2001 Special Privacy Issue

 

Don't opt out on your right to opt out

By Linda Sherry

Since early this year, financial institutions have been mailing "privacy notices" to their customers in compliance with a new federal law. They give you the right to remove your name from marketing lists ("opt out"). These notices might look like junk mail, but if you dislike unsolicited mail and telemarketing calls it would be a mistake to throw them away.

The privacy notices must reach customers by July 1 and be mailed out annually thereafter. They are to let you know how, when and for what purpose the company shares or sells information about you and your accounts with other companies. The notices also spell out, albeit in fine print and legalese, your right to remove your name from marketing lists.

Often your personal account information is shared with unaffiliated companies in the normal course of business (when your checks are printed or when your account statement is prepared and mailed, for example). You can't stop this from happening.

But you do have control over whether companies sell your name and sensitive personal data, such as your home address, phone number and account information, to other businesses that would like to sell you something.

The privacy notices are required by the Financial Services Modernization Act, a new law that is also known as "Gramm-Leach-Bliley" after the three congressmen who introduced it. The law revokes the Glass-Steagall Act, a Depression-era legal barrier preventing the consolidation of banks, insurance companies and brokerage firms under a single corporate ownership.

The repeal of Glass-Steagall is spawning financial supermarkets selling checking accounts, stocks, mutual funds and life insurance under a single name.

Privacy notices

Under the law, you have the right to ask the company to remove you from sales lists. Your right to opt out is described in the privacy notices you've been receiving.

Anyone who does business with a bank, credit union, brokerage, insurance company, auto lender and/or mortgage company must get the notices. But so far, people who actually follow the instructions for opting out have been few and far between: as few as one percent of customers by some accounts. For one thing, you might have gotten dozens of notices, and each company requires that you contact it separately in order to opt out.

Privacy notices are already notoriously difficult to understand. "These notices are not easy reading," said Cher McIntyre, Consumer Action's director of advocacy. "But if you don't plow your way through, or at least contact the company and ask for a layperson's translation, information about your income, debts, payment history, bankruptcy, hospitalizations and more can be sold to the highest bidder."

Frank Torres of Consumers Union, speaking at a congressional hearing on privacy earlier this year, called the Gramm-Leach-Bliley law a "privacy free-for-all."

For instance, when you write checks, make purchases on your credit cards or use your health insurance, you are revealing a lot about yourself. Your financial records might contain information about your medical history, political affiliations, charities you support or things you buy, such as medications, alcohol or magazines. Under the law, this information can be shared with or sold to third parties unless you opt out.

"Complete strangers can, for a price, have access to your most intimate secrets," Torres warned.

Not plain English

Mark Hochhauser, a Minnesota-based consultant who specializes in helping companies create materials that are easy to read, looked at 34 privacy notices and concluded that the majority had unreasonably long sentences, numerous uncommon words and illegible type styles and fine print.

"If consumers are unable to easily see, read and understand these privacy notices, how can they make informed decisions regarding a bank's use of their personal information?" asked Hochhauser.

His report, "Lost in the Fine Print," is on Privacy Rights Clearinghouse's site (www.privacyrights.org).

The big loophole

While opting out is important if you want to prevent information about you from being sold to outside companies, it cannot protect you when a company shares information with its affiliates, such as subsidiaries and business partners. Industry lobbyists fought hard for this loophole, which by industry standards fits nicely with the new law that allows all sorts of financial institutions to share a corporate roof.

However, another federal law, the Fair Credit Reporting Act, allows you to prevent a company from sharing information about your credit history with its affiliates. This includes information about on-time and late payments on your bills as well as any data about your credit risk (credit scores) compiled using the information in your credit reports on file with credit reporting agencies.

Depending on the financial institution, you may have to opt out separately under the Financial Services Modernization Act and the Fair Credit Reporting Act.

Despite the loophole, privacy advocates recommend that you ask the companies you do business with to remove your name from marketing lists. Beth Givens of the Privacy Rights Clearinghouse, a San Diego-based non-profit advocacy organization, says, "No one can stop you from asking."

