[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]
``HOW DO BUSINESSES USE CUSTOMER INFORMATION: IS THE CUSTOMER'S PRIVACY
PROTECTED?''
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
COMMERCE, TRADE, AND CONSUMER PROTECTION
of the
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION
__________
JULY 26, 2001
__________
Serial No. 107-49
__________
Printed for the use of the Committee on Energy and Commerce
Available via the World Wide Web: http://www.access.gpo.gov/congress/
house
__________
U.S. GOVERNMENT PRINTING OFFICE
74-846CC WASHINGTON : 2001
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON ENERGY AND COMMERCE
W.J. ``BILLY'' TAUZIN, Louisiana, Chairman
MICHAEL BILIRAKIS, Florida JOHN D. DINGELL, Michigan
JOE BARTON, Texas HENRY A. WAXMAN, California
FRED UPTON, Michigan EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida RALPH M. HALL, Texas
PAUL E. GILLMOR, Ohio RICK BOUCHER, Virginia
JAMES C. GREENWOOD, Pennsylvania EDOLPHUS TOWNS, New York
CHRISTOPHER COX, California FRANK PALLONE, Jr., New Jersey
NATHAN DEAL, Georgia SHERROD BROWN, Ohio
STEVE LARGENT, Oklahoma BART GORDON, Tennessee
RICHARD BURR, North Carolina PETER DEUTSCH, Florida
ED WHITFIELD, Kentucky BOBBY L. RUSH, Illinois
GREG GANSKE, Iowa ANNA G. ESHOO, California
CHARLIE NORWOOD, Georgia BART STUPAK, Michigan
BARBARA CUBIN, Wyoming ELIOT L. ENGEL, New York
JOHN SHIMKUS, Illinois TOM SAWYER, Ohio
HEATHER WILSON, New Mexico ALBERT R. WYNN, Maryland
JOHN B. SHADEGG, Arizona GENE GREEN, Texas
CHARLES ``CHIP'' PICKERING, KAREN McCARTHY, Missouri
Mississippi TED STRICKLAND, Ohio
VITO FOSSELLA, New York DIANA DeGETTE, Colorado
ROY BLUNT, Missouri THOMAS M. BARRETT, Wisconsin
TOM DAVIS, Virginia BILL LUTHER, Minnesota
ED BRYANT, Tennessee LOIS CAPPS, California
ROBERT L. EHRLICH, Jr., Maryland MICHAEL F. DOYLE, Pennsylvania
STEVE BUYER, Indiana CHRISTOPHER JOHN, Louisiana
GEORGE RADANOVICH, California JANE HARMAN, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
David V. Marventano, Staff Director
James D. Barnette, General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel
______
Subcommittee on Commerce, Trade, and Consumer Protection
CLIFF STEARNS, Florida, Chairman
NATHAN DEAL, Georgia EDOLPHUS TOWNS, New York
Vice Chairman DIANA DeGETTE, Colorado
ED WHITFIELD, Kentucky LOIS CAPPS, California
BARBARA CUBIN, Wyoming MICHAEL F. DOYLE, Pennsylvania
JOHN SHIMKUS, Illinois CHRISTOPHER JOHN, Louisiana
JOHN B. SHADEGG, Arizona JANE HARMAN, California
ED BRYANT, Tennessee HENRY A. WAXMAN, California
STEVE BUYER, Indiana EDWARD J. MARKEY, Massachusetts
GEORGE RADANOVICH, California BART GORDON, Tennessee
CHARLES F. BASS, New Hampshire PETER DEUTSCH, Florida
JOSEPH R. PITTS, Pennsylvania BOBBY L. RUSH, Illinois
GREG WALDEN, Oregon ANNA G. ESHOO, California
LEE TERRY, Nebraska JOHN D. DINGELL, Michigan,
W.J. ``BILLY'' TAUZIN, Louisiana (Ex Officio)
(Ex Officio)
(ii)
C O N T E N T S
__________
Page
Testimony of:
Barrett, Jennifer T., Chief Privacy Officer, Acxiom.......... 49
Ford, John A., Chief Privacy Officer, Equifax, Inc........... 58
Hourigan, Jacqueline L., Director, Corporation Data Policies,
General Motors Corporation................................. 12
Johnson, David A., Vice President, Direct Marketing, Land's
End, Inc................................................... 23
Misener, Paul, Vice President, Global Public Policy,
Amazon.com................................................. 18
Pearson, Harriet P., Chief Privacy Officer, IBM.............. 7
Swift, Zeke, Director, Global Privacy, Procter & Gamble...... 15
Zuccarini, Deborah, Executive Vice President and Chief
Marketing Officer, Experian Marketing Solutions............ 65
(iii)
``HOW DO BUSINESSES USE CUSTOMER INFORMATION: IS THE CUSTOMER'S PRIVACY
PROTECTED?''
----------
THURSDAY, JULY 26, 2001
U.S. House of Representatives,
Committee on Energy and Commerce,
Subcommittee on Commerce, Trade,
and Consumer Protection,
Washington, DC.
The subcommittee met, pursuant to notice, at 9:35 a.m., in
room 2322, Rayburn House Office Building, Hon. Cliff Stearns
(chairman) presiding.
Members present: Representatives Stearns, Shimkus, Bryant,
Walden, Terry, Bass, Tauzin (ex officio), Towns, DeGette,
Doyle, John, and Harman.
Staff present: Ramsen Betfarhad, majority counsel; Michael
O'Reilly, professional staff member; Brendan Williams,
legislative clerk; and M. Bruce Gwinn, minority counsel.
Mr. Stearns. Good morning, good morning. I welcome all of
you here. This is the sixth and last in a series of hearings on
information privacy held by our Subcommittee on Commerce,
Trade, and Consumer Protection. This hearing concludes one
phase of the subcommittee's inquiry into information privacy,
but not the inquiry itself.
I think these hearings have fulfilled their objective of
informing members and the public at large, in a deliberate and
careful manner, of the many issues implicated by the privacy
debate. The collective record of the six hearings is a rich
resource of information and opinion on the issue of information
privacy, and should be used to inform all of us on the debate
on this issue.
I commend members of the committee to review the hearings
that we have had, the record that has been amassed by this
subcommittee on this important issue of information privacy,
before they seek to formulate or finalize their judgments on
this matter. In no other location, either within or without the
Hill, will we find a more comprehensive record on information
privacy.
I am especially pleased to have as witnesses executives
that represent some of the most revered companies in corporate
America. We all are or have been, at one time or another,
customers of General Motors, IBM, Proctor & Gamble, Amazon.com,
and Land's End. I appreciate the fact that these companies
didn't have to be here testifying on the difficult public
policy matter of information privacy. So I recommend--I commend
all of them for their participation and wish to thank them for
coming.
Many have written on or spoken to the issue of information
privacy in the commercial world, as if the issue existed in a
vacuum. That is to say, some commentators on information
privacy speak with little or no consideration of the realities
that characterize the intersection between privacy and the
commercial world. Today, we have the rare opportunity to ask
these large transnational corporations, representing differing
industries, and the three top compilers, what really transpires
in the real world with respect to consumer information.
The witnesses on the first panel represent a diverse group
of companies, ranging from the world's largest industrial
corporation with 400,000 employees, to one that markets 300
brands of consumer products to nearly 5 billion customers--let
me repeat, 5 billion customers--worldwide, and an online
company that in less than 6 years has become one of the most
recognized brands in retailing. These companies will all speak
to how they collect customer information; what types of
information they collect; what uses they put that collected
information to; why they use the information in the way that
they do; and what business or legal incentives are in place
assuring the proper utilization of that consumer information.
Moreover, the witnesses on the second panel, representing
data compilers, will help us better understand what it is that
they do. We may know the most about the credit reporting
services. We have, all of us, invariably been subjected to
credit checks in the course of our ordinary lives, when
applying for a car loan, a mortgage, credit cards, et cetera.
Yet many of us may not know that these three companies provide
authentication and verification services enabling the seamless
and speedy execution of millions of small and mundane
transactions every day, such as the purchase of a CD online
from Amazon.com or off-line from Tower Records.
The insight offered by our witnesses is especially
important when considering the fine balance present between the
proper and improper collection and use of consumer data. As
these hearings have established, there are substantial benefits
that accrue to our economy from the unencumbered flow of
information, particularly consumer information. Meanwhile,
these same hearings have highlighted the fact that Americans do
have concerns regarding abuses that may arise from the
collection and/or use of certain types of consumer information
in the commercial context.
The objective today, in this hearing, is to demystify--make
concrete--data collection and use practices common in the
commercial world today. To put it more bluntly, the testimony,
I hope, will help separate fact from fiction, reality from
myth, when it comes to the issue of information privacy. Only
when empowered with real facts can Congress advance good public
policy addressing information privacy.
So, Mr. John, you are welcome with an opening statement.
Mr. John. Yes, thank you, Chairman Stearns. My friend and
colleague, the ranking member from New York, is tied up at this
moment in another subcommittee, on Commerce and Health. And I
temporarily will try to fill his large shoes. Me being from
Louisiana and him from New York, those are very big and
different shoes to fill.
But I ask unanimous consent that all members be permitted
to include their statements into the record.
Mr. Stearns. By unanimous consent, so ordered.
Mr. John. Thank you.
I am sure that the panelists are ready to get started. I
want to thank them and welcome them, the first panel and also
the second panel, and express my really sincere thanks to
Chairman Stearns for having a series--the sixth, as he said--on
issues that are very important on information privacy.
I also believe that these hearings have been useful, and
helpful, and they have meant a lot because of the issues that
are confronting businesses, regulators, and consumers. And I
really look forward to hearing from the folks that deal with
this issue every day, and working with the chairman and the
ranking member as we move through this process legislatively.
So, welcome. And I look forward to hearing your testimony.
Thanks.
Mr. Stearns. I thank the gentleman. The gentleman from
Illinois, Mr. Shimkus?
Mr. Shimkus. Thank you, Mr. Chairman. I, too, want to
welcome the panel. I would have walked over and introduce
myself; I was here early. But I have an athletic injury, that I
am doing as little walking as possible. But we do appreciate
your attendance.
We have dealt with, are trying to understand this from the
public policy position. Of course, many of us were with the
Commerce Committee when we passed Graham-Leach-Bliley. But
statements have constantly been made in this committee that we
want to get a handle on how privacy is good for business--
obviously, that is what we hope to hear from you all today--and
how you go about doing that.
In the financial services arena, there is some argument
about how sharing of information within a designed arena is
actually good for some consumers, too. And that may not be true
in your business. So that is why this panel is unique in some
of the discussions we have had. I look to focus on that area. I
appreciate your expertise and your willingness to come before
us.
And with that, Mr. Chairman, I yield back my time.
Mr. Stearns. The gentleman yields back. Mr. Doyle, the
gentleman from Pennsylvania?
Mr. Doyle. Thank you, Mr. Chairman. I just want to welcome
our panelists this morning. I think we're all anxious to hear
what they have to say. And I will ask unanimous consent that my
statement may be made part of the record, so that we can hear
our panelists. And I yield back.
[The prepared statement of Hon. Mike Doyle follows:]
Prepared Statement of Hon. Mike Doyle, a Representative in Congress
from the State of Pennsylvania
Thank you Mr. Chairman and Ranking Member, for holding this
hearing. I am looking forward to learning about the technologies,
policies, and approaches that some of the leaders in the electronic
commerce industry have employed to prevent unwanted dissemination and
use of our private consumer information. Thank you all for taking the
time testify this morning.
As the discussions regarding individual consumer privacy progress
in America and before this subcommittee, I know think many of my
constituents back in the Pittsburgh area are not just asking ``how do
business use my information'' but they are saying, ``wait a minute, you
mean businesses have been gathering my personal information all
along?''
I often find that consumers in Western Pennsylvania seem to have no
problem allowing certain personal information to be collected and used
by industry. For example, the regional supermarket, Giant Eagle, asks
for certain access to personal shopping information through the use of
the Giant Eagle Advantage Card. I myself use such a card.
It provides incentives that members undoubtedly find useful, such
as discount coupons through the mail for items that a customer
routinely purchases. Obviously, this is an example of personal
information use that both client and consumer find beneficial and
acceptable.
Protecting this type of personal information, while important, is
decidedly different than protecting against abuses associated Social
Security numbers, birth dates, mother's maiden names, or health
records. It is the extent to which this personally identifiable
information is collected, used, and distributed that pose the greatest
threat to true privacy and create the need for Congress to find a
solution to protect consumers.
The industries represented this morning by our esteemed panelists
are some of the most successful and profitable companies in America. I
am anxious to hear of the problems associated with implementing their
effective self-regulatory policies, for if our Fortune 100 companies
have difficulty funding privacy protection policies, surely our smaller
firms or medium size companies will have greater problems generating
the necessary capital and resources.
In closing, Mr. Chairman, I look forward to finding a way that
Congress can augment and aid effective industry self-regulation in a
manner that will not impede the continued development of e-commerce,
while protecting and ensuring consumer rights are upheld.
Mr. Stearns. The gentleman yields back. His opening
statement will be made a part of the record.
And the gentleman from New Hampshire, Mr. Bass?
Mr. Bass. Thank you very much, Mr. Chairman. And I, too,
join my colleagues in thanking you for having this final
hearing. It has been a fascinating series of hearings. I have
learned more, I think--learned a lot more than I have been able
to impart to other folks about this issue, which is extremely
complex.
And I hope that we will be able to clear up some of the
misconceptions that may exist about corporate or business use
of personal information vis-a-vis Internet transactions. And I
also hope, Mr. Chairman, that as we listen to these witnesses,
we try to separate what may already be illegal anyway under
existing law from what may need to be attended to by the
Congress.
And we may not need to do anything. But again, I think it
is important that this committee fully and thoroughly
investigate the issue so that we understand, so that we
understand its complexity and scope, so that as the Internet
becomes more and more significant in the economy--not that it
isn't already--that we will be in a position to deal with it
from a position of strength, rather than ignorance.
And I appreciate the chairman holding these hearings.
Mr. Stearns. I thank the gentleman.
[Additional statements submitted for the record follow:]
Prepared Statement of Hon. W.J. ``Billy'' Tauzin, Chairman, Committee
on Energy and Commerce
Thank you, Mr. Chairman for calling this hearing. I understand that
this will conclude the series of education hearings you have held on
privacy, so I also want to commend you for developing a process that
allows us to consider this issue in a thoughtful and deliberative
manner.
The topic of today's hearing is very important in the overall
privacy debate. Too often in Washington we are told how it works in the
real world through the eyes of Washington-based trade associations,
lobbyists and consumer groups. Today's witnesses will provide a
different perspective--from the real world. I appreciate their
willingness to come forward and share their knowledge and experience.
As Chairman of the Committee, and as a consumer, I have heard and
seen a great deal of activity by American companies. Let me sum up what
they tell me: they like to exploit consumers for all their worth, they
know consumers don't care about product quality, they don't try to
maintain good customer relations, they can always find new customers to
replace dissatisfied customers, they don't think that their brand name
is that important, and they don't care about consumer privacy. I joke
for purposes of making a point--Companies Do Care About Consumer
Relations. The litany of untruths I just rattled off is completely
opposite from what I have experienced from American business.
In our market economy, competition compels companies to strive to
meet consumer needs. If a company doesn't do what customers want,
they'll go elsewhere. People sometimes seem to forget this. Yet, it is
a fundamental fact of commerce that service to the consumer is the
cornerstone of a successful company.
Privacy is becoming a factor that consumers take into account as
they shop. It may not be the primary concern, but it is a factor. Many
companies have recognized this and have responded in kind with improved
privacy practices. In fact, many of the privacy requirements that some
want mandated by Washington are already being implemented by reputable
companies. It is simply sound business practice to do so.
Some companies even use their privacy practices to gain competitive
marketing advantage over competitors. IBM, for instance, recently
plastered a picture of their privacy guru, who is here with us today,
in countless advertisements. Obviously, they see a positive side to the
privacy debate.
So, it is instructive to examine just how real companies are
dealing with privacy in the real world. We need to learn how
established leaders in the American economy (and often the trend-
setters) collect customer information, what the information is used
for, and how companies handle consumer privacy. I hope the panelists
will enlighten us on these points.
I also hope that this hearing will help debunk the scary scenarios
that have been created to stir up consumer angst. Over the past few
years, we have heard a lot of crazy stories about how consumer
information is used. Many of these stories have proved to be false.
Furthermore, I am pleased to see a discussion of the practices of
the so-called data aggregators. Most people have had experience with
the credit ratings services of some of these companies, but they often
offer many other services. It is important to demystify just how they
operate and what they do.
I note that one of the benefits of data aggregators is of direct
benefit to consumer needs--the reduction of junk mail. If you have ever
received a catalog addressed to you that you have completely no
interest in then you know firsthand the results of poor information.
The accurate information provided by aggregators helps companies offer
consumers the products and services they will find useful. Of course,
many people have questioned the privacy practices of data aggregators
and so here is a chance to set the record straight.
Going forward, one thing should be clear: I don't see a need to
legislate on false scenarios. We cannot and will not design some
elaborate new privacy regime that will take into account every possible
daydream of how information could be used. Reality must be taken into
account. We will look to all parties to keep this in mind as we proceed
in this debate.
I thank the Chairman and appreciate his indulgence.
______
Prepared Statement of Hon. Edolphus Towns, a Representative in Congress
from the State of New York
Thank you Mr. Chairman and I too would like to welcome the
witnesses to our sixth hearing on Privacy.
Nearly every company across the country compiles information on the
consumers who use their products and some companies compile the data to
sell to other corporations. I am interested to hear what the companies
assembled here today have to say regarding their handling of personal
information.
Consumers across the country are literally begging to be informed
on how their information is collected, used and PROTECTED. And that is
assuming they realize who is collecting the information.
It is my hope today that the witnesses will shed light on not only
their practices on HOW they collect information, but what they do with
it after they get that information.
I would like to commend the witnesses today. They have chosen to
step forward and educate members of the committee on this topic. You
all have invested in making consumer's privacy a priority.
This brings me to the main reason I am advocating some sort of
minimum privacy standards. Not all companies are doing what Fortune 100
companies do. Not all of them take their customer's as seriously as do
others.
As I weigh this issue over the August recess and decide what type
of privacy bill to submit, consumer and corporate responsibility will
serve as my compass and I look forward to reviewing the testimony of
past witnesses and hearing the testimony of those assembled here today.
Mr. Chairman, with that I yield back the balance of my time.
______
Prepared Statement of Hon. John D. Dingell, a Representative in
Congress from the State of Michigan
Mr. Chairman, I want to thank you for holding this important
hearing. Privacy has been a major consumer concern for a long time, and
that concern has increased greatly with the advent of the internet and
e-commerce. In fact, market researchers estimated last year that
consumer concerns about privacy and security caused e-retailers to lose
$6.1 billion in sales worldwide. Clearly, business is paying a big
price for the concerns consumers continue to have about online
transactions.
For some online businesses, strong privacy protections have become
the key to greater competitiveness in the marketplace. Many firms now
highly publicize their privacy policies as they vie with each other to
see who can give consumers the greater comfort and security about
online retailing. Today we will hear from several large businesses that
have heard and responded to the privacy concerns of consumers.
While I compliment these companies for their initiative and
responsibility, I would caution my colleagues against drawing any
conclusion that what these firms have done is representative of all
business. It is not. And it is because it is not that the Federal Trade
Commission (FTC) has recommended that Congress pass online privacy
legislation.
The FTC reported to Congress last year, and I quote, ``only 20% of
the busiest sites on the World Wide Web implement to some extent all
four fair information practices in the privacy disclosures.'' The FTC
goes on to say, ``Moreover, the enforcement mechanism so crucial to the
success and credibility of self-regulation is absent.''
Mr. Chairman, a privacy right that is not enforceable is not worth
the paper it's written on, or in this case the screen. That is why this
Subcommittee needs to complete these hearings and get about the
important task of considering legislation. The legislation needs to
establish minimum standards governing the handling of information
online. It needs to give the FTC authority to promulgate more detailed
standards as necessary. And most importantly, it needs to provide
adequate enforcement authority. Without an effective means of enforcing
consumer privacy rights, consumers have no way to guarantee their
rights are protected.
Mr. Chairman, again I thank you for holding this hearing, and I
look forward to working with you and the Ranking Member of the
Subcommittee, Mr. Towns, on legislation to make sure that the privacy
rights of consumers that engage in online transactions are fully
protected.
Mr. Stearns. And now we will have our first panel. Let me
welcome all of you. Ms. Harriet Pearson, Chief Privacy Officer
from IBM; Ms. Jacqueline Hourigan, Director of Corporation Data
Policies, General Motors Corporation; Mr. Zeke Swift, Director,
Global Privacy, Proctor & Gamble; Mr. Paul Misener, Vice
President, Global Public Policy, Amazon.com; and Mr. David
Johnson, Vice President, Direct Marketing, Land's End,
Incorporated.
I welcome you. And Ms. Pearson, we will have your opening
statement.
STATEMENTS OF HARRIET P. PEARSON, CHIEF PRIVACY OFFICER, IBM;
JACQUELINE L. HOURIGAN, DIRECTOR, CORPORATION DATA POLICIES,
GENERAL MOTORS CORPORATION; ZEKE SWIFT, DIRECTOR, GLOBAL
PRIVACY, PROCTER & GAMBLE; PAUL MISENER, VICE PRESIDENT, GLOBAL
PUBLIC POLICY, AMAZON.COM; AND DAVID A. JOHNSON, VICE
PRESIDENT, DIRECT MARKETING, LAND'S END, INC.
Ms. Pearson. Thank you, Mr. Chairman. And members of the
committee, thank you for inviting IBM to share our views on
this important subject.
My name is Harriet Pearson. I am the Chief Privacy Officer
for IBM. We are the world's largest information technology
company, and the world's largest e-business services company.
We believe that from that vantage point we have a unique
perspective on the issue of privacy, dealing as we do with so
many customers who use information in their own businesses
worldwide.
IBM has a longstanding commitment to privacy dating back to
the 1960's. We were among the first corporations to develop a
global privacy policy, focusing first on our employees. We were
the first online advertiser to advertise and restrict our
advertising only to those Internet sites that posted privacy
policies. We are a leader in privacy and security technologies,
with over 600 patents in that area.
As Chief Privacy Officer, I manage our internal privacy
policies, help bring together our research and technology
initiatives, and engage customers and policymakers worldwide on
this issue. The effort is complex for a large company like
ours. For example, on the web, ibm.com has over a million pages
of content, and each site needs to have a privacy statement.
Privacy is a priority for IBM, and for the health of our
marketplace.
With that introduction, I would like first to comment upon
how we use data ourselves, since that is a topic of this
hearing. Then second, I would like to provide some observations
from where we sit on how others, thousands of our customers,
use data for their processes. And finally, I would like to
close with several recommendations for how you as policymakers
can continue building a record in this area and further the
public policy agenda.
I would like to turn to IBM first. The primary subject of
this hearing is how companies use data. We at IBM strive to use
data creatively and responsibly. Most of IBM's customers are
organizations rather than individuals, but in both cases we use
data to identify likely customers, understand their needs, and
to market to them. We use data to offer the right solutions,
deliver orders efficiently, offer strong service and support,
and to maintain good relationships.
These normal business functions require the collection and
effective use of data about individuals. For example, when a
consumer purchases an IBM personal computer, whether it is an
Aptiva or a ThinkPad, we use information about their purchase,
such as their name, address, phone, e-mail address. And we
collect their preferences about whether or not they wish to be
contacted. If they choose to register with what we call our
Owner Privileges program, we use their information to provide a
free product update newsletter, prioritize telephone handling
with a special toll-free number, and other special offers.
