) clear and conspicuous disclosure to the consumer that information may be shared among affiliated companies; and

(2)  consumer opportunity, prior to the time that the information is communicated, to direct that such information not be communicated among the entities.9 

     Failure to comply with the conditions for affiliate sharing under the federal FCRA can result in liability and render the financial institution a consumer reporting agency under the federal FCRA.  A consumer reporting agency is subject to various legal obligations to maintain and safeguard consumer information, including limitations on the purposes for which information can be sold or distributed.10  Consumer reporting agencies are also required to provide consumers an opportunity to review information maintained about them, as well as establish particular error resolution procedures and consumer complaint mechanisms.11  Therefore, a financial institution that wishes to share customer information with its affiliates, that is not limited to transaction and experience information and that otherwise meets the definition of "consumer report," without the burden of complying with the requirements on consumer reporting agencies, must adhere to the FCRA opt out conditions.

B.        State Law on Affiliate Sharing

     Vermont is the only state that has a law directly regulating affiliate sharing.  Vermont's state Fair Credit Reporting Act "consent provision" requires that no "person" may obtain a credit report about a consumer unless the report is obtained pursuant to a court order or consumer consent.12   This consumer consent requirement applies with equal force to credit reports shared among affiliates. 

     Vermont's FCRA exempts "transactions or experiences" information from the state's definition of "credit report."13  Consequently, Vermont law, like federal law, allows affiliates to share transaction and experience information without any notice to a consumer and without any way for a consumer to prevent the sharing.

      In contrast, before financial institutions can share "other" information about Vermont consumers with their affiliates under Vermont law, the institutions must obtain affirmative consent – or opt in – from the consumer. Failure to comply with Vermont's FCRA consent provision can subject financial institutions to civil penalties.14

II.         Risks to Consumers Relating to Sharing of Confidential Information with Affiliates or Nonaffiliated Third Parties (Treasury Question #3)

      The States believe that the current practices allowed under GLB are insufficient to protect consumers and pose considerable risks to them.  The provisions allowing sharing of encrypted account numbers and other forms of billing information for marketing purposes are particularly troublesome.  Moreover, the notices issued by financial institutions under GLB have been dense and require a high reading level to comprehend, resulting in consumer confusion and inability to exercise informed choice.  These views have been the subject of previous comments by various states to the federal regulatory agencies.15

     The information held by financial institutions about their customers is highly valuable.  While the financial institutions might not disclose this highly valuable information to their competitors, they do disclose this information to marketing partners and third parties for the purpose of jointly marketing products and services unrelated to the customers'  current service selection, and even unrelated to the particular type of services performed by the financial institution itself.  The resulting harm to consumers from this type of information sharing stems from the tactics sometimes used in marketing new products to the consumer, who usually does not realize that the marketer already has the consumer's credit card number, or access to the credit card account through an encrypted number or other unique means of identification.

      In the spring of 1999, the Minnesota Attorney General announced a settlement with U.S. Bank, resolving allegations that U.S. Bank misrepresented its practice of selling highly personal and confidential financial information regarding its customers to telemarketers.  One year later, thirty-nine additional states and the District of Columbia entered into a similar settlement.16  The multi-state investigation focused on the bank's sale of customer information, including names, addresses, telephone numbers, account numbers, and other sensitive financial data, to marketers.  The marketers then made telemarketing calls and sent mail solicitations to the bank's customers in an effort to get them to buy the marketers' products and services, including dental and health coverage, travel benefits, credit card protection, and a variety of discount membership programs.  Buyers were billed for these products and services by charges placed on their U.S. Bank credit card.  In return for providing confidential information about its customers, U.S. Bank received a commission of 22%  of net revenue on sales with a guaranteed minimum payment of $3.75 million.

