The economics of financial privacy: to opt out or opt in?

Lacker, Jeffrey M.

A consumer's financial transactions give rise to a wealth of very personal data. Every credit card purchase, every ATM withdrawal, every loan payment, every paycheck deposit leaves an electronic trace at a person's bank. Advances in information technology now allow firms to collate information from disparate sources and compile comprehensive profiles of individual behavior. The resulting databases can allow businesses to target very specific consumer categories--high-income, gun-owning dog lovers, for example--in ways that were never before possible.

When should a bank be able to share information about you with other businesses? Some consumer advocates want to protect consumers' financial privacy by restricting such information sharing. New technologies, they say, have encouraged increased intrusions on consumer privacy, leading to more junk mail, more telemarketing calls, and a heightened risk of identity theft. They argue for tough "opt-in" laws that would require financial institutions to obtain a consumer's explicit consent before sharing personal information about them.

Banks and other financial service providers point out that information sharing provides benefits to consumers by allowing for more targeted marketing and services. The new technologies make it easier for businesses to find consumers that would be interested in buying their specialized products and services--hunting-dog training supplies, for example. Such marketing directly benefits consumers when it results in a voluntary purchase. In addition, greater information sharing can reduce wasteful marketing to consumers that are likely to be uninterested. With these benefits in mind, financial service providers argue for "opt-out" laws that merely require them to give consumers the right to request that their information not be shared.

After vigorous debate, Congress adopted an opt-out requirement for banks and other financial institutions as part of the Gramm-Leach-Bliley Act of 1999 (GLBA), legislation that was designed to encourage financial modernization. Any financial institution that intends to share nonpublic customer information with third parties (companies not related by ownership ties) must give customers an opportunity to deny them permission to do so, or opt out. In addition, financial institutions are required to provide customers with an annual statement of their privacy policy. Consumers received a blizzard of notices in the mall when those provisions were fully implemented in the summer of 2001. (1)

The controversy did not end with the passage of the GLBA. The Act allows individual states to adopt privacy provisions that are stricter than the federal standard if they so desire. California's legislature recently considered an opt-in law that would have required financial institutions to obtain customer permission before sharing information with third parties. Moreover, banks would have been required to give consumers the right to opt out of information sharing with affiliated companies (companies related by ownership ties).

This essay examines the opt-out/opt-in debate from the perspective of the economics of financial privacy. The premise is that a financial institution's privacy policy is a characteristic of the products and services the institution offers. We can therefore apply the well-understood principles governing how markets work when there are important differences in product characteristics. The result is surprising for both sides of the issue: it doesn't seem to matter whether opt-out or opt-in is adopted as the standard. Either way, competitive forces should bring about an economically efficient amount of information sharing. In fact, even in the absence of opt-out or opt-in laws, the amount of information sharing should be economically appropriate. Opt-out/opt-in laws will be irrelevant as long as financial institutions are not prevented from offering customers a range of desirable privacy options.

The broad and multifaceted issues that surround privacy go well beyond the opt-out/opt-in debate. Although this essay is narrowly focused on the latter, the general principles outlined here have a much wider application. At a fundamental level, opt-out versus opt-in is really a question about the proper allocation of "rights" in contractual relationships--a customer's right to privacy versus the right of a financial institution to share its information. The answer economics provides is that whether rights are allocated in accord with opt-out or opt-in is irrelevant, as long as consumers and financial institutions are free to agree to an alternative arrangement if it suits them. Most financial privacy questions concern the specification of rights of various parties in contractual relationships. The irrelevance result of this essay thus should carry over to other related settings; laws and regulations providing more (or less) "privacy rights" should generally have little effect on consumers' financial privacy. (2)

1. PRIVACY IN THE FINANCIAL MARKETPLACE

Financial privacy can be thought of as a bundle of characteristics associated with a particular financial service. A bank that does not share nonpublic customer information with third parties is providing its customers a service with different characteristics from a bank that does share such information. How do markets work when products or services differ in their characteristics?

In well-functioning competitive markets, consumers selecting among products with different bundles of characteristics are willing to pay more for products with characteristics they value. Some characteristics make a product more costly to provide. Producers are willing to supply products with more costly characteristics only if they are compensated for the additional cost. One would expect to see products with characteristics for which a customer's willingness to pay exceeds the incremental production cost. For example, some people are willing to pay more for a car with a built-in CD player, but CD players are costly. It is logical then that consumers whose willingness to pay exceeds the cost of the CD player would own cars with CD players.

