Daily Journal Staff Writer
SAN FRANCISCO — You probably wouldn’t tell a complete stranger your phone number, age or annual income.
But your bank might.
The spotlight is shining on the issue of consumer financial privacy this year. Congress forced banks to send customers fat envelopes explaining their privacy policies. More than half the states considered new laws to stop banks from selling information about their customers. California lawmakers tried, but failed, to pass one of the country’s toughest financial privacy laws.
California plaintiffs lawyers hope they can police consumer privacy without the help of the Legislature. A group of private lawsuits are quietly wending through state courts, asserting that some of the country’s biggest banks and credit card companies broke several laws when they sold customer information.
The suits accuse the banks of reaping millions by exposing customers to identity theft and subjecting them to annoying telemarketing calls. They seek a court order stopping such sales and a refund of all profits from the practice.
“The relationship between a consumer and a bank is one of utmost confidence,” said Bonny Sweeney, a lawyer in the San Diego office of Milberg Weiss Bershad Hynes & Lerach who is involved in several of the suits.
“Sure, a customer gives up some confidential material, but his expectations are that the bank will keep it confidential. Customers have no expectation that a bank will sell this information for tremendous profit.”
The lawsuits invoke a hodgepodge of legal theories, citing the state’ constitutional guarantee of privacy, its broad unfair
ROBERT LEVINS/ Daily Journal
Opt-out notices for consumers are “in a big brochure, in fine print, in a language that an attorney couldn’t understand,” says Los Angeles plaintiffs’ lawyer Reuben Yeroushalmi. “[They’re] pretty much nonexistent.”
business practices act and a common-law tort first conceived in response to the popularization of cameras.
Judges have certified nation—and statewide classes against some defendants, and most of the claims have been bundled together before San Francisco Superior Court Judge Richard Kramer. The judge will hear a critical summary judgment motion next week that should indicate whether such claims are viable.
Each defendant offers a slightly different argument, but the banks generally claim there’s nothing confidential about basic information such as name, age and telephone number. They also argue that the transfer of such information amounts to commercial free speech protected by the First Amendment.
Many say the customers consented to such a sale because they were told when they opened an account that it might happen, and they have the opportunity to opt out if they choose.
“The vast majority if not all commercial banks don’t share information outside their corporate family,” said Leland Chan, general counsel for the California Bankers Association. “I’m surprised at these lawsuits. They seem very exploratory, a search to test some new theories of liability. It seems like quite a stretch.”
The sale of customer demographic information is nothing new. Businesses have long sold customer lists to advertisers. But the size of the business has grown recently as technology makes it easier to gather, search and send huge amounts of the information. Experts say the sale of such lists is now a multimillion-dollar industry. The financial services industry considers it lucrative enough to spend about $12 million for lobbyists in California alone, according to the San Francisco Chronicle, in an attempt to defeat the state’s privacy bill.
The sellers include banks, insurance companies, credit card companies and even some retail stores that offer their own credit programs. The buyers want to use the information as a marketing tool, usually to peddle travel, entertainment, rental car or financial services.
According to the complaints against them, the lists for sale include names, addresses, phone numbers, account numbers, account status and balance, marital status, occupation, credit limit, credit balance and purchase information. Minnesota Attorney General Mike Hatch first exposed the practice in 1999 when he sued U.S. Bancorp, charging it with sharing customer information with a telemarketing firm without customer consent. A number of other attorneys general joined the lawsuit, which settled for about $4 million.
The case prompted Congress to draft the Gramm-Leach-Bliley Act, passed in 1999, which required banks to disclose their privacy policies to customers. The policies, as articulated today on many company Web sites, reserve wide latitude to use customer information. One credit card company, for example, claims it only shares information with two kinds of companies: financial services companies and non-financial services companies.
Revelations about such marketing practices led to a wave of lawsuits from an unlikely alliance of plaintiffs lawyers, including a group of Los Angeles attorneys whose practice focuses mainly on Proposition 65 work: Reuben Yeroushalmi, Kamran Ghalchie and Tina Wolfson. Also filing several suits are lawyers from San Diego’s Milberg Weiss.
They’ve targeted some of the biggest names in the business, including Wells Fargo, Citibank, GE Capital, Bank of America, Capital One and Household Finance. Courts have certified classes against Wells Fargo and Citibank.
