Protecting Financial Privacy in the New Millennium: The Burden Is on You
Used to be, your bank
handled your checking and savings accounts. You visited your insurance
agent for life, auto, or homeowner's insurance. And, if you wanted to
"play the market," you called your stock broker. Recent federal
legislation has changed all that.
The Financial Services
Modernization Act (also known as the Gramm-Leach-Bliley Act or GLB) now
allows banks, insurance companies, and brokerage firms to operate as
one. The combined companies have been aptly dubbed "financial
supermarkets." They may promise you such benefits as consolidated
account statements and lower fees. But at the same time, the ability of
these companies to merge customer data from several sources and even
sell it to third parties represents a real risk to your privacy.
Information about you kept
in the files of financial institutions is now, and always has been, some
of the most sensitive, personal information imaginable. Surprisingly,
until now, there were few restrictions on a financial institution's
ability to share or even sell* your personal information. Title V of GLB
(15 U.S.C. §§ 6801-6810) gives you some minimal rights to protect your
financial privacy. But the burden is on you to assert your rights.
[*Note regarding the word
"sell." Most companies actually rent or lease customer data to third
parties for a one-time use. Even though financial companies are likely
to be renting customer data, we use the word "sell" in this guide to
indicate that customer data exchanges hands for a fee.]
What privacy rights do I
have under GLB?
GLB requires that your
financial institution give you notice of three things:
- Privacy Policy: Your financial institution must tell you the kinds of
  information it collects about you and how it uses that information.
- Right to Opt-Out: Your financial institution must explain your ability to
  prevent the sale of your customer data to third parties.
- Safeguards: Financial institutions are required to develop policies to
  prevent fraudulent access to confidential financial information. These
  policies must be disclosed to you.
"Opt-out" is contrary to the
"opt-in" approach preferred by most consumer and privacy advocates.
Opt-in would prohibit a financial institution from sharing or selling
your data if you did not give your affirmative consent. With
opt-out, you give your implied consent by failing to return the notice.
The default for the opt-out approach is that your data is shared until
and unless you notify the company otherwise.
Will the privacy notice
come from my bank?
Yes. And if you have active
accounts with a brokerage house, credit card company, or insurance
company, you will receive a privacy notice from these institutions as
well. In addition, the term "financial institution" includes companies
you might not consider to be financial institutions such as payday loan
companies, collection agencies, and travel agents. For this reason, it
is particularly important to carefully review all preprinted notices you
receive in the mail or via a company's web site or electronic mail
messages.
When will I receive the
privacy notices?
By July 1, 2001, you should
receive a privacy notice from every financial institution where you have
an ongoing customer relationship. If you have more than one account with
any company, you will probably not receive a notice for each account.
You may receive notices from companies where you were not even aware
that you had an existing relationship. The American Bankers' Association
has estimated that the average household will receive about 18 notices.
Will I receive a written
notice in the mail?
You will receive a written
notice in the mail or by electronic mail if you normally do business
online. The notice, whether received in the mail or online, must be
"clear and conspicuous." For example, an Internet notice should prompt
you to scroll down the page in order to view the entire notice or
provide you a drop-down menu that draws your attention to the privacy
notice. In order for it to be effective, you must agree to
receive the notice by electronic means and must acknowledge
having received it. Verbal notice alone is not enough. Nor is it enough
for a company to post a notice at its office.
Will the privacy notice be
separate from other notices?
The law does not require
that you receive a separate notice of the privacy policy, your right to
opt-out, or the policy regarding safeguarding confidential information.
There is no standard form, so the notice may come in a variety of ways.
The exact format is left to the discretion of the company. The law
requires only that the notice be "clear and conspicuous" and "designed
to call attention to the nature and significance of the information
contained" in the notice.
Notices may, for example, be
mailed along with your account statements. Your privacy notice may also
be included with other notices you are required to receive, for
instance, in a mutual fund prospectus. Remember: If you do not want
your financial institution to share or sell your confidential
information, the burden is on you to recognize the notice and follow the
opt-out instructions.
Can I shop around for a
privacy policy I like before opening an account?
You may certainly ask a
financial institution you're thinking of doing business with for a copy
of its privacy policy. However, you are only entitled to the
notice if you are either an existing customer or at the time you
establish a "customer relationship" with a financial institution. After
that, you are entitled to receive a notice annually.
A "customer relationship"
means a continuing relationship. You have only a "consumer relationship"
if you have an isolated transaction with a financial institution. One
example would be an ATM withdrawal. A "consumer" is entitled to notice
of the financial institution's privacy policy only if it intends to
disclose information to nonaffiliated third parties.
I have a joint account with
a spouse/friend. Do both of us have to "opt-out" to prevent information
from being shared or sold?
To be safe, probably yes, if
both of you want to opt-out. A financial institution cannot require
that you both opt-out. If only one of you decides to opt-out, you should
ask for separate notices. Then, only information that relates to the one
who did not opt-out can be disclosed. The company’s policy regarding
joint accounts should be included in its privacy notice to you.
What about closed accounts?
Initial and annual notices
must inform you of the policies regarding disclosures of information
from closed accounts. Financial institutions are not required to send
you an "opt-out" notice if your account is closed. However, if you have
an existing account and "opt-out," that is, return the notice saying you
do not want your information disclosed, your opt-out election would
continue even after you closed the account. If at a later time you
decide to open another account with that bank or other company, you will
receive another initial "opt-out" notice which will apply only to data
about your new account. You may choose to "opt-out" of the second
account, but your decision with regard to the first account will not
change unless you change it.
How long do I have to
opt-out?
You are entitled to a
"reasonable" time to respond before your personal data can be disclosed.
Generally 30 days is considered "reasonable." If the privacy notice says
you have 30 days to respond, you must return the notice so that it
reaches the company within 30 days after it was sent to you. When
you agree to accept notice via the Internet, you must respond to the
notice within
30 days after you acknowledge you received it, if 30 days is the amount
of time you are given to respond.
If you have an isolated
transaction, which means you have only a "consumer relationship" with a
financial institution, you may be required to decide whether to opt-out
at the time of the transaction. For example, if an ATM screen posts a
privacy policy and opt-out notice, you must elect at that time whether
you want to opt-out. Failure to do so would mean that the financial
institution could share or sell your personal data any time after that.
Do I have only one chance
to opt-out?
No. Your right to opt-out is
continuing. If you fail to return the initial opt-out notice or an
annual opt-out notice, your financial institution may sell or share your
personal data after a "reasonable" time, usually 30 days. If you later
decide you want to keep your financial institution from disclosing your
personal data, you always have the right to opt-out. It goes without
saying, however, that information that is disclosed before you opt-out
is already "out there."
