Chairman Tauzin

Prepared Witness Testimony

The House Committee on Energy and Commerce

W.J. "Billy" Tauzin, Chairman

 Link to Committee Tip Line: Fight Waste, Fraud and Abuse
   

 

 

How Do Businesses Use Customer Information: Is the Customer’s Privacy Protected?

Subcommittee on Commerce, Trade, and Consumer Protection
July 26, 2001
09:30 AM
2322 Rayburn House Office Building 

 

 
 

Mr. John Ford
Chief Policy Officer
Equifax Inc.
1550 Peachtree Street, NW
Atlanta, GA, 30309

I.          INTRODUCTION 

Mr. Chairman and members of the Subcommittee, I am John Ford, Chief Privacy Officer for Equifax. I want to congratulate you, Mr. Chairman, and the members of your subcommittee and its excellent staff for the thoughtful and thorough manner in which your subcommittee is reviewing the information privacy issue. 

In this statement, I briefly describe Equifax; our commitment to protecting consumer privacy; and, from the Equifax perspective, the sources, content, and uses of marketing data and the associated protections. 

I recognize that the primary purpose of this hearing is to better understand the flow of data in the marketing process. Beyond that, it is my intent to discuss this process in a way that supports Equifax’s view that personal information, when collected and used for marketing purposes,

provides important benefits to consumers, to businesses, and to our economy.  Further, the potential privacy risks and harm arising from the use of personal information for marketing purposes are small, are already subject to effective privacy safeguards, and need not be subject to further privacy regulation at this time.  

II.        EQUIFAX 

            A.        Background 

Founded in 1899, Equifax is the oldest and largest of the companies that provide consumer information for credit and other risk assessment decisions.  These activities are regulated under the Fair Credit Reporting Act and dozens of related state statutes.  In addition, Equifax Direct Marketing Solutions, formerly part of Polk, maintains the largest marketing database of lifestyle and compiled data in the world.   At the outset, I want to emphasize that the personally identifiable information in our consumer-reporting database is entirely separate and distinct from information contained in our marketing databases. In fact, the databases are managed by totally separate Equifax companies. 

            B.        Equifax’s Longstanding Commitment to Privacy           

More than a decade ago, Equifax was one of the first U.S. companies to develop and adopt a meaningful privacy policy.  At the risk of sounding flippant, we were privacy before privacy was cool. As a responsible steward of information, our commitment to consumer privacy has remained steadfast.  We remain committed to three Core Values, described in greater detail in Section III.D. below, in order to foster the fair and ethical use of data.  We support self-regulatory and marketplace initiatives to balance the substantial benefits of the free flow of information and the legitimate concerns about the privacy of personally identifiable data, and we seek opportunities to work with governments, consumers, and businesses to forge effective solutions to the complex information-use issues worldwide. 

C.                 Equifax Products  

Equifax believes that the marketplace can offer solutions that enlighten, enable and empower our customers and consumers to address effectively some of the information-use issues today.  So, increasingly, Equifax is providing products directly to consumers to assist them in understanding their credit profiles and to empower them to fight identity theft and manage their fiscal health.  For example -- 

·        Equifax’s Score Power gives consumers access to their actual BEACON credit score, along with an explanation of how that score is used by credit grantors and recommendations about how consumers may “improve” their score.  

·        Equifax’s Credit Profile gives consumers online access to the information in their Equifax credit file.  

·        Equifax’s Credit Watch provides consumers with online notification of changes to their credit file within twenty-four hours, thereby providing early detection of potential identity theft.  

·        Equifax’s eIDverifier patent-pending product permits consumers to use information from their consumer credit report to establish their identity virtually instantaneously in a reliable and secure manner so that they can obtain products and services online. This service deters identity theft and fosters trust in e-commerce by facilitating an electronic handshake between a known consumer and the online vendor.  Subsequent online transactions are encrypted, further enhancing trust and protection. 

III.       MARKETING AND PRIVACY  

            When assessing privacy risks and harm, at least four key topics are relevant: 

1.      Source. Is the source of the information reputable and does it put the record subject on notice that information is being collected?