The suits are filed under a wide variety of laws. Experts say there’s very little case law dealing directly with financial institutions accused of reselling customer information, and so plaintiffs have many alternative theories to pursue.
“It’s all legally innovative because it’s all relatively new,” said California Deputy
Attorney General Susan Henrichsen, who works in the office’s consumer law section. “There are all kinds of different consumer interests implicated, so there’s room for a lot of different approaches.”
Many of the claims might be influenced by people’s expectations of privacy, said Daniel Solove, a professor at Seton Hall Law School who wrote one of the few casebooks on privacy law. The California Constitution claim, for instance, hinges on whether the plaintiff had a reasonable expectation of privacy, and whether the revelation was “an egregious breach of … social norms,” according to past state Supreme Court decisions.
The answers depend on the court’s attitudes, Solove said, and how the lawyers frame the question.
“Some courts might say, ‘So what, they disclosed that you like horses?’” he said. “The problem is that when you collect enough information, it becomes a kind of digital biography, and it can be pretty telling. If someone discloses a book I own, that doesn’t seem to be a big deal. But if you know every single item I own, that’s incredibly telling about who I am—and maybe more offensive to reveal.”
Another claim plaintiffs raise is based on a tort originally conceived in the late 19th century to fight the privacy threat posed by the Kodak camera.
The tort is called “public disclosure of private facts” and was first conceived by legal scholars who urged a new tort of privacy invasion when Kodak developed a cheap and portable camera that threatened to bring photography to the masses.
Solove says the California bank plaintiffs may have trouble using the old tort to fix the modern problem. One potential problem is that the “private facts” must be published, and courts might not deem it a publication when two companies swap lists.
Defendants also argue that they don’t disclose any confidential information; they merely turn over the same information people reveal about themselves every day when they answer the phone or display their driver’s licenses.
They also point to the federal GrammLeach-Bliley Act as a defense. The act permits information-sharing as long as a company explains its policies and gives customers a chance to “opt out,” or keep their information private. The defendants say they comply with the law.
“It comes down to a question of fact,” Chan said. “If you go to a bank, and the bank discloses to you when and how they share information, and the bank gives you a
right to opt out of that sharing, and the bank acts consistent with its statements, is that a reasonable violation of your privacy?
“The law preserves one’s reasonable expectation of privacy. It doesn’t guarantee that one can live on an island.”
Plaintiffs note that the federal law explicitly allows for states to impose stricter privacy laws, and they claim that the California Constitution is one such instance. They also say defendants should be held liable for all activity before the federal act required disclosure. The statute of limitations would allow the plaintiffs to reach back as far as 1995.
Finally, plaintiffs say the opt-out notices are so obscure and inscrutable that customers can’t be expected to understand them, let alone respond.
“If they do provide something, it’s on Page 16,” Yeroushalmi said. “It’s in a big brochure, in fine print, in a language that an attorney couldn’t understand. … It’s pretty much nonexistent.”
The defendants argue that the sharing of information is commercial free speech protected by the First Amendment. They point to a recent 10th Circuit opinion holding unconstitutional an FCC order restricting a business’ ability to share customer information. U.S. West v. Federal Communications Commission, 182 F. 3d 1224 (1999).
The same lawyers have had some success against other banks, reaching settlements with Union Bank and California Federal Bank. In those cases, the banks agreed to issue clearer or more specific notices and to stop reselling customer information for two years. (Yeroushalmi said he hopes the state Legislature will have passed stricter laws by then.)
The pending cases seek a court order stopping the banks from disclosing customer information without customers’ written consent.
They also seek disgorgement of the money earned from the sales, general and punitive damages and attorneys’ fees.
The two coordinated cases in San Francisco Superior Court are Consumer Privacy Cases, J.C.C.P. 4211 and Capitol One Cases, J.C.C.P. 4191. Privacy law experts agree: We’re likely to see more such cases.
“As more people learn about legal protections, [lawyers] will think of different ways to bring lawsuits,” Solove said. “We are seeing the birth of a field as it comes to national awareness. Privacy is starting to be treated as a separate, collective body of law.”
Originally Published by the San Francisco Daily Journal on September 27, 2002. Click here to view the original article in PDF.
A Professional Law Corporation
Based in Beverly Hills, Calif.