Do I have to write a letter
for every account?
No. Your financial
institution is required to give you a "reasonable" means to exercise
your opt-out rights. Requiring you to write individual letters is not
considered "reasonable" if that is the only way you can opt-out. A
formal response may be included with the notice such as a form with
check-off boxes or a simple reply form. However, financial institutions
are not required to provide pre-paid postage. An e-mail or web site form
may be used if your request is processed via the Internet. A toll-free
telephone number may also be used for customers to call and opt-out.
Can I opt-out by verbally
telling my broker or banker?
No. You must opt-out using
the procedure your bank or other financial company establishes, as long
as it is reasonable. Again, the burden is on you to follow the
procedures set out by your financial institution. Failure to do so could
result in disclosure of information you would not tell your best friend.
Will the privacy notice say
exactly what information about me can be disclosed?
The law and regulations
require only that you get notice of the categories of information
the financial institution collects and the categories of
information that may be sold or shared with a third party. The notice
must give you specific examples of the kinds of information included in
each category, but this is by no means a complete list of the data that
may be disclosed.
The privacy notice may tell
you that your financial institution collects and may disclose
information obtained from you from account applications and give
examples such as your name, address, Social Security number, assets and
income. You should assume from such a statement that any other
information you provide on an account application could be collected and
disclosed. Depending on the nature of the application, other information
might include former addresses, debt level, mortgage payments, income
other than salary such as child support payments, and much more.
Is there any kind of
information that can't be disclosed?
GLB and federal regulations
only keep financial institutions from disclosing your account number
or access code to a third-party nonaffiliated company to use in
telemarketing or direct mail marketing. This means that a financial
institution can sell your personal data to a telemarketer, for example,
but it cannot sell the means by which your account can be accessed.
Can my medical information
be disclosed?
Unless you opt-out,
sensitive information such as details about your health and treatments,
may be disclosed to a third-party nonaffiliate. Again, you will not
receive notice of exactly what can be released -- only the category.
You may have heard that the
federal Department of Health and Human Services (HHS) has adopted rules
to protect your medical privacy. The HHS rules, however, only apply to
records kept by health-related institutions. You have no control over
whether medical information captured by financial institutions is shared
with an affiliate company. For example, if you have paid XYZ Oncology
Clinic by credit card or check, that information will be recorded and
perhaps shared with third parties.
The status of these medical
privacy rules is now in flux. The Bush Administration has delayed
implementation of the rules, which were developed during the Clinton
Administration, pending additional study. (See
www.healthprivacy.org
for more information.)
You may have greater rights
to protect health information under the laws of your state. For example,
California recently passed a law that makes it a crime for an insurance
company to sell information to a financial institution for the purpose
of granting credit (AB 2797 in the 2000 legislative session, California
Civil Code 56.26). The
information flow in this case is only restricted one way. This law does
not cover information that flows from a financial institution to an
insurance company. State regulations about insurance may also give you
more rights to medical privacy.
Where does a financial
institution get its information?
This is one of the things
the notice must tell you. A financial institution may receive
information directly from you, for example, when you fill out an
application for a new account. Information about you may also be
compiled based upon records of your transactions with that company or
its affiliates. This may include information about how you use your
credit card, your account balances, late payments, what you buy, and
where you shop.
Information may also be
collected from nonaffiliated third parties, consumer reporting agencies,
or public records. Some financial institutions, for example, "enhance"
their files about you with information purchased from companies that
collect data from consumer surveys, product registration cards, public
records, and Census tracts. Such data is used to market products and
services to you that the company believes are compatible with your
interests.
Consider the amount and
kinds of information you supply just to a financial institution that may
sell insurance, bank products, and securities. Combine this with the
information available from other sources, and virtually any detail of
your financial affairs, health status, spending habits, lifestyle
purchases, political affiliations, religious contributions, and more can
be collected by your financial institution. Unless you formally object,
it can be shared, sold, rented, or otherwise disclosed with few
exceptions.
What kinds of companies can
get my personal information?
The privacy notice you
receive from financial institutions does not have to tell you the names
of any specific companies or organizations that may buy or receive your
personal information. Again, only the categories of companies
have to be disclosed to you. Your bank may sell your personal
information to financial services providers, one example of which could
be an insurance company that is not affiliated with your bank. Other
categories of nonaffiliated companies that could receive your
information might be non-financial service providers such as retailers,
direct marketers, or nonprofit organizations. A company that is an
affiliate of your bank may include a credit card company, a brokerage
company, a mortgage company, an insurance company and an automobile
financing company.
Can I stop my financial
institution from sharing my personal information with its affiliates?
Under GLB, a company can
share your personal information with its affiliates. However, the notice
you receive is also likely to explain your right to opt-out under the
Fair Credit Reporting Act (FCRA). This law gives you the right to
prevent a company from sharing information about your credit worthiness
and information from your applications with an affiliate. Your
"transaction and experience" information can still be shared with
affiliates without your consent, according to the FCRA. As explained
above with the example about health-related payments, transaction
information can be highly sensitive.
Under federal rules, a
credit reporting agency (CRA) cannot sell so-called "credit header"
information to third parties (your name, address, phone number, age and
Social Security number) unless your bank has given you the right to
opt-out. Credit reporting agencies have filed lawsuits over this issue,
claiming they should not be restricted in selling such data. The CRAs
are Equifax, Experian, and Trans Union.
Despite the weaknesses in
both the GLB and FCRA laws, you are free to tell the company that you
object to any use of your personal information even if it is
permitted by law. If you object to having your information shared with
third parties or affiliates, you may use the sample letter included in
Fact Sheet 24a to object. (See "How to Read Your Opt-Out Notice,"
www.privacyrights.org/fs/fs24a-optout.htm) For more information
about your ability to opt-out under the FCRA, see PRC Fact Sheet 6, "How
Private is My Credit Report," at
www.privacyrights.org/fs/fs6-crdt.htm.
May I sue my financial
institution for violating my GLB privacy rights?
GLB does not contain what is
called a private right of action. So you cannot go to court and sue for
violations of your privacy rights just under that statute. However,
under some state laws you might be able to claim that the company’s
violation of GLB violated other rights you have.
You can complain to one of
the seven federal agencies that has jurisdiction over financial
institutions under GLB. These agencies are identified below along with a
description of the kinds of financial institution each oversees. Each
agency has enforcement authority under GLB for the area of financial
services it regulates. Enforcement authority means that you can complain
to the agency, the agency may investigate your complaint, and may bring
a court action or administrative case against the company. The agency
cannot represent you and cannot give you legal advice on your particular
complaint.
What are the most important
things I can do to protect my financial privacy?
