|
Chairman Stearns, Ranking Member Towns, and members of the
Subcommittee, thank you for the opportunity to participate in this timely
hearing and to share the perspective of the Companies on Titles I and III of
H.R. 4678 – the “Consumer Privacy Protection Act of 2002”. The three
corporations listed in the caption sheet strongly support a balanced approach to
the use of personal information. Descriptive information on these
companies may be found in the appendix attached.
I will not make specific comments about Title II.
Instead, I urge the Committee to work closely with the Credit Bureaus and their
trade associations to make certain Title II is effective in preventing identity
theft and improves the remedies available for those whose identity has been
stolen.
Information products from our three companies fill an
important gap in today’s business-to-consumer relationship. In our
information-based economy, companies succeed not just by meeting their
customers’ expectations, but by exceeding them with superior products and
services of the highest quality. Businesses do not instinctively know
everything their customers want and thus need information to better understand
what consumers both want and need. Companies such as Acxiom, Experian and
Trilegiant are the vehicles by which businesses acquire or better use this vital
consumer information.
The efficient flow of consumer information to businesses
has significantly contributed to our nation’s economic growth and stability by
(1) enhancing variety in consumer goods and services; (2) facilitating lower
domestic prices as compared to foreign markets; and (3) accelerating the speed
and ease with which transactions can be completed. This flow should be
permitted to continue.
Notwithstanding these successes, the inappropriate use of
information to defraud or discriminate against consumers should be illegal.
H.R. 4678 is a bill that makes every effort to balance these concerns, and we
are pleased to be here today to comment specifically on a number of aspects of
the bill.
Comprehensive Coverage of Both Online and Offline Practices
In the debate about data privacy, public policy makers are
asking some very good questions regarding whether legislation should be specific
to the online sector or technology neutral covering both online and offline
practices.
It is difficult to argue that a corporation’s policies
governing the collection and use of personally identifiable information should
be different in the online and offline environments. Further, even if
legislation was focused only on online information, the offline environment
would be affected equally, since online and offline data is inevitably combined
at some point by every company.
Even so, there are practical differences in the online and
offline worlds that policy makers must carefully consider for legislation that
is technology neutral. Self-regulatory regimes already in place recognize
these practical differences, so policy makers should look to these practices as
the basis of any future legislation deemed necessary.
Most of the clients of our three companies, as well as our
data sources, operate in multiple environments, too. For example, many
catalog companies have an online catalog, and many retailers are becoming
dominant forces on the Internet. In fact, only a very few companies exist
solely in an online environment today – and even these companies depend on
offline information, which they merge with online information, to increase
efficiency and to stay competitive.
However, there are important differences in how notice can
be delivered and choice exercised in the online and offline environments.
Understanding these differences is at the heart of the online/offline debate
because self-regulatory practices or legal regtexts must allow enough
flexibility to provide consumers effective notice and choice across different
media.
In order to be fair in all mediums, the regtext for
providing a full statement of information practices, usually referred to as a
privacy policy, must be “upon request.”
Online Notice
In an interactive online environment, an “on-request”
regtext can easily be provided by a conspicuous link to a privacy policy.
The interactive nature of the Internet also allows a consumer to make immediate,
informed choices about how his or her information can be used. In the
marketing industry, “opt-out” is the regtext for informed consent, but the
interactive nature of the Internet is also allowing new voluntary methods of
permission-based marketing to flourish as well. This interactive nature
has resulted in the wide spread acceptance of online privacy regtexts like
those proposed in Title I. Nearly 100 percent of the 100 largest consumer
websites have a link to a privacy statement.
Offline Notice
However, this interactive model is difficult, if not
impossible, to achieve in the offline marketing context. In the
telemarketing environment, delivering the same kind of notice and gaining the
same kind of consent would be financially onerous, could destroy otherwise
successful marketing campaigns, and could result in very negative customer
relations.
In the offline environment, there must be flexibility to
deliver notice and choice, upon request, through the mail in paper form.
Alternatively, businesses should be able to direct consumers to a telephone
number or website to access a company’s policy. Also, retailers should
be allowed to deliver notices at the checkout counter. In other words,
businesses must have the flexibility to adopt practices that best meet the
medium in which they are engaged, even though notice and choice about marketing
information should be the policy in all mediums.
We believe Sections 101 (a) and (b) of H.R. 4678, Privacy
Notices to Consumers, Notice Required and Form and Contents of Notice, are
intended to recognize and allow for these practical differences in collection,
notice and choice methods that exist in the online, offline and telephone
environments. We want to continue to work with the Committee to ensure
this “upon request” distinction is clear in the law, so that businesses have
the necessary flexibility to conduct successful marketing campaigns in this
difficult economic environment.