 2.      Content. What is the content of the information – is the information aggregated or anonymous or is it personally identifiable and is it sensitive? 

3.      Use. Will the information be used to benefit the individual or does its use put the individual at risk for adverse, substantive action? 

4.      Privacy Protections. Are there privacy protections already in place to eliminate or minimize privacy risks? 

When it comes to marketing, the answers to all of these questions, I believe, support the reasonable conclusion that the privacy risk or harm is minimal; the benefits to consumers, to business and to the economy are substantial; and little basis for more governmental regulation exists. 

A.        Sources            

Equifax provides information to its customers for marketing purposes from the following categories of data sources, in conjunction with an array of analytical services. 

At Equifax, most of the personally identifiable information provided for marketing purposes comes from consumer self-reported data.  For example, Equifax’s Survey of America and our online survey, RightOffers (www.rightoffers.com), give millions of consumers an opportunity to voluntarily provide information about themselves and the members of their households and to exercise choice in what kind of marketing offers they receive.  Another source of self-reported data included in the Equifax marketing databases is product registration cards.  On a voluntary basis, consumers may provide information about themselves by responding to lifestyle or buying preference questions included on paper product registration cards, electronic product registrations, or Internet registrations.  

Other data sources include third-party data sources such as public record repositories and other government agency data sources (e.g., land records, certain license information such as hunting and fishing licenses, and census data), and other types of reputable third-party sources including those using publicly-available data such as telephone white pages or other directories and exchanges. 

In essence, our databases contain personal or aggregated data about individuals or households that is self-reported, inferred through sophisticated modeling procedures, or obtained from reputable third-party sources, including public record or publicly-available sources. 

B.        Content 

The vast majority of information held by Equifax for marketing purposes is not personally identifiable information.  Information does not have to be personally identifiable in order to be useful to marketers.  Marketers can successfully market their products and services on the basis of predictive, aggregated information.  Whether aggregated data is appended to a client’s list of names and addresses, offered with our analytical services, or used to develop a predictive model, the key purpose is to help companies market products and services to consumers who are likely to be interested.  This information is very valuable to marketers for predicting consumer spending patterns.  Consumers benefit because they receive only those offers in which they are likely to have an interest.  What’s the result: Consumers become aware of new products and services, businesses sell more products more cost-effectively and the economy grows. 

While the vast majority of information held by Equifax in its marketing databases is not personally identifiable, as indicated above, Equifax’s marketing databases do contain some name and address information.  Naturally, marketers must have name and address information in order to communicate their offers directly to consumers.  It is important to note, however, that the information included within the Equifax marketing databases is not organized so as to be readily and easily retrievable by personal identifiers (i.e., name and address).  

Our marketing databases contain primarily information that is predictive, psycho-demographic information, such as “Zip+4” information—that is, information that describes the characteristics that people who live in a particular geographic area are likely to have, including lifestyle information.  

Even when the information is more granular than geographic “Zip+4” type information, the information describes some of the buying characteristics of a household, not necessarily of a specific individual.  For example, both the Survey of America and the online RightOffers survey provide information that is used as a primary source for our marketing databases.  Both surveys ask participating consumers to provide certain lifestyle information, including information about their leisure activities and hobbies and those of the other members of their household, as well their preferences regarding product categories and/or brands.  In addition, consumers are asked to provide certain demographic information such as marital status, month and year of birth, and occupation for household members.  The information collected from surveys is used in the aggregate to better understand consumer preferences, past buying behavior, and responsiveness to direct marketing. 

Finally, in no instance is the marketing information we collect sensitive personally identifiable information, unless the consumer has voluntarily provided it. Even then, the data pertain to the household, not an individual. 

C.        Uses 

It is very important to emphasize that personal information obtained for marketing purposes is not used for risk assessment purposes. Marketing data is not used to make decisions about whether an individual obtains or retains a job, insurance, or a government license or benefit.  Instead, the information is used merely for the purpose of efficiently shaping the kinds of offers an individual receives. 