The single most important
thing you can do to protect your financial privacy is to carefully read
all information that comes from a financial institution. Study the
institution's privacy policy. If it causes you concern, return the
opt-out notice within the specified time.
Remember, you have very
little ability to prevent a financial services company from sharing your
customer data with its affiliated companies. The privacy provisions of
GLB only pertain to unaffiliated third parties. You would not, for
example, be able to prevent your bank from sharing your customer data
with its affiliated insurance company or brokerage firm.
So, if you are concerned
about affiliate sharing and the ability of these "financial
supermarkets" to compile extensive dossiers about you, you must take
extra care to conduct your banking with one corporation, keep your
insurance accounts with another unaffiliated corporation, and your
investments with yet another.
In this privacy-conscious
marketplace, some financial institutions might differentiate themselves
by becoming more "privacy-friendly." Watch for companies that advertise
that they do not share your customer data with either affiliates or
third parties.
State legislatures and
Congress might attempt to strengthen the privacy provisions of the
federal GLB Act in the coming years. If you favor stronger financial
privacy rights, be sure to communicate that to your state and federal
legislators.
Why should I opt-out?
If you are like the many
people who have responded to polls, you are concerned about your
privacy. Opt-out gives you some control over how your personal
information is used. Banks and other financial companies may revise and
strengthen their privacy policies if enough people show their
concern for privacy by opting-out.
Where can I go to complain
about my financial institution's privacy policy?
As far as we can determine,
no federal agency has a specific address for consumers to file
privacy complaints. Information about the seven federal agencies that
enforce the privacy provisions of the GLB is listed below:
Federal Deposit Insurance Corporation (FDIC). The FDIC insures consumer
deposits made in banks and savings associations. To ensure financial
soundness and compliance with consumer protection rules, the FDIC, often
in coordination with other federal banking agencies, conducts
examinations of the institutions included within its jurisdiction.
FDIC
Compliance & Consumer Affairs
550 17th Street, N.W.
Washington, D.C. 20429
(800) 925-4618
www.fdic.gov/consumers/questions/customer/
Board of Governors of the
Federal Reserve (Federal Reserve).
The Federal Reserve is the
nation's central bank. It sets monetary policy, regulates bank
institutions, and provides financial services to the government and the
public.
Federal Reserve
Consumer & Community Affairs
20th & C Streets, N.W. Stop 801
Washington, D.C. 20551
(202) 452-3693
www.federalreserve.gov/pubs/complaints
Office of Thrift
Supervision (OTS).
The OTS is an agency of the
U.S. Department of Treasury. OTS regulates state-chartered thrift
institutions such as savings banks and savings and loan associations.
OTS, Consumer Complaints
1700 G. Street, N.W.
Washington, D.C. 20552
(202) 906-6000
www.ots.treas.gov/contacts.html
Office of Comptroller of the Currency (OCC). The OCC is an agency of the
U.S. Department of Treasury. This agency charters, regulates and
supervises all national banks as well as the federal branches of foreign
banks.
OCC
Customer Assistance Group
1301 McKinney St., Suite 3710
Houston, TX 77010
(800) 613-6743
www.occ.treas.gov/customer.htm
National Credit Union
Administration (NCUA). The NCUA regulates and conducts examinations of
federal credit unions, which are nonprofit, cooperative financial
institutions owned and run by members.
NCUA
1775 Duke Street
Alexandria, VA 22314
(703) 518-6330
www.ncua.gov/talk2ncua/talk2ncua.html
Securities and Exchange
Commission (SEC).
The SEC oversees the nation's
equity markets which include stock exchanges, broker-dealers, associated
persons of broker-dealers, and investment advisors.
SEC
Investor Education & Assistance
450 Fifth St., N.W.
Washington, D.C. 20549
(202) 942-7040
www.sec.gov/consumer/compform.htm
Federal Trade Commission (FTC). The FTC investigates
consumer protection and consumer fraud matters that are not specifically
within the jurisdiction of another federal agency such as the SEC. The
FTC's consumer protection jurisdiction includes debt collection, credit
reports, lending, telemarketing, credit repair services and much more.
To file a complaint with the FTC's Office of Consumer Protection, write,
call, or contact the agency online:
Federal Trade Commission
CRC-240
Washington, D.C. 20580
(877) FTC-HELP
(877-382-4357)
www.ftc.gov/privacy/
To find the address and
telephone number of the Insurance Commissioner in your state, write,
call, or connect online with the National Association of Insurance
Commissioners:
NAIC
2301 McGee Street, Ste 800
Kansas City, MO 64108-2604
(816) 842-3600
www.naic.org
Laws
GLB Privacy Regulations
Related PRC Publications on Financial Privacy:
Fact Sheet 24. “Financial Privacy in the New Millennium: The Burden Is on
You.”
www.privacyrights.org/fs/fs24-finpriv.htm
Fact Sheet 24(a) “Financial
Privacy: How to Read Your “Opt-Out” Notices.”
www.privacyrights.org/fs/fs24a-optout.htm
Fact Sheet 24(b). "Take the Cloze
Test: Readability of a Financial Privacy Notice."
www.privacyrights.org/fs/fs24b-ClozeFinancial.htm
Fact Sheet 24(c). "How to
Shop for Financial Privacy"
www.privacyrights.org/fs/24c-ShopFin.htm
Financial Privacy Notices:
Do They Really Want You to Know What They’re Saying?
www.privacyrights.org/ar/GLB-CodeOpEd.htm
“Lost in the Fine Print:
Readability of Financial Privacy Notices.”
www.privacyrights.org/ar/GLB-Reading.htm
Financial Privacy: How to Read Your "Opt-Out" Notices
A new federal law gives you some
minimal rights to protect your personal financial information. Fact Sheet 24
describes the Financial Services Modernization Act ("Protecting Financial
Privacy in the New Millennium: The Burden Is on You,"
www.privacyrights.org/fs/fs24-finpriv.htm). It outlines the steps you must
take if you want to "opt-out," that is, limit the sharing of your customer data
with other companies.
The law gives you the right to
prevent a company you do business with from sharing or selling certain sensitive
information to non-affiliated third parties. The term "opt-out" means that
unless and until you inform your bank, credit card company, insurance
company, or brokerage firm that you do not want them to share or sell your
customer data to other companies, they are free to do so.
When this law was debated in
Congress, consumer advocates argued unsuccessfully for an "opt-in" provision.
This stronger standard would have prevented the sharing or sale of your customer
data unless
you affirmatively consented. Unfortunately, the opt-in standard did not prevail.
That is why we emphasize in Fact Sheet 24 that the burden is on you to
protect your financial privacy.
What is the first step I can take
to protect my personal financial information?
