FTC: Consumer Privacy Comments Concerning Privacy Rights Clearinghouse --P974806
Privacy Rights Clearinghouse
5384 Linda Vista Rd. #306
San Diego, CA 92110
Voice: (619) 298-3396
Fax: (619) 298-5681
E-mail: bgivens@privacyrights.org
Web: www.privacyrights.org

Follow-up Comments of Beth Givens, Project Director
July 11, 1997
Federal Trade Commission

"A Critique of the Individual Reference Services Industry Principles"

Thank you for the opportunity to follow up on the comments provided at the June 10, 1997, workshop session on the data base industry. (A copy of those remarks is attached.) I will provide a critique of the privacy principles presented by the individual reference service industry at the June 10th workshop. My comments focus on five issues: accountability, accuracy, access, consumer education, and feedback.

Accountability, Accuracy and Access

Two interrelated aspects of accountability deserve attention: (1) How will we know when self-regulation is working? (2) How will the practices of the reference services industry be monitored?

A shortcoming of the self-regulatory approach, at least as promulgated to date, is the lack of any benchmarks for success. Unless some tangible goals are imposed on the reference services industry, we will not be able to determine if in fact self regulation is working -- that is, if it is effective in safeguarding the privacy of those individuals whose personal information is compiled and disseminated by information vendors.

The Direct Marketing Association's (DMA) Mail Preference Service (MPS) exemplifies this particular shortcoming.(1) The MPS was established by the Direct Marketing Association in 1971, over a quarter century ago. Consumers who do not want to receive unsolicited mail register their name and address with this centralized data base. Mailers use this list on a voluntary basis to "suppress" these names from their own lists.

Does the MPS work? From the standpoint of many callers to the Privacy Rights Clearinghouse (PRC) hotline who have used the MPS, the answer is "no." Consumers see little to no reduction in volume of unsolicited mail after registering with the MPS. The only category of mail for which the MPS has any noticeable effect is catalog mail.

Another way to assess whether or not the MPS has been successful is to look at the numbers of mailers that use the service. The major nationwide mailers are the most likely to use the MPS. But large categories of mailers do not take advantage of the MPS. These include local mailers, the "resident" mailers, many charities, as well as many prize and sweepstake promoters. In addition, not even the totality of DMA members use the MPS.

If meaningful goals were imposed on direct mailers, with sanctions for not complying, perhaps the MPS could in fact be effective. For example, the goal of x% of MPS subscribership by direct mailers, y% of resident mailers, z% of charities over certain sizes, and so on, could be established as benchmarks to determine if in fact self regulation is working vis-a-vis direct mail.

Several comparisons can be noted between the direct marketing industry's poor record of self regulation and the privacy principles proposed by the reference services industry. The first concerns the portion of the industry that has adopted the privacy principles. Only eight information vendors have initially signed on to the principles. If the Federal Trade Commission has not already done so, it should consider conducting a survey of all such companies in order to monitor whether or not they adopt the principles in the coming year (one year is the amount of time the initial eight companies have said they will need to implement the principles). The PRC and other contributors of pre-workshop comments have listed several such information vendors. There are no doubt many more.

A second comparison involves the principles themselves, and whether or not they are adequate to safeguard individuals' privacy. The Direct Marketing Association issued its set of industry privacy principles in 1994, "The Fair Information Practices Manual." Yet key provisions are still not practiced by a large number of direct marketers, for example disclosure notices and consent opportunities. And some provisions do not go far enough (for example, the emphasis on opt-out opportunities rather than opt-in).

The privacy principles of the reference services industry also illustrate similar shortcomings. In my testimony during day one of the FTC privacy workshops, I raised the issues of "access" and "accuracy," by relaying two cases: individuals who have been unable to obtain employment because of allegedly inaccurate information in data bases used by the employers and because those job applicants have not been able to gain access to that information in order to determine its accuracy. (See the June 10th comments, attached to these comments.)

Principle XI on access states that data subjects are to be told the nature of the information that the reference services make available in their products and services, but does not address access to the actual information, that which is needed in order to determine if the records are accurate or if the records of the correct John Smith were obtained. If accuracy of personally identifiable information is to be ensured (accuracy is Principle III), then the data subjects must be accorded some means to access those records easily and at reasonable cost.