      Subsequent to the U.S. Bank case, Congress authorized financial services companies to sell or give their customers' nonpublic personal information to both joint marketers and third party telemarketers.  GLB specifically prohibits financial institutions from sharing an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.17

     However, the regulations adopted to implement GLB allow financial institutions to sell or share encrypted credit card numbers.  The federal agencies' rules implementing this section on sharing of account numbers sets forth two "examples," the first one of which states:

Account number.  An account number, or similar form of access number or access code, does not include a number or code in an encrypted form, as long as the bank does not provide the recipient with a means to decode the number or code.

C.F.R. § 40.12(c) (emphasis added). 

      Thus, a telemarketer or other recipient of an encrypted account number is able to notify a financial institution that a particular consumer indicated a desire to purchase an item, and cause the consumer's account to be charged, without ever asking the consumer for permission to charge the account.  The financial institution then uses its decode mechanism, which it never shared with an unaffiliated party, to determine which account to charge.  The possibility for unauthorized charges and fraudulent practices in such circumstances is greatly increased over situations where the consumer must affirmatively give a credit card number for the account to be charged. This type of marketing is known as "preacquired account" telemarketing.

      Preacquired account telemarketing is inherently unfair and susceptible to causing deception and abuse, especially with elderly and vulnerable consumers.  Preacquired account telemarketing turns on its head the normal procedures for obtaining consumer consent.  Other than a cash purchase, providing a signature or an account number is a readily recognizable means for a consumer to signal assent to a deal.  Preacquired account telemarketing removes these short-hand methods of consumer control. The telemarketer not only establishes the method by which the consumer will provide consent, but also decides whether the consumer actually consented. 

      The Federal Trade Commission, in its recent Notice of Proposed Rulemaking regarding the Telemarketing Sales Rule, has proposed prohibiting "preacquired account" telemarketing.18  A group of States recently filed comments with the Federal Trade Commission that strongly support this proposal.19  In their comments, these States noted that the consequence of this fundamentally unfair selling method is clear.  An example cited by the States in their comments is worth quoting extensively here:

Fleet Mortgage Corporation, for instance, entered into contracts in which it agreed to charge its customer-homeowners for membership programs and insurance policies sold using preacquired account information.  If the telemarketer told Fleet that the homeowner had consented to the deal, Fleet added the payment to the homeowner's mortgage account.  Angry homeowners who discovered the hidden charges on their mortgage account called Fleet in large numbers.20  A survey, taken by Fleet of its customer service representatives, is attached as Exhibit "A."  Approximately one-fifth of all calls by Fleet customers were about these preacquired account "sales." Customers overwhelmingly told Fleet that they did not sign up for the product, and wanted to know how it was added to their mortgage accounts without their approval, consent, or signature.

In Fleet's survey, its phone service employees were asked to describe the "single biggest customer complaint" they received and, it appears, they shared the resentment of these consumers.  Below are verbatim excerpts of the survey responses provided by Fleet employees:

Unethical for Fleet to add opt ins [optional insurance] without my permission/How did this get on my acct.

I know opt is big for profit however there should be a written confirmation to verbal offers and written notification of expiration of trial period.

The fact that people are mad about an increase in their monthly payment because of opt ins

HO knows they are being slammed w/ ins they never authorized.  HO thinks unethical & bad business by us. I agree with the customer.

I hope that FMG makes enough revenue from opt ins to justify all the calls on our 800 line from customers trying to cancel.

What right do we have to add this to their escrow?

Fleet should not allow this to happen. We need to get their permission to draft their account instead of just doing it.

Please change the way that ins is added to account.

Customer should know when we are adding things to their accounts.

They feel this is fraud.  It's a scam.  They never wanted the ins.

     The Federal Trade Commission's proposal to eliminate preacquired account telemarketing should be followed by other federal agencies interested in protecting consumers from the harms of this kind of marketing.

     The above represents but one known example of the risks to consumers from having their information shared, whether with affiliates or third parties. There are other types of risks that are suspected but not yet proven, and undoubtedly still others that are as yet unknown to consumers or enforcement agencies.  The harm suffered may not always be quantifiable; and even where clear economic loss is present, the relationship of that loss to the disclosure of a consumer's confidential information may not be obvious or capable of clear proof.

