The White House: Electronic Privacy Initiative


At this stage, the U S Government has effected legislation on only the most sensitive of information and has allowed the industry to self-regulate. Final rules for health providers and plans are being effected and will be implemented within two years. For financial services there are new privacy standards under the Financial modernisation law passed in 1998. (DMA Website, 1999)

The Federal Trade Commission effected laws governing the privacy of minors taking effect from April, 2000. This prohibits marketing to children under 13 without the permission of their parents. (FTC Website, 1999)

The FTC established the Advisory Committee on Online Access and Security in December 1999. It's purpose was to provide advice and recommendations to the Commission regarding implementation of certain fair information practices by domestic commercial Web sites. In particular, the Advisory Committee addressed providing online consumers reasonable access to personal information collected from and about them and maintaining adequate security for that information. (FTC Website, 1999)

Any self-regulation must be uniform across the industry and include all database providers such as DMA, Acxiom, Criss Cross, medical records, health care and insurance providers and Government departments etc.

The Direct Marketing Association as mentioned in the case is one of these databanks. They operate as a Data Warehouse that each telemarketer or marketing member is able to access and retrieve lists as required.

The policies proposed by Gore are explained as follows:

  1. Prohibit companies from pre-screening their credit records without their permission The credit records are just one area of what the Privacy Act covers. This credit information comes under strict legislation for accessing by members. In Australia, databases that involve the reporting of information about an individual's eligibility to be provided with credit, or history in relation to credit, or capacity to repay credit, are regulated by the Privacy Act 1988 and the Credit Reporting Code of Conduct. (Australian Government Privacy website)  undated

    However, in my own situation there have been times when I have signed credit authorisations after my loan has been approved and upon receipt of funds. It appears that the signing itself, is merely a record keeping formality, and that the providers have accessed the information long before I have given written consent for it to be accessed.

    In order to ensure that credit records and sensitive consumer information is not released, I feel that this site should be Government controlled so that interest in obtaining information isn't an economic one. Access could be restricted by an electronic and verified signature of the customer so that members were unable to illegally access unauthorised information. Though the Government may not wish to generate revenue from holding what is considered to be tangible and valuable information, they would need to charge whatever fees are necessary to ensure that the database will be up to date, efficient and effective.


  2. Prevent their drivers license data from being sold to data miners

    Greg Nojeim, ACLU legislative counsel stated "The US Drivers' Privacy Protection Act (DPPA), supposed to protect the privacy of personal information was riddled with loopholes." Whilst it was supposed to prevent the Department of Motor Vehicles from releasing information about drivers, it was challenged by South Carolina in court who argued that the Federal law violated states' rights, specifically, the US Constitution's 10th Amendment.

    A federal district court and the Fourth Circuit Court of Appeals agreed, ruling "Congress lacked the authority" to pass such a law. (McCullagh, 1999)

    Currently databases can provide a complete profile on an individual; details of their expenditure/income and a profile of their tastes by what their credit card purchases are. Through online purchases to a provider like amazon, their tastes profile can be even more specific, right down to the subjects of the books that they are purchasing even their culinary tastes may be able to be profiled. Links may become available through registries of their spouse and habits, details of children, and family members.

    One way to alleviate some of the concerns on breach of privacy is for the main database to specify what information is available to general members and designate sensitive information to require a specific password/permission before providing that information to members.

    By restricting access and only selling the basic and most pertinent profile information to a marketer, the individual can be assured of reasonable privacy. This can only be effected by a (preferably Government controlled) main database warehouse that is able to maintain records using a specific primary key. Again, the drivers licence or unique key details would be one of the restricted access areas and not revealed to subscribers unless they had an electronic signature attached to a signed authorisation for that specific information to be made available. Drivers license or other unique details should only be helpful as a primary access key known only by the databank as it is just not necessary information for most marketers.


  3. Remove their name and address from direct-mailing and telemarketing lists. This could be achieved by having an "opt out" facility which blacklists the names at the point of the main data warehouse.

    Once names are removed from the main database host, there would be a flagging facility on the "opt out" name should members upload the name as one of their own customers.


Positive and negative consequences of these systems

As a database warehouse will hold a large number of names, it must use a specific and unique key. Because populations may be transient, the most specific key is a social security, drivers licence or tax file number. This is perceived as a threat to privacy as once the customer has been identified so specifically, the file is capable of holding an unlimited amount of information on a person; their credit card number/s

By using a primary key such as social security, tax file number or driver's license, a person's most current and up-to-date address and telephone number is available.

The positives to this type of procedure is that there is a single centralised database warehouse that can provide up to date and specific information to marketers and companies to ensure that their advertising dollars are optimally spent.

However, stringent protection and "opt outs" taken up by a large proportion of the population may reduce marketers' ability to specifically target their marketing efforts. Improved database administration has so far enabled marketing to be more productive and keep advertising and subsequently, prices of products lower than competitors.

The consumer's name needs to be blacklisted from the main database provider to ensure a consistent and uniform database. However, member databases may lose the ability to advise their customers of specific products aligned with the product that the blacklisted customer is currently using.

For instance, if a bank decided it would like to advise both existing and potential customers of a new facility offered within their cheque account, they would need to make a SQL Query to extract from DMA all customers that their product may be relevant to. This should perhaps include new potential customers, existing customers and their own "opt out" customers. Should the bank feel that the new information is part of a continuation of an existing service to their "opt out" customer, they then need to make a decision as to whether the information is necessary and specific to their customers' well being or whether it is simply an additonal, but stand alone product.

Another consideration in privacy regulations is that there is an intrinsic value placed on names in a company, especially information services companies. Amazon.com recently advised customers of its privacy policy and their treatment of customer names as a normal asset which is saleable by the company. (amazon.com 2000) This was in light of the attempted sale of names by toysmart.com upon their liquidation. Amazon.com

Summary

Unfortunately, whilst privacy invasion can be minimised, it is almost impossible to eliminate it.

However, a databank regulated or controlled by the Government does not guarantee the public confidence. Many individuals may feel that a Government controlled authority would further reduce the freedom they have from their Government and fear the "big brother" of Government far more than the "big brother" of commerce. The Government has done little to allay those fears. Only last week, USA Today reported that U.S Government agencies are one of the main offenders in breaching privacy by using cookies to track internet users and providing the information to private companies. (USA Today, 2000)

However, I feel that current regulations as they stand are limited and people's privacy is already at risk under the present commercial control and their information being a tangible asset of private enterprise. The risk of privacy infringements is exacerbated when databases hold such a high value as an asset.




BIBLIOGRAPHY

DMA Website, 1999

FTC Website, 1999 Kid's Privacy  and Advisory Committee on Online Privacy and Security

Australian Government Privacy website, undated

McCullagh, Declan, "Your Driver's license for Sale?" 25th June, 1999 Wired.com

Amazon website, 2000

Tech Report, "Study: Govt Web sites track users" USA Today 23rd October, 2000