Now is not the time
to toss bill inserts and documents containing lots of fine print into the trash
unread. Starting July 1, 2001, and once a year thereafter, banks and other
financial services companies must mail privacy notices to their customers.
Pay attention to the mail you
receive from your bank, insurance company, credit card company, and brokerage
firm. Look for words such as "Privacy Notice," "Privacy Policy,"
and "Opt-Out Notice." You might receive such notices via e-mail or the
company’s website if that is the way you normally do business with them.
Will the notice explain the new
law and the rights it gives me?
Not in so many words. Some
companies may use the notice as a marketing opportunity. Instead of referring to
your rights under the law, you may see statements at the beginning of the notice
such as these: "Because we respect your privacy…," or "In order to provide you
with the best services..." However, make no mistake: The rights described in the
notices are yours under federal law and companies must give you this notice.
Should I assume the notice is
about my rights under the Financial Services Modernization Act?
The notices you receive will
actually be a combination of your opt-out rights under two federal laws
-- the Financial Services Modernization Act (also known as Gramm-Leach-Bliley,
or GLB, after the Congressmen who introduced it) and the Fair Credit Reporting
Act (FCRA). The notice may not identify either of these laws by name, so you
must be able to identify the words and phrases associated with each law.
An important difference is that
GLB allows you to opt-out of information-sharing only with non-affiliated
third parties and not with a company’s affiliates. The FCRA allows you to
opt-out or prevent a company from sharing "creditworthiness" information with
its affiliates.
(To learn more about your rights under the Fair Credit Reporting Act, read
Fact Sheet 6, "How Private Is Your Credit Report?"
www.privacyrights.org/fs/fs6-crdt.htm)
The following table may help to
explain the differences between the opt-out opportunities in the two laws. The
terms used in this table are further explained below.
| Law | Information Covered | Key Words and Phrases | Disclosures (sharing and sales) to | Can You Opt-Out? | How to Opt-Out |
|---|---|---|---|---|---|
| Financial Services Modernization Act (GLB) | Information maintained by a financial institution | Personally identifiable financial information, also termed nonpublic personal information | Third-party non-affiliates | Yes | Toll-free number; online; by mail |
| | | | Service providers | No | |
| | | | Joint marketers | No | |
| | | | Affiliates | No | |
| | | Publicly available information | Third-party non-affiliates and/or affiliates | No | |
| Fair Credit Reporting Act (FCRA) | Information from consumer reports | Transaction and experience information | Affiliates | No | |
| | | Creditworthiness information | Affiliates | Yes | Toll-free number; online; by mail |
I received a privacy notice that
said my bank does not sell my information to third-party nonaffiliates. But
later in the notice, it says they share information with third-party
nonaffiliates "as permitted by law." Can I opt-out or not?
Probably not. The law contains
exceptions to your right to opt-out to information sharing with third-party
nonaffiliated companies. You cannot opt-out if your company shares information
with an outside company that provides services for your company such as check
printing. More troubling is the loophole that enables the company to enter into
joint marketing agreements with outside companies. Such sharing of information
is "permitted by law" and you have no right to opt out.
Will the notice tell me exactly what
information the company has about me?
No. The notice need only be general
in nature, and an identical notice will be sent to all the company’s customers.
Do not expect to see anything that applies specifically to you.
You will have to read between the
lines. If a notice says that the company collects information from applications
you filled out, think about the kinds of information you are required to give on
an application for credit or a loan.
Will some information be on all
privacy notices?
Yes. Keep in mind, there is no
standard form. There are, however, certain key words and phrases that you are
likely to see in all notices. You will often see the following words in bold
type.
- Affiliate. Refers to a company that is owned or controlled by the same people or parent company as the one sending the opt-out privacy notice to you. An affiliate is often referred to as a company in the same "corporate family." You cannot opt out of affiliate sharing under GLB. But under the FCRA you can opt-out of having information about your creditworthiness shared with company affiliates. (See Creditworthiness below.)
- Collect. Tells you what information the company collects about you and where it gets the information.
- Creditworthiness. Refers to information about how you pay your bills (are you current or overdue?), your credit score, and the risk of giving you credit. You may opt-out of affiliate sharing under the FCRA. (See Affiliate above.)
- Joint Marketers. Refers to non-affiliated third parties and affiliates that have entered into an agreement with your company to sell you products. An example would be if your credit card company enters into an agreement with another company to sell you insurance against loss on your credit card account. You cannot opt-out of the sale or sharing of your customer data with Joint Marketers.
- Non-affiliated Third Party. Refers to all companies, individuals, and organizations that are not affiliates. You can opt-out under GLB.
- Nonpublic Personal Information. See Personally Identifiable Financial Information.
- Personally Identifiable Financial Information. Refers to information that may be connected with you and your accounts. For example, information that combines your name with your account balance or income would be personally identifiable information. This phrase comes from GLB and you may choose to opt-out of sharing or sale of this information but only as it pertains to third-party non-affiliates.
- Publicly Available Information. Refers to information that your financial institution has a reasonable basis to believe is lawfully made available to the general public. For example, your telephone number is public information unless you have an unlisted number. You cannot opt-out.
- Service Providers. Refers to a company hired to perform a service such as preparing account statements or printing checks for your company. You cannot opt-out.
- Share, Disclose, or Provide. Tells you what the company does with your personal information. "Share," "disclose," and "provide" will usually be used with the words "affiliate" and/or "non-affiliated third party." When used with the term non-affiliated third party, it is quite likely that your information may be rented, usually on a one-time-use basis. You will seldom see the word "sell" unless the company says it does not sell your information to third party non-affiliates.
- Transaction and Experience. Refers to information that may include such things as the charges you make on your credit card or the checks you write. This phrase comes from the FCRA. You cannot prevent the company from sharing this information with affiliates under either the FCRA or GLB. However, under GLB you can opt-out of the sharing or sale of this information to a third-party non-affiliate.
Privacy advocates strongly opposed this loophole in the FCRA
because "transaction and experience information" is often highly personal and
very sensitive. Think, for example, of the entries in your check register. When
you write checks to medical facilities, religious organizations, political
candidates, charitable organizations, and so on, you are revealing a great deal
of information about yourself. The same can be said of the purchases you make on
your credit cards. Your monthly statement can read like a mini-autobiography.
Yet, such information can be shared with company affiliates without your
permission.
Will the notice tell me exactly what
is meant by the above words and phrases?
Probably not. Most of these words
and phrases have been given definitions in laws and regulations. However,
companies have been instructed to provide the form in easily readable plain
language so you will seldom see complete legal definitions.
Will the notice tell me what to do
if I want to opt-out?