Some have suggested that such target marketing provides some consumers with an advantage over others who do not receive the direct mail offer.  It only makes sense that businesses would seek to cost-effectively align their marketing with their markets, achieving the best return possible by focusing on those most likely to respond. The simple truth is that businesses have a limited number of dollars to support marketing campaigns.  Similarly, Members of Congress do not mail campaign solicitations to every constituent but only to those in their party and then only to those who have given before or who are more likely to respond.  In order to accomplish this goal, marketers must direct their offers based upon their understanding of consumers’ buying preferences and willingness to respond to direct marketing offers.  Individual consumers are not excluded from receiving marketing offers.  

In addition, marketers constantly refine their marketing campaigns based upon changes in consumer spending patterns and other predictive information.  As a result, the audience to which a marketer directs its offers may change.  Furthermore, consumers who express an interest in a particular product or service directly to a marketer are likely to be included in marketing campaigns. 

D.        Privacy Protections 

As I said at the outset, Equifax has adopted privacy protections for marketing data that are appropriate to the use and any potential harm.  For example, we provide consumers with notice and opportunities to opt-out (sometimes opt-in) of Equifax’s use of marketing information. We provide consumers who participate in our Survey of America with the opportunity to specify on the Survey how their information may be used.  Survey of America participants may opt-out of receiving future survey questionnaires, product samples and coupons in the mail, or coupons and special offers from companies via email by simply checking the appropriate boxes on the Survey form.  Consumers who complete product registration cards have similar opt-out opportunities.  

In addition, in some situations, we provide opt-in opportunities. At our “RightOffers” website, not only do we provide consumers with the ability to opt-in to marketing uses by selecting only those categories of offers that they want to receive, but we have implemented a double opt-in system.  Under that system, once we receive a completed RightOffers survey, we send the consumer an email asking the consumer to confirm his/her desire to receive offers.  Furthermore, RightOffer participants may update their information by revisiting the site and are free to unsubscribe at any time. 

We also employ state-of-the-art technology to help ensure data integrity and security.  In addition, our customers are prohibited from using our marketing databases for individual look-up purposes.  We have always contractually prohibited our customers from using our database for this purpose.  Furthermore, we have designed our system so that we have no delivery mechanism for a customer to query the database based on a name; therefore, no individual look up is offered or feasible. 

Further, Equifax provides consumers with meaningful and practicable privacy protections through our compliance with a variety of self-regulatory programs providing consumer rights and redress.  We adhere to the self-regulatory principles of organizations such as the BBBOnline Privacy Seal program, the Online Privacy Alliance, and the Direct Marketing Association.  

Finally, in consultation with renowned privacy expert, Dr. Alan Westin, Equifax conducts privacy audits of our procedures as well as our products and services to ensure high standards of privacy protection and, in fact, to provide a value-added quality.    

            All of these protections are consistent with Equifax’s three Core Values to which we adhere in order to protect the fair and ethical use of data -- 

Core Value I:  Equifax is committed to the ethical use of data and to maintaining the highest standards of consumer information privacy. We adhere, therefore, to a meaningful set of self-regulatory privacy principles enterprise wide. 

  •  Responding to and anticipating evolving technology and changing societal demands, we have managed sensitive consumer data in an ethical manner for more than 100 years, earning a reputation as a responsible steward of information.

  •  We provide consumers with notice – the ability to know what and for what purpose personally identifiable information about them is collected and used. 

  •  We provide consumers with choice - the ability to opt-out of our use of marketing information about themselves; and where feasible, the ability to opt-in to certain marketing uses.  

  •  When feasible, we provide consumers with access to and a correction procedure for personally identifiable information about themselves used for non-credit-marketing purposes. 

  •  To ensure data integrity and security, we employ state-of-the-art technology and tested procedures to collect, store and transmit personally identifiable information. Because commerce and our reputation are on the line, we have a vested interest in the quality of the information in our databases. Thus, we employ stringent practices and procedures to maintain the highest standards of data accuracy, reliability and completeness that humans and technology can achieve. 

  •  Equifax provides individuals with meaningful and practicable remedies and redress in the event individuals are harmed by the misuse of personally identifiable information about them.  These remedies arise from several sources: Equifax adherence to our own privacy principles and to other industry self-regulatory principles governing the use of personally identifiable consumer and commercial information; adherence to the requirements of the BBB Online Privacy Seal; from the Federal Trade Commission’s enforcement of the unfair and deceptive practices provisions of its charter, and from compliance with US and international laws, including the European Union Data Protection Directive. 