Well-functioning markets generally provide goods and services that are appropriate when judged against the benchmark of economic efficiency. With regard to product characteristics, economic efficiency means that a given product characteristic is supplied if and only if the value of that characteristic to consumers exceeds its cost to society. When markets function smoothly, the incentives of producers and consumers are aligned with economic efficiency. Suppliers find it profitable to provide products with the appropriate characteristics, since consumers are willing to pay at least the additional cost. Characteristics for which consumers' valuations fall short of the cost of production cannot be profitably supplied.

Financial privacy is a service characteristic that some consumers prefer. Many consumers harbor deep concerns about privacy in general and financial privacy in particular. According to one recent poll, 56 percent of consumers say they are "very concerned" about potential loss of privacy. (3) Overall, consumers seem to have three main fears. (4) They fear being robbed or cheated by criminals that obtain personal information. They fear embarrassing revelations due to the disclosure of sensitive information. And they dislike intrusive marketing in the form of telephone calls or junk mail. When financial institutions share customer information with outside companies, it can erode customer privacy on all three counts.

Providing greater financial privacy can be costly for a financial service provider because it means foregoing the potential economic value of information sharing. Marketers can make better decisions the more information they have about prospective customers and are therefore willing to pay banks to get it. Better information helps marketers find customers who genuinely may be interested in buying their products and saves them the expense of soliciting consumers who are not. These benefits provide genuine economic value by increasing the probability of a successful buyer-seller match and decreasing the probability of wasting marketing efforts on those who would not be interested.

Consumers that place a high value on financial privacy ought to be willing to pay for high-privacy financial services. If consumers prefer that their bank not share nonpublic information about them with unaffiliated companies, they should be willing to pay for this service characteristic implicitly through lower deposit interest rates, higher loan interest rates, or higher account-related fees. More directly, banks could offer direct inducements--a bonus payment, coupon, or sweepstakes entry, for example--to customers that agree to information sharing. Many nonfinancial firms offer such enticements to customers that return "product registration cards" filled out with their name, address, and other information. Consumers that value financial privacy would pay by foregoing their bank's offer. Similarly, many grocery stores offer cards to customers that qualify them for discounts when they present the cards at checkout stations. In exchange, stores gather data on customer purchases.

Along the same lines, if sharing nonpublic customer information with third parties is economically beneficial, financial institutions should be willing to compensate their customers who allow them to do so. (5) The outside firms with which the information is shared should be willing to pay an amount up to the information's value to them. The financial institution should then be willing to pass this along to their customers in the form of higher interest rates on savings, lower interest rates on loans, or lower fees. More directly, they should be willing to simply pay those customers who agree to share an amount up to the incremental value of the information.

Ideally, the economic benefits of financial privacy should be balanced against the economic costs. When the economic value of sharing nonpublic customer information with third parties falls short of the value consumers place on preventing that information sharing, economic efficiency would dictate that no information sharing takes place. Similarly, when the economic value of sharing nonpublic customer information with third parties exceeds the value consumers place on preventing it, economic efficiency would dictate that information sharing should take place. If the market for financial privacy is well functioning, then we should see an economically efficient amount of financial privacy.

2. DOES THE MARKET FOR FINANCIAL PRIVACY WORK WELL?

Is there anything different about financial privacy? Are the markets for financial privacy poorly functioning in the sense that they deliver outcomes that are not economically efficient? There does not appear to be any plausible reason to think so.

For markets to misfunction in this sense, one of two conditions must exist: either a divergence between the value of a product characteristic to consumers and their willingness to pay it, or a divergence between the cost to suppliers of providing that characteristic and the overall cost to society. Divergences could be caused by externalities, monopoly power, or verification problems.

An externality occurs when an action by one group affects the well-being of others that do not transact with that group. For example, burning leaves in my front yard raises the risk of fire for my suburban neighbor. (6) Externalities are often invoked to explain a broad range of government laws and regulations--prohibiting suburban leaf burning, for example.

Is there an externality in the market for financial privacy? No, it doesn't appear so. Sharing nonpublic customer information about a consumer affects that consumer's privacy but not the privacy of other consumers. The sharing institution is a counterparty of the affected customer, and either can withdraw from the relationship. The two of them have ample opportunity to take information sharing into account when setting the terms of their relationship. Thus no parties are affected by the information sharing except those who are participants in the transaction.

