Data Base Study - Comment, P974806

1.5 Do the data bases contain identifying information that consumers regard as sensitive? What identifying information is considered to be sensitive? Why is such information regarded as sensitive? Please provide specific examples.

Sensitivity is in the eyes of the beholder. The direct marketing magazine Direct published in its June 1996 issue a survey about consumers' perception of the use of their personal information.<7> One of the questions of the survey had a list of categories and asked consumers to say for each category if it is OK or wrong to collect this type of information or if it is so wrong that it should be against the law. The answers are provided below (the survey is also attached). Bear in mind that these answers are under the assumption that the information is collected for potentially positive products and services. When the use is less favorable for recipients (like databases used by lawyers), the results may be even lower in acceptability:

OK    Wrong  Illegal  Category
 4%   37%    58%      Your social security number
 9%   50%    40%      The spending limits on your credit cards
13%   51%    33%      Your sexual preference
14%   50%    35%      What credit cards you have
18%   50%    31%      Approximate Annual Income
23%   49%    25%      The names and ages of any children in your household
30%   51%    18%      Your political affiliation and position on political issues
30%   48%    21%      Information about medical or health products you have purchased
31%   44%    24%      Your race or ethnic group
32%   47%    20%      Your religion
36%   48%    14%      Your height and weight
44%   37%    17%      Whether or not there are children in your household
44%   40%    14%      If your household is expecting a baby
47%   39%    12%      The make and model of the car or cars you own
50%   40%    10%      Your education
51%   35%    12%      Whether or not you are married
54%   33%    11%      How long have you lived at your current address
54%   34%    10%      What products and services you buy
55%   33%    11%      Age
59%   29%    10%      Whether or not you own a computer and what type it is
62%   29%     8%      Your hobbies and other interests
64%   27%     8%      What TV shows you watch

It is interesting to note that regardless of how benign the category is, at least 36% of the public sees any collection of their personal information as wrong or illegal. This figure jumps to over 60% for questions of weight, height or religion, which most people see as personal, to over 80% when talking about highly sensitive financial issues and sexual preference, and over 95% object to the collection of their SS#.

1.6 Do the data bases contain identifying information that consumers regard as non-sensitive? What identifying information is considered to be non-sensitive? Why is such information regarded as non-sensitive? Please provide specific examples.

(Same answer as previous question 1.5.)

1.11 How do the risks of the collection, compilation, sale, and use of this information compare with the benefits?

There are very few benefits, if any, that consumers cannot get in an opt-in system. Therefore, the unauthorized collection, compilation, sale and use of personal information creates almost entirely a risk without adding much benefit to consumers. The authorized collection and use, however, can reduce the risk significantly while keeping most of the benefits.

1.17 How should the benefits of the collection, compilation, sale, and use of information from these data bases be balanced against privacy or other legal interests implicated by such practices? Are there other ways to obtain these benefits without implicating privacy or other legal interests? If so, please describe.

As described in the attached document,<6> which was composed after extensive discussion between privacy advocates and private investigators, it is possible to design a system that takes all needs into account. The main concept is that the database companies will become accountable to consumers for the use of their personal information. In return, consumers will agree to provide blanket authorizations (for specific categories) which the database companies could use in selling the data. In addition, courts may order access to the data. However, if the data was misused, the database companies would become accountable.

Here are the guidelines stated in the document:

GUIDELINES

1. Limit access only for certain pre-approved categories of reasons. Each category entails only pre-determined portions of the record.
 
2. Consumers have a right to accept or deny a use in each category.
 
3. Limit access to specific pre-approved groups of qualified recipients. Qualification to certain categories may require federal licensing.
 
4. Bureaus will be responsible to keep complete records and audit trail on all requests and accesses.
 
5. Bureaus will report all accesses to the subject person periodically or by request, and make their records available in disputes.
 
6. Bureaus will be automatically liable for unauthorized or undocumented ACCESS to personal records.
 
7. Recipients will be liable for unauthorized USE of accessed information.

This method creates a system in which the information flows from consumers to databases to investigators to ultimate users, but each recipient is accountable to the provider of the information so that the information is not abused.

1.18 Is the ultimate use of the information disclosed to the subject individuals? At what point in time is the use of the information disclosed? What is the content of such disclosures? Is there any information that should be added to these disclosures? If so, please describe.

Federally licensed investigators may be allowed to not disclose the end users, but they should still be accountable to the database company and the consumer for the use of the information. If the information is used for other purposes, then consumers (or database companies) would have the right to force the investigators to reveal the end user.

The main purpose of this disclosure is to create accountability that can be hidden in case of a problem.

1.20 Is there an effective mechanism for an individual to remove his or her name from a data base or otherwise control the use of their personal identifying information? If so, please describe.

In stating this question, it is important to understand that no consumer knows about all data bases in existence and thus would not know to remove himself or herself from them, even if the databases have removal instructions. Therefore, an effective removal mechanism needs to have an active notification to consumers, telling them about the fact that their personal information is on the database and advising them on the ability to remove themselves from it.

No database today has that feature.

1.25 Is the collection, compilation, sale, and use of this information subject to any state laws or regulations? If so, please describe.

Many states (NY, CA, VA, FL, ...) have laws that prevent the commercial use of a name. For example, VA law says:

"A person, firm or corporation that knowingly uses for advertising purposes, or for the purpose of trade, the name, portrait, or picture of any person resident in the Commonwealth, without having first obtained the written consent of such person shall be deemed guilty of a misdemeanor and be fined not less than $50 nor more than $1,000."

-- (Criminal Code of Virginia, Section 18.2-216.1)

This law and similar others can and should be applied to unauthorized use of names in data bases.

1.26 Should the collection, compilation, sale, and use of information from these data bases be subject to additional regulations or laws? If so, what regulatory or legal requirements are appropriate?

Unfortunately, self-regulation does not work. Since industry associations are funded by the companies who benefit from unrestricted use of personal information, and since associations cannot enforce their rules on outside companies because of antitrust laws, the economic incentives have prevented in the past and will prevent in the future any possibility that most companies will honor voluntary guidelines. This is especially true in the Internet environment, where numerous small and home businesses attempt to do business but do not have the financial ability to participate in the mechanism of the large industry associations.

Thus, consumers would need to fend for themselves for inevitable violations and the government should make sure that consumers will indeed have an enforceable cause of action.

The easiest method is the opt-in one. This would require authorization and thus accountability for every use of personal information, not only among organizations but also between organizations and individuals.

An opt-out method can work only if there is real accountability of the opt-out mechanism to the consumer and only if the consumer has the choice of opting out once rather than having to do so from every database, most of which are invisible to most consumers. Thus, an opt-out system would require a law to force companies to check a central opt-out system or honor requests from consumer agents, and give consumers a non-industry cause of action if they have not.

In any case, consumers are the only ones who are entitled to benefit commercially from their personal information. It is my belief that such a law already exists (see question 1.25), but that has not been proved yet. A federal law crystallizing this principle is recommended. Such a law would force an opt-in system.