We govern our use of information with corporate-wide
policies and practices on privacy. They govern how we use
information worldwide. These policies require us, globally, to
provide individuals notice of our information practices, and of
the choices they can make about the use of their data. We
require, also, ourselves to implement appropriate security and
accuracy measures. And finally, we also have contractual
protections for customers when we share data with our business
partners and suppliers. And we do share data with those
suppliers and business partners; lots of companies help us go
to market and do business.
IBM is leading within the larger business trend of becoming
accountable on privacy. From our vantage point, working as we
have with nearly 20,000 businesses in the last several years
implementing and using the Internet to improve their
businesses, we see firsthand how they use information to
improve, in turn, their services and products for their
consumers. These companies use consumer information in ways
very similar to those I have just stated. And my experience is,
personally and my colleagues', is that they have the same level
of concern for consumer satisfaction and privacy.
For example, one of our grocery chain customers uses
information about consumer purchases to improve their decisions
about which items to stock and when; to offer discounts; and to
tailor promotions to individual customers. Data helps them
reduce costs, and to run their company more efficiently, and to
provide better service for their consumers.
I have mentioned other examples in my written statement,
and you will of course hear from the other companies here
today. I personally have spoken with 100 or more, hundreds, of
companies in the first 6 months of this year, and I can see
significant growth in awareness of privacy issues, and a
commitment to doing the right thing with respect to consumers.
It is amazing to see how the level of awareness has grown
within the U.S. business community.
I believe the heart of the privacy challenge is that
individuals must understand how information about them is used
and how they benefit. They should be able to exercise choices
and feel that the system that handles their information is
under control. They need to feel confident that the
relationships in which they enter are going to be ones that
respect their wishes.
It is important that we focus on these issues now and
later. From our vantage point, it is clear that we are still in
the early stages of a technological revolution that will change
how we as businesses deal with consumers, and it is only going
to keep accelerating in terms of how the technology lets us
manage information. Therefore, I conclude with a few thoughts
on how you as policymakers can move ahead.
The point, it seems to me, is to find a balanced approach
between government regulation, industry action, and individual
responsibility. And our view is that a framework for those
issues and how to approach it has emerged in this country. It
is built on top of over 30 existing laws on privacy; layered on
top of that, industry initiatives and proactive engagements by
companies such as ours; and on top of that, the kinds of tools
and technologies that are available now for companies to use.
We need to have a deliberative approach, as you, Mr.
Chairman, and the members of the committee have agreed to, to
study these issues and find out, where is the harm? Where are
the issues that need to be addressed? And how public policy
fits into that picture. I commend you for your approach. We at
IBM would like to continue to be a constructive player in this
process. And we thank you for the opportunity to share our
views.
[The prepared statement of Harriet P. Pearson follows:]
Prepared Statement of Harriet P. Pearson, Chief Privacy Officer, IBM
Corporation
Thank you Mr. Chairman for inviting me to share IBM's views.
My name is Harriet Pearson and I am the Chief Privacy Officer of
the IBM Corporation. IBM is the largest information technology company
in the world. We develop and manufacture many of industry's most
advanced technologies, including computer systems, software, networking
systems, storage devices and microelectronics. We also are the world's
largest e-business services company, delivering strategic consulting
and helping our clients to use information technology to improve their
internal operations and service to customers. This gives us a unique
vantage point from which to comment on privacy issues, working as we do
on a global basis with companies, governments, and organizations of all
sizes.
IBM has a long standing commitment to privacy. In the 1960s, IBM
developed one of the first global privacy approaches for business,
focused around employee privacy. As the computer revolution progressed,
we supported privacy legislation to protect e-mail and medical
information. IBM remains a leader in privacy and security technology--
currently holding over 600 patents for such technologies. IBM was the
first online advertiser to announce that it would only advertise on
Internet sites that posted privacy policies. Last year our CEO, Louis
Gerstner, appointed me as IBM's Chief Privacy Officer to confirm that
IBM has the right internal policies in place, to help unify our many
privacy research and technology initiatives, and to engage customers
and policymakers worldwide about privacy issues.
I'm certainly not alone at IBM in my efforts. We have a privacy
team that works across IBM in areas like marketing, development,
services, human resources, and legal. The effort is complex for large
companies. IBM is an $88 billion company that employs more than 300,000
people in the United States and operates in 160 countries. On the Web,
ibm.com has more than a million pages of content and each site needs to
have a privacy statement.
Externally, IBM's Privacy Consulting and Technology teams are
helping organizations implement sound privacy practices and giving them
the tools to do so. At all levels, IBMers speak out about the
importance of privacy and are backing their words with actions to help
build a responsible marketplace that can earn people's trust. In short,
privacy is a priority within IBM and it is important to the health of
the marketplace in which we operate.
how ibm uses customer data
IBM policies and practices are designed to let us use data
creatively and responsibly. Most of IBM's customers are corporate
rather than individual clients. In both situations we work to identify
likely customers, understand their needs, and market to them. We strive
to offer the right solutions, deliver orders efficiently, offer strong
service and support, and maintain good relationships in hopes of
earning future sales. All of these normal business functions require
the collection and effective use of data about individuals.
For example, when an individual or small business owner purchases
an IBM Aptiva or Thinkpad personal computer, we ask them for
information about their purchase, their name, address, phone, e-mail
and preferences about being contacted. As a special service for those
customers willing to take the time to register with our Owner
Privileges program, we use this information to provide a free e-mail
newsletter, prioritized telephone handling through a special toll-free
number, and special offers for registered customers (e.g. coupon for
free stamps from Stamps.com).
We inform customers about their choices not to receive further
marketing materials from IBM, and respect their preferences. We might
also use third-party sources like the National Change of Address
Service managed by the U.S. Postal Service to verify address changes.
We thus use customer information to provide better and more-tailored
service, while solidifying the relationship with the customer.
The net result? In this and other situations involving customer
information, IBM is able to offer services better-targeted to those who
might be interested, while at the same time delivering fewer
solicitations to people who are not.
IBM has a set of corporate-wide policies and practices to govern
our actions when we use personally identifiable data and we train IBM
professionals who are bound by these policies and practices. Our
policies also require that we put in place contractual protections when
we share data with business partners and suppliers.
When IBM gathers personally identifiable information online, we
offer notice of our privacy practices and inform the individual of
their choices regarding the use of that data. In the case of e-mail
solicitations, IBM requires that the individual first give his or her
permission before the e-mail is sent unless we already have an existing
business relationship. Our policies require that we safeguard the
information in our possession and limit its visibility.
IBM is leading within a larger business trend of taking action to
be accountable on privacy. In just the past few years, we've seen a
rapid growth of the number of online privacy statements, chief privacy
officers, privacy technologies, seal programs, and in the U.S.,
targeted laws to protect sensitive information. This subcommittee
should be proud its work to explore what further needs to be done. To
best reap the benefits of the information economy and preserve privacy
in the process, there must be a balanced approach. IBM believes it
should begin with an understanding of what the future holds.
the future of the information economy
Much has been said about the demise of the information economy in
the wake of the dot.com meltdown. In fact, however, we are still in the
early stages of a global technological transformation that will
revolutionize our society over the next 25 years, driving our economy
and exponentially expanding our opportunities. The transformation is
being fueled by the rapidly increasing power of the technology itself
and of information networks. These enable new models for business,
health care, education and government.
The Internet will transform every important business transaction
and relationship. This includes improving relations with customers, but
much more. It also means transforming relations with people who want to
invest with you and people who want to work for you. Companies also
will use the Net to integrate supply chains that connect an enterprise
to markets and industries. Internal transactions, such as order
processing, fulfillment, logistics, manufacturing and employee
processes, will be faster and less costly.
Companies will even be able to be in contact with their products--
appliances, industrial machinery, consumer electronics--so the company
can provide after-sale service, understand product performance, and
make improvements. Government will evolve similarly, as taxpayers will
expect not only online services, but also efficient management. The
benefit is very significant in hard dollar savings and cost avoidance
when transactions are performed on the Web as opposed to the old paper
format. For example, IBM saves 70 percent on transaction costs when we
use the Web and we have seen many similar results across industry as a
result of e-transformations.
However, all this adds up to massive data collection and management
and requires a heightened awareness and commitment to privacy
throughout our society.
My colleagues and I at IBM see first-hand how thousands of
companies use information to improve their service and products for
consumers--we've helped over 18,000 businesses successfully leverage
the Internet. And these companies use consumer information in ways very
similar to the companies at today's hearing, and with much the same
level of concern for consumer satisfaction and privacy.
Here are some examples:
A multi-billion dollar US-based financial services firm uses
state-of-the-art database technology in a way that's allowed
them to anticipate customer needs and to respond rapidly. The
company uses customer information to help it pinpoint
delinquencies early, so it can work harder and earlier with
customers to help them become solvent again. It can better
tailor product offers to those who might be interested--for
example, offering coupons toward phone service for those
customers who achieve a certain level of usage. The firm's
objective is to treat all of its customers with the same level
of respect and to discover what is important to each customer.
A utility company uses the consumer information it collects to
identify customers that may be interested in additional
services and market them accurately; to further customize rates
and offer analysis to specific customers; to generate
personalized reporting much faster than it was able to
previously; and to diversify their service offerings and react
quickly to new business opportunities.
A grocery store chain uses information about consumer product
purchases to: make better decisions about which items to stock
and when; to offer customized discounts and other offers on
those products which an individual customer buys or may be
likely to be interested in; and overall to reduce cost and run
the company more efficiently.
It is clear that the fullest fruits of the information revolution
will remain untapped unless individuals can understand how information
about them is collected and communicated to others. This lack of
knowledge can drive feelings of mistrust, fear, and a loss of control.
Individuals also must understand that they benefit from information
exchanges in terms of savings, convenience, services, and jobs. Many
surveys show that people want products quickly and conveniently and
want high levels of service. They realize that some information
exchange is needed.
Importantly, individuals must be able to exercise choices and feel
that the system is under control. They must feel confident entering
into data sharing relationships with banks, doctors, credit card
companies, grocery stores and their government. This is the heart of
the privacy challenge.
need for a broader u.s. privacy debate
Agreement is emerging around the world that private sector
initiatives are critical to address privacy concerns in day-to-day
commercial activities. Even in environments that embrace strict data
processing regimes like the European Union, governments recognize that
robust and accountable market-led measures must play a prominent, if
not preeminent, role. Europeans call it ``co-regulation.'' In the
United States it is often referred to as industry self-regulation.
Business leadership is crucial because governments do not have the
manpower, technology, or jurisdictional authority to comprehensively
monitor consumer transactions in cyberspace, nor would many people want
government to carry out such a task if it could. This brings me back to
the question I posed earlier about preserving privacy and the benefits
of the information economy: Is there a balanced approach between
government regulation, industry action, and individual responsibility?
As this subcommittee established at an earlier hearing,
approximately 30 federal laws regulate privacy in some form. These laws
tend to focus on (1) preventing fraudulent or harmful uses of data
(e.g. identity theft, employment discrimination, deceptive trade
practices, or surreptitious monitoring of e-mail) and (2) establishing
special rules and protections for sensitive information (e.g.
financial, medical, and children's data).
Layered upon these protections are industry initiatives like
privacy policies, seal programs, industry codes of conduct, and
suppression lists for telemarketing and commercial e-mail. Furthermore,
people can use privacy technologies to control cookies or to surf,
shop, and send e-mail anonymously. Many are free and some are being
built into the architecture of the online marketplace (e.g. the
Platform for Privacy Preferences).
U.S. law and practice reflect a desire to balance individual
privacy and the societal benefits of data availability (e.g., economic
efficiency, free speech, accountable government). This is a solid
framework and should be the basis on which any new or modified U.S.
privacy regime is built.
Some have asked, ``where is the harm'' in data collection as a
rhetorical question to imply there is no harm or risk. We should ask
the question in earnest. And then answer it by devising responses to
people's real and legitimate concerns about data, such as identity
theft, financial fraud, disclosure of embarrassing information,
employment discrimination, denial of insurance, government seizure, or
nuisance issues like spam. We should not create laws because of a vague
notion that data collection itself is harmful.
We need to examine the incidence of these concerns, identify their
causes, assess any harm they may cause, and then as leaders--in
government and the private sector--ensure that an appropriate policy
regime is in place. Too much of the privacy debate now speculates on
how commercial data might be used without going through these steps. We
should identify a spectrum of privacy concerns and link them with
protections afforded by current law and practice. Most Americans are
unaware of the privacy protections afforded them now by the Fair Credit
Reporting Act, the FTC Act, the Network Advertising Initiative, the
Privacy Act, the Electronic Communications Privacy Act, and the Fourth
Amendment.
Against this backdrop we should review proposals by Members of
Congress and consider what further actions might be appropriate for
industry or the Administration. This subcommittee has demonstrated that
privacy has many dimensions and is complex, but I sense that we are
beginning to gain a fuller knowledge and perspective that will allow us
enter a more productive dialogue on privacy and to craft appropriate
responses.
In summary, we should build on current law where necessary and link
solutions to people's top priorities. We appreciate the subcommittee's
thoughtful examination of privacy issues and the critical role you will
play in shaping balanced, appropriate responses. IBM is committed to
continue being a constructive player in this process. For example, we
have joined with other companies in groups such as the Privacy
Leadership Initiative to further the contributions that the private
sector can make to understanding these complex issues and communicating
helpful information to fellow business and consumers.
Most companies agree that any U.S. privacy regime should be a
national solution, not a patchwork of fifty conflicting regimes. The
regime should encourage transparency and choice. It should hold
government and non-profit organizations accountable to similar
standards asked of industry. It should neither discriminate against the
Internet nor create new private rights of action.
In consummary, IBM believes that the best privacy model is a
layered approach of responsible industry action, consumer-empowering
technology, and targeted government action that promotes transparency,
protects sensitive information, and appropriately addresses harmful and
fraudulent data practices. This framework can build consumer trust and
remain flexible enough to allow companies to offer the convenience,
savings, services, and jobs that benefit our citizens.
Thank you for this opportunity to share our views.
Mr. Stearns. Thank you.
Ms. Hourigan?
STATEMENT OF JACQUELINE L. HOURIGAN
Ms. Hourigan. Good morning, Mr. Chairman and members of the
subcommittee. My name is Jacqueline Hourigan, and I am the
Director of Corporate Data Policies for the General Motors
Corporation. I welcome the opportunity to appear today to
discuss GM's perspectives of this very complex issue of data
privacy.
As you heard earlier, we have over 400,000 employees,
30,000 suppliers, and 8.7 million vehicles sold last year in
over 200 countries. As a result, the collection, use, and
security of personally identifiable data, collected both on the
Internet and in the off-line world, are critically important
issues for GM. As a result, we do appreciate the deliberative
and thoughtful approach this committee has taken to this
incredibly complex issue.
Our customers' trust is a priority for GM, and we are
working to balance our customers' needs and expectations with
the benefits available from the free flow of information.
Specifically, we seek to align our internal policies and
processes with customer expectations and data privacy laws
worldwide.
We collect information through a variety of means,
including standard market research and response techniques;
visits to GM web sites; product purchase channels; as well as
in-vehicle technology designed to enhance the safety and
security of our drivers on the road.
We are also sensitive to the privacy concerns of our
employees, as well as our need to effectively deploy and
support our work force on a worldwide basis. The ability to
transfer human resource data across borders is extremely
critical for multinational companies such as GM. We strive to
balance very significant and legal and societal expectations
for privacy with the objective of enhancing our customers'
ownership experience. With a better understanding of our
customers, we can make their shopping, buying, and owning
experience more enjoyable, and make the entire process more
efficient and cost-effective for GM.
Because the development lead time for vehicles can be up to
3 years long, it is important for us to understand our
customers' preferences and the market trends. For example, data
on customer purchasing and usage patterns can help us target
products more effectively to meet consumer needs, and also to
tailor messages and promotions to the interests of current and
prospective customers.
We have built a data base about GM vehicle owners to
facilitate after-market sales, repairs, next vehicle purchase,
and to cross-market the broad range of GM products and
services. Customer information is also critical to our U.S.
vehicle warranty data base, which is used in the event of a
safety or customer satisfaction recall. In addition, customer
information may be shared with other parts of the company, so
we can enhance the shopping, buying, and owning experiences of
our customers with related information and services.
The emergence of new technologies has facilitated more one-
to-one communications with our customers. Consequently, we are
moving toward a process whereby the consumer will control the
type of information they receive, and the manner in which they
receive it. The benefits to the customer of this data-rich
analysis and cross-marketing focus are increased satisfaction
with products and services that are better suited to their
needs, and marketing efforts that provide meaningful benefit at
the appropriate time and through the communication channel of
the consumer's choice.
Attention to the issue of data privacy has been elevated to
the highest levels of management at GM. Last fall, a corporate
officer assumed responsibility for developing a global data
privacy strategy, and my position, which focuses on
coordinating our global business units' implementation of GM's
privacy strategy, was also created.
We are implementing the strategy on a scheduled basis
throughout GM's global marketplace, through the adoption of
privacy statements by individual GM business units. The privacy
statements will vary by business unit, and the applicable laws,
customs, and culture of particular countries. GM already has in
place a global information security policy that provides
guidelines for appropriate use and handling of GM data.
Again, we appreciate the opportunity to be here today to
discuss GM's approach to data privacy, and our ongoing
commitment to honoring our customers' privacy preferences. We
commend this committee for taking a thoughtful approach to this
complex issue, and hope that you will continue to seek
industry's input to ensure the approach adopted does not result
in legislation that could be burdensome, impractical, and could
produce unintended consequences, such as higher consumer costs,
prevention of legitimate information collection, and the
creation of obstacles to the free flow of information.
Thank you very much.
[The prepared statement of Jacqueline L. Hourigan follows:]
Prepared Statement of Jacqueline L. Hourigan, Director of Data
Policies, General Motors Corporation
Mr. Chairman and members of the subcommittee, my name is Jacqueline
Hourigan, and I am the Director of Data Policies for the General Motors
Corporation. I welcome the opportunity to appear before the members
today to discuss GM's perspectives on the issue of data privacy.
GM appreciates the deliberative and thoughtful approach this
committee has taken to the privacy issue. For decades we at GM have
worked hard to build strong relationships with the millions of GM
customers. These relationships, based on high quality and exciting
products and services, are critically important to us. The trust we
have established and continue to reinforce through our policies and
practices is key to General Motors' success in this extremely
competitive automotive and financial services market.
By way of background, General Motors is the world's largest
industrial corporation. GM designs, manufacturers, and markets cars,
trucks, heavy-duty transmissions, and locomotives worldwide. Other
substantial business interests include Hughes Electronics Corporation
and General Motors Acceptance Corporation (GMAC). GM cars and trucks
are sold in 200 countries and the company has manufacturing or assembly
operations in more than 30 countries. GM employs 400,000 people
worldwide and partners with over 30,000 suppliers. In 2000, GM sold 8.7
million vehicles worldwide and had revenues of $185 billion.
importance of the privacy issue to gm
The collection, use, and security of personally identifiable data
collected on the Internet and in the off-line world are important
issues for GM. We seek to align our internal processes and policies
with consumer expectations and data privacy laws worldwide. We collect
information through a variety of means, such as traditional market
research and response techniques, visits to GM web sites, subscriptions
to OnStar', insurance, finance or mortgage products with
GMAC, and through in-vehicle technology designed to enhance our
customers' safety and security.
GM's privacy concerns also apply to data GM maintains on employees.
A key business objective for GM is the effective deployment and support
of our workforce. The ability to transfer human resource data across
borders is extremely important to companies that have a global
footprint, such as ours.
uses of data and benefits to customers
GM strives to balance the very significant legal and societal
expectations for privacy with the objective of enhancing our customers'
ownership experience. With a better understanding of our customers, we
can make their shopping, buying, and owning experience more enjoyable
and make the entire process more efficient and cost effective for GM.
Because the development lead-time for vehicles ranges from
approximately 24 to 36 months, it is important for us to understand
customer preferences and market trends. At GM, we apply predictive
modeling techniques to the data provided us by our customers to assess
trends and forecast our customers' future preferences. The better we
understand our customers and where we are gaining or losing sales, the
better we can focus our product and marketing priorities.
We also optimize our ongoing marketing efforts by tailoring
relevant messages and promotions to our current and prospective
customers. Customers generally own their vehicles for many years
(almost a decade on average) and we have built a substantial database
with information on GM vehicle owners that we use to facilitate after-
market sales, repairs, next vehicle purchase, and to cross-market the
broad range of GM products and services. It is important to note that
customer information is also compiled to populate our U.S. vehicle
warranty database so that we can contact customers in the event of a
safety or customer satisfaction recall.
Customer information may be shared with other parts of the company.
By offering a suite of products and services to our customers their
learning, shopping, buying, and owning experience is enhanced. By way
of example, GMAC's real estate operation is focused on coordinating
realtor, mortgage, closing, moving, homeowner, and relocation services
that are critically important to anyone buying a new home. By sharing
customer information within the GMAC organization, we can create a
seamless service delivery platform that gives time back to the customer
and creates real value for them.
The emergence of new technologies has facilitated more one-to-one
communications with our customers. Consequently, we are moving toward a
process whereby the consumer controls the type of information they
receive and the manner in which they receive it.
The benefits to the customer of this data-rich analysis and cross-
marketing focus are increased satisfaction with products and services
better suited to their needs and marketing efforts that provide
meaningful benefit at the appropriate time and through the
communication channel of their choice.
what data handling practices does gm employ
Attention to the issue of data privacy has been elevated to the
highest levels of management at General Motors. Last fall, a corporate
officer assumed responsibility for developing a global data privacy
strategy for the corporation, and my position, which focuses on
coordinating our business units' implementation of GM's privacy
strategy globally, was also created.
GM is implementing the strategy on a scheduled basis throughout
GM's global marketplace through the adoption of privacy statements by
individual GM business units. These privacy statements will vary by
business unit and the applicable laws, customs, and culture of
particular countries. GM already has in place a global information
security policy that provides guidelines for appropriate use and
handling of data.
conclusion
Again, we appreciate the opportunity to be here today to discuss
GM's approach to data privacy and our commitment to respecting our
customer's privacy preferences. We commend this committee for taking a
thoughtful approach to this complex issue. We hope that you will
continue to seek industry's input to ensure the approach adopted does
not result in legislation that would be burdensome, impractical and
would produce unintended consequences. These unintended consequences
could include higher consumer costs, prevention of legitimate
information collection, and the creation of obstacles to the free flow
of information.
Thank you.
Mr. Stearns. Thank you.
Mr. Swift?
STATEMENT OF ZEKE SWIFT
Mr. Swift. Thank you, Chairman Stearns and members of the
subcommittee. I am Zeke Swift, Director of Global Privacy for
the Proctor & Gamble Company.
P&G markets 300 brands of consumer products to, as the
chairman already mentioned, 5 billion consumers in over 140
countries. These include leading brands like Tide, Pantene,
Pringle's, and Iams. We are based in Cincinnati, Ohio, and have
on-the-ground operations in over 70 countries.
Privacy is a public policy issue long associated with
direct marketing and high-tech industries. So why does P&G, a
consumer products manufacturer, care about privacy? Let me
summarize our interest in three points.
First, information about consumers is central to a consumer
products business. We rely on information to better understand
consumer needs and produce products, information, and services
to better meet them. As a result, we have an enormous stake in
fostering an environment in which consumers confidently share
their information with us. Creating this climate includes
making sure that our practices meet or exceed consumer
expectations, and contributing to industry and policy
initiatives to enable other companies to do the same.
Second, new technologies are enabling us to deliver
benefits that were previously impossible. When consumers share
information with us, we can now deliver tailored offers, such
as samples or coupons, customized products and information, or
opportunities to test new products not yet available in stores.
This increases satisfaction among consumers who are interested,
and ultimately reduces costs of marketing to consumers who are
not. We want to preserve the ability to take full advantage of
current and emerging technology to target consumer needs.
Third, handling personal data is a complex issue for a
company the size of P&G. We receive consumer data from sources
including off-line promotions, online web sites, consumer
relations contacts, market research, and clinical studies, just
to name a few. We operate in over 70 countries. We have about
200 corporate entities, and relationships with hundreds of
vendors and contractors. We have about 375 web sites globally.