      It seems likely that, as information sharing increases, the risk of misuse or misappropriation of such information increases as well.  It may well be that the greater the quantity and level of detail of confidential information, and the more entities that possess such information, the higher the chance that the information will be stolen or misappropriated, or used for purposes, such as the improper denial of credit, insurance, or employment.  The States, therefore, urge the Secretary to look beyond the known risks to consumers privacy to identify and evaluate less obvious risks.

III.        Inadequacy of Existing Laws to Protect Customer Privacy (Response to Treasury Question #6)

      In the absence of a complete ban on the use of encrypted account numbers for marketing purposes, existing federal laws subject consumers to the fraudulent practices outlined in Section II, above.

      In addition, existing law is inadequate because it does not provide consumers with an opportunity to exercise a choice with respect to a vast amount of information sharing.  This is particularly troubling in the area of affiliate sharing, where the breadth and number of potential affiliates of financial institutions is breathtaking, yet most consumers will remain unaware of the existence or identity of their financial institutions' affiliates.  Consumers should be given an effective choice, before their information is spread throughout a vast corporate complex.

     Under the FCRA, consumers have no choice as to whether their transaction and experience information will be shared with their financial institution's corporate affiliates.  Moreover, once they are given a notice and opportunity to opt-out,21  all other information can also be shared with the corporate affiliate group.  Thus information about the consumer's income, employment history, credit score, marital status, and medical history can be shared with ease among corporate affiliates. 

      Financial institutions are now allowed to affiliate with a broad spectrum of companies.  The list of activities that are identified by the Federal Reserve Board in its rulemaking as "financial" in nature or closely related to financial activities, and therefore permissible for inclusion within a financial holding company, goes well beyond traditional financial activities, and includes the following: 

(1) lending, exchanging, transferring, investing for others, or safeguarding money or securities;

(2) insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death, or providing and issuing annuities, and acting as principal, agent, or broker for purposes of the foregoing, in any State;

(3) providing financial, investment, or economic advisory services, including advising an investment company (as defined in section 3 of the Investment Company Act of 1940);

(4) issuing or selling instruments representing interests in pools of assets permissible for a bank to hold directly;

(5) underwriting, dealing in, or making a market in securities;

(6) brokering or servicing loans;

(7) leasing real or personal property (or acting as agent, broker, or advisor in such leasing) without operating, maintaining or repairing the property;

(8) appraising real or personal property;

(9) check guaranty, collection agency, credit bureau, and real estate settlement services;

(10) providing financial or investment advisory activities including tax planning, tax preparation, and instruction on individual financial management;

(11) management consulting and counseling activities (including providing financial career counseling);

(12) courier services for banking instruments;

(13) printing and selling checks and related documents;

(14) community development or advisory activities;

(15) selling money orders, savings bonds, or traveler's checks;

(16) providing financial data processing and transmission services, facilities (including hardware, software, documentation, or operating personnel), data bases, advice, or access to these by technological means;

(17) leasing real or personal property (or acting as agent, broker, or advisor in such leasing) where the lease is functionally equivalent to an extension of credit;

(18) acting as fiduciary;

(19) providing investment, financial, or economic advisory services; and

(20) operating a travel agency in connection with financial services.22  

     Thus the types of businesses with which traditional financial institutions may now affiliate themselves, in addition to banking, insurance and securities brokerage, include:

     Also included among the list of permissible affiliates are institutions that are "significantly engaged in financial activities," are:

      GLB further expanded the activities that were permissible under one corporate umbrella, as it allowed insurance, securities and banking institutions to affiliate with each other. 

      The number and breadth of affiliates currently associated with some of the country's major financial institutions is astounding.  Attached to these comments are the corporate affiliate lists for CitiGroup, Inc., Bank of America Corporation, and KeyCorp,25 which serve as three examples of the level of affiliation at large and mid-sized banking institutions in this country.  Bank of America lists 1,476 corporate affiliates; CitiGroup lists 2,761 corporate affiliates; and KeyCorp lists 871.   A perusal of these corporate affiliate lists demonstrates that these holding companies appear to be involved in widely disparate activities, including insurance, securities, international banking, real estate holdings and development, and equipment leasing.  Some of these affiliate operations may, in the normal course of their business, gather highly personal health information about consumers.  A consumer holding a credit card with the lead bank or a property and casualty insurance policy with a major insurer in any of these affiliate groups would not expect that his or her transaction and experience information would be spread throughout the corporate affiliate structure for the purpose not of servicing the consumer better, but for the purpose of marketing products to the consumer.

