Data sharing notices should specify existing privacy preferences


It’s bad enough that businesses make us opt out from having our personal information shared with others. But even more insulting, they often make the opt-out process as inconvenient as possible in hopes that we’ll just give up and let them do as they please.

That can mean hiding opt-out links in out-of-the-way places on websites. Or it can mean just confusing you about where you stand, privacy-wise.

Zuzu Spadaccini was left wondering after he received a recent letter from Chase Bank — an experience that millions of Californians possibly share every year in their dealings with financial institutions.


First came a bulk-mail letter to Spadaccini’s Fairfax District home. It didn’t look like anything out of the ordinary. “It basically looked like junk mail,” Spadaccini, 59, told me.

It wasn’t. Opening the envelope, he discovered it was a notice informing him of “important privacy choices.”

“If we do not hear from you,” it warned, “we may share some of your information with affiliated companies and other companies with whom we have contracts to provide products and services.”

Wait a minute, Spadaccini thought. Didn’t I already opt out from data sharing years ago?

“It seemed like they were telling me I had to do it all over again,” he said.

The California Financial Information Privacy Act requires banks to send out notices every year informing customers about their privacy choices. It also specifies that if a consumer opts out from having his or her data shared, “that direction is in effect until otherwise stated by the consumer.”

Seems clear enough. Opt out once and you’re opted out forever.

Or are you?

“Unless you say ‘No,’ we may share personal and financial information about you with our affiliated companies,” Chase’s notice said. “Unless you say ‘No,’ we may share personal and financial information about you with outside companies we contract with to provide financial products and services.”

Erik Syverson, a Los Angeles privacy lawyer, said the notice could easily confuse people about the status of their privacy preferences.


“If you’ve already opted out, you may be wondering if you have to do it again,” he said.

Logging in to his Chase account online, Spadaccini found a blank slate. He was instructed to check a series of boxes if he wanted to opt out from having his information shared. “It was like my earlier preferences hadn’t even been recorded,” he said.

That got me thinking, so I checked the websites of the various financial institutions I do business with. Not one had a prominent link to setting my privacy preferences.

More important, not one allowed me to confirm my existing preferences. Like Spadaccini, I too encountered a blank slate each time, with each company inviting me to register my preferences from scratch, even though I’d already opted out with all of them.

This is obviously nuts.

Last week, I wrote about a new privacy-enforcement division being set up by California Atty. Gen. Kamala D. Harris. Its job is to crack down on security leaks and computer breaches that endanger people’s privacy.

But things are so messed up that businesses are required by law to scare you annually with notices that your information could be shared unless you act, yet they provide no way to check the status of any previously registered privacy preferences.

“There’s probably a reason for this,” said Christopher Blanchard, a Burbank privacy lawyer. “It wouldn’t be in the best interest of the financial institution to allow you to easily change your mind.”


Gary Kishner, a Chase spokesman, acknowledged that the company’s website doesn’t allow customers to confirm their existing privacy preferences. All you can do is start from the beginning and set them again if you’re unsure.

But Kishner said that “those settings are set until the customer chooses to change them.”

So why send out potentially misleading notices that make it look as if you’re no longer opted out?

Chase does it, Kishner replied, because the state of California requires that notices be sent every year. Apparently, it would be too complicated (read: costly) for the bank to personalize notices to reflect each customer’s privacy settings.

At my request, the state attorney general’s office reviewed the California Financial Information Privacy Act and concluded that there’s no provision requiring banks to inform customers of their established preferences. It’s apparently an aspect of things that lawmakers overlooked when drafting the legislation.

This is a loophole that needs filling. Otherwise consumers will be needlessly confused every time they receive an obligatory annual notice informing them that their personal info could be shared. Their only recourse, as a spokeswoman for the attorney general put it, is to “opt out again every year.”

That’s not what the law requires, and it’s not how consumers should be treated. Someone in Sacramento should step up and fix this.


David Lazarus’ column runs Tuesdays and Fridays. He also can be seen daily on KTLA-TV Channel 5 and followed on Twitter @LATlazarus. Send tips or feedback to