"Public goods" are a type of externality that can result in inefficiency and are defined by two properties. They are nonrivalrous, meaning that one person's use does not detract from the ability of another to use it. And they are nonexcludable, meaning that one cannot prevent people from using it. A lighthouse is a classic example of a public good: one ship's use does not prevent another ship's use, and you cannot prevent a ship from using it. (7) Information is nonrivalrous because one person's use does not prevent another from using the same information. But information is excludable because you can prevent people from obtaining it. Therefore financial information is not a public good.

Monopoly power is another possible cause of market misfunction. When a firm is sheltered from competitive pressures it can raise prices and restrain supply. Similarly, a protected monopolist may find it profitable to supply too little of a desired product characteristic when customers are prevented from seeking preferred characteristics from other suppliers. This problem may have been relevant to the banking industry decades ago when competition was severely limited by regulatory restrictions on pricing, entry, and geographic expansion, but these restrictions have been largely dismantled. As a consequence, the market for financial services is now widely judged to be relatively competitive. Thus it seems unlikely that banks or other financial institutions are manipulating privacy policies because of significant monopoly power. (8)

A third potential cause of market misfunction stems from the difficulty of verifying whether a financial institution is living up to its stated privacy policy. A customer that receives junk mail or telemarketing calls may have a hard time discerning where the marketer obtained the information. The spelling of a name or address can be altered slightly in order to trace information sharing, but this technique is obviously limited. In cases of identity theft it is often impossible to determine exactly how the identity was stolen after the fact.

Do verification problems interfere with the efficiency of the market for financial privacy? Not necessarily. Note that there are a number of mechanisms to help ensure that an institution lives up to its privacy commitments, despite the difficulty of observing whether or not it has done so. First, an institution that fails to comply with its stated financial privacy policy may be liable for "unfair and deceptive trade practices." If caught, the institution would be subject to civil litigation as well as regulatory action by the Federal Trade Commission. The potential legal costs can deter noncompliance, even if the probability of detection is small. There is nothing particularly unique about financial privacy in this regard. Consumers often rely on hard-to-verify commitments by the firms they patronize--a commitment to product quality, for example.

Second, institutions that wish to attract customers for whom privacy is important will want to convince those customers of their organization's commitment to its privacy policy. Such institutions will have an incentive to cultivate and safeguard their reputation as a high-privacy entity. At least one prominent bank has advertised a "no telemarketing" promise, indicating that banks are capable of actively competing on the basis of their privacy policies. (9) Third parties can evaluate a financial institution's compliance, just as Consumer Reports independently assesses the quality of consumer products. The potential for embarrassing media publicity also motivates an institution to live up to its commitments. Standard industry practice is for a firm that rents its mailing list to approve every mailing or telemarketing script that is used. Evidently firms believe that at least some consumers could trace marketing contacts to them, with possibly detrimental effects on their customer relationships.

While reputational considerations and laws on trade practices can go partway toward ensuring that a firm is faithful to its stated privacy policy, some would argue that these mechanisms are inherently limited and imperfect. Enforcement is often costly and compliance is rarely 100 percent. Do these imperfections warrant legislative restrictions aimed specifically at information sharing? No. Any entity attempting to verify and enforce a financial firm's privacy commitments will confront the same imperfections. A governmental effort to enforce a ban on information sharing, for example, will face the same verification difficulties--costly enforcement and incomplete compliance--as would any private parties. So a government ban on information sharing would have no advantage; in fact, it would have the disadvantage of possibly preventing economically useful information sharing.

The market for financial privacy therefore appears to work fairly well. This means that we should expect economically efficient outcomes: information will be shared if and only if the economic benefits of information sharing exceed the value consumers place on preventing information sharing.

3. OPT-OUT VERSUS OPT-IN

Provided the market for financial privacy works fairly well, it should not make much difference whether we adopt an opt-outlaw or an opt-in law. Either way, an economically efficient level of information sharing will result. Why is this so?