Yes. This is one of the requirements
of both GLB and the FCRA. The notice will most likely give you three choices:
- Send a letter or return an attached form to an address
given in the notice.
- Call a toll-free number given in the notice.
- Opt-out online if that is the way you normally do
business with the company.
My bank’s privacy notice gives a
toll-free number to call to opt out, but I’d rather send a letter. Is this okay?
Federal regulations explain that you
must follow the procedure to opt-out that is provided in the company’s privacy
notice. So there is no guarantee that you will successfully opt out if you choose
another method of contacting the company. However, if you want to follow the
procedure provided by the company, such as calling the toll-free number, and
then write a letter in addition, go ahead. In this way, you will have a
written record of your request. Some companies may be more willing than others
to accept an alternative opt-out procedure.
I received a privacy notice that has
a pre-addressed form to tear off and send back in order to opt-out. On the back
of the form, I must fill in my name, address, account number and Social Security
number. I don’t want to send such personal information in the mail for anyone to
see. Will my opt-out request be processed if I put the form inside an envelope?
What if I provide only the last four digits of my Social Security number?
We agree that consumers should not
be required to mail such personal information on a postcard. As we have said
many times in other publications, your Social Security number is the key to
identity theft if it gets into the wrong hands. Your financial company may
honor your opt-out request without a complete Social Security number or if you
insert the card into an envelope. But, it’s best to check with the company
before altering their procedures. Such flexibility would indicate that your
company wants to comply with the spirit as well as the letter of the law.
Attached is a sample letter you may
use if you want to opt-out by mail. Use this letter if one of the choices the
privacy notice gives you is to send a letter to a specific address. Or use the
letter if you want to make a written record to follow a toll-free call or an
online opt-out request. Note that the sample letter asks the company not to
share your information with affiliated companies or with joint marketers. The
company is not obligated to comply with these additional requests. However,
including such requests lets the company know that you do not approve of its
sharing information with affiliates or joint marketers.
What is the easiest and cheapest way
for me to opt-out?
Unless you do business online, the
easiest and cheapest way to opt-out is to call a toll-free number. Not all
companies have provided toll-free numbers, however. And companies are not
required to provide prepaid postage for you to return your opt-out instructions
by mail.
Can I opt-out under the FCRA and GLB
at the same time?
It depends. If the company gives you
a toll-free number, the same number will likely appear in two places:
- In connection with your right under GLB to opt-out of
information sharing with third-party non-affiliates.
- In connection with your right under the FCRA to opt-out
of sharing your "creditworthiness" information with affiliates.
If you call the toll-free number, an
automated system is likely to give you two opt-out choices. Follow the
instructions to opt-out under both GLB (non-affiliated third parties) and the
FCRA (creditworthiness).
If you talk to a person at the
number, be sure to mention both opt-out laws and the phrases associated with
each if that is your choice. You may use the attached letter as a guide on what
to say if you want to speak to a representative of the company.
Online, you should be given the same
two opt-out choices. If you are familiar with the words that apply to each of
the opt-out laws, you should be able to easily follow the online instructions.
Do I have any other opt-out choices?
Although it is not required, the
notice may enable you to not receive marketing offers for products or
services from that company or its affiliates. Follow the instructions in the
notice if you do not want to receive such offers. (See PRC Fact Sheet No. 24(c),
"How to Shop for Financial Privacy,"
www.privacyrights.org/fs/fs24c-ShopFin.htm.)
In Fact Sheet 24, we noted that a
major weakness of GLB is that it does not give you the opportunity to
prevent your financial services companies from sharing your data with their
affiliated companies. However, there’s no stopping you from asking anyway.
In the following sample letter, we include language that you may use if you want
to request that your bank, credit card company, insurance company, or brokerage
firm refrain from sharing your personal data with its affiliates and joint
marketing partners.
The Privacy Rights Clearinghouse’s
Financial Privacy Guides:
Fact Sheet No. 24. "Financial
Privacy in the New Millennium: The Burden Is on You,"
www.privacyrights.org/fs/fs24-finpriv.htm. An overview of the Financial
Services Modernization Act, also known as the Gramm-Leach-Bliley (GLB) Act.
Fact Sheet No. 24(a). "Financial
Privacy: How to Read Your "Opt-Out" Notices,"
www.privacyrights.org/fs/fs24a-optout.htm. How to decipher the legalese and
make sense of privacy notices.
Fact Sheet No. 24(b). "Take the
Cloze Test: Readability of a Financial Privacy Policy,"
http://www.privacyrights.org/fs/fs24b-ClozeFinancial.htm. Take a standard
reading test and determine for yourself if financial privacy notices are
readable.
Fact Sheet No. 24(c). "How to Shop
for Financial Privacy,"
http://www.privacyrights.org/fs/fs24c-ShopFin.htm. A guide to finding
companies that take extra steps to protect your financial privacy.
Fact Sheet No. 24(d). "Frequently
Asked Questions About Financial Privacy,"
www.privacyrights.org/fs/fs24d-FinancialFAQ.htm. Answers questions that many
consumers have asked of the PRC about the opt-out notices and other aspects of
the law.
"Lost in the Fine Print: Readability
of Financial Privacy Notices," by Mark Hochhauser, readability consulting,
www.privacyrights.org/ar/GLB-Reading.htm. An analysis of opt-out notices
using standard readability tests.
See also Fact Sheet No. 6. "How
Private Is My Credit Report?"
www.privacyrights.org/fs/fs6-crdt.htm. An explanation of your rights under
the federal Fair Credit Reporting Act.
How to order these guides. If you do
not have Internet access and want to obtain any of these guides, please send a
check or money order for $1.50 per guide to the Privacy Rights Clearinghouse at
the address listed on page one. Be sure to indicate which of the guides you wish
to order.
Fact Sheet 24A -- Attachment
Sample Opt-Out Letter
(Use this letter if the company
provides you the option of writing a letter. This letter may also be used if you
want to follow a toll-free call or an online opt-out with a written request.)
[Date]
[Your address]
[Name of company]
[Company’s address as shown in the
privacy notice]
RE: Opt-Out Instructions for Account
#______________
Dear [name if given in the privacy
notice]:
Following are my instructions with
regard to your information sharing and sales policies:
You do not have my permission to share my personally
identifiable information with non-affiliated third party companies or
individuals. I am asserting my rights under the Financial Services Modernization
Act (the Gramm-Leach-Bliley Act) to opt-out of any sharing or sales of my
information by your company.
You do not have my permission to share information about my
creditworthiness with any affiliate of your company. I am asserting my rights
under the Fair Credit Reporting Act to opt-out of any sharing of this
information by your company.
