Today, Congresswoman Maxine Waters (D-CA), Ranking Member of the Committee on Financial Services, gave the following floor statement in opposition to H.R. 2396, a bill that would reduce requirements for financial institutions to provide privacy notices to their customers:
As Prepared for Delivery
I rise today to speak in opposition to H.R. 2396, the “Privacy Notification Technical Clarification Act.”
Contrary to the bill title, this bill is far from a “technical clarification.” So, I want to be very clear about what this bill would actually do. H.R. 2396 would reduce the meaningful and clear disclosures that financial institutions must currently provide to their customers every year, even if those companies share their customers’ nonpublic personal information broadly with nonaffiliated third party companies. Unlike other privacy bills Congress has considered, this bill comes with no guardrails whatsoever to discourage the company from broadly sharing consumers’ sensitive, personal information.
While the bill provides several alternative mechanisms to deliver privacy reminders, one option would result in the customer receiving no written disclosure at all.
The current annual privacy notices serve as a reminder describing a customer’s right to restrict the sharing of their nonpublic personal information to nonaffiliated third parties and information about how to exercise this right, if they so choose. This privacy right was created in the Gramm-Leach-Bliley Act (GLBA), which was signed into law in 1999. I served on the GLBA conference committee so I know firsthand that the initial and annual privacy notices in GLBA were enacted partly in response to public concerns about the sale of personal data for marketing purposes that were highlighted in a number of legal actions brought by state attorneys general at the time. In 1999, for example, there was a settlement between the Minnesota Attorney General and U.S. Bank resolving allegations that the bank misrepresented its practice of selling highly personal and confidential information about its customers to telemarketers.
These concerns are just as relevant today. In fact, I find the timing of the consideration of this bill very troubling, as it is being brought to the floor just months after the massive Equifax data breach. In the Equifax breach, 145.5 million Americans had their Social Security numbers, dates of birth, and other sensitive financial and personally identifiable information exposed to thieves.
Equifax is not the only major credit bureau to experience a large data breach. About two years ago, Experian -- one of the other three major credit bureaus in this country -- had a breach that exposed millions of T-Mobile customers’ information. These breaches are on top of a long list of other breaches we have seen at other companies where sensitive customer information was compromised.
Consumers have called on their representatives in Congress to enact tougher laws that would strengthen their control over their personal information, not weaken it. Consumers are increasingly wary about the unfettered sharing of their personal information by financial firms to nonaffiliated third parties that can result in consumer profiling, fraud, aggressive target marketing, and identity theft. Unfortunately, this bill goes in the opposite direction.
Instead of working to strengthen consumers’ privacy protections, H.R. 2396 would ease obligations on financial institutions to provide notices to their customers describing their privacy practices and policies and, importantly, fully explaining to these customers their right to restrict the sharing of their information to nonaffiliated third parties. This is commonly referred to as a consumer’s right to “opt out” of having a financial institution share their information to companies that are outside their common corporate structure or organization. These nonaffiliated third party companies are generally not ones that the consumers have an existing relationship with, meaning that they have not received a product or service from the company in the past.
Now the proponents of H.R. 2396 may say the bill has nothing to do with Equifax, or that Equifax would not be covered if the amendment being offered later today is agreed to. But the bill would roll back privacy notice requirements for many financial institutions that engage in vehicle financing, including megabanks like Wells Fargo, even if they broadly share their customers’ nonpublic personal information with other companies.
So let’s discuss Wells Fargo and their auto lending practices and their work with nonaffiliated third parties. Earlier this year, the Democratic Staff of the Financial Services Committee produced a report on Wells Fargo’s egregious misconduct, which has resulted in extensive consumer harm. For example, Wells Fargo charged over 570,000 customers for auto insurance policies they did not need, which resulted in at least 20,000 customers, including active duty service members, having their vehicles inappropriately repossessed. These auto insurance policies were provided through a nonaffiliated third party company called National General. The bank has also demonstrated a clear pattern of misusing millions of their customers’ information to open accounts in their name without their permission. So why should Congress consider relaxing the privacy requirements for a recidivist bank like Wells Fargo?
Let me also address arguments that suggest “customers don’t read these notices anyway.” As I have discussed, I think consumers are paying closer attention now after the Equifax incident. Proponents may say that a company posting a link on their website isn’t so bad; the Consumer Financial Protection Bureau allowed for it. But the Consumer Bureau’s rule provided an alternative to the annual privacy notices for companies that do not share data in ways that trigger consumers’ opt-out rights under the law.
Over the last decade, Congress has heard repeatedly from banks and credit unions that if a company does not share personal information with a nonaffiliated third party that allows consumers to opt out from having it shared, and if they do not change their privacy policies, they should be exempt from the annual notice requirements. In those instances, the customer does not have the ability to opt out of having the information shared. After several years of research and debate, we made that targeted change in the last Congress.
Since then, other companies, specifically captive auto finance companies, have made the case that they should have more flexibility satisfying the annual notice requirement because they have a unique and close relationship with automobile dealers they work with, that still requires them to send the annual notice. This nonaffiliated third party relationship triggers consumers’ right under the law to opt out and not have their information shared. I offered an amendment in Committee that would have granted this targeted relief, but it was rejected. So while I appreciate that H.R. 2396 provides flexibility to captive auto finance companies, the bill is not limited to them and goes much, much further.
Mr. Chairman, over 30 consumer, community, privacy and civil rights groups have publicly opposed this bill, including U.S. PIRG, and so do I. This is an area where more study is needed before policymakers craft sweeping changes. The bottom line is I believe we should not open the door too widely, at this time, to give this same degree of flexibility to all financial institutions, including recidivist banks like Wells Fargo. Furthermore, there needs to be more, not less, privacy protections and consumer control relating to personal information following the massive data breach at Equifax this year.
For all of these reasons, I urge opposition to H.R. 2396. I reserve the balance of my time.