Self-Regulatory Programs
Section 106, Self-Regulatory Programs, further recognizes
the important role of self-regulatory programs that have served both the
consumer and the business community well in areas of information use where
legislation has not previously existed.
Such programs as the online seal programs from BBBOnline
and TrustE, along with the Direct Marketing Association’s “Privacy
Promise,” represent very effective self-regulatory regtexts for online,
offline and telephone based relationships. These practices generally
require companies to provide consumers choice through an opportunity to
“opt-out” of information sharing, to develop appropriate guidelines to keep
the information secure, offer the consumer third party recourse for settling
disputes, and the option to go to the Federal Trade Commission under Section
5(a)(1) of the Federal Trade Commission Act (15 U.S.C. 45 (a) (1)) where
prior efforts to resolve the conflict have failed.
All of these practices, which are in effect today and have
a proven record of success, conform nicely with the provisions in H.R. 4678, and
we therefore support the bill’s language with regard to self-regulatory
regtexts.
Enforcement
We believe H.R. 4678 has proposed a reasonable enforcement
mechanism in Section 107, Enforcement, by building on existing and proven
enforcement methods. By doubling the amount of fines that may be imposed,
this approach to enforcement becomes an even more effective deterrent.
Enforcement is one of the hardest aspects of privacy with
which to deal. Far too often, legislation is not enforced for one reason
or another. However, an increasing number of successful enforcement
actions have recently been undertaken by the Federal Trade Commission.
Such actions have demonstrated the effectiveness of the FTC in dealing with
privacy and security issues.
Furthermore, with the self-regulatory choices and the
straightforward nature of the provisions of H.R. 4678, the Companies agree with
the Committee that the need to prescribe regulations is not necessary to enforce
this title. The regulations in effect already exist in the Federal
Trade Commission Act.
Harmonization with Other Laws
Since there are in excess of fifteen (15) federal
privacy-related laws in the U.S., it is critical that any broad-based
legislation, such as H.R. 4678, recognize and respect these existing laws and
not create conflicting requirements that do not serve either the consumer or the
business community.
There are specific practices that need to be treated
differently from general personal information collected and used by commercial
entities, such as affiliate sharing of credit information within a financial
institution covered under the Fair Credit Reporting Act, and the sharing of
sensitive information about children under the age of 13 under the Children’s
Online Privacy Protection Act.
In Section 109, Effect on Other Laws, H.R. 4678 properly
recognizes these various laws and the requirements they each impose and offers
the right kind of harmonization.
State Preemption
Section 109(d), Preemption of State Privacy Laws, is a
necessary requirement both for the consumer and the business community.
Nothing will be more confusing to concerned consumers, nor create more
inefficiency to commerce, than to have differing privacy laws in each state or
locality. As we have seen recently in North Dakota, and at the local level
in Daly City, Contra Costa County and Berkeley, California, there appears to be
a rush to enact unduly restrictive financial privacy laws. We suggest that
these laws serve no other purpose than to dramatize the need for federal
preemption, which H.R. 4678 offers.
If states and localities are permitted to continue enacting
their own versions of privacy laws, several risks exist.
First, in light of the fact that no state or locality is likely to have the
necessary resources to conduct a comprehensive and thorough analysis of the
issues surrounding the use of information such as this committee has conducted,
plus the fact that the privacy issue is a very highly charged political issue,
legislation passed by states and localities will almost surely result in serious
unintended consequences. Second, for consumers, to understand their rights
and be able to easily enforce their rights when they believe an infraction has
taken place will be extremely difficult, thereby diminishing the effectiveness
of any enforcement action. Third, local law enforcement has not
historically focused on these kinds of issues and the Federal Trade Commission
has more resources and more expertise to deal with consumer complaints regarding
privacy than any state or local authority. In short, without state
preemption, consumers will be confused and the effectiveness of enforcement will
be reduced.
International Issues
Title III – International Provisions – offers a good
first step to address the growing concern of companies doing business outside
the U.S. regarding the wide variety of privacy laws enacted in other countries.
Dealing with information flows across borders is an
extremely complex issue and we have far too few facts on which to evaluate
effective solutions. The bill’s requirement that the Comptroller
General of the United States conduct a study and make recommendations regarding
remediation of discriminatory activities should provide the facts needed to
identify solutions that will work.
Access to Information
Few would argue that the four Fa ir Information Practices
Principles – notice, choice, access and security – are not important
consumer rights. Unfortunately, these principles are usually recited
without considering their true complexity. Practical approaches such as
H.R. 4678 – whether statutory or self-regulatory – recognize that each of
these principles must be applied in sensible ways appropriately tailored for the
purpose for which the information is used.