Under an opt-outlaw, banks that value information sharing will be willing to provide inducements to get high-privacy customers not to opt out because information sharing can lower the cost of providing banking services. Similarly, automakers are willing to discount the price of cars without CD players, since these cars are less costly to build. Banks will be willing to pay an amount up to the incremental value of sharing the customer's nonpublic information. If that falls short of the value the customer implicitly places on privacy, then the customer will decline the inducement and opt out. In that case, the economic value of the information sharing is less than the cost to the customer of yielding this bit of privacy, and information sharing is not economically efficient. Alternatively, the customer may feel that the value of the inducement exceeds the value of preventing information sharing, in which case the inducement is accepted and the customer does not opt out. Here, the economic value of the informati on sharing exceeds the cost to the customer of yielding this bit of privacy, and information sharing is economically efficient.

Under an opt-in law, the reasoning and the result are exactly the same. Banks will be willing to provide the same inducement to get a customer to opt in as they would have provided to get a customer to refrain from opting out--up to the economic value of the information sharing. If that amount exceeds the value that the customer places on preventing information sharing, then information sharing will take place and is economically efficient. Otherwise the customer will refuse the enticement; in this case information sharing is not economically efficient and will not take place.

In fact, the same reasoning applies in the absence of opt-out or opt-in laws. If the law is silent on whether banks need to seek permission to share nonpublic information with third parties, banks nonetheless could decide to do so on their own. If some customers truly care about information sharing with third parties, they will seek out banks that give them the option of preventing it. If information sharing is economically useful, banks will find it more costly to serve customers that insist on preventing it. Competition will force banks to pass along the increased cost to high-privacy customers. Ultimately, an economically appropriate amount of information sharing will take place, with or without opt-out or opt-in laws.

The difference between opt-out and opt-in standards is like the difference between treating CD players in cars as standard equipment or as an add-on option. If CD players are an option, one would expect the price of the option to reflect the incremental cost. If instead CD players are standard equipment, the discount for cars without CD players should reflect the incremental cost. It should not make a difference whether car buyers have to ask to get a CD player in their car or ask not to have one. Either way we should see a market-clearing quantity of cars with CD players.

The debate between proponents of opt-out and opt-in seems predicated on the view that the choice would affect how many consumers would prevent information sharing. The hypothesis seems to be that fewer consumers would opt out under an opt-out standard than would fail to opt in under an opt-in standard. This could well be the case, but it would be evidence that many consumers are relatively indifferent about information sharing by their financial institution; they would not bother to opt out, nor would they bother to opt in. If this is true, then little is at stake for these consumers. Those who would neither opt out nor opt in evidently place little value on preventing their financial institution from sharing nonpublic information about them. The economic efficiency implications of the choice between opt-out and opt-in would therefore be negligible for them as well, even if participation rates differed significantly.

4. AN ALTERNATIVE LINE OF REASONING: THE COASE THEOREM

The knowledgeable reader may have noticed that the logic of this essay is closely related to the insights that Ronald H. Coase presented in his celebrated paper "The Problem of Social Cost." (10) (This paper was cited by the Royal Swedish Academy of Sciences in awarding him the 1991 Nobel Prize in Economics.) Coase wrestled with the issue of externalities, the same issue as in my leaf-burning example. Before Coase's paper economists generally believed that, absent government intervention, externalities would result in inefficient outcomes because one party (I, for example) would ignore the cost (increased fire hazard) that his action (leaf burning) imposed on another party (my neighbor). The contribution of Coase was to notice that the two parties could negotiate an efficient solution to the externality problem as long as the relevant rights were clearly assigned. For example, if I am entitled to burn leaves, my neighbor could offer to pay me not to, or could offer to help me dispose of them by some other met hod. Alternatively, if I am required to obtain my neighbor's permission to burn leaves, I could offer to pay my neighbor. If the value to me of burning leaves is less than the value to my neighbor of my not burning leaves, then my neighbor will pay me not to do so in the first case. In the second case, I will be unwilling to offer my neighbor enough money to get permission to burn leaves. Either way we get an efficient outcome; I don't burn leaves. The general proposition is that (under certain conditions) any well-defined allocation of property rights leads to efficient outcomes. This result is often called the Coase Theorem.

The application to financial privacy should be clear. Opt-out and opt-in are just different allocations of property rights. Opt-out means financial institutions have the right to share information; customers can ask them to stop. Opt-in means customers have the right to no-information-sharing; financial institutions can ask them for permission to share. Either way, according to Coase, the prediction is an efficient amount of information sharing.