     The States believe that the only appropriate mechanism for giving consumers control over sharing of information within such broad affiliate groups is to require that consumers be given an effective choice as to whether or not their information may be shared with affiliates.

IV.        Inadequacy of Current GLB Notices to Protect Consumers' Privacy (Response to Treasury Question #7)

     The States believe that current GLB and FCRA notices are woefully inadequate.  Consumers have been greatly confused by the dense information in the notices, which require a high education level to comprehend.  As a result, consumers have not been adequately informed about their rights to opt out of information sharing among affiliates or with third parties.

     Both GLB and the FCRA require that notices about information sharing practices and information about how consumers can exercise their opt out rights must be written in a "clear and conspicuous" manner.26    The federal regulatory agencies have not yet issued any guidance on how these two notice requirements work together.  Many financial institutions have incorporated their affiliate sharing notices required under the FCRA within their notices about sharing of information with unaffiliated third parties required under GLB.

      The opt-out notices provided by financial institutions in their effort to comply with GLB and the FCRA have not been "clear and conspicuous," as those terms are commonly understood.  Opt-out notices mailed by many financial institutions have been unintelligible and couched in language several grade levels above the reading capacity of the majority of Americans.27  Experts have highlighted the inadequacy of such statements.  Mark Hochhauser, Ph.D., a readability expert, reviewed sixty GLB opt-out notices.  Dr. Hochhauser determined that these notices were written at an average 3rd or 4th year college reading level, rather than the junior high level comprehensible to the general public.28  For example, the notice sent to customers by one financial institution stated:

If you prefer that we not disclose nonpublic personal information about you to nonaffiliated third parties, you may opt out of those disclosures, that is, you may direct us not to make those disclosures (other than disclosures permitted by law).29

      Recent surveys demonstrate that consumers either never see and read such complicated opt-out notices, or they don't understand them.  A survey conducted by the American Bankers Association30 found that 41% of consumers did not recall receiving their opt-out notices, 22% recalled receiving them but did not read them, and only 36% reported reading the notice.  Another survey, conducted by Harris Interactive for the Privacy Leadership Initiative, announced its results in early December 2001.31  The Harris Survey indicated that only 12% of consumers carefully read GLB privacy notices most of the time, whereas 58% did not read the notices at all or only glanced at them.  The Harris Survey further indicated that lack of time or interest and difficulty in understanding or reading the notices top the list of the reasons why consumers do not spend more time reading them.

      Those consumers that do read the GLB notices have voiced numerous complaints, raising concerns that the financial institutions' unintelligible notices are an attempt to mislead them.32  The opt-out approach promulgated under GLB has proven so problematic that the federal agencies that administer the regulations under GLB convened an Interagency Public Workshop to address the concerns that have been raised "about clarity and effectiveness of some of the privacy notices" sent out under GLB.33  The agencies noted that consumers have complained that "the notices are confusing and/or misleading and that the opt-out disclosures are hard to find."34

      Where the vast majority of consumers don't even read opt-out notices, and those who read the notices cannot understand them, it cannot be said that they are able to understand their rights and exercise their choices intelligently.  As a result, the Attorneys General of 44 States and Territories called on the FTC and other federal regulatory agencies to create standard notices and require much simpler language so that consumers could understand them.35

5.             Conclusion 

      The signatory States appreciate the efforts of the Department of Treasury to obtain the views of consumer advocates with respect to sharing of confidential information among corporate affiliates.  We would be interested in continuing to consult with the Department with respect to these issues as the Department's study progresses.

