New Vermont ‘opt-in’ privacy law faces legal challenge

Beginning next week, financial services companies with Vermont customers will face strict limits on what they can do with the personal data of state residents. These new privacy rules have prompted five insurance industry trade groups to jointly file a lawsuit against state officials, while also warning that the rules will hike business costs and hurt customers.

Vermont’s rules set an “opt-in” standard, requiring affirmative customer consent for sharing customer data in certain instances. Financial institutions in the United States generally follow the federal Gramm-Leach-Bliley law, which allows the “opt-out” standard, meaning that unless the customer tells a bank, securities firm or insurer not to share data, the institution can do so.

Vermont’s privacy rules mean that companies must adapt their customer systems to recognize the Green Mountain State’s unique regulatory provisions.

“The industry can just assume that everybody with a Vermont ZIP code has opted out,” said Elizabeth Costle, the commissioner of Vermont’s Banking, Insurance, Securities and Health Care Administration. “That’s the easy way to fix your computers.”

That’s exactly what companies might do. Instead of adapting systems to meet the state’s rules, they are warning that Vermont residents may be excluded en masse from the kinds of offers and information that data sharing allows.

“It would be a long time before anyone could afford to put in an opt-in system that would meet the goals of what [Costle] laid down,” said Stephen Durkee, the privacy implementation officer at Citigroup Inc. in New York. “So effectively, everybody in that state will have to be treated as if they opted out.”

Vermont’s rules illustrate the limits of the Gramm-Leach-Bliley Financial Modernization Act, which took effect last July, and underscore industry fears that states may adopt differing privacy rules, hiking compliance costs. The federal law didn’t pre-empt a state’s ability to adopt tougher privacy standards.

“I think Gramm-Leach-Bliley very specifically said that states can have a stricter standard,” said Costle. “That’s fairly unusual in legislation. We’re not going against [the law] at all. We’re specifically complying with it.”

Most notably, Vermont’s standards require an opt-in decision for the sharing of information with third parties — typically marketing agreements that financial institutions use to round out service offerings to customers.

Vermont’s rules are a broader application of the state’s existing banking privacy laws and not the result of legislative action. The insurance trade groups filed suit Jan. 30, challenging Costle’s authority to make those changes, which take effect Feb. 15.

“The feeling is that the commission usurped legislative authority,” said Jack Dolan, a spokesman for the American Council of Life Insurers, one of the groups involved in the lawsuit.

Opt-in is seen as a tougher standard because it forces companies to sell consumers on the idea of information sharing. It also requires companies to develop systems that recognize state law variances and to train employees. In contrast, opt-out offers are usually ignored; only 2 percent to 3 percent of consumers opted out in response to the privacy notices mailed out this past summer, according to federal and industry sources.

Even if the insurance industry succeeds in blocking Vermont’s law, it won’t end the debate. New Mexico is considering similar rules, and 13 states have pending opt-in privacy bills, including Arkansas, California, Florida, Hawaii, Illinois, Massachusetts, Minnesota, North Dakota, New Hampshire, New Jersey and New York, according to the Internet Alliance, a Washington-based group.

Costle said she believes she acted correctly and that the lawsuit will fail. Perhaps more important, the commissioner is convinced that residents want stronger privacy protections than those set in federal law.

“If you talk to the average U.S. citizen or Vermonter, they want their information protected,” she said.