Administrative processes such as those required by recent
European legislation impose an unimagined burden for a company
like ours, with little or no substantive benefit to the
consumer. We hope that any steps taken in the United States
reflect this learning.
Now, let me share two examples of more sophisticated uses
of data to meet consumer needs. Both involve interactions with
consumers over the Internet.
First, with Reflect.com, a woman provides information about
her physical attributes and lifestyle preferences, and then
creates personalized skin care, hair care, fragrance, and
cosmetic products from some 50,000 possible product
combinations. The items are delivered to her door in a
personalized package within 3 to 7 business days.
Second, at our Pampers.com web site, parents can sign up
for a free monthly newsletter tailored to the age by month of
their baby, and delivered to their e-mail inbox. The newsletter
offers expert information about raising children, tips from
bathing to discipline, coupons, and opportunities to try new
products like our Bibster disposable baby bibs--just a word
from our sponsor.
In order to deliver these benefits, we collect, obviously,
data such as a person's name and address. To increase the
tailoring of those offers, we may collect demographic,
lifestyle, or product usage information. Consumers give us most
of the information we use. In some cases, we get additional
information from data compilers such as Acxiom, Equifax, and
Experian. And I've given them all equal time because they will
be following us in the next panel.
We do not sell personal information. We do share
information with vendors acting on our behalf to process data
or fulfill a promotion. We do not share data with companies
beyond our vendors without the individual's consent.
We are committed to keeping data secure, and take
precautions against loss, misuse, or alteration of the data.
These measures include physical security, controlled access to
data, and encryption for data transmission. We require our
vendors and partners to provide privacy practices equivalent to
our own, and we forbid them from any additional use of our
data.
In conclusion, we believe that understanding consumer
needs, delivering consumer benefits, and generating consumer
trust, are three pillars that should be at the center of any
policy discussion on privacy. If I may paraphrase
Representative DeGette from an earlier hearing, there are two
secrets about privacy: taking care of personal information is
good for business; and sharing personal information is good for
consumers.
Thank you very much.
[The prepared statement of Zeke Swift follows:]
Prepared Statement of Zeke Swift, Director, Global Privacy, The Procter
& Gamble Company
introduction
Thank you, Chairman Stearns and members of the Subcommittee, for
the opportunity to testify on this important issue. My name is Zeke
Swift and I am Director, Global Privacy for The Procter & Gamble
Company.
As background, Procter & Gamble markets 300 brands of consumer
products to nearly five billion consumers in over 140 countries. These
brands include Tide, Swiffer, Crest, Pantene Pro-V, Pringles, Pampers,
Olay, Iams and Vicks. We are based in Cincinnati, Ohio and have on-the-
ground operations in over 70 countries.
key messages
Privacy is a public policy issue long associated with the high tech
and direct marketing industries. So why does P&G, a consumer products
manufacturer, care about the privacy issue? Let me summarize our
interest in three key points.
1. First, information about consumers is central to our business.
We rely on information to better understand consumer needs, and produce
superior products, information and services to meet them. As a result,
we have an enormous stake in fostering an environment of trust in which
consumers confidently share their information with us. Creating this
climate includes making sure that our practices meet or exceed consumer
expectations, and contributing to industry and policy initiatives that
enable other companies to do the same.
2. Second, new technologies are enabling us to deliver a level of
benefit on the basis of personal information that was previously
impossible. When consumers share information with us, we now can
deliver tailored offers such as samples or coupons, opportunities to
test new products, or customized products and information. We want to
preserve the ability to take full advantage of current and emerging
technology to meet consumer needs.
3. Third, privacy--or more broadly the way we handle personal
data--is a complex issue for a company the size of P&G. We receive
consumer data from many sources including offline promotions, online
websites, Consumer Relations contacts, market research and clinical
studies. As mentioned, we operate in over 70 countries. We have about
200 corporate entities and relationships with hundreds of vendors and
contractors. Administrative processes, such as those imposed by recent
European legislation, impose unimaginable burdens for companies like
ours with little or no substantive benefit to consumers. We hope that
any steps taken in the United States would reflect this learning.
p&g privacy practices
Now, let me share a couple of points about our overall approach to
privacy.
First, we're guided by two fundamental principles:
(a) We strive to treat information provided by individuals as their
own, which has been entrusted to us; and
(b) We strive for transparency with consumers about how their
information is used. We inform people about how we handle
information they provide us. We give them choices about further
communication with P&G or further uses of their data. We offer
them reasonable access to data they've provided to review it,
correct it or ask us not to use it.
Second, we have a long history of responsible treatment of personal
information. Our employee privacy policy, for example, dates back more
than 20 years. And, we posted our first on-line privacy statement in
1997.
Third, for consistency's sake we've chosen to take a global
approach to privacy. We have a single global privacy policy. We have a
global structure for developing and implementing our information
practices worldwide. We are building a global IT system to implement
and monitor our policy globally.
consumer benefits
Now let me provide some examples of the way we're using consumer
information today. At the most elemental level, when consumers share
their information with us, we can give them information, services and
products tailored to their needs or interests. These may include new
product announcements, free sample offers, participation in contests
and sweepstakes, and opportunities to test new products not yet
available in stores.
But at a more sophisticated level we use interactions with
consumers over the Internet to deliver personalized or customized
products and services. For example:
1. With Reflect.com, a woman provides information about her
individual attributes and lifestyle and creates personalized skin care,
hair care, fragrances and cosmetics. The items are delivered to her
door in a personalized package within 3 to 7 business days. The beauty
products are produced from some 50,000 possible product combinations
based on P&G formulas.
2. Our Pampers.com website strives to be the best resource on the
web for parents and parents-to-be. It offers parents an opportunity to
sign up for a free monthly newsletter from the Pampers Parenting
Institute, tailored to the age of their baby and delivered to their e-
mail inbox. The newsletter is full of information about child rearing
written by experts, offers tips from bathing to discipline, coupons,
and opportunities to sample new products like our disposable Bibster
baby bibs.
how we collect and use personal information
In order to deliver offers such as these, we collect data such as a
person's name, address, email address or phone number so that we may
contact them or send them items they have requested. To increase the
likelihood that our offers will be of interest, we collect demographic
information such as age or gender, lifestyle information such as
household status or personal interests, and other relevant information
such as product usage and preferences.
Consumers volunteer most of the information we store in our
databases. In some situations we use additional demographic information
purchased from data aggregators such as Acxiom, Equifax or Experian.
The data provided by aggregators is from publicly available sources
such as telephone directories and public records, or from information
reported by consumers themselves through vehicles such as warranty
cards.
We seek to build our relationships with consumers on the basis of
transparency and trust. We offer individuals who have provided us with
information choices about further communications. We ask whether or not
a consumer would like to be contacted about additional offers or
services. We seek wherever we can to provide consumers with a
convenient means to tell us, yes or no, whether we may use the
information they provided to re-contact them.
We do not sell personal information. We obviously do share data
with vendors acting on our behalf to fulfill a promotion. We do not
share data with companies beyond our vendors without the individual's
consent.
We are committed to keeping data secure and take precautions
against loss, misuse or alteration. These measures include physical
security, controlled access to data and encryption for data
transmission. We require vendors, partners and contractors to provide
equivalent privacy measures and forbid them to use data for any
additional purpose.
summary
In conclusion, we believe that understanding consumer needs,
delivering consumer benefits and generating consumer trust are the
issues at the heart of any policy discussion on privacy. If I may
paraphrase Representative DeGette from an earlier subcommittee hearing,
``There are two secrets about privacy: privacy--the stewardship of
personal information--is good for business, and information sharing is
good for consumers.''
Thank you.
Mr. Stearns. Thank you.
Mr. Misener, your opening statement?
STATEMENT OF PAUL MISENER
Mr. Misener. Thank you, Chairman Stearns and members of the
subcommittee. My name is Paul Misener. I am the Vice President
for Global Public Policy at Amazon.com. Thank you very much for
inviting me here to testify today.
Mr. Chairman, Amazon.com is pro-privacy. The privacy of
personal information is important to our customers, and thus it
is important to us. Indeed, as Amazon.com strives to be the
Earth's most customer-centric company, we must provide our
customers the very best shopping experience, which is a
combination of convenience, personalization, privacy,
selection, savings, and other features. At Amazon.com, we
manifest our commitment to privacy by providing our customers
notice, choice, access, and security.
Before I describe these four facets of privacy protection
at Amazon.com, please allow me to explain how we use customer
information. In general, Amazon.com uses personally
identifiable customer information to personalize the shopping
experience at our store. Rather than present an identical
storefront to all visitors, our longstanding objective is to
provide a unique store to every one of our customers, now
totaling well over 35 million people. In this way, our
customers may readily find the items they seek, and discover
other items of interest.
Amazon.com now inserts, among the familiar tabs across the
top of our web pages, a special tab with our customer's name on
it. When I visited Amazon's site on Monday, for example, the
tabs included books, electronics, DVDs, and ``Paul's store.''
By clicking on the ``Paul's store'' tab, Amazon.com introduced
me to six smaller stores, including one named ``Your kitchen
and housewares store,'' which featured a Calphalon professional
nonstick 5-quart saucepan, which I promptly bought, and it was
delivered yesterday.
Now, it was no coincidence, of course, that Amazon.com
recommended this saucepan to me, and that I liked it. Using so-
called collaborative filtering techniques, which compare my
past purchases to anonymous statistics on thousands of other
Amazon.com purchases, Amazon.com computers automatically, and
correctly, predicted that I would want this saucepan. Similar
personalization is provided in the traditional Amazon.com
recommendations on the home page, and purchase follow-up
recommendations in the ``New for You'' feature, and in some
varieties of e-mail communications.
Obviously, Amazon.com's personalization features directly
benefit our customers. And just as obviously, these features
require the collection and use of personally identifiable
customer information. The question then is how do we protect
the privacy of this information?
As I indicated earlier, Amazon.com manifests its privacy
commitment by providing notice, choice, access, and security.
Amazon.com was one of the very first online retailers to
provide a clear and conspicuous privacy notice. We also provide
our customers meaningful privacy choices. In some instances we
provide opt-out choice, and in other instances we provide opt-
in choice.
We are an industry leader in providing our customers access
to the information we have about them. They may easily view and
correct, as appropriate, their contact information, payment
methods, purchase history, and even the clickstream record of
products they view while browsing Amazon.com's online stores.
And finally, Mr. Chairman, Amazon.com vigilantly protects the
security of our customers' information.
It is very important to note here that, other than an
obligation to live up to pledges made in our privacy notice,
there is no legal requirement for Amazon.com to provide our
customers the privacy protections that we do. So why do we
provide notice, choice, access, and security? The reason is
simple: privacy is important to our customers, and thus it is
important to Amazon.com. We simply are responding to market
forces. Indeed, if we didn't make our customers comfortable
shopping online, they will shop at established brick-and-mortar
retailers, who are our biggest competition.
These market realities lead us to conclude that there is no
inherent need for privacy legislation. That said, we have been
asked whether Amazon.com could support a privacy bill. Perhaps
we could, but only under certain circumstances.
At the Federal level, Amazon.com could support a bill that
would require notice and meaningful choice, but only if it
would pre-empt inconsistent State laws, bar private rights of
action, and address both online and off-line activities. Please
allow me to explain each of these points.
First, any Federal privacy legislation applied to online
activities must pre-empt inconsistent State laws, for it would
be virtually impossible for a nationwide web site to comply
with conflicting rules from multiple jurisdictions.
Second, Amazon.com could support a privacy bill only if it
would bar private rights of action. The threat of aggressive
private litigation would companies to balkanize their privacy
notices for the sake of legal defensibility, at the expense of
simplicity and clarity.
Third and finally, Amazon.com believes that privacy
legislation must apply equally to online and off-line
activities. It makes little sense to treat information
collected online differently from the same, and often far more
sensitive, information collected through other media, such as
mail-in warranty registration cards, point-of-sale purchase
tracking, and magazine subscriptions.
On one hand, such parity is necessary in fairness to online
companies. But more importantly, it would be misleading to
American consumers to enact a law that applies only to online
entities, because for the foreseeable future the putative
protections of such a law would apply only to a very tiny
fraction of consumer transactions. Last year, online sales
accounted for less than 1 percent of all retail business.
Obviously, any law that addresses only online transactions
could not benefit consumers much at all compared to one that
equally addresses online and off-line activities.
Moreover, to the extent it provides any real consumer
benefits, a law that addresses only online activities would
have the perverse effect of failing to provide any benefits to
those on the less fortunate side of the digital divide. Indeed,
consumers who, because of economic situation, education, or
other factors, are not online, would receive no benefits of a
new online-only law.
In sum, Mr. Chairman, Amazon.com is pro-privacy in response
to consumer demand and competition. We believe market forces
are working, and thus believe there is no inherent need for
legislation. Nonetheless, Amazon.com could support limited
Federal legislation, but only if it pre-empts State laws, only
if it bars private rights of action, and only if it applies to
off-line as well as online activities.
Thank you again for inviting me to testify. I look forward
to your questions.
[The prepared statement of Paul Misener follows:]
Prepared Statement of Paul Misener, Vice President, Global Public
Policy, Amazon.com
Chairman Stearns, Mr. Towns, and members of the Subcommittee, my
name is Paul Misener. I am Amazon.com's Vice President for Global
Public Policy. Thank you for inviting me to testify today.
A pioneer in electronic commerce, Amazon.com opened its virtual
doors in July 1995 and today offers books, electronics, toys, CDs,
videos, DVDs, kitchenware, tools, and much more. With well over 30
million customers in more than 160 countries, Amazon.com is the
Internet's number one retailer.
Mr. Chairman, Amazon.com is pro-privacy. The privacy of personal
information is important to our customers and, thus, is important to
us. Indeed, as Amazon.com strives to be Earth's most customer-centric
company, we must provide our customers the very best shopping
experience, which is a combination of convenience, personalization,
privacy, selection, savings, and other features.
At Amazon.com, we manifest our commitment to privacy by providing
our customers notice, choice, access, and security. Before I describe
these four facets of privacy protection at Amazon.com, please allow me
to explain how we use customer information.
In general, Amazon.com uses personally identifiable customer
information to personalize the shopping experience at our store. Rather
than present an identical storefront to all visitors, our longstanding
objective is to provide a unique store to every one of our customers,
now totaling well over 35 million people. In this way, our customers
may readily find items they seek, and discover other items of interest.
If, for example, you buy a Stephen King novel from us, we likely will
recommend other thrillers the next time you visit the site.
Amazon.com now inserts, among the familiar ``tabs'' atop our Web
pages, a special tab with the customer's name on it. When I visited
Amazon.com's site yesterday, for example, the tabs included Books,
Electronics, DVDs, and ``Paul's Store.'' By clicking on the ``Paul's
Store'' tab, Amazon.com introduced me to six smaller stores, including
one named, ``Your Kitchen and Housewares Store,'' which featured a
Calphalon professional nonstick 5-quart saucepan (which I promptly
bought).
It was no coincidence, of course, that Amazon.com recommended this
saucepan to me, and that I liked it: using so-called ``collaborative
filtering'' techniques, which compare my past purchases to anonymous
statistics on thousands of other Amazon.com purchases, Amazon.com
computers automatically--and correctly--predicted that I would want the
saucepan.
Similar personalization is provided in the traditional Amazon.com
recommendations on the home page, in purchase follow-up
recommendations, in the ``New for You'' feature, and in some varieties
of email communications. Customers can improve the quality of these
recommendations in several ways, including by removing individual
Amazon.com purchases from consideration, and by rating the products
they buy at Amazon.com or elsewhere. For example, I bought my niece a
few CDs from the singer Britney Spears but, because I did not want
similar music recommended to me, I removed these CDs from the list of
items Amazon.com uses to produce my recommendations. In addition, on
Amazon.com's site, I can rate a CD that I might have purchased at Wal-
Mart to improve the quality of my music recommendations.
Obviously, Amazon.com's personalization features directly benefit
our customers. And, just as obviously, these features require the
collection and use of personally identifiable customer information. The
question, then, is how do we protect the privacy of this information?
As I indicated earlier, Amazon.com manifests its privacy commitment
by providing notice, choice, access, and security.
Notice. Amazon.com was one of the first online retailers to post a
clear and conspicuous privacy notice. And last summer, we proudly
unveiled our updated and enhanced privacy policy by taking the unusual
step of sending email notices to all of our customers, then totaling
over 20 million people.
Choice. We also provide our customers meaningful privacy choices.
In some instances, we provide opt-out choice, and in other instances,
we provide opt-in choice. For example, Amazon.com will share a
customer's information with a wireless service provider only after that
customer makes an opt-in choice. We simply are not in the business of
selling customer information and, thus, beyond the very narrow
circumstances enumerated in our privacy notice, there is no information
disclosure without consent.
Access. We are an industry leader in providing our customers access
to the information we have about them. They may easily view and correct
as appropriate their contact information, payment methods, purchase
history, and even the ``click-stream'' record of products they view
while browsing Amazon.com's online stores.
Security. Finally, Amazon.com vigilantly protects the security of
our customers' information. Not only have we spent tens of millions of
dollars on security infrastructure, we continually work with law
enforcement agencies and industry to share security techniques and
develop best practices.
It is very important to note that, other than an obligation to live
up to pledges made in our privacy notice, there is no legal requirement
for Amazon.com to provide our customers the privacy protections that we
do.
So why do we provide notice, choice, access, and security? The
reason is simple: privacy is important to our customers, and thus it is
important to Amazon.com. We simply are responding to market forces.
Indeed, if we don't make our customers comfortable shopping online,
they will shop at established brick and mortar retailers, who are our
biggest competition. Moreover, online--where it is virtually effortless
for consumers to choose among thousands of competitors--the market
provides all the discipline necessary. Our customers will shop at other
online stores if we fail to provide the privacy protections they
demand.
These market realities lead us to conclude that there is no
inherent need for privacy legislation. That said, we have been asked
whether Amazon.com could support a privacy bill. Perhaps we could, but
only under certain circumstances.
Under no circumstances would we support state or local laws
governing online privacy. Not only would such laws be constitutionally
suspect, a nationwide website like Amazon.com would find it difficult
if not impossible to comply with fifty or more sets of conflicting
rules.
At the federal level, Amazon.com could support a bill that would
require notice and meaningful choice, but only if it would preempt
inconsistent state laws, bar private rights of action, and address both
online and offline activities. Please allow me to briefly explain each
of these points.
Preempt State Law. First, any federal privacy legislation applied
to online activities must preempt inconsistent state laws, for it would
be virtually impossible for a nationwide website to comply with
conflicting rules from multiple jurisdictions. Even though such laws
most likely would fail a constitutional challenge, the expense and
uncertainty of litigation should be avoided with a Congressionally
adopted ceiling.
Bar Private Rights of Action. Second, Amazon.com could support a
privacy bill only if it would bar private rights of action. The threat
of aggressive private litigation would cause companies to balkanize
their privacy notices for the sake of legal defensibility, at the
expense of simplicity and clarity. Ten-page privacy statements and
fine-print legalese would become the norm. A regulatory body such as
the Federal Trade Commission, on the other hand, could balance the
competing interests of legal precision and simplicity. A class action
plaintiffs' lawyer would have no such motivation.
In addition, the aforementioned uniformity necessary to run
nationwide websites would be destroyed by a host of trial lawyers suing
companies all across the country. A single authority, such as the FTC,
could provide the nationwide approach that private litigation cannot.
Parity with Offline Activities. Third, and finally, Amazon.com
believes that privacy legislation must apply equally to online and
offline activities, including the activities of our offline retail
competitors. It makes little sense to treat information collected
online differently from the same--and often far more sensitive--
information collected through other media, such as offline credit card
transactions, mail-in warranty registration cards, point-of-sale
purchase tracking, and magazine subscriptions.
On one hand, such parity is necessary in fairness to online
companies. It simply would not be equitable to saddle online retailers
with requirements that our brick-and-mortar or mail order competitors
do not face.
But more importantly, it would be misleading to American consumers
to enact a law that applies only to online entities because, for the
foreseeable future, the putative protections of such a law would apply
only to a tiny fraction of consumer transactions. Last year, online
sales accounted for less than one percent of all retail business.
Obviously, any law that addresses only online transactions could not
benefit consumers much at all compared to one that equally addresses
online and offline activities such as using a grocery store loyalty
card or subscribing to a magazine.
Moreover, to the extent it provides real consumer benefits, a law
that addresses only online activities would have the perverse effect of
failing to provide any benefits to those on the less fortunate side of
the digital divide. Indeed, consumers who, because of economic
situation, education, or other factors, are not online would receive no
benefits from a new, online-only law.
In sum, Mr. Chairman, Amazon.com is pro-privacy in response to
consumer demand and competition. We believe market forces are working
and, thus, believe there is no inherent need for legislation. We firmly
oppose the adoption of any non-federal privacy law that addresses
online activities. Nonetheless, Amazon.com could support limited
federal legislation, but only if it preempts state laws, only if it
bars private rights of action, and only if it applies to offline as
well as online activities.
Thank you again for inviting me to testify, I look forward to your
questions.
Mr. Stearns. Thank you.
Mr. Johnson, your opening statement?
STATEMENT OF DAVID A. JOHNSON
Mr. Johnson. Mr. Chairman and members of the sub-
committee----
Mr. Stearns. You might just pull the microphone a little
closer and just maybe straighten it--yes.
Mr. Johnson. Okay. Mr. Chairman and members of the
subcommittee, I am pleased to appear before you today on behalf
of the National Retail Federation, and thank you for the
invitation to speak on this important issue. My name is David
Johnson, and I am Vice President of Direct Marketing for Land's
End in Dodgeville, Wisconsin.
Although we are now an international merchant, many of the
things that today sets Land's End apart are those same values
on which our founder, Gary Comer, built the business he founded
in 1963. Indeed, one of the principles that continues to guide
our business states: ``We believe that what is best for the
customer is best for all of us.''
When people are asked to define good customer service, they
commonly say that it involves dealing with consumers honestly
and fairly, a view that no one can seriously dispute. Many
others also view a component of good customer service as
treating everyone equally. Let me suggest, however, that equal
treatment is not good customer service. Rather, great customer
service recognizes the very unique wants and needs of each
individual consumer, and strives to meet those needs. Great
customer service uses all available information to assess each
individual's particular tastes, and then delivers goods and
services that meets those desires. In short, rather than
treating all customers equally, great customer service is built
on the premise of treating different customers differently.
In testimony before Congress in July 1999, Federal Reserve
Board Governor Edward Gramlich stated: ``Information about
individuals' needs and preferences is the cornerstone of any
system that allocates goods and services within an economy.''
The more such information is available, he continued, ``the
more accurately and efficiently will the economy meet those
needs and preferences.'' What Governor Gramlich was talking
about on a macro level, Land's End is striving to do on a micro
level.
The information required to provide these tailored
interactions with our customers does come from a wide variety
of sources. We look to our customer purchase history and other
acquired information in order to more reliably assess our
customers' needs and wants. By assessing information on
purchases that consumers actually make, and services that they
actually use, consumers are offered products and services that
respond to their demonstrated needs and desires. This greatly
reduces the cost of developing those products and services, and
the risk that they will be out of line with consumer demand,
thereby reducing the price that consumers pay for them, and
mitigating the inconvenience and delay associated with stopping
consumers to ask about likely preferences.
Admittedly, we often hear complaints about customers
receiving mailings that they don't want. But Land's End--and I
strongly suspect every other direct merchant--has no interest
in sending catalogues or other information to customers that
have no desire to receive it. Frankly, that is a waste of our
time and money, and a disservice to the customer. Thus, we use
all information available to us to assess the likelihood that
any catalogue sent will be welcome in the customer's home. To
the extent that cataloguers send mailings to people who are not
interested in the offering, I suggest that the problem is not
one of too much information sharing, but rather too little
reliable information, forcing businesses to employ mass
marketing techniques instead of more targeted efforts to a more
appropriate and appreciative audience.
