The Gramm-Leach-Bliley Act, Information Privacy, and the Limits of Default Rules

Abstract

The Gramm-Leach-Bliley Act (GLB Act) of 1999 sought to provide new rules for financial privacy. Only a few years after the GLB Act's enactment, however, it appears to have failed as far as privacy protection is concerned. The Act has pleased neither privacy advocates nor the financial industry. It may, in fact, be a rare legislative feat to have a single statute create so many diverse critics so quickly. This Article examines the GLB Act and its shortcomings through reference to and refinement of theoretical work regarding the law of incomplete contracts. The key scholarship concerns information sharing and "defaults," or background rules, for filling gaps in agreements. We explore three possible kinds of defaults: majoritarian, information forcing, and norm enforcing. This Article finds that the GLB Act's privacy safeguards are highly problematic as examples of either a majoritarian or information forcing default. The GLB Act also raises difficulties if evaluated as a background rule that seeks to enforce norms. In our judgment, information privacy should be conceptualized as a norm constitutive of a democratic society. The access to personal information and limits on it help form the nature of the society in which we live and shape our individual identities. For example, the structure of access to personal information can have a decisive impact on the extent to which certain actions or expressions of identity are encouraged or discouraged. Our concept of "constitutive privacy" suggests that information privacy is a kind of commons that requires some degree of social control to construct and preserve. Default rules, when viewed from this normative perspective, should have a limited role in norm enforcement because of the current poor functioning of the privacy market between consumers and financial institutions. In particular, the presence of bounded rationality along with coordination problems makes default rules a risky choice in this context of information privacy. Under such conditions, the law should generally seek to minimize harms that flow from reliance on bargaining among consumers and data processors. In this Article's final section, we explore ways in which to make the GLB Act's mandatory rules more flexible, and we propose possible revisions to the existing "notice and opt-out" default in the GLB Act. Finally, we revisit the GLB Act's opt-out requirement. We propose to improve upon this requirement by using social science research concerning the power of "frames." We also discuss the possible merits of a shift to an opt-in requirement.