Opting out

The Gramm-Leach-Bliley law and the Fair Credit Reporting Act require that you be given opt-out instructions. Scan the privacy notices for the words "opt out." In most cases you'll be given a choice of writing a letter or returning a form, calling a toll-free number or visiting the company's web site. If you speak with a representative, be sure to mention that you want to opt out of marketing by "unaffiliated third parties" as well as marketing based on your credit history.

To help you exercise your right to opt out, Consumer Action has prepared a sample letter to send to all companies that send you a privacy notice. You can print it out as a PDF file, and fill in the blanks yourself.

"Even if you have already thrown out some privacy notices, it is not too late to opt out," advised McIntyre. "Make a list of the financial institutions you do business with (banks, credit card companies, brokerages, mortgage lenders, insurance companies, etc.) and contact each one to find out where to send your opt-out letter."

One-year report card for children's online privacy

By Sarah Hinds

The Children's Online Privacy Protection Act (COPPA) just celebrated its first year. Is the law a success? For parents and others concerned about children's privacy on the Internet, there's good news and bad news, according to a study released in April by the Center for Media Education (CME), a non-profit organization that studies the ways in which electronic media affect families and communities.

The first federal law governing Internet privacy, COPPA went into effect April 21, 2000 in an attempt to reduce the amount of "personally identifiable information" being collected online from kids 13 and under.

(COPPA is not to be confused with another federal law, the Child Online Protection Act, or COPA, which is on hold while it awaits an appeal to the Supreme Court. COPA was passed in 1998 to prohibit online sites from making sexually explicit material available to minors. It was challenged under the First Amendment by the American Civil Liberties Union and other plaintiffs and has been struck down twice by lower courts.)

Under COPPA, personally identifiable information is defined to include a child's name, address, e-mail, phone number or Social Security number: any piece of information that could be used to determine the child's identity. In order to comply with COPPA, commercial web sites are not allowed to collect, use, sell or share this kind of information without parental permission.

In addition, sites are required to post an easy-to-find privacy policy and make it possible for parents to restrict the sharing of any information collected about their children. Under the law, sites that violate any requirements are open to enforcement actions and civil penalties. The Federal Trade Commission is charged with overseeing compliance with COPPA.

CME surveyed 153 commercial sites popular with kids, ranging from toy manufacturers to sports teams' web sites.

The good news? Collection of phone numbers and home addresses is down substantially from 1998, when CME first surveyed the kinds of information being collected from children on the Internet. In addition, a majority of sites are posting appropriate privacy policies, which means that they clearly spell out what kind of data is being collected from children and how it will be used.

The bad news? Although the privacy policies are there, two-thirds of the 153 sites surveyed do not make it easy to find them. The links must appear on all pages where children are asked to enter their names or other personal information.

A majority of the sites surveyed did not get parental consent before collecting data. Nor did they notify parents after the fact, as COPPA requires. Thirty-two of the 153 sites surveyed by CME collected information that requires parental notification, but only four of these sites gave parents notice about their right to opt out of marketing offers. (For details about the required parental notice, see "How COPPA protects kids," below.)

The one-year anniversary of COPPA provides a reason to spotlight children's online privacy. Kids who spend time on the Net don't realize the subtleties of marketing and its unintended consequences, said Gabriela Schneider, senior policy analyst at CME.

Free toys and CDs

"Kids are more likely to be lured by incentive-based data collection, such as an offer for a free toy or CD if they give out their e-mail address or phone number," Schneider said. "They don't realize that entering something as simple as their pet's name could result in an onslaught of marketing for pet products."

Kids' buying power has marketers drooling. Jupiter Communications, a market research firm, estimates that young people from five to 12 will spend $100 million online by 2002. Some companies complain that the cost of complying with COPPA (up to $100,000) is forcing them to scale back.

To Schneider, the cost of complying is not an issue. "Something as important as children's privacy is not something I want to put a price tag on," she said.