Moreover, the ability to collect and assess individual
purchasing activity gives Land's End the ability to provide
services to customers that we might not otherwise. As an
example, Land's End sells its products with a guarantee that is
second to none. Under our ``Guaranteed. Period.'' policy, any
customer can return any product, at any time, for any reason. A
guarantee this sweeping is by its nature subject to abuse, and
by offering it Land's End has placed unprecedented faith in its
customers that they will not exploit the policy.
But we comfort in offering our ``Guaranteed. Period.''
policy, because it is enhanced by the ability of individualized
purchasing and return data that allow us to track and check
abuses. In short, this information ensures that the few that
might exploit the guarantee don't ruin it for the overwhelming
majority of our customers that are fair and reasonable.
And consistent with the trust and loyalty that our
customers have shown us, Land's End is also quite responsible
with the information we share with others. Indeed, the only
data we currently provide to others are one-time use list
exchanges, which include only customers' names and addresses,
and then only with high-quality companies that share our
commitment to product quality, customer service and value, and
could, therefore, offer products and services attractive to
Land's End customers. And regardless of the medium by which we
interact with the customer--the Internet, phones, or mail--
customers may at any time request that their information not be
shared with others, or that they be removed from our files
altogether. And that is a request that will be honored.
Guaranteed. Period.
So in answer to the question posed by this hearing--``Is
the Customer's Privacy Protected?''--the good news is that
currently available information is used responsibly, consistent
with the expectations of consumers, and in furtherance of
everyone's interest, the consumer's, as well as the companies
that serve them.
Again, thank you for this opportunity to speak this
morning, and I welcome your comments and questions.
[The prepared statement of David A. Johnson follows:]
Prepared Statement of David A. Johnson, Vice President, Direct
Marketing, Lands' End, Inc. on Behalf of the National Retail Federation
Mr. Chairman and Members of the Subcommittee: I am very pleased to
appear before you today on behalf of the National Retail Federation,
and thank you for the invitation to speak on this subject. My name is
David Johnson, and I am Vice President of Direct Marketing for Lands'
End, Inc., in Dodgeville, Wisconsin. Lands' End employs approximately
7,600 people in the U.S. and abroad. We are a global direct merchant of
classically-inspired clothing for men, women and children, soft luggage
and products for the home, sold through regular mailings of our
catalogs, our Web site--landsend.com--and a number of retail outlets.
Last year, Lands' End's revenues exceeded $ 1.4 billion, and we mailed
packages to approximately 6.7 million customers.
The National Retail Federation (NRF) is the world's largest retail
trade association with membership that comprises all retail formats and
channels of distribution including department, specialty, discount,
catalog, Internet and independent stores. NRF members represent an
industry that encompasses more than 1.4 million U.S. retail
establishments, employs more than 20 million people--about 1 in 5
American workers--and registered 2000 sales of $3.1 trillion. NRF's
international members operate stores in more than 50 nations. In its
role as the retail industry's umbrella group, NRF also represents 32
national and 50 state associations in the U.S. as well as 36
international associations representing retailers abroad.
Although we are now an international merchant, many of the things
that today set Lands' End apart are those same values on which our
founder, Gary Comer, built the business he founded in 1963. Indeed, one
of the principles that continues to guide our business states: ``We
believe that what is best for our customer is best for all of us.
Everyone here understands that concept. Our sales and service people
are trained to know our products, and to be friendly and helpful.''
Through this dedication to the customer, Lands' End has been able
to separate itself from the pack in customer service. Indeed, in the
book Customer Service,1 author Fred Wiersema lauds Lands'
End (along with five other companies) for its ability to service the
customer above and beyond the call of duty.
---------------------------------------------------------------------------
\1\ Customer Service by Fred Wiersema (Harper-Collins Publishers,
Inc. 1998).
---------------------------------------------------------------------------
When people are asked to define good customer service, they
commonly say that it involves dealing with consumers honestly and
fairly, a view that no one can seriously dispute. Many others also view
a component of good customer service as treating everyone equally. Let
me suggest, however, that equal treatment is not good customer service.
Rather, great customer service recognizes the very unique wants of each
individual consumer and strives to meet those needs. Thus, great
customer service does not view every customer as a nameless, faceless
person without individual preferences--someone that in the absence of
any other information needs to be treated just like the next person.
Instead, great customer service uses all available information to
assess each individual's particular tastes, and then deliver goods and
services that meet those desires. In short, rather than treating all
customers equally, great customer service is built on the premise of
treating different customers differently.
Access to information is critical to our ability to deliver this
level of service. Information is used to identify and satisfy customer
needs. Lands' End does not automatically know which products and
services consumers want. Information beyond a person's name and address
allows us to tailor our interaction with the customer to make it more
effective and more satisfying for the consumer. As Mr. Wiersema states
in his book Customer Service, two of the most key components underlying
the ability to provide exceptional customer service are (1) the
employment of up-to-date information technology, and (2) the personal,
one-to-one relationship built with every customer.
``Although they conduct their business in completely different
areas of industry, these organizations actually have many
things in common with regard to how they function:
* * *
``They employ the latest information technology at each level
of their business. This shouldn't be surprising: Information
technology lends itself to strong customer service, and early
on, these companies all recognized the advantages, the instant
gratification, that the Internet and other technological
advances could offer them. Rather than trying to dazzle the
customer with the latest bells and whistles, they use
technology to make their products and services easier to
acquire and operate--as well as more efficient.
* * *
``. . . [T]hey use that technology to gain a profound
understanding of what these customers want and need. The notion
of building profiles on every customer they interact with is
important to them. If Customer A likes something different from
Customer B, these companies want to know that ahead of time . .
.
* * *
``These companies build personal relationships with their
customers. They are not mass-production factories when it comes
to connecting with their constituents. Each customer who deals
with these organizations is given premium treatment and made to
feel he or she is valued as an individual, able to call a
service representative time and again . . .
This degree of one-to-one attention requires a commitment to
training, to coaching, and to teaching associates the best
listening strategies and most efficient methods for giving and
receiving input. It takes computer technology, as well as
dedicated personnel willing to record each customer interaction
onto databases so that it can be activated later and used as a
learning tool for fellow workers.'' 2
---------------------------------------------------------------------------
\2\ Customer Service at xiv-xviii.
---------------------------------------------------------------------------
In testimony before Congress in July 1999, Federal Reserve Board
Governor Edward Gramlich stated: ``Information about individuals' needs
and preferences is the cornerstone of any system that allocates goods
and services within an economy.'' The more such information is
available, he continued, ``the more accurately and efficiently will the
economy meet those needs and preferences.'' What Governor Gramlich was
talking about on a macro level, I can guarantee Lands' End is striving
to do on a micro level.While many of our customers love the technology
and the wealth of information that is available over the Internet, many
other customers want the direct interaction that they can get over the
phone from one of our highly trained customer sales representatives. We
are agnostic as to how we interact with the customer--whether it be
through the Internet, the phone, mail or one of our outlet stores--but
we do need to know their preferences in order to build the
infrastructure necessary to effectively communicate with them via their
preferred medium. We also need to know our customers' preferences with
respect to the products and services available--either now or in the
future--to our customers. While some would prefer to learn about the
entire array of Lands' End product offerings, others' interests are
more limited and they would prefer to only receive catalogs from a
certain selection of our assortment of apparel and home goods. This
type of information educates us not only on what we should be
communicating to our customers today, but also provides Lands' End with
information on every detail--including assortment, color, fit, level of
quality, and price--that we should provide in future products and
services.
The information required to provide these tailored interactions
with our customers comes from a wide variety of sources. One obvious
source is the customer himself or herself in the form of preference
surveys. It is possible to extensively survey customers to determine
their individual preferences, but such data is not only expensive to
acquire, its acquisition runs contrary to the customer service
commitment of an organization such as Lands' End. Frankly, it is a
bother for a customer to complete questionnaires telling businesses
what they expect in products and services. Because of these
limitations, such direct information is oftentimes unavailable and
somewhat unreliable. For that reason, we look to customer purchase
history and other acquired information in order to more reliably assess
our customers' needs and wants. By assessing information on purchases
that consumers actually make and services they actually use, consumers
are offered products and services that respond to their demonstrated
needs and desires. This greatly reduces the cost of developing those
products and services and the risk that they will be out of line with
consumer demand--thereby reducing the price that consumers pay for
them--and mitigating the inconvenience and delay associated with
stopping consumers to ask about likely preferences.
Admittedly, we often hear complaints about customers receiving
mailings that they don't want. But Lands' End--and I strongly suspect
every other direct merchant--has no interest in sending catalogs or
other information to customers who have no desire to receive it.
Frankly, that is a waste of our time and money, and frustrating to the
consumer as well. Thus, we use all information available to us to
assess the likelihood that any catalog we send out will be welcome in
the customer's home. To the extent that cataloguers send mailings to
people who are not interested in the offering, I suggest that the
problem is not one of too much information sharing but rather too
little reliable information, forcing businesses to employ mass
marketing techniques instead of more targeted efforts to a more
appropriate and appreciative audience.
Moreover, the ability to collect and assess individual purchasing
activity gives Lands' End the ability and comfort to provide enhanced
services to customers that we might not otherwise. As an example,
Lands' End sells its products with a guarantee that is second to none.
Under our ``Guaranteed. Period.''' policy, any customer can
return any product at any time for any reason. A guarantee this
sweeping is, by its nature, subject to abuse, and by offering it Lands'
End has placed unprecedented faith in its customers that they will not
exploit the return policy. But Lands' End's comfort in offering our
``Guaranteed. Period.''' policy is enhanced by the
availability of individualized purchasing and return data that allows
us to track and check abuses. In short, this information assures that
the few that might exploit the guarantee don't ruin it for the
overwhelming majority of our customers that are fair and reasonable in
their returns.
Likewise, the availability of certain products and services by
their nature--and particularly so of many of the services available
over the Internet--all but require that some information be shared
among companies. As examples, Lands' End offers online models which a
customer can use to virtually ``try on'' clothes, and a ``personal
shopper'' that, applying conjoint analysis techniques, offers
purchasing recommendations to online shoppers much as a sales clerk
would do in a retail store. For these types of services to become
accepted and useful to the consumer, they must also become standardized
throughout industry with the individualized models and preferences
portable from site to site. This type of information sharing will
ultimately enhance the breadth of products and services available to
the consumer.
And consistent with the trust and loyalty that our customers have
shown us, Lands' End is also quite responsible the information we share
with others. Indeed, the only data we currently provide to others are
one-time-use list exchanges, which include only customers' names and
addresses, and then only with high quality companies that share Lands'
End's commitment to product quality, customer service and value and
could, therefore, offer products and services attractive to Lands' End
customers. And regardless the medium by which we interact with our
customer--the Internet, phones or mail--customers may at any time
request that their information not be shared with others, or that they
be removed from our files altogether, and that request will be honored.
So in answer to the question posed by this hearing--``Is the
Customer's Privacy Protected?''--the good news is that currently
available information is principally shared responsibly, consistent
with the expectations of consumers and in furtherance of everyone's
interests--the consumer's as well as the companies that serve them.
Again, thank you for this opportunity to speak before this
Subcommittee, and I welcome your questions and comments.
Mr. Stearns. I thank the panel. Let me start by asking some
of the basic questions I think all consumers are concerned
about. And this sort of touches into what Mr. Hourigan had
talked about--that they build a substantial data base with
information on GM vehicle owners, and that GM uses this to
facilitate after-market sales, repairs, next vehicle purchase,
and to ``cross-market the broad range of GM products and
services.'' Is this a singular data base?
Ms. Hourigan. It is not a singular data base. We have
separate data bases. The data base that I mentioned is
primarily used for market segmentation, and in our product
development phase.
Mr. Stearns. Give me, for example, examples of the type of
information that is contained in this data base. Other than the
ones I mentioned, is it pretty much just the name of the owner,
the purchase? Are there preferences and things that are in this
data base?
Ms. Hourigan. It actually is, if I can mention one thing,
our divisions have operated on a tremendously autonomous basis
for many years. And we just recently have elected to streamline
many of our processes and practices. Data handling is one such
practice.
And so what we have attempted to do is, again, move toward
a process by which all divisions will operate under the same
policies and practices. The information that is contained in
that data base is vehicle name and type of vehicle. We will
augment that with information we obtain from the aggregators,
but again, it is only for the purpose of market segmentation.
Mr. Stearns. How do you protect that information? For
example, within the company, and also protect it when you deal
with subcontractors, or other organizations that you deal with?
Ms. Hourigan. Well, we obviously use the highest standards
of security to protect the information. We also use managerial
security techniques, along with physical security measures.
In terms of working with our suppliers, we obviously only
deal with credible suppliers to process the transactions on
behalf of our customers. We also have contractually limited how
our suppliers can use that information for any subsequent
purposes.
Mr. Stearns. Mr. Misener has talked about not having
legislation, but if we have legislation, he would say it should
be three items: pre-emptive rights, of course, so that if
States start to develop it, that there would be Federal
legislation to pre-empt the States, so you wouldn't have to
comply with 50 States; what would apply to online would also
apply to off-line; and then he talked about private rights of
action.
And just for the benefit, the private rights of action, we,
of course, on this committee would not all agree with this, but
basically this would prevent class actions suits as I
understand it against you individuals, based upon something
that perhaps you compromised privacy, and then this would turn
out to be, among thousands of people who would come together
with a class-action suit.
Now, he mentioned those three that he would like to see, if
there is Federal legislation. Are there any other ones? And I
will just go from my left to my right and ask each of you if
there are any besides those three? And if you disagree with Mr.
Misener, that you don't think they should be part of this, now
is the time to tell us.
Ms. Pearson. I would agree with those three features being
reflected that way in possible legislation. I would just go
back to the point of, as your committee has begun a process of
deliberation and understanding how information flows in our
economy, and how consumers can be affected by that information,
is to start with a more fundamental question: where is the
issue that needs to be addressed? Once we understand what
companies do with information, what government does with
information, and then go from there.
I think if there is legislation affecting commercial
practices, there ought to be some level of understanding of why
commercial practices versus other kinds of uses of information.
So there ought to be that.
Mr. Stearns. I could give you a list of what I think the
consumer wants. But I am just asking you now, just, because I
don't have a lot of time, just quickly to go through and say,
Yes, I think those three are the basic----
Ms. Pearson. Yes, I think those three features are basic.
Mr. Stearns. Basic for Federal legislation?
Ms. Pearson. Yes.
Mr. Stearns. Is there anything you would add to it?
Ms. Pearson. I think there ought to be technology
neutrality, so that you don't get into specific requirements
about this technology or that technology being used, so that
you accommodate flexible changes. The world is changing
extremely rapidly, and we need to have that ability to
innovate. There ought to be, I think, some basic guidelines so
that you encourage transparency in information practices
without requiring specific content for notices or specific
practices. Those are two.
Mr. Stearns. Okay.
Ms. Hourigan. I would just second what Harriet said,
technology-neutral, in addition to what Mr. Misener mentioned
earlier.
Mr. Stearns. Okay. Mr. Swift?
Mr. Swift. The one addition that we would have is that the
legislation would recognize the role of industry self-
regulation, and possibly the role of TrustMark programs in the
self-regulatory process.
Mr. Stearns. What does that last part mean?
Mr. Swift. A BBBOnLine or Trustee, a program that validates
and sets criteria for appropriate practices.
Mr. Stearns. Best business practices?
Mr. Swift. Correct.
Mr. Stearns. Okay. Mr. Misener?
Mr. Misener. I thought Mr. Misener's list was pretty good.
Mr. Stearns. I thought so, yeah.
Mr. Johnson?
Mr. Johnson. We believe that any legislation should move
incrementally, and allow us to really understand the impact
that it ultimately has in helping us to serve our customers.
Mr. Stearns. Okay, my time has expired, and we are eager to
hear other members. But I think, just briefly in the 5 minutes
I have had, you have outlined what, if any, Federal legislation
should include. And I think that is the purpose, to get from
you your heartfelt opinion of what we should do. And we have
come up with 1, 2, 3, 4, 5, 6, 7 components of this Federal
legislation.
I am very pleased to welcome the ranking member, the
gentleman from New York, Mr. Towns.
Mr. Towns. Thank you very much, Mr. Chairman. Let me say
that I am happy that you are having this hearing. I think it is
so important that we listen to people before we move forward on
legislation.
I would like to know, I guess, Mr. Misener, what do you
deem as an appropriate penalty for those companies who abuse
consumer privacy, by breaking their own privacy laws? What
would you consider an adequate penalty?
Mr. Misener. An adequate penalty? Well, certainly it would
depend upon a lot of factors going into the abuse. If it is
repetitive, if it is willful, intentional, deliberate--all
those sorts of things--then I would think that the penalty
could be greater. But those are the sorts of issues that, for
example, the Federal Trade Commission could take into account.
If a privacy policy is announced by a company, and then not
followed by that same company, the Federal Trade Commission,
under its powers in Section 5 of the Federal Trade Commission
Act, could go after that company and apply a variety of
remedies, including injunction and fines.
Mr. Towns. Let me ask you, if I buy ten books through your
company, are those records available to data collectors? In
other words, do you sell the products that I purchase through
Amazon.com to data collectors?
Mr. Misener. Yes, that is an excellent question, Mr. Towns.
Absolutely not. Amazon.com is emphatically not in the business
of selling customer information. We do not transfer that
information to unaffiliated third parties at all. And for the
few affiliated third parties, we transfer it only with opt-in
consent from our customers.
Mr. Towns. On that note, Mr. Chairman, I yield back.
Mr. Stearns. Okay. I thank the gentleman. We have the
distinguished chairman of the full committee, the gentleman
from Louisiana, Mr. Tauzin.
Chairman Tauzin. I thank you, Mr. Chairman. Again, thank
you for this series of hearings, because I think they are
better preparing this committee, and hopefully the Congress,
for whatever privacy decisions we need to make, either
generally or, as some of you point out, incrementally.
Let me first say that one of the concerns I have as we
explore all the edges of this privacy debate, is that we very
carefully remember that we ought to avoid solutions simply
looking for problems. It is easy to do in this area. It is easy
to begin imagining how data could be misused and how people
might do something with data, and then make a great deal of
complex Federal laws and solutions designed to fit imagined
problems. And what you are doing, Mr. Chairman, is actually
focusing on the real world, the reality of how data is
exchanged, and how the industry is really working for its own
customers' sake and its own business self-interest, in building
self-regulatory regimes and regulating itself. And that is an
important part of this process, I think, understanding where
the real problems are, not the imagined ones.
In that regard, in the very short time we each have, I want
to do just one thing with this very important panel. I would
like each of you to answer this question in order, and I will
be very satisfied with my 5 minutes. It is a very basic
question, and it is a question that goes to what is probably
the most important decision we first make on privacy. And that
is whether to make privacy policy Internet-specific or not.
Now, you all operate your businesses in different ways,
online and off-line. Some of you are strictly online. But the
question I have is that, recognizing that if we made privacy
policy that was Internet-specific--which could, theoretically,
prejudice commerce against online activities in favor of off-
line activities--recognizing that, is there a good reason to
make privacy policy special and different and unique for the
Internet world, the online world, as opposed to making it
consistent for all activities, whether it is online or off-
line?
If each of you will comment on that in a row, I would
deeply appreciate it.
Ms. Pearson. I get to start. From IBM's point of view, it
is the same data base or set of data bases, in back of that
curtain, that receive the information, no matter where it comes
from. So our view has been that if we are going to be
deliberative about this, we ought to realize that. And
therefore, particularly since the Internet is so new as a
mechanism for communicating, that we ought to think about all
the media equally--that there shouldn't be a disadvantaging of
the Internet over other media. That is a starting point for
discussion.
Chairman Tauzin. Okay. As you go down, I want--if any of
you have a good reason to believe that the Internet is so
different that it needs special rules, if you don't mind
commenting on that. Please?
Ms. Hourigan. Sure. I think--we actually had this exact
debate in our company, as to whether it was appropriate to
apply a different set of standards to the Internet. And we came
to the conclusion that it did not.
However, I think to the extent that there may be specific
abuses that may occur in the online world that would not exist
in the off-line world, then it may be appropriate to treat
those particular instances differently. But for General Motors,
we still collect a tremendous amount of information off-line,
and so to apply different standards would be challenging. And,
you know, it is complex enough as it is, I guess. So, thank
you.
Chairman Tauzin. Thank you.
Mr. Smith. Let me answer by just talking about how we are
looking at this within P&G. Our dream is that we would be able
to bring together information that we have about a single
consumer, regardless of how that information was collected--
through consumer relations contact, a web site, whatever. And
the reason is that when the consumer calls the next time, or
when we make an offer, we would like to reflect everything we
know about that consumer. And when we recognized that, we said,
we need to apply the same information practices to all the
data, because it is going to end up in the same place.
So, you know, we would obviously believe that looking at
that information, regardless of its source, regardless of where
it is stored, being treated in the same way.
Mr. Misener. Mr. Tauzin, we strongly believe at Amazon.com
that any new legislation ought to apply both to the online and
the off-line worlds. There are a couple of reasons. One is the
fundamental fairness that you mentioned to online companies who
would be potentially burdened by a new regulation that would
not apply to our off-line competitors.
But more fundamentally, it is a consumer issue. Consumers
spent, in the retail world, 99-plus percent of their dollars in
the off-line world. Less than 1 percent of the retail
transactions were made online. And so an online-only law is
going to do very, very little for consumers more broadly.
Moreover, the consumers that it would help, that it would
effect, would be only those on the fortunate side of the
digital divide. If you don't have the education or money to be
shopping online, that privilege, you would get no benefits from
an online-only law.
Mr. Johnson. Mr. Tauzin, we believe that there is not a
reason to make it Internet-specific per se. Our customers shop
with us via the phone, via the Internet. Many of our customers
interact with us through numerous different ways.
One position that we do take, however, is that there is a
need to be sure that we really understand the implications that
it may have on companies like us that are a multi-channel
business, and the implications in the long run that it may have
for the consumer in ultimately providing the high level of
customer services that our consumers expect.
Chairman Tauzin. There you go, Mr. Chairman. I have found
you unanimous consensus.
My work is done. Thank you very much.
Mr. Stearns. I thank the chairman. Mr. John? Oh, no, he is
not here. Mr. Doyle?
Mr. Doyle. Thank you, Mr. Chairman. Boy, I sure hate to
rain on the parade here. And I think this has been a good
discussion, and a helpful one. But let us all remember here,
too, that sitting before us are representatives of Fortune 100
companies, and I think that in an ongoing basis we also need to
hear from consumers and from small businesses, because I think
they face some different problems complying with and adhering
to privacy policies than some of these companies here, who have
vastly greater resources. And that needs to be kept in mind.
Mr. Misener, at Amazon.com you sell videos, right?
Mr. Misener. Yes, sir.
Mr. Doyle. We have a Federal law that if I walk into
Blockbuster and buy a video, they are not allowed to keep a
record of what kind of videos I am buying. Now, obviously that
law doesn't apply to Amazon.com online, because you keep
records of what kind of videos your customers buy?
Mr. Misener. We keep those records in the ordinary course
of our business, which is a specific exclusion in that law.
Mr. Doyle. Yes, exactly. So in that respect, your online
service is treated somewhat differently than an off-line
service.
Mr. Misener. Well, if off-line services were using those
records in the ordinary course of their business like we do,
they also could keep those records.
Mr. Doyle. But Blockbuster could never disclose or keep
records of anybody's purchases, I am saying. You could share
that information, could you not?
Mr. Misener. Let me be clear on a couple things.
Mr. Doyle. Sure.
Mr. Misener. First of all, we would be delighted to be in
the Fortune 100. We would actually be delighted to be in the
Fortune 500.
