WASHINGTON - The Federal Trade Commission published a financial-services privacy rule on Friday, setting forth new regulatory guidelines that will for the first time regulate the information-sharing practices of some Internet sites. The new rule could provide a clue as to the tenor of the testimony that the commissioners will give before Congress on the broader question of online privacy in coming weeks.
The 159-page rule outlines mandates some "financial institutions" to notify customers about the collection of personal information and to offer some a choice as to how that data is shared. Issued under authority granted by the Financial Services Modernization Act of 1999, the FTC's rule covers businesses such as online mortgage brokers, real estate brokers and tax preparers, which aren't already covered under similar rules issued under the same law by other federal agencies, such as the Federal Reserve. The FTC's rule is scheduled to take effect July 1, 2001. (For a PDF version, click here.)
As early as next week, the commissioners will release to Congress a broad new online-privacy report. Last summer, a majority of commissioners recommended that Congress let industry keep policing itself for the time being, but since then, the commission has launched several privacy probes into leading Internet sites such as Amazon.com and Yahoo.com.
Furthermore, an internal survey of Web sites' privacy policies conducted in March is expected to provide grist for a change in the commission's stance. Only 20 percent of the Web sites surveyed comply with the FTC's standards for fair-information practices, and FTC staff members are reportedly now telling the commissioners that they should ask Congress for new legislation. While not rejecting continued industry self-regulation outright, the commissioners are expected to heed the advice of their staffs and tell Congress that it should enact new laws aimed at governing Internet privacy.
In Friday's rule, the FTC used a broad definition of financial services based on banking laws that include a host of activities "closely related" to banking, such as financial-data processing, sales of financial software and property-appraising services.
The rule applies to data collected as part of the sale or provision of a financial product or service. Companies covered by the rules are required to give notice to consumers as to what personal, nonpublic information is collected. The companies also must reveal with whom they share the data. Covered information includes data collected by a "cookie" file that tracks a consumer on the Web, according to the rule. In another example, the rule also covers information a person provides when applying for a mortgage loan online, even if the loan isn't granted.
A company like Intuit that sells financial software directly to consumers would be covered, as would a Web site that offers its own branded credit card or leases cars directly to consumers. Companies that give consumers access to their credit card bills or other financial data online would be covered as a financial-data processor, according to the rule.
The rule also requires that the notification policy simply can't be posted on a Web site. Rather, the company must verify that consumers have seen it. For example, companies might require that the consumer click on a button acknowledging the policy before they can purchase a financial product.
Finally, the rule states that consumers must be given the right to prohibit sharing of their personal information with unaffiliated third parties. The limit applies only to information gathered as part of the sale of the financial product or service, and only to information that is not otherwise publicly available. The rule makes an exception for data such as financial-account numbers that are provided to third-party marketers selling products or services on behalf of financial institutions.