The application of each principle must strike a balance
between the value gained by consumers, businesses and society and the costs
associated with each. Sometimes that balance prohibits application of one
or more of the fair information principles. For example, under the Fair
Credit Reporting Act (FCRA), the nation’s oldest privacy statute, consumers do
not have a choice about being included in the national credit reporting system.
If choice were an option, those who are lax on paying their bills would probably
choose not to have that information disclosed to potential lenders which would
result in increased lending risk for creditors and increased credit costs for
consumers. In effect, there would be fewer financial service products for
consumers.
The principle of access, arguably the most complex issue in
the debate about consumer privacy, must be thoughtfully applied because it
raises significant privacy, data security and cost considerations for consumers,
businesses, and society in general. Unfortunately, perhaps because of the
complexity of this issue, many legislative proposals dispense with the access
principle by simply citing the obscure regtext that “reasonable access”
should be provided upon the consumer’s request. While sounding sensible
on its face, such an undefined regtext delegates too much authority to
regulators and the courts to develop public policy about consumer access.
As explained below, we believe that, by not including a
requirement for consumer access, H.R. 4678 has properly recognized the inherent
pitfalls of such a requirement.
Allowing consumer access, by the very nature of the
process, makes the data less secure. As a result, appropriate
authentication and verification systems would have to be implemented.
Providing access also means that information held by an organization must be
collected into personal, comprehensive profiles, which raises new privacy
concerns. Finally, the costs associated with data collection, new security
systems for authentication, and customer service staff necessary to administer
disclosure, dispute and correction systems, can be enormous.
The primary purpose of access is to make certain the
information a company maintains about an individual is accurate. For
example, if a company’s use of inaccurate or fraudulent information could
cause harm to an individual through over-billing, or is used to make a decision
that could deny a consumer a benefit or service such as credit, insurance or
employment, then access should be provided. In these cases, it is in the
best interest of both the consumer and the business to be sure the personal
information about a consumer is correct.
However, access for the sake of curiosity is not justified
when the costs to society and the threat to personal privacy are significant.
In such instances, access should be discouraged if there is no legitimate
identified harm to an individual such as a denial of a benefit or service.
Today, even without a legal mandate, almost every company
provides consumers ready access to current account information, the very
information which, if inaccurate, could result in a benefit or service being
denied. This kind of targeted access to personal information reflects
business’ interest in accurate, up-to-date records for billing purposes, as
well as a customer-focused response to consumer demand. Many
Internet-based companies offer access not only to account and billing
information but also to customer-supplied information used to predict consumer
preferences.
Providing access to consumers would be of little benefit,
and such access likely would pose a greater threat to privacy than currently
exists. The nature of information in marketing databases would limit identity
authentication largely to name and address (which is widely available in public
sources, such as telephone directories) and, therefore, would greatly limit the
ability of businesses to validate consumer identities for disclosure purposes.
Accordingly, access requirements should be constructed so as to balance the
benefits to consumers against the security risks to them, and the costs to
companies that hold the data.
Allowing access to marketing databases would be enormously
expensive. While that expense is justified and necessary with regard to
information governed by the Fair Credit Reporting Act, it is of questionable
value for data used only for marketing purposes.
A consumer’s current ability to opt out of having their
name shared for direct marketing purposes satisfies the underlying concern about
privacy and accuracy without imposing undue and unnecessary costs to businesses
or risks to consumers that would result from access requirements.
H.R. 4678 has rightly not included a provision for access
in the bill.
Conclusions
While Acxiom, Experian and Trilegiant do not agree on all
the detailed provisions of H.R. 4678, we believe the bill, in its current form,
and subject to the our comments herein, represents a well-intentioned, balanced
approach to protecting consumer privacy while allowing information flows that
bring value to consumers and to our economy. We look forward to working
with you to ensure these intentions are realized throughout the legislative
process.
Mr. Chairman, thank you for the opportunity to appear today
on behalf of these three companies, Acxiom Corporation, Experian Marketing
Services and Trilegiant. I am prepared to furnish any additional
information to the Committee, and answer any questions you may have. APPENDIX
The Companies include some of the most prominent
organizations in the country involved in helping facilitate the appropriate use
of information in ways that bring value to both the consumer and the business
community.
Acxiom Corporation
For over thirty years, Acxiom Corporation has provided data
management services and technology. The company helps both large and small
businesses sell better products and services smarter, faster, and at a lower
cost. Acxiom’s business includes two distinct components: database
management services and information products. Database management
services, representing almost 90% of the company’s revenue, assist businesses
in better managing their customer information, helping them save costs and
secure a better return on their marketing efforts. Acxiom’s information
products – directories, customer enhancement and list products – provide
needed intelligence to help businesses overcome the time and distance of
less-personal customer relationships.
Acxiom has approximately 5,000 employees worldwide, has
processing centers in Arkansas, Illinois, Arizona and California, and has
operations in the UK, Australia, France and Japan.