[Optional] I do not wish to receive marketing offers from
your company or its affiliates. Please delete my name from all marketing lists
and databases.
[Optional] Your company’s privacy
notice states you may otherwise use my information as "permitted by law." I wish
to limit other uses of my personal information by your company and its
affiliates. In particular:
You do not have my permission to disclose any
information about me, including transaction and experience information, to your
affiliates.
You do not have my permission to disclose any
information about me in connection with joint marketing agreements between your
company and another company.
Thank you for respecting my privacy
and honoring my choices regarding my customer information.
Sincerely,
[Your signature]
[Your name]
[Keep a copy of the letter for yourself.]
How Private Is My Credit Report?
Credit reports are a gold mine of
information about consumers. They contain Social Security number, date of birth,
current and previous addresses, telephone number (including unlisted numbers),
credit payment status, employment, even legal information. Ordering your credit
report once a year and knowing your credit reporting rights are among the most
important steps you can take to safeguard your privacy.
The federal Fair Credit Reporting
Act (FCRA) as well as state laws restrict who has access to your sensitive
credit information and what uses can be made of it. These federal and state laws
also set the standards for the operation of credit reporting agencies, called
"CRAs" or "credit bureaus." The CRAs have also adopted voluntary guidelines to
improve consumer services. Significant changes to the FCRA became effective in
October 1997, and are included here. To learn more about the 1997 amendments to
the FCRA, see
www.privacyrights.org/fs/fs6acrdt.htm
What is in my credit report?
Your credit report is actually a
credit history. It is compiled from data about you from many different sources.
Companies that have granted you credit make regular reports about your accounts
to the three main CRAs: Equifax, Experian (formerly TRW), and Trans Union. If
you are late in making payments, those to whom you owe money such as utilities,
hospitals, landlords and others may report this information to the CRA. Your
bank may inform the CRA if you overdraw your account or do not make credit card,
auto loan, or mortgage payments on time. Your credit report may also contain
information about delinquent child support payments. The FCRA allows CRAs to
report records of convictions of crime. However, it is not the practice of any
of the three main CRAs to report criminal convictions on credit reports. Such
information may, however, be reported in connection with an employer background
check.
In addition, your credit report
contains your name and any name variations, your address, and previous
addresses, telephone number, Social Security number, year and month of birth,
and employment information. Information in your report also includes matters of
public record such as civil judgments, tax liens and bankruptcies. Because you
have the right to know who has inquired about your credit file or has requested
your report over the last six months, any copy of the report you receive must
also include the identity of all such inquiries. Inquiries related to
pre-approved offers, as well as your own inquiries, are not available to credit
grantors. However, they are included in credit reports that you order for
yourself.
Can a credit reporting agency
deny my application for credit? How do credit scores affect my application?
CRAs do not make decisions
regarding a consumer’s creditworthiness. Rather, the CRA compiles reports of
what your file contains and passes that along to the potential credit grantor.
Credit decisions are, in fact,
generally made based upon a number of factors that comprise a "score." Inquiries
made in connection with your applications for credit may also be a factor in
your score. If, for example, you have applied for several credit cards or loans
in a short period of time, this may result in a lower score. Inquiries made in
connection with pre-approved credit offers or those you make yourself should not
result in a reduced score.
The practice of credit scoring is
widespread and growing. Until recently, consumers have seldom gained access to
their credit score and have not been able to learn the factors that went into
the scoring. But a new law in California gives mortgage applicants a right to
see their credit score (California Civil Code 1785.10, 1785.15-1780.20, SB 1607
in the 2000 legislative session). And the credit industry is voluntarily
loosening its grip on the credit score because of legislative and marketplace
pressures. To learn more about the topic of credit scoring, see the Federal
Trade Commission’s (FTC) information at
www.ftc.gov/bcp/conline/pubs/credit/scoring.htm. Additional information can
be found at the Fair, Isaac and Co. (FICO) web site (www.fairisaac.com).
FICO is the leading developer of scoring methodology. The credit score is often
called a "FICO."
Is there anything that cannot be
in my credit report? How long can information be reported?
Certain pieces of personal
information cannot be in your credit report:
- Medical
information (unless you give your consent).
- Notice of
bankruptcy (Chapter 11) that is more than 10 years old.
- Debts
(including delinquent child support payments) that are more than seven years
old.
- For
California residents, records of arrest, information, or misdemeanor
complaints must be removed after seven years. But under federal law, records
of criminal convictions may remain on a credit report indefinitely.
- Age,
marital status, or race (if the request is from a current or prospective
employer).
Certain kinds of information may
remain on your report indefinitely. If, for example, you are applying for
credit, insurance or employment above the dollar limits noted below, information
can be reported beyond the usual seven to ten year deadlines.
- A credit
transaction involving, or which may be expected to involve, an amount of
$150,000 or more.
- Information about a job with a salary of more than $75,000.
- An
application for credit or life insurance for more than $150,000.
- Tax liens
that are not paid.
Who has access to my report?
Anyone with a "legitimate business
need" can gain access to your credit history, including:
- Those
considering granting you credit.
- Landlords.
- Insurance
companies.
- Employers
and potential employers (but only with your consent).
- Companies
with which you have a credit account for account monitoring purposes.
- Those
considering your application for a government license or benefit if the
agency is required to consider your financial status.
- A state or
local child support enforcement agency.
- Any
government agency (limited usually to your name, address, former addresses,
current and former employers).
Generally, only an employer or
prospective employer needs your written consent to obtain a report. An exception
is Vermont where any user needs your oral or written consent. In practice, most
potential creditors ask for your permission to review your report. Your
permission is not required when inquiries are made in connection with a
pre-approved credit offer.
Can I find out what is in my
credit report?
Absolutely. Your right of access is
mandated by federal and state laws. You may obtain a copy of your report by
writing or calling the three CRAs. In addition, Experian and Equifax now offer
online access to credit information. Ordinarily, there is a charge of $8.00 -
$9.00 in most states for your credit report. The charge is $8.00 if you live in
California and free if you live in Colorado, Georgia, Maryland, Massachusetts,
New Jersey or Vermont.
There are certain times when you are
entitled to a copy of your report free, no matter where you live. In the event
of an adverse decision related to your employment, the employer is required to
give you a copy of your report. Otherwise, the free report should be requested
from the CRA. You are entitled to a free credit report:
- If you
have been denied credit (you must request a copy within 60 days).
- If you
are unemployed and intend to apply for employment in the next 60 days.
- If you
are on public welfare assistance.
- If you
have reason to believe your file contains inaccurate information due to
fraud.
- If an
adverse decision related to your employment has been made based in whole or
in part on information contained in the report.
- If your
report has been revised based upon an investigation you request.