The Coase Theorem has its limitations, however. It is said to hold only if "transaction costs" are zero; in other words, any agreement that is in the mutual interest of the parties is actually agreed upon. Transaction costs are the difficulties associated with actually reaching an agreement among the affected parties. It may be costly to communicate and coordinate among a large number of parties, for example. When transaction costs are significant, the assignment of property rights can affect efficiency. One premise of this essay, as I discuss later, is that the costs of opting out are negligible, in which case the Coase Theorem applies. (11)

The logic of this essay, however, differs subtly from Coase's analysis. Coase envisioned bargaining between affected parties. As a result, the assignment of property rights could alter the distribution of net benefits, even if that assignment had no effect on efficiency. For example, if I have the right to burn leaves, I get paid not to burn them; yet if I need permission, I earn nothing when I don't burn them. I am better off in the first case, while my neighbor is better off in the second case. The assignment of rights thus alters the relative wellbeing of my neighbor and me, even though either assignment leads to efficient leaf-burning decisions. In competitive markets, in contrast, the assignment of contractual rights generally does not affect people's well-being. The choice between opt-out and opt-in determines which rights are, by default, bundled together with financial services. Under either regime, competition and free entry implies that both high-privacy and low-privacy financial services will be av ailable at prices reflecting their true cost. In competitive markets, the choice of regime should have no effect on the net cost of financial services with particular characteristics, just as a law mandating that CD players be sold separately should have no effect on the total price of cars with CD players. The efficiency implication of Coase's famous theorem carries over to competitive markets, however, and buttresses the case made here: market mechanisms should work well at providing an efficient level of financial privacy.

5. OPT-OUT IN PRACTICE: FEW CONSUMERS DO

During the first half of 2001, many banks began mailing out the privacy notices required by the GLBA. Those that share nonpublic customer information with unaffiliated companies are required to give their customers the opportunity to opt out of third-party information sharing. Although there is only limited evidence so far, press reports suggest that the response rate is rather low. According to the trade publication American Banker, industry estimates of the number of consumers who have opted out "hover around 5 percent." (12) One survey of savings banks showed that more than half were experiencing an opt-out rate of one percent or less. (13)

Opting out does not appear to be very hard. The financial privacy regulations require that financial institutions give customers a "reasonable means" of exercising their right to opt out. The regulations even offer examples of acceptable and unacceptable methods. Providing a toll-free number to call or supplying a mail-in card for a check-box response are deemed reasonable means. Requiring a customer to write his or her own letter is not deemed reasonable.

Despite these requirements, critics claim that opting out is difficult because privacy notices are complex, confusing, and hard to read. (14) Food labels are often cited, in contrast, as a simple, well-understood notice system. Some financial institutions, however, are actively working toward simpler and clearer privacy notices. (15) Apparently, they view that it is in their business interest to make their notices as agreeable to their customers as possible. Many institutions sent privacy notices for the first time in 2001, and some experimentation and learning seem to be taking place. Perhaps opt-out rates will rise as GLBA privacy notices are refined and consumers learn about what they contain.

Nevertheless, the fact that so few bank customers are currently taking the relatively easy step of opting out seems to indicate that most consumers now place a negligible value on preventing financial institutions from sharing nonpublic information about them with third parties. A small fraction of consumers feel strongly enough to take advantage of the opt-out option. This group appears to place a significant value on guarding their financial privacy. But for a broad majority of Americans, the value they place on financial privacy does not exceed the inconvenience of exercising their right to opt out. (16)

This pattern--about 5 percent of people willing to take action to protect their privacy--is consistent with other evidence on consumers' privacy preferences. The Direct Marketing Association, a marketing industry trade group, offers consumers the ability to opt out of telephone or mail marketing by their members. The 4.2 million participants in their telephone opt-out program represent about 4.2 percent of U.S. households with telephone service. The 4.0 million participants in their mail opt-out program represent about 3.8 percent of total U.S. households. (17)

A very low opt-out rate is also consistent with other choices consumers make with regard to privacy. Few consumers disable cookies when browsing the Internet. (Cookies are small files that a Web site places on a user's computer to enable tracking the user on subsequent visits.) Few consumers read privacy notices. Many consumers readily provide their credit card number over the phone or to a waiter. (18) The picture that emerges, then, is that a few consumers place significant value on preventing information sharing by their financial institutions, but the broad majority of consumers are relatively indifferent.