Experian Marketing Services
Experian is one of the world's leading information
solutions companies. Experian Marketing Solutions enables organizations to
make fast, informed decisions to improve and personalize relationships with
their customers. This is done by combining decision-making software and
systems with some of the world's most comprehensive databases of information
about consumers, businesses, and property.
Experian Information Solutions is a consumer reporting
agency that enables businesses to make objective, safe, secure loans and
minimize other credit-related losses, while providing consumers instant access
to credit. Experian also provides reference services, analytic services,
and consulting solutions. Experian employs 6,500 people in North America,
with major facilities in Costa Mesa, CA; Allen, TX; Denver, CO; Atlanta, GA; Mt.
Pleasant, IA; Schaumber, IL: Lincoln, NE; Parsippany, NJ; Albany, NY; New York
City, NY; Rye, NY; and Rutland, VT.
Direct Marketing Services
Experian direct marketing services help bring businesses
and their customers together. Businesses rely on Experian to help them
better understand their markets and the characteristics of the people who do
business with them. Understanding the marketplace makes possible faster, more
efficient product development and delivery, better retail outlet and service
center locations, improved customer service, more cost-effective advertising,
and lower costs for consumers. By identifying the characteristics of
consumers likely to be interested in certain kinds of products and services,
Experian helps marketers more efficiently reach consumers who are most likely to
be interested in a business’s products or services.
Credit Reporting
Experian and the companies from which it was formed have
provided credit reporting services for more than 100 years. Today,
hundreds of millions of credit reports are provided to lenders annually.
The ability of creditors to check a person’s credit references in an instant
enables them to make rapid, sound, and objective lending decisions. That
ability helps consumers get the credit they need and deserve faster and cheaper
than anywhere else in the world.
Customer Relationship Management
Experian helps businesses establish and develop
long-lasting customer relationships through responsible information use.
We help businesses get a clearer picture of their customers across multiple
business units and market segments. We help companies understand why
certain kinds of people shop with them and what the customer needs. With
that clearer understanding, Experian then is able to provide information
services that help businesses initiate relationships with new customers, assist
the businesses in developing new, desirable products and services, and aid in
providing pleasant shopping and effective customer service. The result is
a better shopping experience for consumers and more profitable operation for
businesses.
Automotive Information Services
Experian Automotive Information Services specialize in the
collection and dissemination of vehicular data from each of the 51 United States
jurisdictions. The information is utilized to provide valuable services to
auto dealers, manufacturers, consumers and advocacy organizations, advertising
agencies and internet information sites, law enforcement and tollway
authorities. Detailed vehicle history reports enable consumers to make
informed used-auto purchasing decisions. Manufacturers rely on our
services to manage recalls and conduct market analysis to manage product supply
and improve service.
Electronic Commerce Services
Experian’s electronic commerce division helps businesses
establish a presence in the electronic marketplace, develop relationships with
online consumers, and ensure consumers and businesses enjoy positive, safe
transactions.
Individual Reference Services
Experian reference services help people, businesses,
non-profit organizations, government agencies, law enforcement, and other
organizations identify, locate, and verify the identity of individuals.
The most recognized individual reference services are the telephone book and
directory assistance – services you use every day. They usually include
only names, addresses and telephone numbers. More sophisticated reference
services may include information about whether you own a home or rent an
apartment, how long you have lived in the same location, and if there are
additional household members. Sensitive identifying information such as
your Social Security number, drivers license number, and date of birth is
included in some reference services. These services, however, are limited
to use by law enforcement, government agencies, and other organizations with a
legitimate and appropriate need for such information.
TRILEGIANT CORPORATION
Trilegiant Corporation is one of the country’s largest
direct mail marketers. Trilegiant offers consumers the opportunity to join
various membership clubs that provide valuable services, significant discounts
and other member privileges. Trilegiant’s membership clubs provide a
wide array of financial and consumer-based individual services, including those
relating to shopping, travel, auto, personal finance and other membership
programs that make their lives more convenient and secure. We were a
pioneer in the direct marketing and membership services business and have been
active for over 27 years, and we currently have over 23 million members in the
U.S. who enjoy our services. Trilegiant partners with many of the
nation’s leading financial, retail and media entities to enable them to
enhance their customer loyalty and brand affinity and to generate additional
revenue.
Each year, Trilegiant mails hundreds of millions of pieces
of consumer correspondence, receives tens of millions of inbound telemarketing
calls, and conducts millions of outbound telemarketing calls. Trilegiant
also is a major on-line marketer and partners with many of the country’s
largest on-line businesses and markets its services through hundreds of millions
of on-line impressions.
Trilegiant has over 3,000 employees in facilities across the nation.
|
