Subject: S7-6-00 comments Date: 03/12/2000 12:06 PM The proposed Rules are totally inadequate and wrong-minded. re: 248.1 Paragraph (a) -- The only acceptable rules will be those which begin from the premise of "OPT IN", and *not* "opt out". The proposed Rule only serves to further place the burden of privacy protection on the consumer, rather than on those who would violate that right to privacy. re: 248.1 Paragraph (b) -- The scope is too narrow. By restricting the scope to only "financial product[s] or service[s]", the Rule allows for loopholes whereby a company could offer a product or service, claim that it was not "financial" in nature, and thereby be free to disclose the private information about its customer. Recent changes in laws which now permit financial institutions to engage in virtually any other (i.e.: non-financial) business activity ensure that this sort of violation will almost certainly occur. re: Section 248.4 Initial Notice to Consumers of Privacy Policies and Practices Required There is a serious timing problem with the proposed Rule. An institution could easily process a new customer account and begin dissemination of that customer's private information before the customer even had the opportunity to "opt out". The proposed 30-day period is inadequate in any number of normal situations (e.g., people being on vacation, etc.) Once the information has been released to the public or to any other party, the effect cannot be "undone". This kind of timing problem clearly illustrates why OPT IN is the only acceptable approach to privacy protection. There is no possibility of a timing problem when "opt in" is used, since the financial institution would not be permitted to act until a positive notice of permission had been received from the consumer. re: Section 248.5 Annual Notice to Customers Again, this is inadequate and places the burden of continuing to opt out on the consumer. A consumer's choice to "opt out" must be permanent and revocable only by a subsequent instruction from the consumer to the contrary. re: Section 248.9 Exception To Opt Out Requirements for Service Providers and Joint Marketing There must be NO commercial exceptions; only law enforcement should have the right to examine private, personal, information, and then only by written authorization in the form a search warrant issued from a basis of probable cause. re: Paperwork reduction OPT IN is inherently more efficient than any "opt out" approach. No annual/periodic notices are required. In addition, excessive numbers of requests from financial institutions requesting that customers allow them to release information should be treated as harrassment. /s/ Thomas H. Thiersch Concord CA