To get a copy of your report you
will have to give the CRA certain information. The information you need to
provide may vary slightly, depending on the CRA you contact.
- Full name
(and if a Jr., Sr., or II)
- Social
Security number
- Driver’s
license information
- Current
address and your address within the last five years
- Date of
birth
- Signature
- Home
telephone number
- Employer
For a copy of your report write,
call, or connect online with:
Equifax, Inc.
P.O. Box 740241
Atlanta, GA 30374
(800) 685-1111
www.equifax.com

Experian
National Consumer Assistance
Box 2104
Allen, TX 75013-2104
(888) 397-3742
www.experian.com

Trans Union LLC
Consumer Disclosure Center
P.O. Box 1000
Chester, PA 19022
(800) 888-4213
www.transunion.com

You may also obtain a copy of your
credit report from companies who contract with the CRAs to sell their products.
Many of these products are available on the Internet. Some companies sell a
merged version of all three reports. They also provide credit monitoring
services that alert you to activity on your report, such as any new credit
accounts, the placement of negative information, inquiries from creditors, and
so on. To find such companies, use an Internet search engine and look for
"credit reports" and "credit monitoring." Examine these companies
and their offers carefully. You will be asked to disclose sensitive personal
information in order to obtain your report. Do your homework before signing on
the dotted line. And do not fall for the promises of "credit repair services"
and "credit doctors" who advertise on television and on the Internet. The vast
majority of such services are ineffective, even illegal. Additional information
on credit repair services is provided below.
How will I know if there is
negative information in my report?
The best way to determine if you
have negative information in your credit report is to order a copy and check it
carefully. For a thorough review, you should check with all three CRAs since
there may be some variations in the file each CRA maintains on you. This should
be done at least once a year. Because the crime of identity theft is on the
rise, we recommend that you check at least one of your credit reports every six
months.
You should also check your credit
report when you know it is going to be used to make important decisions, such as
applying for an automobile or home loan, renting an apartment or applying for a
job. Reports should be ordered at least one to two months before you apply for
credit or intend to rent. At these crucial times, you do not want to be
surprised to find that your report contains negative information, especially if
that information is inaccurate.
A creditor has the duty to report
only accurate, complete and updated information to a CRA. For example, if you
close an account voluntarily, your creditor must report this fact in order to
distinguish it from an account that is closed for nonpayment. If you disagree
with a creditor's report of negative information, the creditor must put a notice
of that dispute in your file before reporting to the CRA.
What can I do if there are errors
in my report?
There is no denying that errors can
and do appear in credit reports. The July 2000 issue of Consumer Reports
cited a study where more than 50% of the credit reports checked contained
errors.
There are two main reasons errors
may appear on your credit report. One is when you have been mistaken for another
person with a similar name and their information ends up in your file. The other
more serious cause of error is fraud. Someone may have intentionally gained
access to your personal information and obtained credit in your name. Instances
of identity theft are increasing. See PRC Fact Sheet No. 17, "Coping with
Identity Theft"
www.privacyrights.org/FS/fs17-it.htm
and Fact Sheet 17a, "Identity Theft: What to Do if It Happens to You"
www.privacyrights.org/FS/fs17a.htm.
Both state and federal laws provide
you with the right to have errors corrected. Credit bureaus are regulated under
the California Consumer Credit Reporting Agencies Act (California Civil Code
section 1785 et seq.), the laws of other states, and the federal Fair Credit
Reporting Act (15 USC 1681 et seq.). For information on the law in your state,
contact your state’s consumer protection bureau or office of the Attorney
General. National credit bureaus must have a toll-free number so you can contact
them with your questions. Also, credit reports must provide an address to
request an investigation of inaccurate information.
Once you have notified a CRA of your
dispute, both federal and California law allow 30 business days for an
investigation. The bureau must consider all the relevant evidence you give it,
and errors must be corrected. If the CRA cannot verify negative information, it
must be deleted from your file. You are entitled to receive a free copy of your
corrected report. You may ask the credit bureau to send a corrected report to
anyone who has requested your file in the past six months, as well as to anyone
who has requested it in the last two years in relation to employment.
If you disagree with the result of
the CRA’s investigation, you have the right to submit a 100-word explanation.
The credit bureau must include the explanation in your file although the
negative information will not be removed.
Some consumers who have had errors
corrected find the incorrect information reappears in their files at a later
date. Both federal and California laws require credit bureaus to notify the
consumer within five days of reinserting information. Negative information
cannot be reinserted into your file unless the credit bureau takes the added
step of having the source of the information certify that it is complete and
accurate. Credit bureaus must provide the subject of the report with a toll-free
number to dispute the reinsertion and the opportunity to include a dispute
statement. However, even if you have had errors in your report corrected, it is
wise to periodically check your credit report to make sure the errors do not
reappear.
Can I have negative information
deleted if the entry is not an error?
After seven years, negative
information in your report should automatically be deleted. Under federal as
well as California law, the seven years begins 180 days from the date of the
original delinquency. A Chapter 7 bankruptcy should be deleted after 10 years
from the filing date. A Chapter 13 bankruptcy, which includes some debt
repayment terms, remains on your credit report for seven years. Otherwise,
negative information will remain in your file for the period allowed by law.
However, you may include in your 100-word explanation any extraordinary
circumstances that led to the negative information, such as the loss of a job or
illness.
Companies or individuals promising
quick fixes are almost always fraudulent. The important thing to remember is
that no one can have accurate information removed from your credit file.
The law offers some small protection to consumers who deal with so-called
"credit doctors" or "credit repair clinics." Such companies are prohibited from
charging a fee before completing a promised service.
A better alternative for help with
re-establishing good credit is to contact a member agency of the National
Foundation for Consumer Credit, such as the Consumer Credit Counseling Service.
These nonprofit groups have offices in most cities. To find the office nearest
you, call or write:
National Foundation for Consumer Credit, Inc.
8611 Second Avenue, Suite 100
Silver Spring, MD 20910
(800) 388-2227
www.nfcc.org

Beware of other credit repair
services. Generally they promise a lot, charge a lot, and deliver little. For
more information about credit repair services, see
www.ftc.gov/bcp/menu-credit.htm.
Can the information in my credit
file be used for any other purposes?
Yes. The practice of generating and
selling lists for use in "pre-approved" credit and insurance offers is allowed
by law. Trans Union, Experian and Equifax all engage in selling lists of
consumers who meet certain criteria in order to receive a "firm" offer of credit
or insurance. This is the source of the many pre-approved credit offers most
consumers receive in the mail. "Pre-approved" and so-called "firm" offers of
credit, however, can be somewhat misleading. A creditor may legally look at your
report before making the offer. If you respond, the creditor may again access
your report before you are actually granted credit. They can deny your credit
application at that time. This is explained in the fine print on the
pre-approved offer.
