Growing fears over ambiguities in the Gramm-Leach-Bliley Act have drawn a belated flurry of notification efforts from several companies that offer services that might fall under the law. But for many, that realization may come too late.
"As a matter of law, there will be tens of thousands of companies that aren't in compliance," said Reed Freeman, an attorney at Collier Shannon Scott, a Washington-based law firm. "This is a problem because the agencies have interpreted the law to go way beyond what Congress had in mind...There is a provision that arguably can cover software."
In a last-minute bid to comply with the law, online portal Yahoo last Thursday and Friday notified thousands of its financial services customers of its privacy policies via pop-up messages on its Web sites. Similarly, America Online over the last couple of weeks has been sending privacy notices via e-mail and pop-ups to customers of its MyAccounts and MyPortfolio services.
Privacy has been a central issue for companies operating on the Web--despite a lack of federal privacy laws regulating practices online. The economics of many Web businesses are pinned to the collection of consumers' personal information. But this information gathering has become a topic of heated debate among marketers and privacy advocates, who warn against the pitfalls of storing such data. Although Congress has discussed legislation, the industry is largely relying on self-regulation to provide consumer safeguards for privacy.
The Gramm-Leach-Bliley Act, a financial reform law that goes into effect Sunday, contains provisions that address the collection and sharing of nonpublic personal information with third parties. It also requires companies to give consumers an opportunity to "opt out" of passing personal information to third parties.
Privacy experts say the law will unearth a host of problems for financial services companies, which often have many business units with multifarious partnerships.
The law was meant to require banks, mortgage companies, insurance companies, credit-card issuers, financial planners and tax preparers to "protect against hazards or unauthorized access" to their customers' personal information.
But other companies are concerned that they also must comply. For example, some law firms have notified clients about their privacy practices because of client relationships that require the disclosure of financial activity. Department stores that issue customer credit cards, such as Macy's, are also required to notify customers of standards and give them an option to opt out of any information-sharing practices.
"If you're a large company engaged in a financial services activity, the safest thing is to assume you are covered and behave accordingly from a compliance standpoint," said Oliver Ireland, an attorney at Morrison Foerster, a San Francisco law firm.
Companies operating largely online are required to give "clear and conspicuous" notice of privacy practices related to the act. Yahoo and AOL interpreted that by pushing notices out to their customers via e-mail or pop-up Web pages. Conversely, Microsoft updated its Web site. But Ireland said that may not be enough.
"You're supposed to design your system so that you're pretty sure they're going to get the notice," he said. "Just posting a privacy page is risky, especially if you have no agreement from consumers that they're going to get all their privacy information from that page."
Still, others say there shouldn't be much cause for concern for companies that are not clearly financial institutions.
"As a practical matter, the (Federal Trade Commission, which will enforce the law) and agencies will use their resources to bring cases where there have been obvious violations of the law. You will not see a host of suits challenging trivial violations or challenging companies who would be covered under an expansive reading of the law," Collier Shannon Scott's Freeman said.
Nevertheless, privacy experts warn that financial services companies operating online may have problems complying with the law because of technology limitations. The ability to detect whether someone has opted out of data-gathering practices has not been perfected and could put companies in a vulnerable position with regulators. Advocates also caution that companies should scrutinize data-collection practices and privacy safeguards.
"The easiest place for a regulator to find out if a company is complying with the law is at the Web site level," said Larry Ponemon, a privacy expert and former head of PricewaterhouseCoopers' privacy practice. "They can use technology to scan what kind of tracking technologies, if any, are being used and look at what kind of controls are built in to protect consumer privacy."
Because of this, many companies could find themselves on the wrong end of the law in the next couple of months.
"Many companies have been slow-moving trains and not been responsive to the law. Now the law is here, and the regulators are ready to roll," Ponemon said.