6. OPT-OUT IN PRACTICE: FEW BANKS PAY

Financial institutions do not appear to be offering inducements to customers to get them to refrain from opting out. This suggests that the economic value of sharing nonpublic customer information is relatively low. Otherwise financial institutions would find it worthwhile to compensate their customers for their cooperation. In fact, not all institutions are even engaged in information sharing that would trigger the opt-out requirement. A survey of savings banks found that fewer than one-third needed to send out opt-out notices. (19)

Banks do not lack opportunities to share customer information. There is an active market for consumers' names, addresses, and other personal information. Individual merchants rent their customer lists to marketers, often through list brokers. Credit bureaus offer selections from their databases based on age, income, occupation, family status, net worth, type of automobile, religion, and so on. According to its Web site, Equifax even offers a selection based on a person's carburetor type. American Express offers customer lists selected on the basis of purchase patterns--shoe buyers that spend more than $1000 annually, for example. Lists are available from magazines, membership organizations, book clubs, and merchants. (20)

Apparently, the market for consumer information does not provide banks with sharing opportunities that would make it worthwhile to offer material rewards for consumer cooperation. A glance at the prices for such information suggests why--prices are relatively low. Rates for lists of merchandise buyers, for example, appear to be relatively consistent, ranging from 8 cents to 13 cents per name as of early 2001. Base prices at one large credit bureau range from 1.65 to 4 cents per name per mailing, depending on volume, with add-on charges for additional selection criteria ranging from .25 cents per name for length of residence, title, or gender to 2 cents per name for net worth. Thus the value to a financial institution of sharing nonpublic customer information might not be large enough to warrant offering a significant sum to customers.

7. WHY IS FINANCIAL PRIVACY AN ISSUE NOW?

Applying economics to financial privacy leads to the conclusion that financial markets can provide an appropriate balance between consumers' desires for privacy and the economic value of information sharing. If this is true, then why do surveys show widespread consumer concern about privacy yet few consumers taking action to opt out of information sharing? And why has there been such clamor for privacy legislation in the past few years, culminating in the financial privacy provisions of the GLBA?

The dramatic changes in communications and computing technologies in recent years might help explain why so many recent surveys report consumer concern about privacy. Financial institutions have always possessed detailed information about their customers. Moreover, active markets for customer lists have been around for decades. (21) Only recently, however, has the collation and analysis of information from disparate sources become highly automated. This technological advance allows more targeted marketing efforts; a company can solicit high-income, gun-owning dog lovers, for example. The resulting improvement in marketing success rates appears to have led to an increase in the number of mail and telephone solicitations.

Before the technological developments that lowered the cost of manipulating databases, assembling such detailed consumer profiles was not economically feasible. Consumers came to view the limited nature of information sharing by financial institutions as an implicit part of their contractual relationship, relying on the practical obscurity of what other firms knew about them. (22) Since widespread information sharing was impractical then, few surveys asked how consumers felt about it. New technologies have dispersed the fog of practical obscurity that formerly surrounded many consumer transactions. The privacy concerns that appear in consumer surveys could represent ex post regret at the lack of contractual constraints on information sharing. This conflicts, however, with the evidence cited earlier indicating that most consumers do not feel strongly about information sharing. Alternatively, perhaps consumer preferences haven't changed, but consumers are merely asked about them more often today. Now that inter firm information sharing is economically viable, we see surveys on the subject.

Economists are often skeptical of survey evidence on consumer preferences, but it is not the sincerity of consumers' responses that is in doubt. Surveys rarely confront consumers with the cost consequences of their choices. When asked whether they desire greater privacy without reference to cost, they are likely to say "yes"--more of a good is generally preferred to less, after all. But when confronted with real-life choices, many consumers decide that the benefits of greater privacy are outweighed by the costs. One recent study found a dramatic disparity between consumers' stated privacy preferences and their actual online behavior. (23) Participants answered many "highly personal" questions, despite having stated that privacy was important to them. The discrepancy between widespread consumer "concern" and the willingness of many consumers to readily compromise their privacy could well reflect the gap between the artificial choices implicit in survey questions and the real choices consumers actually face. (24)

8. CONCLUSION

The economics of financial privacy is based on the notion that a financial institution's privacy policy is a characteristic associated with the products and services the institution offers. In well-functioning markets, prices reflect product characteristics; consumers are willing to pay more for characteristics they value, and producers charge more for characteristics that are more costly to supply. Consumers that value financial privacy ought to be willing to pay for privacy policies that they prefer. And if it is economically beneficial to share information with other companies, financial institutions ought to be willing to compensate their customers for permission to do so. The fact that few banks seem to be paying customers not to opt out is strong evidence that the economic value of information sharing is relatively small. And the fact that so few consumers are opting out, despite the low cost of doing so, is evidence that few consumers place a significant value on preventing information sharing.