The law does not allow CRAs to
compile and sell information from credit reports for the purpose of
direct marketing. Although CRAs have engaged in this practice in the past, the
Federal Trade Commission, on March 1, 2000, ruled that Trans Union violated the
FCRA by the sale of personal credit information for target marketing purposes.
To read the FTC’s full opinion, see
www.ftc.gov/opa/2000/03/transunion.htm. Trans Union has appealed the FTC’s
decision and the matter is now under review in federal court. Equifax states it
does not sell lists used for direct or target marketing. Experian, on the other
hand, sells lists of consumers to marketers derived from consumer surveys,
demographics sources, and public records. Experian states that it does not sell
information obtained directly from credit reports for marketing purposes. See
www.experian.com/directmktg/lists.html.
You can remove your name from any
list compiled by a CRA, whether the list is for pre-approved credit offers or
direct marketing. To "opt-out," that is, to remove your name from mailing lists
compiled by credit bureaus, call the toll-free number all CRAs are required by
law to maintain for this purpose: (888) 5OPTOUT or (888) 567-8688. This phone
number can be used to remove your name from the list of all three CRAs.
You may also write to the CRA, and the CRA may also provide an online means for
opting-out.
The 1997 amendments to the FCRA
allow a subsidiary of a bank holding company to share its customers’ credit
reports and information from credit, employment, or insurance applications with
other affiliates of that company. The 1997 amendments to the FCRA give you a
right to opt-out of the sharing of affiliate information. Look for opt-out
instructions in the fine print of your credit card bills and bank statements.
You will be provided with an address to contact to alert financial services
companies of your opt-out preferences. The FCRA amendments require that if an
adverse action is taken based on affiliate-shared information, you are to be
notified. The consumer organization U.S. PIRG (www.pirg.org) states that
affiliate sharing is among the most controversial changes to
the FCRA. It could result in the establishment of bank subsidiaries that act
like credit bureaus but are exempt from the act.
A loophole in the FCRA enables the
credit bureaus to sell the "directory information" from credit reports, called
"credit headers." This information includes name, address, previous addresses,
telephone number, date of birth, and Social Security number. The FCRA’s opt-out
provision that applies to pre-approved offers of credit does not apply to
credit headers. You are not able to opt-out of the sale of your credit header
information by the CRAs. This information is sold to many information brokers
who in turn sell it for a variety of investigative purposes. The sale of credit
headers is highly controversial. Several bills have been introduced in Congress
to prohibit the sale of headers, or at the very least to restrict the sale of
Social Security numbers, which are contained in credit headers.
What can I do if my rights under
the FCRA have been violated? Where can I complain?
You may sue a CRA or a company that
provides data to a CRA in federal or state court. If you win, you may be
entitled to recover an amount for damages you have actually incurred or a
maximum of $1,000, whichever is greater. You may also recover court costs and
attorney fees.
In addition to filing your own
lawsuit, you may complain to the FTC or your state Attorney General’s Office.
Although government agencies do not represent individual citizens, agencies
charged with enforcing laws such as the FCRA do investigate reported violations.
In most cases, an agency’s primary source of information is complaints from the
public.
While the FCRA is generally enforced
on the federal level by the FTC, compliance by those who use or furnish
information to a CRA may be enforced by other federal agencies such as the
Federal Deposit Insurance Corporation and the Comptroller of the Currency.
Complaints of violations of the FCRA may also be filed with those agencies.
Other federal agencies with authority to enforce the FCRA can be found at the
end of this fact sheet.
To summarize your credit
reporting rights, you have the right to:
- Obtain a
copy of your credit report (sometimes free).
- Know who
has received a copy of your report.
- Dispute
inaccurate information.
- Explain the circumstances, even if negative information is
included.
- "Opt-out"
to prevent credit bureaus from using your information for marketing.
- Complain
to the appropriate government agency or file a lawsuit.
How does an investigative
consumer report differ from a credit report?
Some credit reporting agencies and
investigation companies compile what is known as "investigative consumer
reports." Such reports are covered under the FCRA and laws in many states. An
investigative consumer report can only be used in limited circumstances
including employment background checks, insurance, and rental housing decisions.
An investigative consumer report does not contain information about your credit
record that is obtained directly from a creditor or from you. For example, an
investigative consumer report should not contain information about a late
payment. This type of report cannot be used to grant credit.
Investigative reports can contain
information on your character, reputation, personal characteristics and
lifestyle. This information may be gathered through personal interviews with
neighbors, friends, associates or acquaintances, as well as a search of public
documents such as property and court records.
Because the information in these
reports is so detailed and may be sensitive, both federal (FCRA) and state laws
impose stricter regulations on CRAs and other investigators that compile
investigative reports (federal FCRA, 15 USC 1681d sections 604, 606, and 615;
California Civil Code 1786 et seq.). Federal law requires the requester of an
investigative consumer report for employment purposes to obtain permission to
conduct the report. An exception would be, for example, if an employee were
being investigated for possible criminal activity. If the information obtained
in the report is used by the employer to make a negative hiring decision, the
employer must give the applicant a copy of the report. You have the same rights
to correct and dispute inaccurate information in an investigative report as you
have in a credit report.
If you want more information on
investigative consumer reports used for employment purposes, see
www.ftc.gov/bcp/conline/pubs/buspubs/credempl.htm. See also PRC Fact Sheet
16, "Employment Background Checks: A Jobseeker’s Guide,"
www.privacyrights.org/FS/fs16bck.htm.
FOR MORE INFORMATION
General information:
The federal government agency that
oversees the credit reporting agencies is the Federal Trade Commission (FTC). It
has developed several informative brochures on credit-related topics. If you
have a complaint about a credit bureau, you may report to the FTC online, by
mail, or by calling the toll-free number.
Federal Trade Commission
Consumer Response Center
600 Pennsylvania Ave. N.W.
Washington, D.C. 20580
(877) FTC-HELP (877-382-4357)
TDD (202) 326-2502
www.ftc.gov
The San Francisco-based nonprofit
organization Consumer Action provides numerous brochures in several languages on
credit-related topics. This organization also maintains a hotline and provides
advice and referrals on a variety of consumer problems.
The three credit bureaus are also a
source of information. See their addresses and websites above. See also their
trade organization, the Associated Credit Bureaus,
www.acb-credit.com.
Credit reporting laws:
Government agencies:
Consumer organizations:
The Privacy Rights Clearinghouse
acknowledges the assistance of Ed Mierzwinski of USPIRG in reviewing this
publication.