A third comparison between the direct marketing industry's poor record of self regulation and the proposed reference services principles involves the lack of sanctions for noncompliance. We have received numerous calls to the hotline in which consumers ask what can be done about direct mailers who repeatedly ignore their requests to be taken off the mailing list (Dataquick is an example of such a mailer). We tell them there is no law which requires mailers to comply with such requests (except for mail considered to be pornographic). And we direct them to the industry trade association, the Direct Marketing Association, but warn them that the DMA itself does not have the ability to enforce compliance with consumers' requests, especially if the entity is not a member.

The principles proposed by the reference services industry likewise lack discussion of sanctions for noncompliance. This is a major failing of the self regulatory approach. A significant challenge facing the FTC is to determine ways in which sanctions can be imposed within a self-regulatory framework.

To conclude this discussion of accountability, accuracy and access, the PRC makes three recommendations. First, we recommend that the FTC determine goals or benchmarks which it expects the information industry to achieve in a given period of time. Without such markers, we will never be able to determine if self regulation is indeed working. Second, we recommend that the FTC indicate to the reference services industry whether or not the proposed principles go far enough to adequately safeguard individuals' privacy. Perhaps it should promulgate some standards which the information vendors should be expected to adopt. And third, we recommend that the FTC explore ways in which meaningful sanctions can be imposed.

Consumer Education and Feedback(2)

Given the above comments, I am not convinced that self regulation has worked to date. And I do not expect it to be effective in the future unless there are effective tools for ensuring and measuring compliance. Nonetheless, if the self-regulatory approach is ultimately embraced by the FTC, a mechanism for consumer education must be implemented.

In a self-regulatory environment, consumers must know the "lay of the land." What expectations regarding protection of their privacy should they have? How will they know when an information vendor is not taking adequate steps to protect their privacy? How will they know what actions they can take regarding entities that violate their privacy?

Consumer education can go a long way toward explaining the "lay of the land" to consumers. Laudably, the principles proposed by the reference services industry include education. Principle I states that "[i]ndividual reference services should individually and through their industry groups make reasonable efforts to educate users and the public about privacy issues, the types of services they offer, and the benefits of the responsible flow of information."

The PRC recommends that while industry education efforts are important, consumer education must also be provided by independent entities in order to avoid serving the interests of industry (or of government for that matter).

In addition, consumers must have a trusted feedback mechanism they can use so their experiences with information vendors -- both the good and bad -- are documented. The market provides one kind of feedback mechanism, but an imperfect one: entities which violate consumer privacy might lose business and/or suffer the consequences of negative publicity. A more reliable mechanism would be an independent body or bodies to which consumers can provide such feedback.

At the risk of appearing self-serving, I encourage the FTC, industry and others to investigate the model provided by the Privacy Rights Clearinghouse -- a nonprofit organization which conducts research and makes information available to consumers, and which also serves as a feedback loop for both government and industry entities. Granted, a program as small as the PRC is not able to serve the educational and feedback needs of a nation. But on a larger scale, the PRC model deserves attention.

When examining the role of an independent consumer education body(ies), policymakers must also determine how to fund such an entity(ies) to provide long-term stability and avoid conflicts of interest. [For further information, see Comments of the PRC, submitted in June 1996 at the FTC Consumer Privacy workshop.]

This concludes my written comments in follow-up to the June 10, 1997, workshop on the reference services industry. Thank you for this opportunity.

Panel II -- Benefits and Risks of Computer Reference Services
Comments of Beth Givens, Project Director

Thank you for the opportunity to participate in this workshop. I am going to discuss some actual cases that have come to the consumer hotline of the Privacy Rights Clearinghouse -- for your information, a service that has been in operation since October 1992, nearly 5 years.

But first, let me preface my discussion of risks with some observations about the database industry. The information vendor industry is virtually unregulated. There is little oversight of these companies, and little accountability for their practices. In addition, the information vendor industry is virtually invisible, not to us here today, but to most Americans who know nothing about these companies. Nonetheless, these companies hold an increasing amount of sensitive personal information about nearly each and every one of us.

What do I mean when I say that the database industry is unregulated? The companies that comprise this industry are not governed by a code of Fair Information Practices. The data subjects do not have rights of disclosure, access and correction like they do with their credit reports. Nor do they have the ability to learn who has accessed their files. Nor is there a time limit put on the disclosure of negative information. Nor are there penalties for misuse of personal information.