This line of reasoning also leads to a stark and surprising conclusion: the choice between opt-out and opt-in standards is irrelevant. Under an opt-out standard, banks could pay customers to refrain from opting out, while under an opt-in standard banks could pay customers to opt in. Either way, financial markets should deliver an efficient amount of information sharing. One puzzle remains, however: Why is financial privacy such a controversial issue if few consumers care enough about preventing information sharing to take simple steps to prevent it? Nevertheless, the economics of the issue is clear--financial privacy laws like the GLBA accomplish less than either privacy advocates or their critics presume.

(1.) The deadline for compliance was July 1, 2001. For more information on the financial privacy provisions of the GLBA, see the Federal Trade Commission's Web site (Federal Trade Commission 2002). The privacy provisions of the GLBA apply to any institution engaged in activities that have been deemed "financial in nature or incidental to such financial activities" under the Bank Holding Company Act. This means that whenever the Fed and the Treasury determine that an activity is financial in nature and therefore a permissible activity for a financial holding company, the entire financial industry is brought under the privacy provisions of the GLBA.

(2.) For other economic analyses of financial privacy. see Kahn, McAndrews, and Roberds (2000) and Bauer (forthcoming).

(3.) National Consumers League (2000).

(4.) Research by Alan Westin, as cited in Paul (2001).

(5.) See Kovacevich (2000).

(6.) One could argue that the two parties could negotiate an efficient solution to this problem; my neighbor can simply pay me not to burn leaves, or can sue me if the fire spreads. For additional explanation see the section on the Coase Theorem.

(7.) Coase (1974) pointed out, however, that coastal lighthouses are often funded from fees charged to ships using nearby ports, so even the services of lighthouses are at times excludable. A lighthouse is therefore only a public good when ships cannot be excluded from using its services if they do not pay--for example, in settings where most ships are on long-distance voyages.

(8.) If financial institutions were exercising market power and this resulted in inefficient financial product characteristics, a more appropriate remedy would be for regulators to ensure effective competition rather than regulate service characteristics. Moreover, it would appear inconsistent to regulate service characteristics on the grounds of impediments to competition while not regulating service prices.

(9.) The phrase appeared in television advertising for Capital One during November 2001. As of this writing (January 17. 2002), the company's home page prominently features the following description of their "New No-Hassle Card": "9.9% Fixed APR on Everything, No Telemarketing, No Annual Fee."

(10.) Coase (1960).

(11.) The costs are negligible in part because of the regulations that require financial institutions to provide customers with a "reasonable means" of opting out. In a sense, then, this part of the allocation of property rights has efficiency implications consistent with the Coase Theorem. The reasonable-means provision appears to be an efficient choice since it minimizes the "transaction costs" of opting out. Friedman (2000) applies Coase's approach to a broad array of privacy issues in which transaction costs are nonnegligible.

(12.) Lee (2001).

(13.) America's Community Bankers (2001).

(14.) See transcripts and supporting documentation from the workshop on effective privacy notices hosted by the Federal Trade Commission and the federal financial regulatory agencies (Federal Trade Commission 2001).

(15.) See the presentations by Marty Abrams, John Dugan, Patricia Faley, and David M. Klaus at the privacy notices workshop along with the public comments submitted by Walter Kitchenman, Vance Gudmundsen, and Steve Bartlett in connection with the event (Federal Trade Commission 2001).

(16.) One could argue that consumers are just lazy, but this reasoning leads to the same conclusion; the value they place on financial privacy is not enough to motivate them to opt out.

(17.) The three main credit bureaus also offer a program through their trade group that allows consumers to opt out of pre-approved credit offers, but the credit bureaus do not release statistics on the number of consumers opting out.

(18.) According to a recent survey, 24 percent of consumers protect their privacy by disabling cookies (Harris Interactive Inc. 2001). An American Bankers Association poll found that 36 percent of consumers said they had read their bank's privacy notice (American Bankers Association 2001).