CME's survey found sites that use creative ways to engage kids, gather information and still protect the family's privacy. As an example, Schneider mentioned Nickelodeon's Nick.com, which allows anonymous nickname registration.

'A good first step'

Schneider advises that we should continue to pay keen attention to children's electronic privacy. "COPPA is a good first step, but we need to keep a close eye on data collection in new media forms, as well as to investigate the differences in marketing aimed at teens as compared to younger kids," she said.

For more information about how to protect kids' privacy on the Internet, visit the FTC's "Kidz Privacy" site (www.ftc.gov/kidzprivacy) and CME's site (www.kidsprivacy.org).

Tips for worry-free surfing

Parents can do a lot to protect their kids' privacy online. Here are some suggestions:

  • Set clear guidelines about which sites your children can visit online and which sites are off-limits, just as you would with television programming.
  • Consider using a software filter that allows you to block certain sites.
  • Look for web site privacy policies and read them carefully.
  • Instruct kids not to give out information about themselves or your family without asking you first.
  • Bookmark all sites your child visits regularly, and jot down user names and passwords, in case you want to contact the company.
  • Keep the computer in a central area of the house, where you can monitor your kids as they surf the Net.
  • Go online alongside your kids and talk about the features of different sites you visit.
  • Educate your child about marketing and commercials: while they seem like entertainment, ads really are trying to sell something, whether or not you need it or can afford it.

How COPPA protects kids

By Linda Sherry

The Children's Online Privacy Protection Act (COPPA) regulates web sites directed at children 13 and under, and requires the sites to obtain verifiable parental consent before collecting personal information from children.

COPPA also prohibits companies that run sites of interest to children from making the collection of personal information a requirement for participating in activities online.

Such sites must obtain parental consent when and if kids are asked to give information that identifies themselves, such as their name, home address, telephone number or e-mail address.

Parental permission is also required before companies can send sales solicitations to a child or add a child to marketing lists that will be shared or sold to other companies.

"COPPA tries its hardest to limit marketing to kids," said Cher McIntyre of Consumer Action. "But you can't really see who's using your site. Kids can lie about their age and go anywhere they want on the Internet. Protecting children's privacy online involves a lot more; there are just too many loopholes."

Under the law, sites designed to be used by kids 13 and under must post a privacy policy. It must be available through a link on the web site's home page and at each area where personal information is collected. Web sites that are geared to appeal to both children and adults must post the privacy notice on the home page of the children's section.

Parents have the right to narrowly limit the kinds of marketing material they will allow their children to receive, and to expect notification if the company wishes to market another kind of product instead. If a parent has given a company permission to send a child information about computer games and the company wants to share the child's name with, or sell it to, a soft drink company, new parental consent must be obtained.

No consent needed

No consent is required if sites are:

  • Responding to a one-time request or message from the child.
  • Providing required COPPA notices to parents.
  • Communicating with parents about the child's safety.
  • Sending a newsletter or other communications on a regular basis, as long as the site contacts the parents and gives them a chance to say no.

The privacy policies required by COPPA must contain:

  • A description of the kind of information collected from children who visit the site.
  • An explanation of how the information will be used, including if it will be sold or shared with third parties, such as advertisers, list sellers or product manufacturers.
  • A way to contact a representative of the web site.

Parents' rights

Parents are allowed to see the information collected from their children by a web site. Parents may be asked to verify their identities to make sure that children's information isn't given out improperly.

Parents also have the right to delete the information and to revoke any prior consent.

Protecting public safety - but at what cost to privacy?

By Sarah Hinds

Recent technological innovations are making it possible for law enforcement to look for and catch criminals in ways never before imagined. But privacy advocates and civil libertarians caution that these innovations are eroding our privacy. Consumer Action News takes a look at some of these technologies, and why you might want to pay close attention to them.

If you own a cell phone, you'll soon be easy to find, even when you don't want to be. To make emergency calls traceable, cell phones will be equipped with tracking devices to pinpoint a phone's location within 328 feet.

When you dial 911 from your home phone, your address is instantly available to emergency personnel. But these days more and more 911 calls are dialed from cell phones.

