Victoria's Secret and Financial Privacy
By Chris Jay Hoofnagle and Emily Honig
Outside the Beltway, it is not well known that a Victoria's Secret catalog is one of the key reasons that Congress included privacy protections for financial information when passing the Gramm-Leach-Bliley Act (GLBA). The GLBA sought to "modernize" financial services--that is, end regulations that prevented the merger of banks, stock brokerage companies, and insurance companies. The removal of these regulations raised significant risks that these new financial institutions would have access to an incredible amount of personal information, with no restrictions upon its use.
In a session where House Commerce Committee Members "marked up" a draft version of the GLBA, Representative Ed Markey (D-MA) introduced an amendment that would add privacy protections. The Markey Amendment was strongly opposed by the banking industry. It added "Title V" to the Act, giving individuals notice and an ability to control some information sharing.
Prospects for privacy protection remained dim despite a series of testimonials by Members who recounted their experiences of having their Social Security Numbers and financial information sold. Representative John Dingell (D-MI) complained that the information sharing operated primarily to enrich banks at the expense of individuals' privacy. Referring to a recent speech by then OCC Comptroller John Hawke and a lawsuit brought by Minnesota Attorney General Mike Hatch, Dingell noted that big banks had sold account information to telemarketers who defrauded consumers. Representative Gene Green (D-TX) complained that his mortgage was sold along with his personal information to another bank. Representative Anna Eshoo (D-CA) noted that someone had obtained her Social Security Number and used it to file a false IRS claim.
Critical support for the Markey Amendment came from Representative Joe Barton (R-TX). Barton expressed concern that his credit union had sold his address to Victoria's Secret. Representative Barton noted that he started receiving Victoria's Secret catalogs at his Washington home. This was troubling—he didn't want his wife thinking that he bought lingerie for women in Washington, or that he spent his time browsing through such material.
Barton explained that he maintained an account in Washington for incidental expenses, but used it very little. Neither he nor his wife had purchased anything from Victoria's Secret at the Washington address. Barton smelled a skunk; he reasoned that since he spent so little money in Washington, his credit union was the only business with his address. Barton believed that he should be able to stop financial institutions from selling personal information to third parties, and supported the Markey Amendment. Congress enacted the bill, and now individuals have the right to direct financial institutions not to sell personal information to third parties.
One privacy lobbyist who was present at the markup session, U.S. PIRG's Ed Mierzwinski, recalls: "When the conservative from Texas, Joe Barton, joined with the liberal from Massachusetts, Ed Markey, to support strong privacy protections, normally smug and confident industry lobbyists who don't expect surprises ran from the room to call K Street for reinforcements, but by then it was too late to stop the privacy amendment in committee. The notion of a bank – previously considered by most observers as protecting information and money in its safes, as private as a confession booth or psychiatrist's couch -- instead secretly enabling a lingerie company's direct marketing efforts was a perfect metaphor to advance our cause."
Mierzwinski continued, "Of course, later on, those K Street lobbyists used their leadership connections to deny the committee-passed amendment any sort of fair vote on the House floor. But the incident was a Congressional high-water mark for privacy protection and was a spark-point that helped develop the left-right privacy coalition that continues on Capitol Hill and whose membership reflects the strong support for privacy that resonates through Americans of all political stripes."
A Technical Note
Chances are, Barton's address was not sold by the credit union directly to Victoria's Secret. Financial institutions regularly "furnish" data, including contact information, to credit reporting agencies. That is probably what happened here--the Washington address information was furnished by the credit union to a credit reporting agency, which then sold the address as part of a "credit header" to third parties. Prior to the effective date of the privacy provisions of Gramm-Leach-Bliley, credit reporting agencies sold such "credit headers" for marketing purposes. Credit headers usually have the most up to date address for any given person and they were used extensively by catalog companies and direct marketers to update their lists.
A recent article in Direct Magazine explains that Victoria's Secret is still using financial information collected before the Gramm-Leach-Bliley Act's protections took effect:
"Victoria's Secret's customer file was built through a combination of private label credit card, point of sale, mail order buyer and bank card data that was added before July 2001's Gramm-Leach-Bliley Act restricted the use of such information."
House Commerce Committee, Hearing Record on the Markup on H.R. 10, the Financial Services Act of 1999, Jun. 10, 1999 (The hearing record for this event is still not available online. You can view it yourself, but it will require that you actually leave your computer and visit the Archivist for the Committee. The Markey amendment is discussed on pages 261-273 of the hearing record.).
Complaint in Minnesota v. US Bancorp.
Office of the Comptroller of the Currency, Comptroller Urges Industry to End Abusive Practices And Elevate Customer Service Standards, June 7, 1999.
Richard Levey, Visible Means of Support, Direct Mag., Nov. 1, 2003.
EPIC's Financial Privacy Resources Page has summaries and links to important bank privacy laws, including the Gramm-Leach-Bliley Act, the law that Representative Barton played an important part in improving.
EPIC's Commercial Profiling Page explains how businesses buy and sell personal information.
EPIC's Fair Credit Reporting Act Page explains credit headers and other marketing uses of personal financial information.
These advertisements taken from the SRDS Direct Marketing List Source offer for sale the personal information of the customers of Victoria's Secret. In the top ad, the company charges $110 per thousand names. In this one, the company charges $130 per thousand names.
EPIC Privacy Page | EPIC Home Page
Last Updated: January 25, 2005
Page URL: http://www.epic.org/privacy/glba/victoriassecret.html