A Report to Congress
Federal Trade Commission
Robert Pitofsky, Chairman
In the past year, there has been growing public concern about computerized databases that collect and disseminate personal identifying information about consumers. At the request of three United States Senators, the Federal Trade Commission has conducted a study of computerized database services that are used to locate, identify, or verify the identity of individuals, often referred to as individual reference services or look-up services. The Commission has gathered information about the individual reference services industry by soliciting public comments and holding a public workshop in June 1997. At the workshop, industry members announced that they had formed the Individual Reference Services Group, or IRSG Group and intended to draft a self-regulatory framework to address concerns associated with their industry. Commission staff has worked with this group to encourage it to adopt an effective self-regulatory proposal.
This report summarizes what the Commission has learned about the individual reference services industry, examines the benefits, risks, and potential controls associated with these services, and assesses the viability of the IRSG Groups proposal. The report concludes with recommendations that address concerns left unresolved by the proposal.
A vast amount of information about consumers is available through individual reference services. This information is gleaned from various public sources, such as public records and the telephone directory, and non-public sources, such as credit header information from credit bureaus (which typically contains name, aliases, birth date, Social Security number, current and prior addresses, and phone number). Information contained in individual reference services databases ranges from purely identifying information, e.g., name and phone number, to much more extensive data, e.g., driving records, criminal and civil court records, property records, and licensing records.
Convenient access to so much information about individuals through individual reference services confers myriad benefits on users of these services and on society. The look-up services enable law enforcement agencies to carry out their missions, public interest groups to find missing children, banks and corporations to prevent fraud, journalists to report the news, lawyers to locate witnesses, and consumers to find lost relatives. At the same time, the increasing availability of this information poses various risks of harm to consumers. One harm is to consumers privacy interests; many consumers are increasingly concerned that personal information is so widely available. Consumers also may be harmed in more concrete ways. For instance, the easy availability of this information could lead to increased incidence of identity theft.
The IRSG Group has developed and agreed to a set of principles that regulates the availability of information obtained from non-public sources through individual reference services by implementing the voluntary restrictions described in this report. Restrictions on access to certain non-public information vary according to the category of customer; customers that have less restricted access to non-public information are subject to greater controls. It is particularly noteworthy that the principles prohibit distribution to the general public of certain non-public information, including Social Security number, mothers maiden name, and date of birth. In addition, consumers will be able to access the non-public information maintained about them in these services and to prevent the sharing (i.e., opt out) of the non-public information distributed to the general public.
Most importantly, the principles show particular promise because they include a compliance assurance mechanism and are likely to influence virtually the entire individual reference services industry. Members must undergo an annual compliance review by a third- party, the results of which will be made public, and members that are information suppliers are prohibited from selling to entities who fail to comply. Thus, the principles should substantially lessen the risk that information held by these services will be misused, and they should address consumers concerns about the privacy of non-public information about them in the services databases.
The Commission commends members of the IRSG Group for the commitment and concern they have shown in drafting and agreeing to comply with an innovative and far-reaching self-regulatory program. The principles address most of the concerns associated with the increased availability of non-public information through individual reference services while preserving important benefits conferred by this industry.
Despite the laudable efforts of the IRSG Group, important issues related to individual reference services remain. The IRSG principles do not give consumers access to the public information maintained about them and disseminated by the look-up services. Accordingly, consumers will not be able to check for inaccuracies resulting from transcription or other errors occurring in the process of obtaining or compiling the public information by the look-up services. IRSG members have agreed to revisit this issue in eighteen months, and to consider whether to conduct a study quantifying the extent of any such inaccuracies. The Commission strongly urges the IRSG Group to conduct an objective analysis to determine whether the frequency of inaccuracies and the harm associated with them are such that consumer access to public record information or other safeguards are in fact unnecessary.
The Commission also encourages public agencies to consider the potential consequences associated with the increasing accessibility of public records when formulating or reviewing their public records collection and dissemination practices. Furthermore, the Commission is concerned that individuals may be adversely affected by errors in information obtained through look-up services; therefore, the Commission encourages businesses that rely on such information in making adverse decisions (where not already required by law) to voluntarily notify affected consumers of the sources of the information, as long as such notification would not impede law enforcement or fraud prevention. Finally, the Commission acknowledges and encourages the ongoing efforts of many privacy advocates, consumer groups, government agencies, and the IRSG Group to educate the public about information privacy issues. The Commission looks forward to working with all of these groups in this important effort.
Table of Contents
Last Updated: Tuesday, April 01, 2003