(19.) America's Community Bankers (2001).

(20.) For information on lists see Equifax (2001), American List Counsel (2002), and Worldata (2002).

(21.) I recall my father managing rentals of his company's mailing list in the 1960s. The list was kept on "addressograph plates"--metal strips embossed with names and addresses. While these strips could be linked together for automated addressing of mass mailings, any sorting or selection had to be handled manually. The list was rented out through mailing houses that handled the actual printing and distribution. All rentals had to be approved by list owners. Decoys--false names and addresses--were included in the list to provide a means of verification by the list owner.

(22.) Gramlich (1999).

(23.) Spiekermann, Grossklags, and Berendt (no date available).

(24.) Harper and Singleton (2001).

REFERENCES

American Bankers Association. 2001. "ABA Survey Shows Nearly One Out of Three Consumers Read Their Banks' Privacy Notices." News Release (7 June).

American List Counsel. 2002. http://www.amlist.com [17 January].

America's Community Bankers. 2001. "ACB Privacy Compliance Survey." Manuscript (November).

Bauer, Paul. "Consumer's Financial Privacy and the Gramm-Leach-Bliley Act." Federal Reserve Bank of Cleveland Economic Commentary (forthcoming).

Coase, Ronald H. 1960. "The Problem of Social Cost." Journal of Law and Economics 3 (October): 1-44.

-----. 1974. "The Lighthouse in Economics." Journal of Law and Economics 17 (October): 357-76.

Equifax. 2001. TotalSourceXL. Consumer Database (Fall). http://www.equifax.com/business_solutions/information_services/docume nts/Fall_2001_TotalSource_XL_Rate_Card.pdf [17 January 2002].

Federal Trade Commission. 2001. Interagency public workshop entitled Get Noticed: Effective Financial Privacy Notices, 4 December, at The Ronald Reagan Building and International Trade Center, Washington, D.C. http://www.ftc.gov/bcp/workshops/glb/index.html [17 January 2002].

-----. 2002. "Gramm-Leach-Bliley Act: Financial Privacy and Pretexting." http://www.ftc.gov/privacy/glbact/index.htm1 [17 January].

Friedman, David. 2000. "Privacy and Technology." Social Philosophy & Policy 17 (Summer): 186-212.

Gramlich, Edward M. 1999. "Statement to the U.S. House Subcommittee on Financial Institutions and Consumer Credit of the Committee on Banking and Financial Services." 21 July 1999. Federal Reserve Bulletin 85 (September): 624-26.

Harper, Jim, and Solveig Singleton. 2001. "With a Grain of Salt: What Consumer Privacy Surveys Don't Tell Us." Manuscript, Competitive Enterprise Institute (June).

Harris Interactive Inc. 2001 "A Survey of Consumer Privacy Attitudes and Behaviors." Manuscript.

Kahn, Charles M., James McAndrews, and William Roberds. 2000. "A Theory of Transactions Privacy." Working Paper 2000-22. Federal Reserve Bank of Atlanta.

Kovacevich, Richard M. 2000. "Privacy and the Promise of Financial Modernization." The Region 14 (March): 27-29.

Lee, W. A. 2001. "Opt-Out Notices Give No One a Thrill." American Banker (10 July).

National Consumers League. 2000. "Online Americans More Concerned about Privacy than Health Care, Crime, and Taxes, New Survey Reveals." News Release (4 October).

Paul, Pamela. 2001. "Mixed Signals." American Demographics 23 (March): 45-49.

Spiekermann, Sarah, Jens Grossklags, and Bettina Berendt. No date available. "Stated Privacy Preferences versus Actual Behaviour in EC environments: A Reality Check." Manuscript, Humboldt University.

Worldata. 2002. Worldata & WebConnect Online Datacard Library. Online database. http://www.worldata.com [17 January].

The author is Senior Vice President and Director of Research. This article first appeared in the Bank's 2001 Annual Report. It benefited from the comments of the author's colleagues in the Bank's Research Department, especially John weinberg. Marvin Goodfriend, Laura Fortunato, Ned Prescott, Aaron Steelman, and John Walter, and from the assistance of Elise Couper. The views expressed are the author's and not necessarily those of the Federal Reserve Bank of Richmond or the Federal Reserve System.