Tune in this time next year. But we are fully compliant
with that video restriction law that you mentioned, because we
do use those in the ordinary course of business. We do not
reveal--repeat, do not reveal--that information to third
parties at all.
Mr. Doyle. But you do that voluntarily, is what I am
saying. There is no law requiring you to do that. You do that
as a matter of policy.
Mr. Misener. I think it could be argued that that law
applies to us. But we are responding to what our customers
demand. If we did that, we would lose customers, and therefore,
because our customers want it, and because we are pro-privacy,
we do it. And so therefore, the market forces are forcing us to
do this. Just like keeping our prices low and providing a high
level of convenience, we are providing a level of privacy
protection that consumers demand.
Mr. Doyle. Yes. And I guess the point I am trying to--and
it is certainly not an attack against Amazon.com--but we have
all kinds of vendors and entities out there that all have
varying degrees of privacy policies, and do things that they
are not really required to do. You do it because it is good for
your customers. And that is what we are hoping for, that there
isn't going to be a need for heavy regulation because the
industry understands that that is the way to go.
But I can tell you that most consumers don't have a clue
how data is being collected on them. They don't understand what
a cookie is; they don't know, when they are surfing the web,
what is happening to them. Trust me, they don't.
And I guess it doesn't bother me so much in the retail end.
I mean, I go to Giant Eagle and I have got my little Advantage
Card, and you know, I swipe that across the deal and I get some
discounts for doing it. But it also allows that supermarket to
track what I am buying, and make sure that the stuff I want is
there. I think it is helpful that we don't get junk mail, if
people know what our preferences are. So I see tremendous
benefits from it.
But I also see the tremendous potential for abuse,
especially in things like medical records and issues of
personal behavior, where consumers have the right to expect
that those types of information aren't being shared with
anyone, and that when you are dealing with vendors--I know you
say some of your vendors have the same privacy policies that
you do. I just don't understand what the enforcement mechanisms
are. How do you know they are not violating their own policy?
So I guess, you know, we struggle with these things. And it
is politically unpopular to want to do anything against the
Internet, because it is such a sexy new thing, and you know,
everybody wants to be seen as high-tech up here on this panel.
But I think there are some real concerns, and we appreciate
your input at these hearings. And I think we have a long way to
go, Mr. Chairman, to hear from many different groups, so that
when we do fashion legislation we do it thoughtfully.
But I appreciate your testimony today.
Mr. Stearns. I thank the gentleman. The gentleman from
Illinois, Mr. Shimkus?
Mr. Shimkus. Thank you, Mr. Chairman. And I am glad my
colleague Diana DeGette here, because I used her phrase, since
you mentioned it, in hearings earlier this year about
individuals not----
Ms. DeGette. See that you get it right.
Mr. Shimkus. Yes, she is concerned that I am using some of
her quotations. But how much individuals--we don't understand
the benefit we have from some information sharing. And although
we want to find out the benefits to you from having good,
strict policies.
And I was just interested here in how much you actually are
using the information in product-specifics at P&G, personalized
beauty care products to individuals, and the information and
the like.
I want to boil it down a little simpler, in the debates
that we use here and the terminology that we use here in
legislating in this arena, and get a few comments. And I want
to address questions on this opt-in/opt-out aspect, because in
some aspects, when people order from Amazon.com--which we have
done--it is almost implied that you are opting in, because you
are providing the information that they have to send you the
product. And then there may be some other boxes to put. And I
am not sure if it is a total requirement to fill in all the
boxes before you get an order processed--versus an opt-out
provision which would say, I want to buy your product. But I
don't want you to get any more information on me. All I want to
do is purchase your product, and opt out--do not use this for
anything else.
We also use here in Washington-speak the telephone
directory as an opt-out system that works. We wouldn't have a
telephone directory that worked if everyone had to call in and
say, yes, I really want my phone number listed in a directory.
But we do know that if you call, you will get an unlisted
number. For a price, as I'm being corrected. But that is a
price that some people are willing to pay.
So I would like to have your comments on how the whole
debate on opt-in/opt-out affects you individually as you do
this planning, and how you are going to respond to whatever it
is that we end up doing. And I would do it the same way--
actually, yes, let's just go the way the chairman did at the
table. And if you don't want to add, then you can just pass.
Ms. Pearson. Opt-in versus opt-out, from a business
perspective it boils down to choice, and what is the right
amount of choice to provide the consumer when you are dealing
with a consumer? And that is really, if you are a customer-
centric business, is what is the expectation of that consumer,
and what is going to result in a better environment, a more
trusted relationship? Because I want to continue my
relationship with that consumer. And so sometimes you market
and you use opt-in.
Particularly for us, in e-mail solicitations, we will only
send out e-mails if somebody has opted in or we have a prior
existing business relationship, where there is no surprise when
you are going to get that e-mail.
Sometimes it make a lot of sense to do opt-out, because all
we are going to do is, if you are not going to check here, we
are going to take advantage of your not opting out and send you
an additional piece of literature about that IBM Aptiva. And we
want to do that. And there is really very little harm that
comes from doing that.
So sometimes it is opt-in, sometimes it is opt-out. And
then the debate becomes, should there be a national requirement
as to one certain level? And should you impose that on every
kind of business decisionmaking, or how you interact with the
consumer? That is the real question.
Ms. Hourigan. I would agree with Ms. Pearson's statements,
and also add: it comes down to prominence, and making sure that
you are doing it in a way that is understandable to the
customer.
I think--wearing my consumer hat for a minute--I have seen
it done, opt-in and opt-out, done in very positive ways, and in
very sort of, you know, less than satisfactory ways. So again,
I think the important concept here is choice, and prominence,
and presenting it in a conspicuous and understandable way.
Mr. Smith. I would second the call for the fact that the
prominence and the clarity of the choice is more important than
what the default is. We use a system in Proctor & Gamble, and
we are moving it to universality in our company. But we ask,
you know, would you like to have other offers from this brand?
Would you like to have other offers from other Proctor & Gamble
brands? Would you like to have offers from other reputable
companies who are partners? And so we get kind of a hierarchy
of choices for our consumers.
Mr. Misener. My wife is from the North Hills, just north of
Pittsburgh. And we go up to the area frequently. And we have a
Giant-Eagle card. And I can assure you, down at the bottom of
that application form--I don't recall it exactly. But I am sure
that there is a little check box that says that you can
probably opt out of getting solicitations based on your
purchases there. Small print, down at the bottom, didn't pay
attention to at the time, probably wouldn't care much about it.
On Amazon.com's site, when we talk about information with
one of our affiliates--for example, ToysRUs.com for certain
toys deliveries--we actually have a little cartoon picture
prominently displayed on the site, which shows Geoffrey the
Giraffe, the Toys R Us giraffe, sitting in an Amazon.com box.
Now, that little picture makes it crystal clear to our
customers, without having read a long privacy policy or read
the fine print at the bottom of the page, that Amazon.com is
going to be delivering a Toys R Us product. Real simple. That
is meaningful choice, in our view.
And so yes, as I mentioned before, we provide opt-in choice
for any kind of sharing with our affiliates, and we don't share
any information, period, with any non-affiliated third parties.
But when there is that choice, we want to make it meaningful
choice, so that customers and consumers actually understand
what is going on. Frankly, Geoffrey sitting in the box makes a
lot more sense to consumers than small type at the bottom of a
form.
Mr. Johnson. There is not a whole lot I can add to what has
already been said. With respect to our business, our business
is very different from Amazon's in that we are a well
established direct merchant. The opt-in aspects of
communication via the Internet is only relatively new to us in
the history of our business.
It would be fair to say that in transacting our business,
to an earlier point raised, there is a certain amount of
information that is required. But with respect to opt-in versus
opt-out, depending on online or off-line aspects of our
business, we comply with what we believe to be the expectations
of our customers. So with respect to our Internet business, our
communications via e-mail, it is very clearly opt-in. On the
catalogue mailing side of our business, we certainly give our
customers choice there as well, making sure that they know that
if they want to limit that sharing of their name and address
with like-minded companies, that that option is available to
them.
Mr. Shimkus. Thank you very much. I yield back.
Mr. Stearns. The gentleman's time has expired. The
gentlelady from California, Ms. Harman?
Ms. Harman. Thank you, Mr. Chairman. I have an opening
statement which I would like to submit for the record.
Mr. Stearns. By unanimous consent, so ordered.
Ms. Harman. And I would mention that in it, I attach an
interesting op-ed that appeared earlier this week in the New
York Times, authored by Peter Wallison, a friend of mine who is
a former counsel to President Reagan, in which Wallison points
out the difficulties of opt-in and what it would do to the
financial community. I thought it was very interesting to read
that author make that point.
At any rate, I have appreciated the testimony of the
witnesses, and would like to declare, at least for myself, that
these are the good guys. You are all good guys. And I
congratulate you on being sensitive to privacy concerns.
My question, Mr. Chairman--maybe it is for you and the
committee, more than it is for our panel--is what about the bad
guys? What about the people who are not sitting here, who don't
think that privacy and protecting our privacy matters?
And interestingly, I understand that today's Industry
Standard reports a list of sites with the greatest
concentration--not absolute numbers, but the greatest
concentration--of teen users. I raise this because I know we
are all concerned with teenagers. As a mother of two of them
myself, I certainly am. But none of those people are sitting
here. Let me just read this list: Teen.com, TeenPeople.com,
Katrillion.com, SparkNotes.com, BadAssBuddy--I'm sure we would
love that one--dot-com, Blink182.com, CoolQuiz.com, TeenMag.
com, TeenChat.com, and Seventeen.com. Some of these sound
pretty antiseptic. There is one word I read that I am sure we
are all going to now check out.
But at any rate, here is the Katrillionsite, just so you
know. Katrillion is reported to be an entertainment and gossip
portal. Here is what it says on the site: ``By using this site,
you agree to the terms and conditions outlined below. If you do
not agree to these terms and conditions, please do not use this
site.''
Okay, good.
``We reserve the right to change, modify, add, or remove
portions of these terms at any time, whenever we want. If you
continue to use the site after we have posted changes to the
terms, it means you have accepted those terms.''
Now, if you are 16 or 17, you won't even read this. But if
you read this, and then you logged on to the site--at least the
way I understand this, and I realize my mind is not as agile as
my children's--the way I understand this, they can do whatever
they want.
So I would at least postulate that Katrillion would not be
a good guy in the way that you are, because I don't think that
is what you would do.
I want to ask the panel, Mr. Chairman, I really have only
one question, what do you have to say about this kind of
information? Your kids, presumably, or your nieces and nephews,
or your brothers and sisters, or teenagers that you know, are
logging on to these sites much more than they are having
anything to do with you. And what advice do you have for us
about this kind of stuff?
Ms. Pearson. I have a 9-year-old daughter who, when she is
old enough to go on the web by herself--which is when she is
going to be 18----
Ms. Harman. Good luck.
Ms. Pearson. I would be--yes, you're right. I am very
concerned about that, as a mother. And there are not only
privacy issues raised in what you said, Ms. Harman. There are
many other issues raised. It is absolutely critical that we
educate our children, particularly those who are old enough to
be on their own on the web, about what to look for. There is
absolutely no reason that a teenager should not be looking for
some sort of privacy policy or seal, or other kind of indicator
of what is good for them.
But we all know that they are going to go wherever they
shouldn't go anyway. Those sites, no matter what they say, are
still bound by laws. And they still should be bound by industry
practices, so that if they are not doing what they say they are
doing, they ought to be prosecuted, and there should be
enforcement. If they are doing something misleading, collecting
information and abusing that information to hurt a child, they
should be prosecuted to the fullest extent of the law. And
there are laws that can get you there.
If they are a bad guy and they disregard industry practices
and they disregard existing law, then they are a bad guy,
period. And I am afraid that a law or industry practice,
whatever that is, is still going to lead to having some bad
guys out there. So for us, it fundamentally becomes an issue of
education. Educating our kids, and making sure parents are
involved with the children.
Ms. Harman. Other comments?
Ms. Hourigan. I would just add, with respect to that site,
and actually just general commercial web sites, with respect to
privacy and consumers, education is absolutely key. Technology
is challenging; you know, I have to read new articles on a
daily basis to keep up. And so making education part of any
comprehensive privacy solution is appropriate.
I would also say, with respect to the bad guys, you lose
customers if you don't treat them well. From a large company's
perspective, if we lose a customer, it is hard for us to get
them back. And so that really drives us to say, hey, this is
incredibly important, and we need to respect our customers and
respect their preferences.
Mr. Smith. I think empowering consumers to make decisions
is important. And that probably means parents need to step up
to the responsibility of training their kids. Some interesting
data: 82 percent of people on the web have seen privacy
statements. That is going up. Sixty-seven percent say they
sometimes or always read them. I suspect that that is an
overstatement, to a degree. But you know, they are aware of
them. Fifty-six percent of people say that privacy statements
are important. And the great thing about the web is that you
are always one click away from--you know, if you make the
consumer mad, boom, hit the ``Back'' button, and you are
absolutely out of there.
So I think the issue is how do we enable people to
understand privacy policies and make choices?
Ms. Harman. Well, my time is up, Mr. Chairman. Any other
comments?
Mr. Stearns. Sure.
Ms. Harman. I thank you. I just want to state for the
record that I am quite dubious about whether Federal
legislation will work here, with the exception of some bright
lines around medical and financial privacy, personal privacy. I
think the rest of it might better be handled by responsible
actors in the industry. But having said that, there are
irresponsible actors. And particularly when they interact with
teenagers, whom--I would volunteer, as one parent who attempts
to be responsible--who are difficult to fathom.
I think we are at risk, and I don't know what the answer
is. And it sounds good to say we should all make good choices.
Yes. I agree. Mr. Chairman, I think you should make good
choices, and I hope you have a better ability than I do to
understand what is in your kids' head, and to guide them
perfectly.
But I think, as a society, we are at risk here. And I don't
know whether we are yet finding the best tools to help
overworked parents deal with kids. And I would welcome some
enlightenment here. And I hope that all of you, in your role as
parents, keep thinking about this, because we certainly have a
lot of work to do.
Thank you, Mr. Chairman.
Mr. Stearns. I thank the gentlelady. The gentleman from New
Hampshire, Mr. Bass?
Mr. Bass. Thank you, Mr. Chairman. Two or three
observations about what I have heard in the last hour or so.
First of all, only an absolute dyed-in-the-wool retail
salesperson could characterize an unsolicited e-mail offer or
advertisement as a benefit. It is the computer equivalent to
seeing somebody drive up your driveway in a car full of clothes
or something in the back and saying, ``Oh, boy, this is just
what I have been waiting for all morning long!'' I am not sure
how popular that really is.
Second, I myself, and my wife, buy products online, and
from nothing but very reputable firms. And yet I receive on
average 4 or 5 solicitations on my e-mail address to
consolidate my loans, to travel to faraway places, to make
money fast. All you have to do is click this button and you're
rich. And I don't know how it ever got there, and I think that
is part of--by illustration at least--what we are facing here
today. I am not--these are companies like yours.
The third observation I have is that we really are--I as a
consumer, am presumably at least moderately knowledgeable--
really don't know what to look for. You mentioned, Ms. Pearson,
that we need to educate our children about what to look for.
Well, if we don't know what to look for, then it is hard to
educate anybody else.
My question for you folks, if you wish to answer--you can
or not--is, you have high standards. I think, Mr. Misener, you
mentioned that you sell your list to other people that have the
same standards that you have.
Mr. Misener. I did not say that.
Mr. Bass. Oh, somebody else did.
Mr. Misener. We absolutely do not sell our list.
Mr. Bass. Okay, Land's End, Mr. Johnson did. To use the
analogy of whispering in a circle, after a while the message
may begin to get indistinct. What happens to the lists that you
sell to them, and then they sell, and so forth and so on? I
guess you said your clients have the same standards that you
do. That is a requirement internally, is that correct?
Mr. Johnson. That is correct.
Mr. Bass. And is there any way that that information can be
abused by your clients?
Mr. Johnson. We take a number of measures to protect
against that. As I stated in my testimony, it is for one-time
usage only, and that is by a contractual agreement. We also, in
managing that process, we plant what we call our decoys. I
myself am a decoy on that list. So we track usage by those
companies, and we track it very closely, so that we can ensure
that it is a one-time usage, and that the usage of it is as was
stated in the original agreement.
Mr. Bass. And you are adequately protected should there be
abuse? You could seek civil action of some sort?
Mr. Johnson. Absolutely. Yes.
Mr. Bass. All right. Let's see. Does your commitment to
consumer privacy extend to sites that might link to or from
your sites? In other words, there might be people that are
linking. Can you control the ability for other sites to link to
your site, or vice versa? Does that make sense, or not?
Mr. Smith. The answer is you really can't control who can
link to your site. On our sites, if you are moving out of a
Proctor & Gamble site somewhere else that we have linked, there
is a notification that you are leaving the Proctor & Gamble
area, and that different policies may pertain.
Mr. Bass. Okay. I have no further questions, Mr. Chairman.
Mr. Stearns. Thank you.
Ms. Pearson. Can I make one point on education?
Mr. Bass. Sure.
Ms. Pearson. Mr. Bass, you mentioned that it would be great
to know what to look for. And I just want to come back to that
and say that this education, this need for further education,
is a bipartisan, it is an industry-government--we all need to
work together on education.
And I would commend the Federal Trade Commission for
providing a certain level of education. I would say FTC.gov and
the material there is what every consumer ought to take a look
at. I think any number of our companies has been involved in
this kind of effort. Trustee.org, BBBOnLine.org, and a few
other organizations such as UnderstandingPrivacy.org, the web
site for the Privacy Leadership Initiative, all have
information about what a consumer could look for. And any kind
of assistance you can provide in this committee to highlight
the availability of those materials, or to suggest further
activities, or to encourage the Federal Trade Commission to
encourage that kind of activity, I think would be appreciated
and welcome by the American public.
Mr. Stearns. I thank the gentleman. The gentlelady from
Colorado, Ms. DeGette?
Ms. DeGette. Thank you, Mr. Chairman. I would like to add
my thanks for having this series of hearings, and also to
announce that at the conclusion we are going to pull my
original comment I made at the first hearing, and whoever
paraphrased it the most closely is going to win a prize.
Mr. Stearns. Skiing in Aspen.
Ms. DeGette. Skiing in Aspen? Yeah, okay, I'll work on
that.
I want to go back to something Ms. Harman talked about and
others touched on. And Ms. Pearson, you were just talking about
it briefly, which is, how do we educate consumers? Because I
hear everybody up here talking. I hear Ms. Hourigan talk about
what they do internally to help identify consumer preferences,
and to help their customers, and so on. And I hear others
talking about what happens online.
And I guess my question--I think we all know consumers are
really not educated at all as to what is going on with their
personal information. Some of it, we might agree with the uses,
some we may not. But consumers don't know--despite disclaimers,
despite privacy policies on web sites, despite some kind of
education effort. So my question to you is, do you think
industry has any obligation to find some way, jointly or
separately, to increase consumer education, and what would that
be? Beyond what we are doing now, because what we are doing now
is not educating consumers. Anyone?
Mr. Smith. Well, I think industry does sense the
responsibility to communicate and improve the education. A
number of firms in industry and leading trade associations
about a year ago created the Privacy Leadership Initiative. A
key element of that work was consumer education. We have
developed, and will soon launch, a web campaign with privacy
tips for consumers.
Ms. DeGette. And how is that going to be disseminated to
consumers, so that they can actually know?
Mr. Smith. As they visit web sites, a banner ad will pop up
with a privacy tip, that explains a privacy practice. You know,
how to create a good password, for example. And then have the
URL to visit the Privacy Leadership site for additional tips.
Ms. DeGette. And how widely is that going to be
disseminated?
Mr. Smith. I don't have specific impression estimates at
the moment. But the members of the Internet Advertising Bureau
have very generously committed to run these ads on a pro bono
basis.
Ms. DeGette. Anyone else with thoughts on that?
Ms. Hourigan. I would just add a couple of comments. The
concept that Trustee, which is one of these seal programs,
recently announced regarding labeling, so you would basically
develop a label for a particular practice on a web site--I
think that will go to at least alleviating some of the burden
on a customer to go through and read a privacy statement and
understand. And hopefully, again, that will serve to--it will
be a little more transparent to the customer. I think that is
an interesting concept. I am not sure what the status of that
initiative is, however.
The other thing I would mention is the introduction of the
platform for privacy preferences, or P3P, which will be built
into Internet Explorer 6.0. What I think we hope for is this
becomes almost a transparent issue for customers, and they
become familiar with it, because it is built into their
browser, they can select their preferences, and basically it
will be an effort for the browser to look in course and
communicate that information back to them.
Ms. DeGette. Well, you know, I appreciate these answers.
But as you yourself can realize, they are not very specific or
broad. And so my suggestion to the industry--I know we have
many representatives here today--would be you start to think
about these things on a much broader scale, especially because
we are all loath to have over-reaching government regulations,
which means there is a big responsibility for companies.
And let me follow up, because the title of this hearing is
``How do Businesses Use Customer Information: Is the Customer's
Privacy Protected?'' This hearing, and your testimony, is not
just about online privacy, but privacy in general. And I am
wondering if any of you can talk about whether you think
standards for privacy for data that is not online should be
different than online data. And if not, how do we deal with
that? All of your answers were related to Internet privacy.
Mr. Misener. Ms. DeGette, thank you. As I mentioned in my
testimony, we strongly believe it ought to apply equally off-
line as to online, for a variety of reasons, not the least of
which that so few transactions and so few consumers actually
are online.
My wife and I purchased a small $15 space heater a few
months back, and inside was a warranty registration card. In
the card, in filling it out in pencil, they wanted me to list
our household income, where we took our last vacation, whether
or not we read the Bible, and whether or not someone in the
household has prostate problems.
Now, I assure you this information is far, far more
sensitive than any information Amazon.com collects. It would be
patently unfair to consumers--to consumers--not to address that
issue, as well as the online issue.
Ms. DeGette. Right. And how do we address that issue
without passing a law?
Mr. Misener. All I am suggesting is that when we think
through whether or not the market is taking care of it, whether
or not there are real problems out there, they ought to be
addressed equally on- and off-line.
Ms. DeGette. Thank you.
Ms. Pearson. Ms. DeGette, my answer, and I think a number
of the other answers, were that our practices apply online,
off-line, no matter where we're getting information, throughout
our companies. And there is sort of, within my company there is
an equal level of protection for information.
I think in terms of how to handle these issues, I would
suggest focus first on that information that is the most
sensitive. For example, medical information. You know, we have
strongly supported Federal-level legislation on medical, very
sensitive information for a long time, and we are very happy
that there has been some activity and movement in that area, to
create Federal-level protections. Those are absolutely
sensitive information.
Ms. DeGette. Thank you. Thank you, Mr. Chairman.
Mr. Stearns. I thank the gentlelady. The gentleman from
Oregon, Mr. Walden?
Mr. Walden. Thank you very much, Mr. Chairman. I have a
couple of questions. I want to follow up on something Mr. Bass
said I think is of interest to me. I get those same sort of
junk e-mails, if you will allow me to use that term.
And I guess I am probably not unlike a lot of other
consumers who want to be able to respond and tell somebody no,
stop sending that to me, get me off your list. And yet I am
sort of fearful that if I do, I may actually end up on more
lists. You know, because I have heard that if you open some of
those, then you really connect, and away you go. So I think as
you wrestle with that one, I would be interested in your
comments.
I would also be interested in your comments on
international standards, because the Internet is so ubiquitous.
We run into this issue with other Internet-related problems--we
can establish a standard here, but what are you facing in other
countries, in terms of privacy? You talk about State pre-
emption. What are you facing in terms of other countries?
And then I guess another question I would have for you is
have you analyzed these off-line laws on privacy--you talked
about the collection of data there--to see how and if they
should be applied to online data collection and privacy
standards? I understand what Mr. Doyle was saying regarding the
rental of movies, and I understand Amazon, you know, abides by
that same sort of carve-out in the statute. But are there other
off-line--if we are going to treat everybody equally--statutes
regarding privacy that we need to follow?