     

Bruce M. Botelho

Attorney General of Alaska

 

Janet Napolitano

Attorney General of Arizona

     

Mark Pryor

Attorney General of Arkansas

 

Bill Lockyer

Attorney General of California

     

Ken Salazar

Attorney General of Colorado

 

Richard Blumenthal

     

Attorney General of Connecticut

 

Robert R. Rigsby

Corporation Counsel

District of Columbia

 

Robert A. Butterworth

Attorney General of Florida

     

Thurbert E. Baker

Attorney General of Georgia

 

Stephen H. Levins1

Acting Executive Director

State of Hawaii

Office of Consumer Protection

     

Alan G. Lance

Attorney General of Idaho

 

Tom Miller

Attorney General of Iowa

     

A.B. "Ben" Chandler III

Attorney General of Kentucky

 

G. Steven Rowe

Attorney General of Maine

     

J. Joseph Curran, Jr.

Attorney General of Maryland

 

Tom Reilly

Attorney General of

     

Massachusetts

 

Jennifer Granholm

Attorney General of Michigan

 

Mike Hatch

Attorney General of Minnesota

     

Mike Moore

Attorney General of Mississippi

 

Mike McGrath

Attorney General of Montana

     

Frankie Sue Del Papa

Attorney General of Nevada

 

Philip T. McLaughlin

Attorney General of New Hampshire

     

David Samson

Attorney General of New Jersey

 

Patricia Madrid

Attorney General of New Mexico

     

Eliot Spitzer

Attorney General of New York

 

Roy Cooper

Attorney General of North Carolina

     

Robert Tenorio Torres

Attorney General of N. Mariana Isl.

 

W. A. Drew Edmondson

Attorney General of Oklahoma

     

Hardy Myers

Attorney General of Oregon

 

Anabelle Rodriguez

     

Attorney General of Puerto Rico

Sheldon Whitehouse

Attorney General of Rhode Island

 

Mark Barnett

Attorney General of South Dakota

     

Paul Summers

Attorney General of Tennessee

 

John Cornyn

Attorney General of Texas

     

William H. Sorrell

Attorney General of Vermont

 

Christine O. Gregoire

Attorney General of Washington

     

Darrell V. McGraw Jr.

Attorney General of West Virginia

   
     

1Of the states listed, Hawaii is not represented by its Attorney General.  Hawaii is represented by its Office of Consumer Protection, an agency which is not a part of the state Attorney General's Office, but which is statutorily authorized to represent the State of Hawaii in consumer protection actions.  For the sake of simplicity, the entire group will be referred to as the "Attorneys General," and such designation as it pertains to Hawaii, refers to the Executive Director of the State of Hawaii Office of Consumer Protection.