What are the risks for the data subjects? We have received numerous calls from people wondering if information in databases somewhere might be preventing them from getting work. They tell of repeated interviews, sometimes even second interviews, and then they're dropped, with no information given to them as to why.

One individual, whose name is Bronti K., was out of work for several years. His profession was department store clerk, and he held several jobs successfully. But he was no longer able to land a job and didn't know why. In desperation, he demanded of one employer to know why he was turned down. He was told that a database they used indicated that he had been caught shoplifting from a department store. When Bronti put the pieces of the puzzle together, he realized that the identification documents in his wallet that had been stolen some time ago had been used by a thief who was impersonating him, a thief whose criminal record was now his.

Bronti has since hired an attorney and is suing the database company, EMA/SPA, and the department store that put the shoplifting data into his record. The trial is set for this coming fall in Los Angeles Superior Court. He is still not able to find work as a department store clerk, perhaps because of his long period of employment and because he's now seen as a troublemaker.

The second case concerns a man who for many years was successfully employed in the construction business. His name is Ron D. He was seriously injured and had to leave construction work. He was retrained to work with computers, but has not been able to find work for 7 years. He has had many interviews, even second and third interviews, but has been ultimately turned down by all his potential employers. He is certain that information about one of his brothers, who happens to be a drug addict and felon, is tripping him up. His brother's name is close to his, and their Social Security Numbers are one number apart. But he has not been able to find a single employer who will tell him the source of information being used to make their hiring decisions. One employer did admit to using an outside source.

We suggest to people like this that they find a company that accesses the various data bases of the information vendors and conduct a thorough background check on themselves, spending maybe $100 to $200 if they indeed want to be thorough. And they should also check to see if there are criminal records inaccurately attributed to them. However, even if they hire someone to conduct a background check on themselves, they might not yet know for certain if they are finding the exact same information that their potential employers have found, especially if it comes from a company like EMA/SPA that is collecting information from a certain industry.

This situation is reminiscent of Franz Kafka's work of fiction, THE TRIAL. I think there could be a nonfiction version of his book based on cases like Ron's and Bronti's. It could be called THE JOB.

These cases point up several risks of the information vendor industry being unregulated. Ron, the man who's unfortunate to have a criminal for a brother, has been told by a career counselor at a service run by San Diego County, to not bother to look for work until he can ferret out the source of the bad data. So far, he's not been able to do so.

I should point out that both Bronti and Ron are seeking jobs in the retail industry that pay from $5 to $7 an hour. Pre-screening for these types of jobs is becoming somewhat automated, almost like the credit screening that is done when you apply for instant credit -- simply a yea or nay, with no underlying reasons given.

I am convinced we are going to be seeing more cases like these as the amount of data compiled in the various data bases increases. And I think the reason we at the Privacy Rights Clearinghouse don't hear of more cases like these is that the process is invisible to individuals.

A further point: None of these data holdings are consensual -- whether it's public records information or the credit header information. All the more reason to have this industry regulated with a code of Fair Information Practices.

Just a quick run-down of some other risks: Another harm or risk is identity theft, the ability of an imposter to obtain personal information like the Social Security number and use it to fraudulently apply for credit cards in the victim's name, order a credit report, and so on.

Another harm: tracking down victims of stalking or domestic violence -- people have had to relocate to escape the stalker. A simple credit header search can be quite effective in locating these people. Credit header files are nonconsensual. You do not have the ability to opt out of them. I think they should fall below the line and be regulated by the FCRA, the same as the rest of the credit history. Or at the very least, individuals should be allowed to opt in to such commercial data sources.

A further harm of these data bases is to people who have sensitive occupations: law enforcement, taxation authorities, people who work for abortion clinics, mental health professionals, teachers, parole officers and so on.

Thank you for the opportunity to present these comments. That concludes my remarks.

1. Personally identifiable marketing data is not considered to be part of the reference services industry, as explained in the "White Paper: Individual Reference Services" (Piper and Marbury, June 10, 1997). The direct marketing industry is discussed here in order to exemplify the shortcomings of the self-regulatory approach. This section on the DMA's MPS is taken from the PRC's Day Two pre-workshop comments for P954807.

2. This discussion is adapted from the PRC's written pre-workshop comments for Day Two, P954807.