While it's important to help victims in an emergency, the technology comes with side effects.

Fries with that?

To recoup costs, cell phone companies want to use the new technology to market to their customers by location. You might be walking or driving in an area thick with fast food restaurants and suddenly receive a cell phone message giving you 20% off if you eat at Burger King instead of McDonald's. If you're close to a department store, your phone might alert you to a sale.

Solicitations are bad enough, but who wants to carry a tracking device? "Most of us want to move around freely and anonymously," said Cher McIntyre of Consumer Action. "What's next? Will employers be able to track their employees' locations 24 hours a day?"

"Location information should be available only to 911 services, not marketers," said McIntyre.

The wide open road?

Automated highway toll systems, such as California's "FasTrak" and the "E-ZPass" in the Northeast, make it easy to zip around, but those who value their privacy might want to avoid them.

These systems provide users with a pass that lets them move through toll crossings without stopping to pay. The tolls are charged to a credit or debit card, so the systems record and store personally identifiable information about where and when commuters used their pass.

Such data was recently subpoenaed from FasTrak in a California case in order to prove that a car had been involved in a hit-and-run accident.

E-ZPass got into trouble last year when it was discovered that a web site glitch allowed the driving patterns of all customers to be viewed online.

Candid camera?

Facial recognition technology is one form of biometrics, a term that describes ways to identify humans using unique body features, such as fingerprints or irises. Facial recognition biometrics uses digital photos and computer software to reveal unique measurements of the face.

Beth Givens, director of the Privacy Rights Clearinghouse, said, "Of the many biometrics technologies, facial recognition biometrics is one of the most alarming because it can be deployed secretly, and is therefore invisible to the populace."

Earlier this year the Tampa, FL police revealed that they had secretly snapped photos of attendees at the Super Bowl in order to search for criminals and terrorists.

Despite public criticism over the "Snooper Bowl," Tampa law enforcement authorities like the technology. Late last month, they began using another company's facial recognition program to catch sexual offenders at a local entertainment complex popular with children and teens. The software secretly captures images of four people at a time, and screens them against a database of known sexual offenders.

Viisage, the company that owns the technology used at the Super Bowl (and also at ATMs, casinos and airports), states that it "envisions a day when society could be free from cards, keys, PINs and signatures. A person's face will be the private, secure and convenient password of choice."

Beefing up surveillance

Could someone secretly read your private e-mails or follow you around on the web? Yes. With a court warrant, the Federal Bureau of Investigation (FBI) can install its Carnivore software in the network of any internet service provider (ISP).

Under federal wiretap authority, the FBI can track and record suspects' e-mail and instant messages and the web sites they visit. In the process Carnivore goes through the communications of every subscriber to that ISP.

Most people would see this as an infringement of the right to privacy and Fourth Amendment rights, which protect against unreasonable search and seizure.

Barry Steinhardt, associate director of the American Civil Liberties Union, said that Carnivore is comparable to "allowing government agents to rip open Post Office mailbags and scan every piece of mail in search of one specific letter whose address they already know."

Privacy advocates propose giving ISPs more control, so that only the targeted messages are delivered to the FBI, instead of the FBI sifting through everything in order to find the messages they are looking for.

The status of Carnivore remains up in the air. A review under former Attorney General Janet Reno gave the software the green light, but electronic privacy advocates criticized the review as too lenient.

In June, House Majority Leader Dick Armey (R-TX) sent a letter to Attorney General John Ashcroft about Carnivore: "I believe the FBI is making a good faith effort to fight crime.... But I also believe the Founders quite clearly decided to sacrifice that kind of efficiency for the sake of protecting citizens from the danger of an overly intrusive government."

Guest Columnist: Privacy now

By Ari Schwartz

Center for Democracy and Technology

Sun Microsystems Inc.'s CEO Scott McNealy made waves two years ago when he made this statement about protecting privacy on the Internet: "You have no privacy, get over it."

Last year, McNealy said that while he still felt his earlier statement was true, the Internet was actually safer because "you can encrypt things" and "provide controlled access" to halt unwanted spying. So, do we have no privacy as a result of the digital revolution, or are we better off than we would be otherwise?

