FTC Proposal Would Widen Data Privacy Protections

The Federal Trade Commission Thursday proposed new rules to protect consumers’ financial privacy that could apply to a wide range of businesses not usually thought of as financial institutions.

Under the rules, travel agents, retailers, manufacturers, property appraisers and tax advisors could face the same new restrictions on collecting and using some information about their customers as banks, brokers and insurers.

Congress included a range of privacy protections in a historic overhaul of Depression-era U.S. banking laws enacted last year. The legislation requires financial firms to disclose their policies on collecting, using and protecting customer information and to give customers the ability to block the transfer of any nonpublic personal information to unaffiliated third parties, such as marketing firms.

It provides for the various bank, securities and insurance regulators to write and enforce privacy rules for these sectors, while the FTC is responsible for all other businesses engaged in “financial activities.”

That’s a very broad term that can cover the range from extending loans--such as a retailer who issues own-label credit cards or manufacturer who leases directly to consumers--to providing financial advice or even travel services.

“The broad concept of financial activity results in a corresponding broad scope of financial institutions that may be subject to the Act’s requirements,” the FTC notes in its proposal. “Numerous entities not traditionally considered financial institutions are included in the definition.”

That could be a problem for businesses who may not have expected to fall under the new privacy rules and who have not, as most banks already have, begun developing policies and procedures to handle the change.

“The implications are quite sweeping,” said Thomas Vartanian, a privacy expert who heads the financial services practice at the Washington law firm of Fried, Frank, Harris, Shriver & Jacobson.

“What it forces every financial institution, which of course is now a broadly defined term, to do is an inventory of where they get their data, how it comes in and how it goes out,” he said. “That is going to be, I think, a massive undertaking for most organizations.”

The FTC rules also closely mirror those already issued by federal banking regulators in taking a fairly tough line in interpreting the scope of the privacy protections themselves.

Even the fact that someone is a customer of a financial institution would be considered personal, protected information, stopping businesses from selling customer lists to marketers--currently a common practice--without offering each customer the ability to opt out of the disclosure.

The rules also essentially leave open whether even publicly-available information, like telephone numbers and addresses, can be freely disseminated.