[1] Pub. L. No. 106-102.
[2] See 15 U.S.C. §§ 6801-6809 (1999).
[3] 15.U.S.C. § 1681a(d)(1)
[4] 15 U.S.C. § 1681a(d)(2)(A)(i).
[5] OCC Advisory Letter 99-3 (March 29, 1999).
[6] See 65 Fed. Reg. at 63,129.
7 See 65 Fed. Reg. at 63,129.
8 See Federal Reserve Regulatory Service, Questions and Answers about the Fair Credit            Reporting Act, The Financial Institution as a Consumer Reporting Agency, FRRS 6-1605.
9 15 U.S.C. § 1681a(d)(2)(A)(iii).
10 15 U.S.C. § 1681b.
11 Consumer reporting agencies are required to provide consumers access to all information, except credit scores, maintained in the consumer's file upon request.  15 U.S.C. § 1681g(a)(1).  In the event a consumer questions the accuracy or completeness of any information in the consumer's file, the reporting agency must conduct a reinvestigation.  15 U.S.C. § 1681i.
12 9 V.S.A. § 2480e(a)(1) and (2).  "Person" is defined in Vermont law as including "any natural person, corporation, municipality, the state of Vermont or any department, agency or subdivision of the state, and any partnership, unincorporated association or other legal entity."  1 V.S.A. § 128.
13 9 V.S.A. § 2480a(2)(A).
14 9 V.S.A. §§ 2480f(c) and 2458 states that the Vermont Attorney General may, in the event of a violation of the Vermont FCRA, obtain an injunction; a civil penalty of not more than $10,000 per violation; an order for restitution; and reasonable costs and fees.  9 V.S.A. § 2480f(b) states that, in the case of a "willful" violation by a "person" of the Vermont FCRA, a consumer may obtain actual damages or $100, whichever is greater; injunctive relief; punitive damages in the case of a willful violation; and reasonable costs and attorneys fees.
15 Comments of Attorneys General of 44 States and Territories Submitted to the FTC Regarding GLB Notices, February 15, 2002; Comments of Attorneys General of 34 States and Territories submitted to OCC, OTS, FRB and FDIC Regarding Joint Agencies' Proposed Rules, March 2000.  Both sets of comments can be found at www.naag.org.
16 The basis for the states' action was their charge that U.S. Bank misrepresented its privacy policy to its customers. In some account agreements provided to its customers, the bank listed the circumstances under which information would be disclosed, but failed to include any reference to the bank's practice of providing such information to vendors for direct marketing purposes.  In other instances, the bank had specifically represented that customer information would be kept confidential. 
17 Gramm-Leach-Bliley Act, Pub. L. 106-102, Nov. 12, 1999, 113 Stat. 1338, Section 502(d).
18 67 Fed. Reg. 4491.
19 Comments of 52 Attorneys General, the District of Columbia Corporation Counsel, and the Hawaii Office of Consumer Protection Regarding Proposed Amendments to the Telemarketing Sales Rule, April 12, 2002, available at www.naag.org.
20 The mortgage statements issued by Fleet hid the charges under the rubric "opt. prod." at the very bottom of the bill in small print, such that it was extremely difficult to discover the charge or discern the purpose of the charge.  For consumers on auto-draft from their checking or other bank account, Fleet gave no written notice of the charge.
21 The inadequacies of these notices are discussed in Section IV, below.
22 # 1-5 are from U.S.C. § 4(k); #6-16 are from 12 C.F.R. § 225.28; and #17-20 are from 12 C.F.R. § 211.5(d).
23 16 C.F.R. § 313.1 (b)
24 16 C.F.R. § 313.3 (k)(2)
25 These lists, as well as other corporate affiliate lists for bank holding companies can be obtained at http://132.200.33.161/nicSearch/servlet/NICServlet?$GRP$=INSTHIST&REQ=MERGEDIN&MODE= SEARCH.
26 15 U.S.C. § 6802(b)(1)(A); 15 U.S.C. § 1681a(d)(2)(A)(iii).
27 See Robert O'Harrow, Jr., Getting a Handle on Privacy's Fine Print: Financial Firms' Policy Notices Aren't Always ‘Clear and Conspicuous,' as Law Requires, The Washington Post, June 17, 2001, at H-01.
28 Mark Hochhauser, Ph.D., "Lost in the Fine Print: Readability of Financial Privacy Notices," http://www.privacyrights.org/ar/GLB-Reading.htm (2001).
29 See Hochhauser, supra n.27. 
30 Available at http://www.aba.com/Press+Room/bankfee060701.htm
31 Available at http://www.ftc.gov/bcp/workshops/glb (hereinafter "Harris Survey").
32 Harris Survey.
33 Interagency Pubic Workshop, "Get Noticed: Effective Financial Privacy Notices", http://www.ftc.gov/bcp/workshops/glb/ ; see also Press Release, "Workshop Planned to Discuss Strategies for Providing Effective Financial Privacy Notices," http://www.ftc.gov/opa/2001/09/glbwkshop.htm (Sept. 24, 2001). 
34 See Joint Notice Announcing Public Workshop and Requesting Public Comment, "Public Workshop on Financial Privacy Notices," at 3.
35 See Comments of 44  Attorneys General  to Federal Trade Commission Regarding GLB Notices, dated Febrruary 15, 2002, available at www.naag.org.