Session One: Data Base Study
What are consumers' perceptions of (1) the benefits and risks associated with the collection, compilation, sale and use of this information and (2) appropriate uses of such information?
According to the Boston Consulting Group Survey, many consumers (70%) are highly concerned with the collection, compilation, sale, and use of their personally identifiable information. Most consumers believe that the personally identifiable information which they give online will eventually be sold. One in four give false information online, and nearly half will not give information when requested.
eTRUST understands that there may also be benefits to both merchants and consumers by the dissemination of this information. For example, merchants will be able to better inform consumers of products and services which directly correlate to their desires or needs.
eTRUST believes that an appropriate use of this information would be one in which the consumer knew what would happen to his or her personally identifiable information before it was given, and could therefore make an informed decision about its use.
Are there means to address any privacy or other legal interests implicated by the collection, compilation, sale, and use of information from these data bases? If so, please describe.
A company that licenses an eTRUST mark will be bound by the terms of that agreement; specifically, to treat personally identifiable information exclusively in the manner which was disclosed to the consumer. eTRUST foresees several possible means of protecting the consumers' privacy or legal interests in this information. The first would be to remove the company from the eTRUST program and publicly announce its non-compliance. The second would be to pursue the company for breach of contract. Finally, eTRUST would report a gross infraction of the eTRUST program to the Federal Trade Commission or a State Attorney General, for prosecution for fraud.
How should the benefits of the collection, compilation, sale, and use of information from these data bases be balanced against privacy or other legal interests implicated by such practices? Are there other ways to obtain these benefits without implicating privacy or other legal interests?
eTRUST believes that a self-regulatory system of disclosure, backed by an assurance and enforcement process, which informs the consumer of the potential uses of his or her information, would allow companies to obtain the benefits of collection without implicating the consumer's privacy or other legal interests.
Is the ultimate use of the information disclosed to the subject individuals? At what point in time is the use of the information disclosed? What is the content of such disclosures? Is there any information that should be added to these disclosures? If so, please describe.
A company licensed under the eTRUST Program must describe, in a standardized Privacy statement, what kinds of personally identifiable information it is collecting, with whom the company is sharing that information, and for what purpose the company is collecting that information.
The use of the information is disclosed to the consumer prior to or concurrent with the time he or she is solicited for personally identifiable data, by means of a recognizable and "clickable" trustmark.
In addition, the consumers are informed whether:
Should the collection, compilation, sale, and use of information from these data bases be subject to additional regulations or laws? If so, what regulatory or legal requirements are appropriate?
eTRUST believes that if there is an appropriate role for the government it could be in prosecuting fraud and deception. Voluntary systems of standards or ratings, whether for privacy or content, are more likely to be effective when backed up with strong government enforcement against misstatement as either deception or fraud. While wrongdoers could be prosecuted under the current framework, it is foreseeable that future enforcement may require additional regulations or laws.
Have data base operators undertaken self-regulatory efforts to address concerns raised by the collection, compilation, sale and use of sensitive consumer identifying information?
Several companies have taken the lead in addressing this issue. In addition to eTRUST's founding companies, over 500 companies have applied to become part of the eTRUST program. In particular, AT&T, Tandem, CyberCash, and independent investor Dan Lynch have each contributed $100,000 to sponsor the eTRUST initiative.
In addition to eTRUST, many other companies have self-made Privacy statements in place.
What is the content of principles, recommendations, or guidelines that have emerged? To the extent that industry associations have developed recommendations or guidelines, are they permissive or mandatory for association members? What sanctions are imposed for non-compliance? How many association members have implemented them?
At present, eTRUST has avoided recommendations or guidelines for online Privacy. Instead, eTRUST simply requires that a member must accurately disclose what kinds of information a member company is gathering, with whom they are sharing that information, and for what purpose they are collecting that information. Some of the sanctions for non-compliance have been discussed above: public humiliation, removal from the program, and possible remedies for breach or fraud. Currently, there are 50 members of the eTRUST Pilot, and over 500 wait-listed applicants.
Have such principles, recommendations or guidelines been effective in addressing concerns associated with the collection, compilation, sale, and use of sensitive consumer identifying information? How can the effectiveness of self-regulation in this area best be measured?
eTRUST has received consistent positive feedback on its Pilot program. eTRUST will continue to monitor the success of the initiative by conducting an annual privacy index, measuring the efficacy of eTRUST, and the effects that self-regulation of privacy issues have had on consumer confidence.
What efforts are underway to educate consumers about data bases containing sensitive consumer identifying information?
Education is one of the three pillars of the eTRUST Program. eTRUST plans to expend a significant portion of its 1 million dollar budget on consumer education and brand recognition. In particular, Wired Magazine ventures has agreed to dedicate $100,000 of advertising to promote eTRUST and educate consumers. As eTRUST is a non-profit venture, any profits made will also be channeled back into consumer education.
What are or should be the principal messages of such efforts?
eTRUST believes that consumers should be aware that giving personally identifiable information is a matter of choice, and that such information has significant value. In addition, consumers should be educated as to ways in which bad actors may siphon personally identifiable information without their permission, and be given the means to protect themselves. Finally, consumers should be able to know and recognize the difference between good and bad actors in the Privacy sphere, and transact with them accordingly.
How can education efforts best be implemented?
Education can best be implemented by broad cooperation between industry groups, the government, and consumers. To this end, eTRUST has partnered with NCSA and Verisign, and is working with PICS, P3, the Better Business Bureau, Shop.org, and others. Government cooperation or endorsement of eTRUST would also be effective in assuring and educating consumers that Privacy is an important issue.