The privacy expectations of Americans have never before been so out of line with the privacy reality. This disparity produces the privacy anxiety that we have all felt at one time or another when we've wondered, for example, why a company wants our Social Security number.

Although companies have long been able to track our store purchases, they have never been able to infer our personalities from disparate data as they can on the web.

Yet, the Internet does offer new tools that could lead to greater privacy protection. The Center for Democracy and Technology (CDT) has put together this "Top Ten List" to help consumers protect themselves:

  1. Look for privacy policies on web sites.
    Web sites can collect a lot of information about your visit. Sites that ask you to provide even a small amount of personal information can tie the data you give to your browsing habits. Today, most web sites post a privacy policy that tells you at least some basic information about the site's practices. When you go to a web site that has no privacy policy, write and tell the company that you are a user of their site, privacy is important to you and you would like to see them post a policy.
  2. Opt-out of unwanted information sharing.
    Many online companies provide you with the option to get off (or "opt-out" of) the lists that share your information. Some companies enable users to easily opt out—users are often able to do so online. A number of companies go a step further and ask your permission ("opt in") before sharing personal information that they have collected. Often, however, companies make opting out difficult or virtually impossible: addresses are buried, one cannot opt out online, etc. CDT has created a one-stop web site (http://optout.cdt.org) to make opting out as easy as possible for many well-known companies.
  3. Get a separate account for your personal e-mail.
    Frequently, online users do not realize that e-mail sent from their work accounts is likely to be an open book to their employers. Even if you send e-mail from your home, copies are often stored on your employer's main computer server. Your boss has a legal right to read all correspondence in this account or on your work computer. Getting a separate account for home allows you to check your personal messages without using your workplace e-mail server.
  4. Teach your kids that giving out personal information online means giving it to strangers.
    Several years ago, a number of web sites encouraged children to give information about themselves or their family; some enticed kids with games and free gifts. A law went into effect last year that requires companies to gain parental consent before collecting personal information from children under 13 years old. If you are concerned about a web site collecting information from children without consent, you should communicate your concern to the Federal Trade Commission.
  5. Make sure that online forms are secure.
    Ensuring that your information is stored and transferred in secure ways is one of the keys to protecting your privacy. Fortunately, browser companies have realized the importance of data security; most browsers indicate whether the accessed page allows secure transfers. The commonly used graphic is a lock—locked is secure and unlocked is not secure. The graphic appears in the bottom corner of the browser screen; clicking on the lock will give you more security information about the page. Don't input sensitive information about yourself on web pages that are not secure.
  6. If you share a computer, clear your memory cache after browsing.
    After you browse the web, copies of all accessed pages and images are saved on your computer's memory. While these copies make subsequent visits to the same sites faster, the browsing record has grave implications for personal privacy, particularly if you share a computer or browse at work. You can delete most of your online trail by emptying the cache regularly. Information on how to do this can be found in your browser's "Help" index under "Cache."
  7. Reject unnecessary cookies.
    Cookies are information files that enable web sites to store information about your visit on your hard drive. Cookies inform site operators if you have visited the site and, if you have obtained a username and password, cookies remember that information for you. Many of the "personalized" search engines use cookies to deliver news topics you select; sites often use these same preferences to target you with ads. Furthermore, cookies can be used to track you online and enable a profile of you to be created without you realizing it. The newest web browsers, due out this summer, will have better tools to help you manage and block unnecessary cookies.
  8. If you have a broadband connection (such as DSL and cable), use a firewall.
    Broadband connections to the Internet are always on and often have a constant identification number. Therefore, you have to be more concerned about intruders (hackers) gaining access to your computer. Most cable and digital service providers know about this problem and can help you find a good security program (called a "firewall") that is easy to install.
  9. Keep your e-mail private—use encryption.
    E-mail can be easily rerouted and read by unintended third parties; messages are often saved for indefinite periods of time. Presently, there exist technologies that allow you to encrypt your messages in order to protect their privacy. Some e-mail programs have encryption built in. Pretty Good Privacy (PGP), a popular encryption software, is free for non-commercial use.
  10. Use anonymizers while browsing.
    From the moment you type in a web address, a log is kept with information about your visit. Every day, most of us walk down the street without being recognized or tracked, but such luxury is not available online. Tools that help you achieve greater anonymity are available at the SafeNet.com and Anonymizer.com web sites.