So I will throw it open to you for your responses.
Ms. Pearson. Let me address the international question, Mr.
Walden. I will let my colleagues address the question of
unsolicited commercial e-mail.
We operate in 160 countries, and so we have deep experience
handling information all over the world, both on our own
behalf, as well as on behalf of many companies and
organizations. And I can tell you, similar to what Mr. Swift
said in his oral remarks, that many countries have data
protection, data privacy legislation. Most others do not. And
it is a concept that is kind of foreign and not really
developed in many parts of the world, particularly in Asia-
Pacific and in Latin America.
I can tell you that we provide the same level of protection
throughout the world, and that the requirements that are
imposed on us in Europe, of course we comply with. But I
cannot, as Mr. Swift said, say to you that we are providing any
greater level of protection to the average European citizen by
virtue of that. Sure, we have to go through some more
administrative steps. We have to have a few more managers doing
different things. But I have to tell you that we are probably
more conscious of the issue and more innovative in the United
States than we are almost at any other place.
This is where we have developed our policies. This is where
we have a chief privacy officer. This is where we have engaged
in industry leadership activities, to try to move forward on
the issue. So, that is my comment on the international side.
Mr. Walden. Anyone else on any of those three points?
Ms. Hourigan. I would add to the complexity of dealing with
the international standards. And it is not just the privacy
laws; it is what the consumer expectation is. And that varies
dramatically by country.
We continue to actually look at the options available to
us, to determine what the most appropriate approach is, given
that we are in over 200 countries. But very, very complex and
very complicated.
Mr. Smith. I think the international requirements--and just
looking at the European Commission principles--I think align
very well with principles of the OECD of 10 or 15 years ago, of
the FTC fair information practices. When I began working in
privacy about 2 years ago, it seemed to me that those
principles were how I wanted to be treated, or how I would want
my children to be treated.
So I think it is fairly easy, on a principle standpoint, to
get to appropriate principles. The question really is in the
administration. And if I were to test--the question is whether
the process benefits the consumer or not. You know, I think
there is a fair amount of the process that benefits lawyers and
paper manufacturers, and does darn little for the consumer.
Mr. Walden. Mr. Misener?
Mr. Misener. I might take up the question of unsolicited e-
mail. First of all, Amazon.com never, ever sends unsolicited e-
mail to those who are not customers. And as far as e-mails
marketing certain products, at Amazon.com we provide a menu of
some 150-plus different categories that you can go in and
select, choose opt-in to receiving e-mails on specific items of
interest.
Mr. Walden. Right. Different deal.
Mr. Misener. So, for example, I have mine set up to send me
information on history books and jazz music, two interests of
mine. This is the kind of thing that is being addressed, by
this committee and also the Judiciary Committee in the House,
and also in the Senate as well, in the context of spam. And we
are trying to get at--as I understand, the industry and
Congress are trying to get at these nasty e-mails that we
receive from random places about all sorts of get-rich-quick
schemes and such. And so hopefully those can be addressed. But
I think those are outside the context of these privacy sorts of
discussions.
Mr. Walden. Yes, to an extent. Although it seems like if
you respond to some of those, they are able to apparently take
your data and go and send it elsewhere, it seems like. I don't
know.
Do you have a comment on the off-line laws, privacy laws
that are out there, versus online?
Mr. Misener. Yes, and it is a huge topic. There are several
trade associations, the ITI in particular, who has done an
extensive listing of the extant off-line privacy protection
laws. And so we would be happy to provide that to you. It is
actually quite long in different areas. And they tend to be
targeted, as Ms. Pearson was saying earlier, to things like
medical privacy and children's privacy--things that are the
most sensitive kinds of issues.
Mr. Walden. Okay, that would be helpful. Thank you.
Mr. Johnson. Just with respect to the off-line versus
online issue, I don't believe that our customers view
themselves as off-line customers or online customers. They are
Land's End customers, and they have expectations of us. And it
is so critical for us to maintain that relationship with that
customer, and do everything in our power to further the
customer's interest and make sure that we are not in any way,
shape, or form risking that wonderful relationship we have with
our customers. So I don't see the consumer as necessarily
differentiating between an online versus off-line.
Just one other point with respect to off-line. As we
consider off-line, I think we do need to be very careful about
the implications that off-line legislation potentially has for
very small companies, very small retailers that are not
involved in the online arena. You know, it potentially has an
impact on the many very small companies that do business in
this country.
Mr. Walden. Thank you, Mr. Chairman.
Mr. Stearns. I thank the gentleman. Mr. Terry is going to
pass?
Mr. Terry. Yes, I could be redundant and repetitive, but I
will relieve you of that.
Mr. Stearns. Okay. Before I let you go, if any other member
has a quick question--I had a quick one. Mr. Swift, you
mentioned in your opening testimony about the recent European
legislation dealing with information privacy on the Internet,
and how you said it was ``unimaginable burdens'' for a company
like yours, with no substantive benefits. But I understand you
have joined the safe harbor decision, to have Proctor & Gamble
go into safe harbors. Is that a compromise? Or are you--tell me
your reasoning on that.
Mr. Swift. Well, the issue is really not safe harbor. The
issue really is not the European Data Directive. The issue is
that the Data Directive required 15 European countries to
create their own privacy legislation that comported with the
Directive. Twelve of the 15 have. The three others are in the
process.
So as a company that operates, and has data, and has
employees and consumers in all 15 of those countries, I need to
obey those laws. And the issue of the Data Directive really was
to facilitate transfer of data within European countries. So we
observe the European laws and have no problem transferring data
there.
The issue is that I need to be able to move employee data
anywhere in the world. I may choose to move employee data from
the U.S. to Europe for processing, or from----
Mr. Stearns. By joining the safe harbors, you are complying
with the European Union Internet privacy.
Mr. Swift. I am. But it is one choice. In non-U.S.
countries, I have contracts. In other words, if it is going
from Europe to Japan, I have to have a contract. And what I
have chosen for the United States, for administrative
efficiency, really what I have done is I have created 400
contracts between my P&G entities. Which means that I don't
have a contract when I transfer a specific type of data. I have
freedom to transmit any type of data within our corporate
entities.
Mr. Stearns. So you did it for self-survival?
Mr. Smith. Well, it is obey the law, and what seems to be
the most efficient or effective way to obey the law.
And honestly, what I have found as I have gotten into
privacy, half of my time needs to be spent in making sure that
our information practices enable our business practices, not
impede them. You know, our lawyers, the easy answer from a
lawyer in Europe is, ``Well, don't move the data out of
Europe.'' But that is not the right thing for the business.
So I have to continually look at how can we do what is
right for the consumer, what is right for the business, and at
the same time obey the law? And in this case, I had no choice
by to do 400 internal contracts, and uncountable external
contracts.
Mr. Stearns. Now, Ms. Pearson, IBM, I understand, has not
signed up. Why haven't you signed up?
Ms. Pearson. Not yet. As you can tell, this stuff is mind-
numbingly complex. It can get really complex. We similarly have
operations everywhere in Europe, and we move data globally. So
we have come up with a fairly complex--and I will spare you the
details--way of complying with the European law.
The safe harbor framework is a framework of principles that
very importantly, between the U.S. and the EU, there is a
handshake that says, the EU says, okay, if U.S. companies
comply with that framework and use U.S. mechanisms, including
self-regulatory mechanisms, you are okay for Europe. That is a
very important statement. And we believe in the safe harbor; I
support it in principle.
It may or may not be the right fit for our operations,
because we are this big enterprise that is really complex. I
think it is an ideal mechanism----
Mr. Stearns. Proctor & Gamble is pretty big and complex.
Ms. Pearson. And actually we are still looking at the safe
harbor for our web operations, because that is an area where it
makes a lot of sense, since we do use a self-regulatory trust-
mark, the Trustee program, for our web. So we actually may
still enroll in it for that purpose. And I think it makes a lot
of sense for companies who are doing business over the web, in
particular small- or medium-sized.
Mr. Stearns. And of course GM, I understand, has not signed
up either. And you are a big company, too, and complex.
Ms. Hourigan. That we are.
Mr. Stearns. So why haven't you signed up?
Ms. Hourigan. We actually are--safe harbor is one of the
alternatives we are looking at. As of today, we comply with the
European laws; therefore I don't have an issue with
transferring information within the EU countries.
Mr. Stearns. But if the data base is outside of Europe, you
would have to comply.
Ms. Hourigan. That is correct. And we actually, as we
speak, are investigating all of our options available. And we
will make a decision in the near term.
Mr. Stearns. Just tell me why you haven't joined. What is
there, the part about the European legislation that you don't
like? What specifically is preventing you from joining? Last
year, I think the Clinton administration had negotiated 30
large companies. And you folks weren't one of them. What is
there specifically why you didn't buy?
Ms. Hourigan. I don't think there is any specific part that
we dislike. I think it is the challenge of--we are looking at--
again, we operate in over 200 countries. So the EU is one
issue, but because we are global we are trying to come up with
a global solution. And to the extent that--we may decide to
take advantage of safe harbor.
Mr. Stearns. Is there anything that Congress could do to
make this simpler for companies like yourself?
Ms. Hourigan. I don't think so.
Ms. Pearson. The issue is, we have a European law, and we
are complying with a European law, in various ways. And the
safe harbor framework is one way to do it.
Mr. Stearns. But you have not signed up, and I just want to
know why IBM and General Motors have not signed up. What
specifically is the reason?
Ms. Pearson. There are other ways of complying with the
European law. So the safe harbor is 1 of 3 or 4 or 5 ways of
achieving compliance with that law.
Mr. Stearns. I am not saying you should necessarily. I am
just curious.
Ms. Pearson. And so, at this point, I think what help the
government, from the U.S. side, could do is to keep actively
engaged with Europe in oversight capacity and dialog capacity,
to make sure that U.S. companies are treated similarly with
European companies with respect to how this law is implemented.
Because it is a very important issue going forward.
Mr. Stearns. Anyone else like to mention anything else? And
then if any other member would like to add another question, I
would be glad to welcome that. Mr. Doyle?
Ms. Hourigan. I will add one--I'm sorry--one very brief
comment. And that is when safe harbor was negotiated, as you
all know, there was a carve-out for financial services. We have
a tremendous presence, with our GMAC operations, in Europe. And
that is one thing that we are looking at, because that is not
included in safe harbor.
Mr. Stearns. Okay. Mr. Misener?
Mr. Misener. Mr. Chairman, thank you for this question. And
actually it gives us an opportunity to hopefully clear up some
of the misconceptions that have been produced in the press
recently.
Safe harbor does not imply one way or another necessarily
compliance with the underlying national privacy laws in
European countries. We are fully compliant with all the
national privacy laws there that govern the transfer of
information in and out of the European economic area. However,
we have not sought safe harbor protection; we have not yet been
convinced of the value of the safe harbor in itself. Yet we are
fully compliant with the national laws.
And so it is not the same to say that we are not complying
or interested in complying.
Mr. Stearns. Well, you were just saying that if you had
signed a legal document, then the enforcement mechanism in the
European Union would apply to you. And right now----
Mr. Misener. That is correct.
Mr. Stearns. [continuing] that is what it sounds like you
are worried about.
Mr. Misener. Well, I am not sure we are worried, actually,
Mr. Chairman.
Mr. Stearns. Not worried--it's a word. But I mean, it is
another ambiguous set of circumstances that you don't know the
implication of, and yet you are complying.
Mr. Misener. I think that is fair to say. We are just not
yet convinced of the value of seeking safe harbor treatment per
se. Although, again, I clarify that we are fully compliant with
the national laws in Europe, and therefore don't necessarily
need to attain that safe harbor protection.
Mr. Stearns. Okay. Mr. Doyle?
Mr. Doyle. Yes, thank you. Just one quick follow-up. Just
before you leave--and if you could take off your company hats
and just be citizens and consumers, we won't hold you
responsible for anything you say.
Mr. Stearns. Just forget the camera.
Mr. Smith. Oh, sure.
Mr. Doyle. We will never tell anyone else what you said.
Mr. Smith. You will protect our privacy, right?
Mr. Doyle. You have got complete privacy here.
But just to help us with this, you know, these computers,
they are getting faster every day. They store more information.
It is scary to think 5 years from now how quick they will be,
and how rapidly we will be able to collect and disseminate
information. What scares you, or concerns you, as a private
citizen, about the ability that many people are going to have
to collect and disseminate information on just about
everything? I mean, what scares you when you just think as a
private citizen about this technology, and what is the
potential for abuse?
I mean, I get these things on my--maybe because we are in
politics. But I think we get them all the time. ``You can spy
on your neighbors and friends,'' you know, just sign up here
and you can learn anything you want to learn about your
political opponents. And I have always been tempted to click on
that.
But I haven't. But think--I mean, 5, 10 years from now,
given what is happening in this technology, what really scares
you about this ability to collect all this information on one
another?
Mr. Smith. I think to me the question is, where does harm
occur? If someone takes a communication out of a mailbox that
has a person's Social Security number, and from that steals a
person's identity, that is concerning. And you know, that has
been possible as long as there have been mailboxes and Social
Security numbers. And if we find that there are elements that,
you know, at some level of frequency create harm, then we have
got to break the code. We have got to stop the pipe on that.
Typically, that is not where companies in commerce are. I
mean, our consumers vote for us every day, and we are trying
the best we can to get them information. And those are the
things where we don't want to break the code or break the bank.
Mr. Doyle. But just as a citizen.
Mr. Smith. I don't want my identity stolen. I don't want my
credit cards stolen. I appreciate it when people inform me of
practices that can help me for those things not to happen.
I think, you know, some of the software that is being
developed that will give us more choices about the data that we
give up on the Internet all make good sense. You know, if you
don't want people to have the answers to what is on the
warranty card information, don't do it. You know, most of the
stuff that you get on the web, it has an unsubscribe at the
bottom. Let's help people hit the unsubscribes. And my bet is
that most of the things that we are most concerned about would
be something that may be facilitated to a degree by technology.
But it is, you know, how do you stop a criminal from doing a
criminal act?
Ms. Hourigan. I would just add to the concept of identity
theft, I have had two people very close to me undergo--it has
just been an absolute nightmare for them. And it has got such a
tremendous ripple effect, sweeping consequences. And it really
requires a tremendous amount on a consumer to try and rectify a
wrong that was completely outside his or her control.
Mr. Doyle. We are getting called to vote.
Mr. Stearns. Yes. Anyone else?
Mr. Misener. Well, Mr. Doyle, very quickly, before I was
brainwashed in law school I was an electrical engineer and a
computer scientist. And I do have an appreciation for those
huge data bases that are out there, that you mentioned. Those
exist quite distinct from the Internet. The Internet is a
communications medium, as we all understand. But those data
bases are also connected to a typist who actually took that
little warranty card asking about the prostate problems in my
family, and typed it into those data bases.
I think what the concern is, as a citizen, is the type of
information that we are talking about here. I don't care if
someone knows that I bought that pan at Amazon.com. I really
don't care. I do care, however, about medical records,
financial information, information about young children, those
sorts of things. And those things deserve a higher level of
scrutiny and protection.
Mr. Johnson. I agree absolutely with what everyone here has
said. As a consumer, as a citizen, the technology itself
doesn't scare me a bit. A concern, though, as a consumer is
with respect to, as Mr. Misener stated, financial information,
health care information, which is dealt with separately and is
protected. So the technology itself and the communication
mediums and whatnot really don't frighten me.
Mr. Doyle. Thank you all.
Mr. Stearns. Ms. DeGette? Mr. Towns?
Mr. Towns. Hearing all of this--and believe me, there are a
lot of problems--you still feel that we should not do anything?
The Congress?
Mr. Misener. Do I feel that you should not do anything? I
don't think legislation is inherently necessary, as I mentioned
before, because I think companies are being forced to address
these issues head-on, or they are not going to survive. These
are the kinds of issues that we must do, simply to please our
customers and to survive in the marketplace.
So no, Mr. Towns, I don't believe that legislation is
inherently necessary. But if there is a belief that there is a
need to address specific areas of information--for example,
financial or medical or children's information--I think that
strong arguments could be made to go after those specific types
of information, as opposed to the medium through which they are
collected.
Mr. Smith. And one of the things that I would urge is that
we start from where the harm is. You know, with Graham-Leach-
Bliley, all of us have had our mailboxes full of disclaimers
that are too long to read and incapable of being misunderstood.
And the reason was that we didn't look at where the harm was,
but we looked at a type of data. And I think we need to find
where the difficulty is and then address that difficulty,
rather than to take a blanket approach on a specific type of
data. As important as it is.
Ms. Pearson. I hope you will pass new privacy legislation,
at the right time, on the right subject. I am not smart enough
today to tell you exactly what it is, but I hope we can work
together to find it.
Ms. Hourigan. And I would also urge, if that were to take
place, industry appreciates being involved. And there are a lot
of practical complexities associated with this issue. And so we
would appreciate having our input heard.
Mr. Towns. Mr. Johnson?
Mr. Johnson. I concur with Mr. Misener. I believe the vast
majority of companies doing business today are doing everything
in their power to protect their relationships with the
consumer. And I would just caution that we not do something
that inhibits our ability to ultimately serve our customers and
provide benefits and valued services and products to them. As
Ms. DeGette said earlier, how do we target the bad guys, the
very few that raise these kinds of issues? I don't know that I
have answers for that, but I am not convinced necessarily that
legislation is going to be successful at doing it.
Mr. Towns. Thank you very much, Mr. Chairman.
Mr. Stearns. I thank my ranking member. We have finished
with panel No. 1. We have been called to vote. So it is
probably appropriate to reconvene after these--I think we have
two votes. So we will do that, which would be--we have 10
minutes left on this, and then 5, 15. So hopefully we will
reconvene in about 15, 20 minutes. And so I thank panel No. 1,
and if panel No. 2 will hold, we will be right with you.
[Recess.]
Mr. Stearns. The committee will reconvene, and we will have
panel No. 2. And we thank you for waiting.
We have Jennifer Barrett, Chief Privacy Officer of Acxiom.
And we have Mr. John Ford, Chief Policy Officer, Equifax,
Incorporated. And Ms. Deborah Zuccarini, Executive Vice
President and Chief Marketing Officer of Experian. Welcome to
you.
And Ms. Barrett, if you don't mind, we will have your
opening statement.
STATEMENTS OF JENNIFER T. BARRETT, CHIEF PRIVACY OFFICER,
ACXIOM; JOHN A. FORD, CHIEF PRIVACY OFFICER, EQUIFAX, INC.; AND
DEBORAH ZUCCARINI, EXECUTIVE VICE PRESIDENT AND CHIEF MARKETING
OFFICER, EXPERIAN MARKETING SOLUTIONS
Ms. Barrett. Thank you, Chairman Stearns, Ranking Member
Towns. For more than 30 years, Acxiom has been a leaders in
responsibly providing innovative data management services to a
who's who of America's leading companies. And we do it in a way
that goes beyond what is required by law or self-regulation, in
order to respect consumer privacy.
Acxiom believes that any use of information to defraud or
discriminate must be illegal. At the same time, we strongly
believe in a balanced approach to the collection and use of
information. The free flow of information we enjoy today has
greatly contributed to our Nation's economic growth and
stability. Consumers have greater choice and variety. Goods and
services cost less. And transactions are completed faster and
more easily.
It takes much more than just instinct to recognize what
consumers want. One hundred years ago, the local shopkeeper
knew just what his customers bought, but knew them also
personally, knew how they spent their time, and he knew their
family.
Today's consumers are as likely to shop through a catalogue
or over the Internet as they are in a store. The business-to-
consumer relationship requires new information tools. Acxiom
helps businesses recognize and engage consumers who likely have
the greatest need for what they are selling. Our operations
include two distinct components: data base management services,
and information products.
Specialized computer services represent 90 percent of our
revenue, and help companies manage their customer information.
This includes keeping up-to-date customer records in order to
ensure opt-in or opt-out requests are properly honored, and
saving companies millions of dollars when unwanted duplicate
promotions are eliminated.
The other 10 percent of our business comes from a separate
line of information products. These allow businesses to improve
their relationship with consumers, irrespective of whether they
live in a city or in a rural area, whether they are a parent or
an elderly shopper. For example, a major kitchen and bath store
used our product to reach households with elderly patrons
likely interested in learning more about their new senior
product line, including shower grips, bath stools, and large-
print clocks.
The real winner in the use of information to engage in the
consumer is the consumer. To fit all the pieces of the
marketplace together that we have learned and heard about
today, I have provided a chart on page six of my testimony, and
as well on the easel you see over here to your right. Point A
on the chart represents the consumer, who expects to complete
transactions quickly, obtain the best prices, and choose from
the widest variety of products and services. At point B, we
find the business, who responds to these expectations by
understanding their customers and their market. To do this,
they need information beyond that collected during a sale. For
example, the characteristics of a household, such as are there
elderly consumers in the home?
This information is available from two points, or from two
sources: point C, which is directly from another merchant; or
point D, from information compilers such as Acxiom.
For example, our customer enhancement products give
businesses the demographic, lifestyle and interest information
they need to understand their customers and the market. And our
compiled list products provide access to likely new consumers
who would like to be customers.
We compile or acquire the relevant information from a
variety of sources, points E and F on the chart, and aggregate
this data by household. We compile public records and we
acquire self-reported and other general information directly
from companies that sell products and services to consumers,
and who offer a third-party opt-out.
We only receive general summary information, indicating
probable interest or lifestyle data. We do not have detailed
data about individual transactions. Acxiom only sells data to
qualified businesses, under contract for specific use. We do
not sell data on one individual or a household, and we do not
sell data to the general public. Our information products help
businesses and consumers fill in some of the missing pieces in
today's relationship gap.
We are also very proud of our ingrained culture of respect
for privacy. Since we do not have a relationship with the
consumer, we ask our customers to refer any consumer to us who
inquires about our data. We have posted a privacy policy on our
web site since 1997, and we maintain a consumer care department
to handle inquiries. We also provide an opt-out to all
marketing products through our web site and via a toll-free hot
line.
We have consistently not only met but exceeded all
requirements placed on us by law and industry self-regulation,
by establishing our own even more restrictive policies.
In closing, there are a few things that I would like to add
that we do not do. Acxiom does not have one big data base
containing data on every individual. Instead, we have many
different information products designed to meet the various
business needs of our customers. The information we provide
cannot be used for decisions of credit, insurance, or
employment. And we do not sell Social Security numbers, credit
or other detailed personal financial information that could be
used to steal someone's identity.
In short, we are committed as business leaders and
consumers ourselves to protecting consumer privacy.
Mr. Chairman, on behalf of our more than 5,000 associates,
I wish to thank you for the thoughtful approach which your
subcommittee continues to use in studying this very important
issue. And we appreciate the opportunity to be here.
[The prepared statement of Jenniffer T. Barrett follows:]
Prepared Statement of Jennifer Barrett, Chief Privacy Officer, Acxiom
Corporation
introduction
Chairman Stearns, Ranking Member Towns, and members of the
Subcommittee, thank you for the opportunity to participate in this
timely hearing and to share Acxiom Corporation's perspective on how the
current flow of information powerfully underpins the vibrancy of the
new American economy.
As your Subcommittee continues to explore the issue of privacy in
the responsible manner that this series of hearings evidences, we
strongly support the concept that a balanced approach to the use of
information must be achieved. We believe that inappropriate use of
information to defraud or discriminate against consumers should be
illegal, as it is already in most situations. Furthermore, the
relatively free flow of information we find today in the U.S. has
significantly contributed to our nation's economic growth and stability
by enhancing variety in consumer goods and services, by facilitating
lower domestic prices as compared to foreign markets, and by
accelerating the speed and ease with which transactions can be
completed. We believe that it is imperative that consumers be protected
from fraud and discrimination while the benefits to both consumers and
businesses are preserved.