Core Value II: Equifax supports and has launched business self-regulatory and marketplace initiatives designed to balance the substantial societal benefits of the free flow of information and the legitimate concerns about the privacy of personally identifiable data.  

  •  Equifax adheres to the privacy principles and requirements of the BBBOnline Privacy Seal, the Online Privacy Association, and the Direct Marketing Association, as well as to the information-use initiatives of the Coalition for Sensible Public Record Access (CSPRA) and the Associated Credit Bureaus, Inc.   

  •  Equifax will only do business with entities that adhere to meaningful fair information practices that effectively address the concepts of notice, choice, access, security, and redress. 

  •  Equifax enlightens, enables and empowers consumers to monitor their financial health using product solutions to address consumer privacy issues such as identity theft and credit score disclosure.   

  •  Equifax employs and provides our customers with patent-pending identity authentication technology and a wide range of other products and services that enable our business customers to make sound risk assessment decisions and relevant marketing offers to consumers through the appropriate and ethical use of personally identifiable information. 

  •  Consumers and business both expect to conduct business transactions instantaneously and securely.  The free flow of relevant information to legitimate businesses makes this possible. 

  •  Legitimate business access to relevant consumer information is critical to achieving a number of societal benefits: thwarting identity theft, locating estate heirs, witnesses, child support delinquents, debtors, missing children, organ donors, etc. 

Core Value III:  Equifax seeks opportunities to work harmoniously with governments, consumers and businesses to forge effective solutions to the complex privacy and ethical information-use issues worldwide. 

  •  Governments first must enforce existing laws concerning use of personally identifiable information and should consider enacting applicable laws only after industry self-regulatory measures fail.    

  •  If industry self-regulatory initiatives fail after being given a fair chance, Equifax then supports government regulation that is relevant, not unduly restrictive, and that clearly resolves the perceived imbalance. 

  •  In an e-commerce, online environment, national governments must adopt preemptive measures to ensure that the transmission of information and online transactions are seamless across geographical boundaries. 

  •  In considering privacy law and policy, governments should recognize the differences between the impact of and the potential harm arising from the use of personally identifiable information for financial decisions and that used for marketing or other less serious purposes. Privacy laws should pivot not on the source, but on the content and the use of the individual information. 

  •  Consumers must take some responsibility for educating themselves about privacy policies, procedures, products, and technologies that enhance consumer information protection and increase trust in transactions. 

  •  Under the privacy bargain, consumers should expect the level of information privacy protection commensurate with their demands on business, the benefits sought and the sensitivity of the information exchanged.  

  •     Businesses that collect, maintain and use personally identifiable data have a responsibility to develop and implement an effective privacy program and to employ ethical information practices. 

  •  The business community has a responsibility to develop products and services that allow consumers to participate safely in the information marketplace and to protect their own privacy. 

  •  Equifax has taken the lead by providing online solutions that enlighten, enable and empower consumers to manage their financial health.  These easily accessible products allow consumers to examine their credit file, monitor changes in it to thwart identity theft, and to obtain and understand their current credit score. 

  •  Equifax will continue to develop products and services and, in concert with other industry members and associations, develop programs designed to empower and enable consumers and customers to better manage privacy and risk issues.  

IV.       CONCLUSION           

In sum, direct marketing is a societal and economic good.  The process is profitable, efficient and benign. The concept is consumer oriented and privacy sensitive. 

In closing, I want to thank you again for the opportunity to testify and to congratulate the Chairman and the Subcommittee for their leadership in the privacy arena.  We look forward to working with you so that the marketplace might achieve the synergies that can arise from a greater understanding and appreciation of the important societal benefits of direct marketing – that is, efficient direct marketing conducted in a self-regulatory environment that embraces effective privacy protections.

  
 

Related Documents

 

 
 

Printer Friendly

Comment On This Page

Related Documents

  
 

Document Menu

Hearing Webcast

Invited Witnesses

Member Statements

Printed Hearing Record
(transcript)