While consumers should be following these tips, privacy-enhancing tools and consumer vigilance alone cannot enforce baseline standards for privacy. Without basic protections in law, individuals will not be able to fully use these technologies. To rebuild public trust, we must know that "bad actors" will be punished and that certain minimum privacy expectations can be met.

So aside from the hyperbole, Sun Microsystems' CEO is partly correct: Americans lack the privacy protections they believe they should have, and the Internet is well suited to user-control technologies that can make the situation better. Yet McNealy's view is incomplete. A third component of the privacy solution must be found in enforceable rules implementing fair information practices: notice; choice; limitations on collection, use and disclosure; access; and accountability.

So get over it, Mr. McNealy. Americans care deeply about privacy, and they expect law as well as consumer products that live up to their privacy expectations.

Ari Schwartz is senior policy analyst at the Center for Democracy and Technology (CDT), a Washington, DC-based non-profit advocacy organization. CDT works to promote democratic values and constitutional liberties in the digital age. For more information, visit the CDT web site (www.cdt.org) or call (202) 637-9800.

Is your life an open book?
Public records on the Internet could violate your privacy

By Sarah Hinds

Would you put your name, address and phone number up on the web? How about your Social Security number or the details of your bankruptcy?

Most people would not, given how accessible the Internet is to people all over the world. However, this information and more could be included in the public record, which is increasingly accessible via the Internet.

Public records include a variety of things, ranging from property ownership information to birth certificates to arrest records. Public records are available to anyone who wants to look at them—provided they have the time, money and transportation to get to the courthouse or government agency where the records are kept.

These obstacles have traditionally kept public records out of the reach of most people, or "practically obscure," as the Supreme Court dubbed them in 1989. However, since the advent of the Internet, some very sensitive public records are only a click away.

Bankruptcy public records often include sensitive personal and financial information, such as Social Security numbers, mothers' maiden names and medical records—sometimes even tax returns or bank account numbers. And yet in many states, this information can be accessed for free on the Internet.

This could leave debtors open to identity theft, a type of fraud in which thieves obtain credit in your name by using stolen pieces of your personal information, such as Social Security numbers.

"Given the current epidemic of identity theft, how can anyone justify posting any document on the web that contains a person's Social Security number?" asked Ken McEldowney of Consumer Action. "Why don't we just lay out a welcome mat for crooks?"

Putting bankruptcy records online leaves people vulnerable to unwanted and even fraudulent marketing attempts. For example, fraudulent home equity lenders often target people who have recently declared bankruptcy by scouring courthouse public records. If these records are only a click away, crooks have a victim list at their fingertips.

Consumer Action found several regional bankruptcy court sites, including southern Indiana and eastern Washington, listing Social Security numbers of individuals who had filed for bankruptcy relief. The sites allow online searches by case number or name. The results instantly deliver each debtor's Social Security number to your screen.

"It's appalling how easy it is to access these extremely sensitive records," said McEldowney.

Court records are accessible through the PACER system, which stands for Public Access to Court Electronic Records. A simple registration process gains access to PACER and allows you to see records online.

Not every court's records are available electronically. But this could change in the coming years: a pilot electronic-filing program developed by the U.S. Courts is set to expand its network from nine courts to almost all of the country's 94 judicial districts by 2003. The Judicial Conference of the United States, which dictates policy for the federal court system, is currently deliberating the privacy issues after receiving hundreds of protests.

Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego, CA-based non-profit advocacy organization, pointed to the commercial information brokers who compile and sell bankruptcy lists. She suggested that the brokers should be required to notify individuals when their bankruptcy records are accessed.