When privacy laws and implementing regulations overreach, the
results can be devastating: legitimate businesses suffer irreversible
damage, and consumers unintentionally lose many advantages. It is our
hope that by sharing our story with you--as well as by separating
information myths from reality--we will aid you in evaluating an
appropriate legislative direction.
about acxiom corporation
Founded in 1969, Acxiom Corporation has more than thirty years
experience in customer data management services, technology leadership,
and awareness of and sensitivity to consumer and business privacy
concerns. We are based in Little Rock, Arkansas, with operations
throughout the United States, Europe, and Asia. Our annual revenues
approach $1 billion. Our company has over 5,000 employees worldwide:
with over 2,800 of them working in Arkansas, almost 1,000 in Illinois,
more than 200 in California, and 170 in Arizona.
Acxiom's business includes two distinct components: database
managment services and information products.
Database Management Services
Acxiom's database management services, which represent ninety
percent of the company's revenue, include a wide array of leading
technologies and specialized computer services. These services help
large companies improve and boost customer loyalty, retention, and
market share by making accurate ``customer recognition'' possible
across multiple lines of business and across multiple points of sale,
including the Internet, call centers, and retail outlets.
Customer recognition is critical to delivering an exceptional
initial customer experience, retaining that customer, honoring consumer
preferences about how personal information is used, and improving
business profitability. Although e-commerce has increased consumer
product availability, it also has made customer recognition more
difficult.
Acxiom's database management services assist companies in better
managing their customer information to address this need. For example,
it is not uncommon for a company's databases to contain several
different names and address variations for the same person. We provide
services that will accurately recognize a particular individual. Our
services can save a company millions of dollars when, for example,
unwanted duplicate catalogs or other mailings are eliminated. Moreover,
we assist companies maintain up-to-date records to ensure that their
customers' opt-in or opt-out requests are properly honored.
Informational Products
Acxiom also offers a complementary line of information products
that represent the remaining ten percent of our gross revenues. Our
InfoBase information products allow businesses to make smarter and
faster strategic decisions, streamline customer communication at every
point of contact (Website, telephone, store, wireless, and more),
personalize and target various communications, and strengthen
relationships with their customers. The majority of our testimony today
further explains these products.
the economic need for acxiom's information products
Acxiom's information products help fill an important gap in today's
business to consumer relationship. Think back to 1901. The local shop
owner knew his customers and his market well. The shop owner was
familiar with what they bought, what they liked to do, how they spent
their time and something about their family. Today, large and small
businesses are trying to achieve the same level of knowledge about
their customers' interests and needs as the small shop owner enjoyed a
hundred years ago. This need for knowledge is not new. In the current
environment, however, with customers shopping remotely via the
Internet, on the phone and through catalogs, securing information about
customers that allows companies to better serve them is more difficult
to accomplish.
In our information-based economy, companies grow by exceeding
consumer expectations with unparalleled products and services of the
highest quality. Despite technological advances, businesses do not
instinctively know what their customers want and need. Acxiom's
information products provide the additional knowledge necessary for
businesses across diverse industry sectors to stay in touch with and to
satisfy their customers in order to achieve profitability and market
growth.
Our role is to help businesses systematically recognize and engage
consumers who, with the aid of our information products, are believed
to be those with a likely interest or need for their products, or
services. While changing technology, such as the Internet, has largely
reshaped the mechanics of how commerce is conducted, the basic strategy
of marketing remains constant--the operational need to focus a
company's marketing efforts on those most likely to have an interest or
need in their products or services.
With Acxiom's information products, companies have been able to
accomplish goals such as:
A kitchen and bath store used age to recognize their elderly
customers in order to offer them a new senior-lifestyle product
line of kitchen and bath enhancements--shower grips, bath
stools, large print stove dials, large print clocks, and better
grip door-knob covers.
A bookstore used age to recognize the right audience to
promote a new line of large-type books, including large-print
Bibles.
A major publisher used the knowledge of which subscribers had
younger children in the household to promote a new publication
for kids, which was co-branded with Crayola.
A computer software company used the knowledge that certain
households owned a computer to promote in-home access to
educational software.
A computer manufacturer employed information on households
that did not have computers to offer a special purchase price
in order to encourage the use of educational and in-home
financial management software.
A retailer used the knowledge about which customers in their
area had swimming pools to offer special products and prices
for pool toys and supplies, as well as an inventory management
resource to determine how much merchandise of this type to
stock in each local store.
A local bass fishing supply store launched a catalog to reach
customers outside their store trading area by knowing which
households had a passion for their specialty--fishing.
A small tool company expanded their customer base by mailing
catalogs to professionals interested in power tools at a
discounted price.
A local day care program promoted a special offer to single
moms in their local community.
A literacy program in English was focused on reaching non-
English speaking families in rural areas.
Without the use of our information products, each of the businesses
in the preceding examples would have been less effective in
communicating with their existing and potential customers.
Consequently, the real winner in the use of information to engage
consumers is the consumer.
The following chart has been provided to assist the Subcommittee in
understanding the information marketplace from a more macro
perspective, as well as the key role that Acxiom plays in this
interchange.
[GRAPHIC] [TIFF OMITTED] T4846.001
Consumers expect to complete transactions quickly, obtain the best
price possible, and be able to choose from a wide variety of products
and services--as reflected in point A on the chart. Businesses--point B
on the chart--respond to the expectations by working hard to understand
their customers and their market. To do this effectively, they need
information beyond that collected during the sale. If the information
cannot be collected directly from the consumer, then it is available
from two sources--either directly from other merchants--point C--or
from information compilers, including Acxiom--point D. Information
compilers use public information, primarily obtained from the
government, or in some cases collected from other businesses--point E--
that obtain the information through their relationship with the
consumer--point F.
Information Product Development
Acxiom begins its information product development with the
identification of a marketplace need. For example, in order to achieve
growth and product objectives, businesses may need to know something
about the characteristics of a household. Is it a single adult
household, or is it a married couple? Do they have children, and if so,
are they small children, teenagers, or college aged? Other relevant
characteristics might include whether the household has an interest in
certain hobbies, such as cooking or gardening, or participates in
certain activities--do they play tennis, golf, or both? Such
characteristics are extremely relevant in determining whether a
consumer in that household may want to learn more about a product or
service.
Once a particular information need by business has been identified,
Acxiom compiles or acquires the relevant information from a variety of
sources and aggregates it by household. This is a complex process which
varies on a case-by-case basis. However, it is important to emphasize
that in all such efforts, any data collected is general in nature and
not specific to transactions or events. It does not include details on
specific actions that an individual has taken, confidential medical
information, or specific information regarding children. Once the data
is collected, Acxiom must clean, integrate, and package the information
into a product that meets the marketing needs and information demands
of businesses. We invest significant time and resources in developing
these products. Finally, a successful information product provides
Acxiom's customers with enough of the right information to solve their
specific business problem or need.
Acxiom does not sell data on one individual or one household at a
time. We do not sell information to the general public. Information is
sold by the thousands of elements or records to qualified businesses.
We perform a credit check on all pro-
spective customers. Once we are satisfied about our customer's
qualifications, we require them to sign a contract that binds their use
of the information acquired from us for specifically articulated
purposes. Acxiom and our customers typically enter into long-term
contracts--one, three, or five years--for use of a particular
information product.
Categories of Acxiom's Information Products
Our information product offerings provide needed intelligence for
three primary functions: (1) our directory products provide telephone
information necessary to locate, verify or contact consumers by phone;
(2) our enhancement products provide the information businesses need to
better understand their customers and their market; and (3) our list
products provide access to consumers who are potential future
customers. As mentioned earlier, these products comprise about ten
percent of Acxiom's gross revenues.
Directory Products: Containing name, address, and telephone number,
Acxiom's line of directory products are compiled primarily from the
white and yellow pages of published U.S. and Canadian telephone
directories--5,900 different directories in the U.S. alone.
For example, we license some of our directory products to companies
as an inexpensive form of directory assistance and to Websites that
provide free nationwide directory assistance. These Web-based
directories benefit consumers in many ways, such as providing help in
finding friends or family members with whom individuals may have lost
touch.
In all our directory products, Acxiom respects a consumer's choice
regarding unpublished numbers. The names and numbers we include in
these widely-used directories are derived only from those consumers who
have elected to have their number made publicly available by their
local telephone carrier. Moreover, for consumers who contact us in
writing, through our Website, or by calling our toll-free Consumer
Hotline, Acxiom offers the option to opt-out of this service if, for
instance, the consumer wants to keep a published number in the local
printed telephone book, but not have it available on a Web-based
directory.
Enhancement Products: Acxiom also offers businesses lifestyle,
demographic, and interest data on their customers to enhance the
company's knowledge about their customers and provide a better
understanding of their customer's desires, needs, and changing
characteristics. Demographic data includes such information as the
makeup of the household--single, married, with or without children.
Lifestyle data might include information such as home ownership,
retirement status, or average income strata of the neighborhood.
Interest information would identify a passion for cooking or golfing.
This demographic, lifestyle and interest information is added to a
company's already-existing customer files, known as ``response lists.''
The information is general in nature. We do not provide detailed
transactional information. We license enhancement information to
qualified businesses through a menu-oriented approach. Businesses
license only the data needed for a particular business decision or
process. In many cases, we have pre-packaged information groups to meet
common or recurring business needs for specific industries.
How might a business use enhancement information? First, it is used
to better understand the interests and needs of current customers.
Second, enhancement data is employed to identify the best market
segments for up-selling or cross-selling particular products. Finally,
demographic, lifestyle, or interest data can help identify
characteristics common in a business' best customers in order to target
similarly-situated prospective customers who may be more likely to have
an interest or need for the company's products or services.
List Products: Acxiom offers prospect lists as a third type of
information product. These lists are built from a variety of
information sources, and represent broad coverage of the population.
Prospect lists, which contain much of the same information contained in
our enhancement products (including demographic, lifestyle, and
interest information), differ from a particular company's response
lists in so far as they contain information about consumers with whom
the company has had no prior relationship.
Prospect lists allow businesses to take the information about their
best customers and apply that knowledge to selecting likely households
of potential new customers. Acxiom sells prospect lists to businesses,
not-for-profit organizations, and political parties and candidates.
Data Sources for Acxiom's Information Products
The information we acquire to build our information products is
obtained from three general types of sources--public information, self-
reported information, and summary customer information from companies
who have consumers as customers. Acxiom compiles or acquires this
information from several hundred carefully chosen sources with whom we
have cultivated and maintained long-term contractual relationships.
Public Information: Public records and publicly-available
information are the foundation of Acxiom's information
products. The types of data that Acxiom acquires or compiles
include: telephone directories and other types of publicly-
available directories, property records, and other state and
county public records. This information provides the basic
names, addresses, and general demographic information, such as
home ownership, profession, and the age of members of a
household.
Self-Reported Information: Surveys and questionnaires are an
additional source for demographic information and provide much
of the lifestyle and interest information we acquire. Consumers
are asked to voluntarily complete surveys, such as those
contained on warranty cards, from a variety of companies asking
for specific information. In these cases, the consumer is
customarily provided the opportunity to opt-out of further use
of the information beyond that of the company conducting the
survey.
Information from Merchants: Acxiom acquires some information
directly from companies who sell products and services to
consumers. In these instances, we ensure that consumers have
received an opportunity to opt-out of their information being
shared with a third party, such as Acxiom. Also, we only
receive very general summary information that indicates
possible lifestyle or interest data. We never receive detailed
transaction information. Rather, general information that we
acquire is used to extrapolate lifestyle or interest
characteristics. For example, knowing that certain households
subscribe to a magazine on golf would indicate that those
households have an interest in golf, just as the fact that
those households ordered that subscription from a Website would
indicate that they are Web-enabled.
In some cases, Acxiom compiles information directly from the
source, such as the telephone directory and the property records. In
other cases, Acxiom acquires this information from other reputable
information providers, who perform the original compilation, or we
acquire the information directly from the business holding the
relationship with the consumer. Acxiom carefully screens all
information providers and businesses from which we receive information
to assure that the information has been legally obtained and is
appropriate for the intended use.
The information Acxiom collects on an individual or a household is
always incomplete. Acxiom does not have information on every
individual, and we do not have the same kind of information on all
individuals. For example, we may or may not have the telephone number
of a household. We may or may not have property information. We may or
may not have lifestyle or interest information. Our goal as an
information provider is to provide sufficient coverage of various data
elements to meet the market needs for that particular piece of
information.
The following chart summarizes the process Acxiom uses to take
information from a variety of sources and to develop specific
information products designed to meet the business needs of various
markets.
[GRAPHIC] [TIFF OMITTED] T4846.002
respecting consumer privacy
Acxiom has a long-standing tradition and engrained culture of
respecting consumer privacy in the development and marketing of our
information products. I have been employed by Acxiom for 27 years, and
I have been responsible for privacy oversight since 1990. Privacy has
been my full-time job over the past three years.
Since Acxiom does not have a customer relationship with individual
consumers, we do not routinely have direct contact with the individuals
whose data we hold. Therefore, we ask our customers to refer any
individual consumer to Acxiom who may inquire about the sources of data
they have obtained from us. Since 1997, we have posted our privacy
policy on our Website, before it was an established and common
practice. Acxiom maintains a Consumer Care Department to handle
consumer inquiries. We also provide consumers who contact us in
writing, through our Website, or by calling our toll-free Consumer
Hotline the option to opt-out of all of our marketing products.
Our privacy policy is designed to adhere to all Federal, State, and
local laws and regulations on the use of personal information. In
addition, Acxiom follows the industry self-regulatory guidelines of a
number of trade associations in which we are active members, including
the Direct Marketing Association, the Online Privacy Alliance, and the
Individual Reference Services Group. These guidelines include posting a
notice that describes what data we collect, how we use it, to whom we
sell it, as well as what choices consumers have about the use of that
data. We recently certified under the European Union Safe Harbor and
have applied for and are in the final stages of being certified for the
BBBOnline Seal.
Acxiom is also an active member of the Privacy Leadership
Initiative and the Coalition for Sensible Public Record Access. We
believe that consumers should be educated about how businesses use
information. To that end, we publish a booklet, entitled ``What Every
Consumer Should Know About the Use of Their Individual Information,''
which is available both on our Website and upon written or telephone
request.
Acxiom takes its responsibility toward protecting consumer
information seriously. Beyond the industry accepted guidelines which we
follow, we have also established our own guidelines which are more
restrictive than industry standards. For example, we do not provide
Social Security numbers or other personally identifiable information
about children in any of our products. Moreover, we only capture the
specific information required to meet our customers' information needs,
discarding the remaining data, when we compile information from public
records. These voluntary information practices are internally and
externally audited on a regular basis.
myths about information providers
With the full picture of Acxiom's business operations now outlined
to better explain what we do, I believe it is important to close by
reiterating for you what Acxiom does not do. Over the years, a number
of myths have developed about the information industry that require
clarification. Please allow me to set the record straight:
Acxiom does not have one big database that contains detailed
information about all individuals. Instead, we have many
databases developed and tailored to meet the specific needs of
our business customers--entities that are carefully screened
and with whom we have legally-enforceable contractual
commitments.
Acxiom does not provide information on a particular individual
to the public. The information we sell is provided only to
qualified businesses for specific legitimate business purposes.
I cannot call up from our databases a detailed dossier on any
of you, let alone me.
The information we provide cannot be used, according to
existing law, for decisions of credit, insurance or employment.
These activities are regulated by the Fair Credit Reporting Act
and such uses are prohibited under our contracts.
Acxiom does not contribute to the nation's identity theft
problem. We do not sell Social Security numbers or credit card
numbers to anyone, nor do we sell credit or other detailed
personal financial information that could be used to steal
someone's identity.
Acxiom does not develop any information products containing
sensitive information. We define sensitive information as
personal information about children, medical information, and
detailed financial information. The only exception to this
would be a situation where the consumer has opted-in to
volunteer such information for distribution or where the
information may be a part of the public record.
Acxiom does not sell detailed or specific transaction-related
information on individuals or households, such as what
purchases an individual made on the Web or what Web sites they
visited. The information we provide is general in nature and
not specific to an individual purchase or transaction. For
marketing purposes, businesses need information about the
household, not the specific individuals comprising the
household.
Mr. Chairman, on behalf of our over 5,000 associates, Acxiom
appreciates the opportunity to appear today to share with the
Subcommittee a detailed overview of our core business operations. We
also wish to thank you, Mr. Chairman, for the deliberative and thorough
approach with which this committee has studied the appropriate and
inappropriate uses of information in our economy. Acxiom is available
to provide any additional information the Subcommittee may request.
Mr. Stearns. Thank you.
Mr. Ford, your opening statement?
STATEMENT OF JOHN A. FORD
Mr. Ford. Mr. Chairman, Mr. Towns, counsel. I am John
Ford--that's Chief Privacy Officer, sir--for Equifax. I thank
you for this opportunity to summarize the written statement
that Equifax submitted for the record.
I am going to talk a bit fast so that I can stay within the
time limit, so let me get straight to the point. Equifax's view
is that personal information for marketing purposes provides
important benefits to consumers, to businesses, and to our
economy, and that the potential privacy risks or harm arising
from these uses are small, are already subject to effective
privacy safeguards, and need not be subject to further privacy
regulation.
Founded in 1899, Equifax is the oldest and the largest of
the credit reporting companies in the United States. Our
activities here are regulated under the Fair Credit Reporting
Act and related State statutes. As a separate company, Equifax
Direct Marketing Solutions maintains one of the largest
marketing data bases in the world.
I want to emphasize that our consumer reporting data base
is entirely separate and distinct from our direct marketing
data bases--physically, managerially, operationally. As a
responsible steward of information, Equifax is committed to the
fair and ethical use of data, the free flow of information,
self-regulatory initiatives, and to forging effective
information privacy solutions.
When assessing privacy risks and harms, at least four key
topics, I think, are relevant. First is source: is the source
of the information reputable and reliable? Second, content: is
the data base information aggregated, anonymous, or is it
personally identifiable, is it sensitive?
Use: will the information be used to benefit the
individual, or does its use put the individual at risk for
adverse action? And finally, privacy protections: are there
adequate privacy protections already in place?
The answers to all of these questions, I believe, support
the conclusion that the privacy risk or harm from direct
marketing is minimal, the benefits are substantial, and little
basis exists for more governmental regulation.
Regarding sources, at Equifax much of the personally
identifiable information provided for marketing purposes is
consumer self-reported data. Third-party data sources include
public record repositories, other government agencies that
provide, for example, hunting or fishing license information,
and other types of reputable sources using publicly available
data, such as telephone white pages or other directories and
exchanges, and census data.
Regarding content, our marketing data bases contain
primarily information that is predictive: that is, information
that describes the characteristics that people who live in a
particular geographic area are likely to have. Even when the
information is more granular, it typically describes buying
characteristics of a household, not necessarily of a specific
individual.
We do collect sensitive, personally identifiable
information, but only when the consumer has voluntarily
provided it. The personal information we obtain for marketing
purposes is not used for risk assessment; rather, the
information is used to efficiently shape and deliver the kinds
of offers an individual is most likely to want. As a result of
direct marketing, consumers become aware of new products and
services, businesses sell more products more cost-effectively,
and the economy grows.
Some have suggested that such target marketing provides
some consumers advantages over others who do not receive the
direct mail offer. The fact is, businesses have a limited
number of dollars to support marketing campaigns. It only makes
sense that businesses would seek to achieve the best return
possible by focusing on those most likely to respond.
Similarly, Members of Congress do not mail campaign
solicitations to every constituent, but usually only to those
who have given before or who are more likely to respond.
As I said at the outset, Equifax has adopted privacy
protections for marketing data that are appropriate to the use
and any potential harm. For example, we have always
contractually prohibited our customers from using our data base
for individual lookup, and our system has no delivery mechanism
for a customer to query the data base based on a name. Data
collection or exchange, rather, is done in batch mode, usually
computer to computer or via mag tape, making review by an
individual virtually impossible.
In sum, direct marketing is a societal and economic good.
Overall, the process is profitable, efficient, and benign. The
concept is consumer-oriented and privacy-sensitive.
In closing, I want to congratulate you, Mr. Chairman and
the subcommittee, for your leadership in this privacy arena. We
look forward to working with you so that the marketplace might
achieve the further synergies that can arise from a better
understanding, and a greater appreciation, of the important
benefits of direct marketing.
[The prepared statement of John A. Ford follows:]
Prepared Statement of John A. Ford, Chief Privacy Officer, Equifax Inc.
i. introduction
Mr. Chairman and members of the Subcommittee, I am John Ford, Chief
Privacy Officer for Equifax. I want to congratulate you, Mr. Chairman,
and the members of your subcommittee and its excellent staff for the
thoughtful and thorough manner in which your subcommittee is reviewing
the information privacy issue.
In this statement, I briefly describe Equifax; our commitment to
protecting consumer privacy; and, from the Equifax perspective, the
sources, content, and uses of marketing data and the associated
protections.
I recognize that the primary purpose of this hearing is to better
understand the flow of data in the marketing process. Beyond that, it
is my intent to discuss this process in a way that supports Equifax's
view that personal information, when collected and used for marketing
purposes, provides important benefits to consumers, to businesses, and
to our economy. Further, the potential privacy risks and harm arising
from the use of personal information for marketing purposes are small,
are already subject to effective privacy safeguards, and need not be
subject to further privacy regulation at this time.
ii. equifax
A. Background
Founded in 1899, Equifax is the oldest and largest of the companies
that provide consumer information for credit and other risk assessment
decisions. These activities are regulated under the Fair Credit
Reporting Act and dozens of related state statutes. In addition,
Equifax Direct Marketing Solutions, formerly part of Polk, maintains
the largest marketing database of lifestyle and compiled data in the
world. At the outset, I want to emphasize that the personally
identifiable information in our consumer-reporting database is entirely
separate and distinct from information contained in our marketing
databases. In fact, the databases are managed by totally separate
Equifax companies.
B. Equifax's Longstanding Commitment to Privacy
More than a decade ago, Equifax was one of the first U.S. companies
to develop and adopt a meaningful privacy policy. At the risk of
sounding flippant, we were privacy before privacy was cool. As a
responsible steward of information, our commitment to consumer privacy
has remained steadfast. We remain committed to three Core Values,
described in greater detail in Section III.D. below, in order to foster
the fair and ethical use of data. We support self-regulatory and
marketplace initiatives to balance the substantial benefits of the free
flow of information and the legitimate concerns about the privacy of
personally identifiable data, and we seek opportunities to work with
governments, consumers, and businesses to forge effective solutions to
the complex information-use issues worldwide.
C. Equifax Products
Equifax believes that the marketplace can offer solutions that
enlighten, enable and empower our customers and consumers to address
effectively some of the information-use issues today. So, increasingly,
Equifax is providing products directly to consumers to assist them in
understanding their credit profiles and to empower them to fight
identity theft and manage their fiscal health. For example--
Equifax's Score Power gives consumers access to their actual
BEACON credit score, along with an explanation of how that
score is used by credit grantors and recommendations about how
consumers may ``improve'' their score.
Equifax's Credit Profile gives consumers online access to the
information in their Equifax credit file.
Equifax's Credit Watch provides consumers with online
notification of changes to their credit file within twenty-four
hours, thereby providing early detection of potential identity
theft.
Equifax's eIDverifier patent-pending product permits consumers
to use information from their consumer credit report to
establish their identity virtually instantaneously in a
reliable and secure manner so that they can obtain products and
services online. This service deters identity theft and fosters
trust in e-commerce by facilitating an electronic handshake
between a known consumer and the online vendor. Subsequent
online transactions are encrypted, further enhancing trust and
protection.
iii. marketing and privacy
When assessing privacy risks and harm, at least four key topics are
relevant:
1. Source. Is the source of the information reputable and does it put
the record subject on notice that information is being
collected?
