FTC: Consumer Privacy Comments Concerning The Information Industry Association--P954807
INFORMATION INDUSTRY ASSOCIATION
June 9, 1997
Mr. Donald S. Clark
Dear Mr. Clark:
Attached, please find six paper copies of supplemental information to the Information Industry Association's ("IIA") official response to the Federal Trade Commission's Consumer Privacy studies (P954807).
Should you have any questions, please do not hesitate to contact me at (202) 319-0141.
cc: Martha Lanesberg
1625 Massachusetts Avenue, NW Suite 700 Washington, DC 20036 202-986-0280 FAX 202-638-4403
INFORMATION INDUSTRY ASSOCIATION
Supplemental Comments of the
INFORMATION INDUSTRY ASSOCIATION
in response to the
FEDERAL TRADE COMMISSION
request for comments
Consumer Privacy 1997-- Comment: P954807
June 9, 1997
In response to a request from Federal Trade Commission (FTC) staff, the Information Industry Association (IIA) is hereby submitting supplemental information in response to the FTC's Consumer Privacy Study (Comment: P954807). These additional comments specifically address IIA's ongoing efforts to assist member companies in defining and fulfilling their responsibilities in the field of fair information practices. We appreciate the opportunity to provide this additional information, and look forward to continued dialog with the FTC in this matter.
IIA is the foremost trade association of companies involved in the creation and distribution of information products and services, particularly in the electronic environment. IIA's 550 member companies have extremely diverse business interests and include leading publishing firms, the nation's most innovative software producers and the world's largest providers of telecommunications services and technologies. IIA's membership is reflective of the entire information industry and includes not only large multinationals but many entrepreneurial start-ups whose financial and human resources are dedicated to serving the needs of a wide variety of consumers.
Virtually every IIA member company collects or uses individually identifiable data in some way. The data is drawn from a wide and abundant range of sources, including but certainly not limited to: the individuals themselves, publicly available and publicly-sourced records, and business records. Furthermore, the data sources are available via a variety of paper and electronic media. Once the data is collected, it is generally complied into a database. Commercial producers and providers then create information-rich products and services from the databases which are used by companies, individuals and a wide range of public and private institutions, to make more informed decisions about every conceivable business, social and political issue.
Though the products and services of IIA members are extremely diverse, the balance between the free flow of information and individual privacy concerns is central to what each and every one of them does. Therefore, IIA has been a consistent participant in the debate about privacy protection virtually since its founding in 1968, and has been committed to assisting our member companies in defining and fulfilling their responsibilities in the field of fair information practices in an efficient, comprehensive and balanced way.
Because many of IIA's members are among the pioneers in delivering information electronically, the idea of striking a careful balance between the free flow of information and individual privacy concerns in an electronic environment is not new. It is, however, more intensified today as "online" technology (Internet and the World Wide Web) has heightened awareness and -- in some instances -- anxiety among individuals and policymakers regarding the collection and use of individually identifiable information.
The assistance IIA provides its member companies encompasses many activities. The most important element of all the activities, however, is education. With respect to the FTC's online consumer privacy study and the serious issues it is examining, IIA has facilitated education of our members in several ways, including: individual discussions with FTC staff and Commissioners; roundtable discussions with FTC staff; participation in last year's FTC workshop; filing of comments; regular communications with IIA members such as inclusion of articles in Association-wide publications; and hosting Commissioner Christine Varney on a panel at our annual conference attended by over 100 information companies.
Providing these educational fora is critical to helping establish a common understanding and appreciation of the issues at hand.
Development of Guidelines:
IIA has also developed and adopted a set of Fair Information Practices Guidelines. The process of drafting and debating HA's 1994 guidelines underscored for many information companies the difficulties of devising clear rules designed for general applicability across the broad spectrum of information products and services that may contain personally identifiable information. The current IIA guidelines are not a set of absolutes; they instead reflect a market-based, self-regulatory approach. The guidelines identify principles generally regarded as important elements of corporate fair information practices and then rely on businesses to implement them as most appropriate, taking into account market forces and consumer demand.
Early this year, after much discussion and education, IIA member companies decided to revisit and revise -- where necessary -- IIA's existing guidelines. While members agreed that some of the underlying concepts contained in the 1994 guidelines such as: development and dissemination of individual company fair information practices guidelines; disclosure to individuals regarding uses of their personally identifiable information; maintaining the quality of data and protecting the of security of data should continue to be included. Companies also recognized that today's business realities, especially online information delivery, would likely be more adequately addressed if the 1994 guidelines were reexamined. Members also agreed that today's heightened political climate (both domestically and internationally) and consumer anxiety warranted a fresh look at the guidelines.
However, because IIA's members are largely using the Internet and World Wide Web as enhancements to their print and proprietary electronic products and services, IIA also decided that it could not develop new guidelines in the solely for the online world (see IIA Comment: P954807; May 19, 1997; p.27). Thus, the revised guidelines being developed by IIA will continue be relevant to all delivery media -- print, proprietary electronic systems and the online environment. In this respect, IIA's guidelines will be unlike other trade associations and coalitions whose membership typically uses individually identifiable information for one specific business purpose (e.g. marketing or advertising) and can, perhaps more easily, separate guidelines for online delivery from guidelines for delivery via existing media.
While it is premature to discuss the details of the revised Association guidelines, it would be accurate to state that none of the important elements of IIA's existing guidelines -- disclosure to individuals regarding uses of their personally identifiable information; maintaining the quality of data and protecting the of security of data -- will be eliminated and that these existing elements will likely be strengthened. The new guidelines are being drafted by individuals from our member companies who are experts with regard to privacy issues. Many of these participants have been responsible for developing guidelines for their own companies.
Once the drafting is completed, the guidelines will be forwarded to IIA's Board of Directors for consideration and approval by the end of 1997. IIA's Board of Directors consists of high-level decisionmakers from 21 leading companies in the information industry. A crucial part of the revision process has been a commitment on the part of IIA and its members companies to a serious educational campaign about the content of the guidelines, and an effort to help member companies implement them once approved.
The Association's process for considering and adopting fair information practices guidelines has the advantage of addressing the privacy concerns of consumers as they relate to all information delivery media. Once adopted, the guidelines will also have the backing of business leaders whose endorsement will carry much credence within the information industry.
Additionally, due in large part to IIA educational efforts thus far -- including exposure to the Commission and other policymakers -- many IIA members have already developed fair information practices guidelines for their own companies and serve as examples to the many more companies who are currently in the process of doing so. Among them are IIA member companies who are participating in the FTC's June 10- 1 3 hearings such as: Experian; LEXIS-NEXIS; IRSC; The Dun & Bradstreet Corporation; America Online, Inc.; and the McGraw-Hill Companies.
Many of these organizations -- as well as other IIA members -- also have in place very stringent security measures and restrictions on access to information. These protections are in place for employee access as well as for customer access. The level of protection depends on the sensitivity of the personal information being accessed and is generally enforced through contractual obligations. The measures include technological blocks on information access, customer and product screening, and intensive customer education. In some instances, the costs of participating in commercial systems raise barriers to access for frivolous or unjustified purposes.
Finally, while the policy of IIA's self-regulatory approach is not precise, it is flexible and realistic and has worked well. In this era of rapidly changing technology and consumer preference, it should continue to be operative by providing flexibility to respond efficiently and effectively to consumer concerns.