NOTICE: This is an archived press release. Information contained on this page may be outdated. Please refer to our latest press releases for up-to-date information.

Post date: January 16 2001

Fleet Bank Agrees To New Privacy Protections

In a continuing effort to protect the privacy of consumers throughout the state, Attorney General Spitzer today announced that a national financial institution has agreed to adopt new and important protections for its customers.

FleetBoston Financial Corporation resolved concerns raised by Spitzer's office regarding its use of customer financial data by adopting a new privacy policy requiring a customer's affirmative approval, commonly referred to as an "opt-in," prior to sharing non-public personal information with third parties for marketing purposes.

"Fleet's new privacy policy is a positive step forward in advancing the goal of protecting the financial privacy of consumers across the nation, and I commend Fleet for taking this action," Spitzer said.

Fleet's new privacy reforms come as a result of Spitzer's objections to Fleet's sharing of customer account information with marketing companies without providing full prior disclosure to its customers.

A new federal law, the Gramm-Leach-Bliley Act, requires financial institutions to provide a privacy policy to its customers and a procedure for its customers to "opt-out" of having non-public personal information shared with non-affiliated third parties. This protected information includes: credit line; last transaction date; number and amount of purchases per year; cash advances; amount of finance charges; and a consumer's credit card balance.

Under Fleet's new policy, the bank will not share personal information about its individual account- and credit card-holders without their informed, voluntary, specific and documented consent. This policy provides more comprehensive protection for consumers because it gives them direct control over whether their personal information can be shared. Spitzer promised rigorous monitoring of the policy's implementation, particularly the manner in which consumers' consent is obtained.

Fleet's sharing of consumer's information will now be limited to that which is specifically authorized by the consumer and only on a product by product basis. Fleet also will adopt controls to ensure that any shared information will not be used beyond the purposes of the consumer's specific authorization.

In January 2000, Spitzer's office settled allegations against Chase Manhattan Bank USA that it violated its own privacy policy by failing to clearly disclose to its customers that the financial institution shared information about its customers with third parties that were marketing non-financial products.

Since that time, Spitzer's office has entered into agreements with two national telemarketing companies, MemberWorks, Inc. and BrandDirect, Inc., settling allegations of deceptive business practices. These telemarketing companies were given access by various lenders to account-holders' financial information. When these telemarketing firms solicited the account-holders for memberships in discount clubs using negative options plans, in many cases they failed to notify consumers that they already had access to credit card numbers, and if consumers did not affirmatively cancel in a "free trial period," their credit cards would be billed.

Financial privacy has remained a top priority for Spitzer since he advanced his comprehensive privacy agenda last year. Spitzer authored and proposed legislation that would require financial institutions use an "opt-in" before sharing customer account information. Other proposed legislation in the privacy agenda includes:

  • Information Brokers: would mandate that consumers have an opportunity to review any data information brokers have acquired about them and "opt-out" of having their information shared;
  • Internet Privacy: would require"opt-in" consent before web site operators could exchange information gathered about a site visitor;
  • Junk E-mail: would require "spam" marketers to provide consumers with an "opt-out" to stop future unsolicited e-mail advertisements;
  • Credit Reporting: would (1) require that a person procuring a credit report for resale disclose to a consumer reporting agency the permissible purpose of the end user; (2) require that those who resell consumer credit reports to follow procedures to ensure that the report is used for permissible purposes only; and (3) forbid the furnishing of header or biographical information for use in direct marketing transactions not initiated by the consumer where the consumer has opted out;
  • Identity Theft: would criminalize ID theft and would recognize consumers as true victims by allowing them to sue for damages.

Fleet also agreed to contribute $100,000 towards a consumer privacy rights education campaign.

This case was handled by Assistant Attorneys General Stephen Mindell, Shirley Stark and Jane Azia of the Consumer Frauds and Protection Bureau.