Givens also said that bankruptcy courts should be required to notify debtors that their personal information can be obtained online or through physical examination by commercial information brokers.

Other privacy advocates call for a change in the definition of "public" information, so that sensitive data, such as Social Security numbers, are not part of the public record.

To make your opinion heard on whether or not public records belong on the Internet, contact your state and federal lawmakers. To find your federal lawmakers, go to the Thomas site (http://thomas.loc.gov). Visit "State and Local Government on the Net" for one-stop access to state and local government Internet sites.

Web aggregators: questions about privacy and liability

By Linda Sherry

Having your financial life online can get complicated. User names and passwords are a pain to remember, and it can be a hassle going from web site to web site. That's where companies that provide "account aggregation" come in. Give them access to all your accounts, and your balances and other information are displayed on one screen.

Sounds convenient. But can aggregators keep this motherlode of information from prying eyes? The jury is still out. While aggregators are serious about encryption and firewalls, their duties under laws that protect consumers from fraud and marketing abuses are not so clearly defined.

Account aggregators are "financial institutions" under the privacy provisions of the Gramm-Leach-Bliley Act, the financial services modernization law now in effect. (See lead story.) But it is still unclear how consumer protections against fraud and unauthorized use fit in, so caution is advised.

Under federal law, bank customers are not liable for unauthorized or fraudulent transactions. But when you use an aggregator, you voluntarily give the company your account numbers and personal identification numbers (PINs). Would consumers be liable for losses if a leak at the aggregation company resulted in misappropriated funds? So far, there is no official consensus on this point.

Linda Golodner of the National Consumers League pointed out in a white paper created by the electronic payments network Star Systems that major aggregation companies seem to be serious about security and privacy. "[But] all of this is strictly voluntary... everyone is going to have to play by the same rules and be subject to the same consumer protection regulations. Until then, [they] should disclose on their web sites in big bold letters which consumer protection regulations do or do not apply."

When third-party account aggregators first hit the scene a couple of years ago, banks were not pleased. Financial institutions were alarmed about liability, security and the possibility that customers would no longer visit their web sites. But there has been consolidation among third-party account aggregators, and many banks now offer aggregation services themselves.

When a bank acting as an aggregator receives information from another bank, it can't legally use that information for marketing or sales without letting customers know.

Aggregators are covered by the privacy provisions of the Gramm-Leach-Bliley Act. But questions have arisen about how they must comply. When they work for banks, are they affiliated companies or third parties?

Financial institutions have to provide customers with privacy policies and a description of their marketing practices, and give them a chance to limit the sale or sharing of information about themselves and their accounts with unaffiliated companies. (When customers limit a bank from using their information this way, it is called "opting out.")

But if aggregators are considered to be affiliates because they have direct marketing agreements, customers have no opt-out rights.

Theoretically, a bank could state in its privacy policy that it will sell and share information obtained from other banks via its aggregation customers—and hope for the best. If customers don't bother to opt out, the financial institution has a green light.

One-stop account information

Account aggregation is possible because of a technology called "screen scraping." When you register with an account aggregator, you give your bank and brokerage account numbers, log-in information and personal identification numbers (PINs). This allows the aggregator to consolidate the information for you. Special software programs visit other sites, log in and access your financial information. For the purposes of consolidation, the aggregators "scrape" only what they need.

The best known aggregator is Yodlee.com, which recently acquired its major competitor, Vertical One. Many banks and web sites offer account aggregation using Yodlee's services, including MyCiti.com, a division of Citigroup, and Yahoo.com.

Yodlee also has software that lets you track your accounts on web-enabled cell phones and hand-held computing devices like Palm and Handspring.

Currently, aggregators provide "look only" services—no transactions can be performed. If you want to transfer money, or sell or buy stocks or mutual fund shares, you can click on the account name to be linked to the company that established the account.

Services vary among companies. Some aggregators consolidate all your bills and remind you when payments are due. Others have the ability to crunch your account history and financial life into neat pie charts and graphs that show at a glance your various investments or how much you spent on food or entertainment last year.