2. Content. What is the content of the information--is the information
aggregated or anonymous or is it personally identifiable and is
it sensitive?
3. Use. Will the information be used to benefit the individual or does
its use put the individual at risk for adverse, substantive
action?
4. Privacy Protections. Are there privacy protections already in place
to eliminate or minimize privacy risks?
When it comes to marketing, the answers to all of these questions,
I believe, support the reasonable conclusion that the privacy risk or
harm is minimal; the benefits to consumers, to business and to the
economy are substantial; and little basis for more governmental
regulation exists.
A. Sources
Equifax provides information to its customers for marketing
purposes from the following categories of data sources, in conjunction
with an array of analytical services.
At Equifax, most of the personally identifiable information
provided for marketing purposes comes from consumer self-reported data.
For example, Equifax's Survey of America and our online survey,
RightOffers (www.rightoffers.com), give millions of consumers an
opportunity to voluntarily provide information about themselves and the
members of their households and to exercise choice in what kind of
marketing offers they receive. Another source of self-reported data
included in the Equifax marketing databases is product registration
cards. On a voluntary basis, consumers may provide information about
themselves by responding to lifestyle or buying preference questions
included on paper product registration cards, electronic product
registrations, or Internet registrations.
Other data sources include third-party data sources such as public
record repositories and other government agency data sources (e.g.,
land records, certain license information such as hunting and fishing
licenses, and census data), and other types of reputable third-party
sources including those using publicly-available data such as telephone
white pages or other directories and exchanges.
In essence, our databases contain personal or aggregated data about
individuals or households that is self-reported, inferred through
sophisticated modeling procedures, or obtained from reputable third-
party sources, including public record or publicly-available sources.
B. Content
The vast majority of information held by Equifax for marketing
purposes is not personally identifiable information. Information does
not have to be personally identifiable in order to be useful to
marketers. Marketers can successfully market their products and
services on the basis of predictive, aggregated information. Whether
aggregated data is appended to a client's list of names and addresses,
offered with our analytical services, or used to develop a predictive
model, the key purpose is to help companies market products and
services to consumers who are likely to be interested. This information
is very valuable to marketers for predicting consumer spending
patterns. Consumers benefit because they receive only those offers in
which they are likely to have an interest. What's the result: Consumers
become aware of new products and services, businesses sell more
products more cost-effectively and the economy grows.
While the vast majority of information held by Equifax in its
marketing databases is not personally identifiable, as indicated above,
Equifax's marketing databases do contain some name and address
information. Naturally, marketers must have name and address
information in order to communicate their offers directly to consumers.
It is important to note, however, that the information included within
the Equifax marketing databases is not organized so as to be readily
and easily retrievable by personal identifiers (i.e., name and
address).
Our marketing databases contain primarily information that is
predictive, psycho-demographic information, such as ``Zip+4''
information--that is, information that describes the characteristics
that people who live in a particular geographic area are likely to
have, including lifestyle information.
Even when the information is more granular than geographic
``Zip+4'' type information, the information describes some of the
buying characteristics of a household, not necessarily of a specific
individual. For example, both the Survey of America and the online
RightOffers survey provide information that is used as a primary source
for our marketing databases. Both surveys ask participating consumers
to provide certain lifestyle information, including information about
their leisure activities and hobbies and those of the other members of
their household, as well their preferences regarding product categories
and/or brands. In addition, consumers are asked to provide certain
demographic information such as marital status, month and year of
birth, and occupation for household members. The information collected
from surveys is used in the aggregate to better understand consumer
preferences, past buying behavior, and responsiveness to direct
marketing.
Finally, in no instance is the marketing information we collect
sensitive personally identifiable information, unless the consumer has
voluntarily provided it. Even then, the data pertain to the household,
not an individual.
C. Uses
It is very important to emphasize that personal information
obtained for marketing purposes is not used for risk assessment
purposes. Marketing data is not used to make decisions about whether an
individual obtains or retains a job, insurance, or a government license
or benefit. Instead, the information is used merely for the purpose of
efficiently shaping the kinds of offers an individual receives.
Some have suggested that such target marketing provides some
consumers with an advantage over others who do not receive the direct
mail offer. It only makes sense that businesses would seek to cost-
effectively align their marketing with their markets, achieving the
best return possible by focusing on those most likely to respond. The
simple truth is that businesses have a limited number of dollars to
support marketing campaigns. Similarly, Members of Congress do not mail
campaign solicitations to every constituent but only to those in their
party and then only to those who have given before or who are more
likely to respond. In order to accomplish this goal, marketers must
direct their offers based upon their understanding of consumers' buying
preferences and willingness to respond to direct marketing offers.
Individual consumers are not excluded from receiving marketing offers.
In addition, marketers constantly refine their marketing campaigns
based upon changes in consumer spending patterns and other predictive
information. As a result, the audience to which a marketer directs its
offers may change. Furthermore, consumers who express an interest in a
particular product or service directly to a marketer are likely to be
included in marketing campaigns.
D. Privacy Protections
As I said at the outset, Equifax has adopted privacy protections
for marketing data that are appropriate to the use and any potential
harm. For example, we provide consumers with notice and opportunities
to opt-out (sometimes opt-in) of Equifax's use of marketing
information. We provide consumers who participate in our Survey of
America with the opportunity to specify on the Survey how their
information may be used. Survey of America participants may opt-out of
receiving future survey questionnaires, product samples and coupons in
the mail, or coupons and special offers from companies via email by
simply checking the appropriate boxes on the Survey form. Consumers who
complete product registration cards have similar opt-out opportunities.
In addition, in some situations, we provide opt-in opportunities.
At our ``RightOffers'' website, not only do we provide consumers with
the ability to opt-in to marketing uses by selecting only those
categories of offers that they want to receive, but we have implemented
a double opt-in system. Under that system, once we receive a completed
RightOffers survey, we send the consumer an email asking the consumer
to confirm his/her desire to receive offers. Furthermore, RightOffer
participants may update their information by revisiting the site and
are free to unsubscribe at any time.
We also employ state-of-the-art technology to help ensure data
integrity and security. In addition, our customers are prohibited from
using our marketing databases for individual look-up purposes. We have
always contractually prohibited our customers from using our database
for this purpose. Furthermore, we have designed our system so that we
have no delivery mechanism for a customer to query the database based
on a name; therefore, no individual look up is offered or feasible.
Further, Equifax provides consumers with meaningful and practicable
privacy protections through our compliance with a variety of self-
regulatory programs providing consumer rights and redress. We adhere to
the self-regulatory principles of organizations such as the BBBOnline
Privacy Seal program, the Online Privacy Alliance, and the Direct
Marketing Association.
Finally, in consultation with renowned privacy expert, Dr. Alan
Westin, Equifax conducts privacy audits of our procedures as well as
our products and services to ensure high standards of privacy
protection and, in fact, to provide a value-added quality.
All of these protections are consistent with Equifax's three Core
Values to which we adhere in order to protect the fair and ethical use
of data--
Core Value I: Equifax is committed to the ethical use of data and to
maintaining the highest standards of consumer information
privacy. We adhere, therefore, to a meaningful set of self-
regulatory privacy principles enterprise wide.
Responding to and anticipating evolving technology and
changing societal demands, we have managed sensitive
consumer data in an ethical manner for more than 100 years,
earning a reputation as a responsible steward of
information.
We provide consumers with notice--the ability to know what and
for what purpose personally identifiable information about
them is collected and used.
We provide consumers with choice--the ability to opt-out of
our use of marketing information about themselves; and
where feasible, the ability to opt-in to certain marketing
uses.
When feasible, we provide consumers with access to and a
correction procedure for personally identifiable
information about themselves used for non-credit-marketing
purposes.
To ensure data integrity and security, we employ state-of-the-
art technology and tested procedures to collect, store and
transmit personally identifiable information. Because
commerce and our reputation are on the line, we have a
vested interest in the quality of the information in our
databases. Thus, we employ stringent practices and
procedures to maintain the highest standards of data
accuracy, reliability and completeness that humans and
technology can achieve.
Equifax provides individuals with meaningful and practicable
remedies and redress in the event individuals are harmed by
the misuse of personally identifiable information about
them. These remedies arise from several sources: Equifax
adherence to our own privacy principles and to other
industry self-regulatory principles governing the use of
personally identifiable consumer and commercial
information; adherence to the requirements of the BBB
Online Privacy Seal; from the Federal Trade Commission's
enforcement of the unfair and deceptive practices
provisions of its charter, and from compliance with US and
international laws, including the European Union Data
Protection Directive.
Core Value II: Equifax supports and has launched business self-
regulatory and marketplace initiatives designed to balance the
substantial societal benefits of the free flow of information
and the legitimate concerns about the privacy of personally
identifiable data.
Equifax adheres to the privacy principles and requirements of
the BBBOnline Privacy Seal, the Online Privacy Association,
and the Direct Marketing Association, as well as to the
information-use initiatives of the Coalition for Sensible
Public Record Access (CSPRA) and the Associated Credit
Bureaus, Inc.
Equifax will only do business with entities that adhere to
meaningful fair information practices that effectively
address the concepts of notice, choice, access, security,
and redress.
Equifax enlightens, enables and empowers consumers to monitor
their financial health using product solutions to address
consumer privacy issues such as identity theft and credit
score disclosure.
Equifax employs and provides our customers with patent-pending
identity authentication technology and a wide range of
other products and services that enable our business
customers to make sound risk assessment decisions and
relevant marketing offers to consumers through the
appropriate and ethical use of personally identifiable
information.
Consumers and business both expect to conduct business
transactions instantaneously and securely. The free flow of
relevant information to legitimate businesses makes this
possible.
Legitimate business access to relevant consumer information is
critical to achieving a number of societal benefits:
thwarting identity theft, locating estate heirs, witnesses,
child support delinquents, debtors, missing children, organ
donors, etc.
Core Value III: Equifax seeks opportunities to work harmoniously with
governments, consumers and businesses to forge effective
solutions to the complex privacy and ethical information-use
issues worldwide.
Governments first must enforce existing laws concerning use of
personally identifiable information and should consider
enacting applicable laws only after industry self-
regulatory measures fail.
If industry self-regulatory initiatives fail after being given
a fair chance, Equifax then supports government regulation
that is relevant, not unduly restrictive, and that clearly
resolves the perceived imbalance.
In an e-commerce, online environment, national governments
must adopt preemptive measures to ensure that the
transmission of information and online transactions are
seamless across geographical boundaries.
In considering privacy law and policy, governments should
recognize the differences between the impact of and the
potential harm arising from the use of personally
identifiable information for financial decisions and that
used for marketing or other less serious purposes. Privacy
laws should pivot not on the source, but on the content and
the use of the individual information.
Consumers must take some responsibility for educating
themselves about privacy policies, procedures, products,
and technologies that enhance consumer information
protection and increase trust in transactions.
Under the privacy bargain, consumers should expect the level
of information privacy protection commensurate with their
demands on business, the benefits sought and the
sensitivity of the information exchanged.
Businesses that collect, maintain and use personally
identifiable data have a responsibility to develop and
implement an effective privacy program and to employ
ethical information practices.
The business community has a responsibility to develop
products and services that allow consumers to participate
safely in the information marketplace and to protect their
own privacy.
Equifax has taken the lead by providing online solutions that
enlighten, enable and empower consumers to manage their
financial health. These easily accessible products allow
consumers to examine their credit file, monitor changes in
it to thwart identity theft, and to obtain and understand
their current credit score.
Equifax will continue to develop products and services and, in
concert with other industry members and associations,
develop programs designed to empower and enable consumers
and customers to better manage privacy and risk issues.
iv. conclusion
In sum, direct marketing is a societal and economic good. The
process is profitable, efficient and benign. The concept is consumer
oriented and privacy sensitive.
In closing, I want to thank you again for the opportunity to
testify and to congratulate the Chairman and the Subcommittee for their
leadership in the privacy arena. We look forward to working with you so
that the marketplace might achieve the synergies that can arise from a
greater understanding and appreciation of the important societal
benefits of direct marketing--that is, efficient direct marketing
conducted in a self-regulatory environment that embraces effective
privacy protections.
Mr. Stearns. Thank you, Mr. Ford. And we have corrected
our--we have you as Chief Privacy Officer, instead of Policy
Officer, and we are sorry.
Mr. Ford. Thank you.
Mr. Stearns. Opening statement?
STATEMENT OF DEBORAH ZUCCARINI
Ms. Zuccarini. Good morning, Mr. Chairman and subcommittee
member Towns. Thank you for the opportunity to address the
subcommittee as it studies information use, particularly as it
relates to marketing.
My name is Deborah Zuccarini. I am Executive Vice President
and Chief Marketing Officer for Experian Marketing Solutions.
My comments today summarize key issues addressed in a much more
detailed statement I have submitted for the record.
Experian is one of the world's leading information services
providers, with more than 30,000 North American customers. Our
information solutions help businesses in over 50 countries
expand their markets, make sound lending decisions, and provide
the products and services their customers need and desire.
We have been responsible stewards of the information we
collect, maintain, and utilize for decades. Experian takes
information security and consumer privacy very seriously. Our
business practices and culture reflect our resolve to ensure
information is used to bring benefit to both businesses and
consumers, while ensuring consumer privacy is protected. A
thorough discussion of our approach to privacy is included in
my written statement, including consumers' choice to opt out.
There is a great deal of misunderstanding about marketing
information use, which has led to a number of popular myths
about direct marketing. During the next few minutes, I would
like to try to dispel a few of the most pervasive myths.
I suspect the myth most responsible for this meeting is
that marketing information is used to create detailed
individual consumer profiles. That simply is not true. Mr.
Chairman, subcommittee member Towns, with all due respect, data
compilers don't care who you are as an individual. From our
information, marketers want to know about the general
characteristics of their overall market or key market segments.
Specific characteristics about a single individual do not
provide useful marketing insight. For that reason, marketing
data bases typically are not designed to provide a list of one.
Our marketing information consists of estimated or modeled
data, summarized U.S. Census data, other publicly available
information, or self-reported consumer survey data. It is
typically used to reach lists of thousands of consumers with an
offer of interest to them, not to review a single record about
an individual.
In the end, direct marketing using our compiled data is
just advertising. Just as television advertising brings you the
Super Bowl, direct marketing advertising brings you the
products, services, and other benefits that businesses have to
offer. Direct marketing allows many small businesses and new
market entrants to advertise and compete, even without a Super
Bowl budget.
The second common myth is that marketing information is
used for individual look-up. Experian marketing information
services are not utilized to locate, identify, or verify the
identity of individuals. In fact, our contracts prohibit the
use of marketing information for such applications. In the
information industry, we refer to such information use as
individual reference services. We separately offer these
services to law enforcement and other qualified users such as
government agencies, who use the services for child support
enforcement, locating witnesses and victims, and preventing
fraud. However, such services are not derived from information
compiled for marketing purposes.
The third myth I would like to address today is that
marketing information is used for credit, insurance, or
employment underwriting. This is not the case. This myth arises
from confusion between marketing information and credit
reporting. The Fair Credit Reporting Act governs third-party
information used for credit, employment, or insurance
underwriting. Use of a marketing data base for FCRA-permissible
purposes could subject that data base to all of the
requirements of the FCRA, making it unusable for marketing.
Therefore, Experian prohibits such use. And that is why the
urban legend about grocery store purchases being shared for
insurance underwriting is just that--a legend.
These and other misunderstandings contribute to heightened
privacy concerns. We understand and respect these concerns, and
we work diligently to ensure consumer privacy is protected.
Experian believes that marketing information use is not a
privacy threat, but it is vital to our economy.
In the privacy debate, there seems to be an assumption that
such information use somehow causes harm, yet no evidence of
real harm has been shown. Hard questions must be asked to
determine if any real or perceived harm truly outweighs the
demonstrated economic benefits of information use for
marketing. A recent study by the Information Services Executive
Council estimated consumers save over $1 billion annually as a
result of information sharing in the catalogue apparel industry
alone. A WEFA Group study estimated that in the year 2000,
total consumer sales attributable to direct marketing would be
nearly $940 billion, and that more than 14.7 million people
would be employed throughout the U.S. economy as a result of
direct marketing activities.
We believe that responsible information use for marketing
is in the best interests of both businesses and consumers. The
quality of offers today has improved significantly over the
years, resulting in greater efficiency for businesses, lower
costs for consumers, less mail, and more opportunity.
Mr. Chairman, this concludes my remarks. Thank you for
inviting Experian to present our view on these important
issues. We would be happy to answer any questions you or other
subcommittee members may have.
[The prepared statement of Deborah Zuccarini follows:]
Prepared Statement of Deborah Zuccarini, Executive Vice President and
Chief Marketing Officer, Experian Marketing Solutions
summary
For more than 50 years Experian has been a leader in the
information industry. In fact, the company's roots date back more than
100 years to the pioneers of credit reporting. Its success is based on
sound information values that guide the development of practices and
policies that protect consumer privacy, ensure security and provide
benefit to consumers and our business clients alike.
Responsible information use today affords consumers greater choice,
convenience, and lower prices than ever before. In past decades, our
economy was local. Consumers lived where businesses were located.
Product and service choices were limited to what was available in a
consumer's neighborhood, the local main street, or perhaps a nearby
city. Consumers learned about businesses by walking down the street, or
reading ads in the local newspaper.
Today, our economy is national. Businesses in Los Angeles and New
York compete daily for sales to consumers in Kansas. Where once there
was only a single provider of a product or service, or maybe two or
three to choose from, there now are hundreds. Because of responsible
information sharing, those businesses can reach consumers who are most
likely to need their products and services. That greatly increases
consumer choice and promotes competition, which drives down prices.
Unfortunately, a number of myths and misunderstandings have arisen
about information use for marketing purposes. Those myths and
misperceptions are the basis for many of the privacy concerns that have
brought us here today. This testimony attempts to dispel three of those
myths:
MYTH: Marketers want to know specific information about
individual consumers. In fact, marketers don't focus on
individual consumers. Instead, they are interested in overall
market characteristics.
MYTH: Marketing databases are used for individual ``look-up.''
In reality, marketing information is used for overall market
analysis. It is not used to identify, locate, or verify the
identity of individuals.
MYTH: Marketing information is used for credit, insurance or
employment underwriting. The Fair Credit Reporting Act governs
information use for these purposes. Therefore, marketing
information is not utilized for these purposes.
Unintended and unforeseeable consequences of new legislative
mandates based on such myths may jeopardize today's robust,
information-based economy.
Dozens of federal and state laws govern information use for
marketing purposes, along with multiple industry self-regulatory
regimes. We are concerned that current legislation may already have
gone too far, and has failed to balance economic vitality with
legitimate consumer interests.
Legislation already strictly controls the use of sensitive
information, including credit, financial, medical and children's data.
Additional government-mandated restrictions on marketing information
use may result in unexpected and unintended consequences. Small
businesses, relying on cost-effective direct marketing as an
advertising channel, could be forced out of the marketplace,
diminishing consumer choice and opportunity. Yet, consumers would
likely not benefit from any substantive privacy protections.
Experian applies stringent information values to all of its
information uses through a strict assessment process that ensures
privacy concerns are addressed and that the information use benefits
both businesses and consumers.
We consider ourselves to be stewards of the information we collect,
maintain and utilize. Our responsibility is to ensure the security of
the information in our care is protected and that the privacy of
consumers is maintained through appropriate, responsible use.
Through its Consumer Advisory Council, Experian receives valuable
insight and guidance from consumer advocates, legislators, scholars and
business leaders regarding our information services. In addition, our
Corporate Privacy Council, a group of company leaders, meets regularly
to ensure Experian information services provide consumer and business
benefit while upholding the Experian Information Values and ensuring
privacy expectations are met.
Although the pervasive myths discussed above inaccurately suggest
otherwise, Experian and others in the direct marketing industry work
diligently to understand and address consumer privacy concerns. We
encourage you to continue to study the importance of information flows
to our economy. We believe the current legal and self-regulatory
framework best serves consumers and businesses. The greatest consumer
and business benefit is achieved through consumer notice and the
opportunity to opt-out.
about experian
Experian is one of the world's leading information solutions
companies. Primarily involved in credit reporting and direct marketing
services, we also provide references services, analytic services, and
consulting solutions, helping businesses make better, faster decisions,
and efficiently reach consumers with new product and service offerings.
Our annual sales are in excess of $1.5 billion. The chart in Appendix A
outlines Experian's history.
Experian employs more than 6,500 people in North America. Our
corporate headquarters are in Orange, CA, where we have 1,364
employees. Other major U.S. employment centers include:
Colorado--209 employees (Denver)
Georgia--157 employees (Atlanta)
Iowa--585 employees (Mt. Pleasant)
Illinois--1,398 employees (Lombard, Schaumburg)
Nebraska--1,218 employees (Lincoln, Seward)
New Jersey--79 employees (Parsippany)
New York--220 employees (Albany, New York, Rye)
Texas--802 employees (Allen, McKinney)
Vermont--263 employees (Rutland)
experian's primary business areas
Experian has six key business areas: direct marketing services,
credit reporting, automotive information services, customer
relationship management, electronic commerce services and individual
reference services.
Direct marketing services
Experian direct marketing services help bring businesses and their
customers together. The company touches nearly one in four pieces of
mail delivered by the U.S. Postal Service. But Experian direct
marketing services extend beyond targeted mailing. Businesses rely on
Experian to help them better understand their markets and the
characteristics of the people who do business with them. Understanding
the marketplace makes possible faster, more efficient product
development and delivery, better retail outlet and service center
locations, improved customer service, more cost-effective advertising
and lower costs for consumers.
Each year, Experian ships 1.7 billion pieces of mail from its
processing centers and provides address information for more than 20
billion promotional mail pieces delivered to more than 100 million
households. Those offers present consumers with products and services
from companies about which they may otherwise never have known. By
identifying the characteristics of consumers likely to be interested in
certain kinds of products and services, Experian helps marketers more
efficiently reach consumers who are most likely to be interested in a
business' products or services.
Credit reporting
Experian and the companies from which it was formed have provided
credit reporting services for more than 100 years. J.E.R. Chilton began
credit reporting in Dallas, TX in 1897 by taking notes from local
merchants in a little red book. Decades later, the TRW Corporation
pioneered computerization of the credit reporting process, leading to a
national credit reporting system. In 1996, TRW sold its credit
reporting unit, which became Experian.
Today, hundreds of millions of credit reports are provided to
lenders annually. The ability of creditors to check a person's credit
references in an instant enables them to make rapid, sound, and
objective lending decisions. That ability helps consumers get the
credit they need and deserve faster and cheaper than anywhere else in
the world. Enabling lenders to make objective, safe, secure loans and
minimize other credit-related losses, while providing consumers instant
access to credit, has contributed greatly to the robust U.S. economy.
Customer relationship management
Business success is built upon positive relationships with
customers. Relationships are built on information. Experian helps
businesses establish and develop long-lasting customer relationships
through responsible information use. We help businesses get a clearer
picture of their customers across multiple business units and market
segments. We help companies understand why certain kinds of people shop
with them and what the customer needs. With that clearer understanding,
Experian then is able to provide information services that help
businesses initiate relationships with new customers, assist the
businesses in developing new, desirable products and services and aid
in providing pleasant shopping and effective customer service. The
result is a better shopping experience for consumers and more
profitable operation for businesses.
Automotive Information Services
Experian Automotive Information Services specialize in the
collection and dissemination of vehicular data from each of the 51
United States jurisdictions. The information is utilized to provide
valuable services to auto dealers, manufacturers, consumers and
advocacy organizations, advertising agencies and internet information
sites, law enforcement and tollway authorities. Detailed vehicle
history reports enable consumers to make informed used-auto purchasing
decisions. Manufacturers rely on our services to manage recalls and
conduct market analysis to manage product supply and improve service.
Electronic commerce services
Experian's electronic commerce division helps businesses establish
a presence in the electronic marketplace, develop relationships with
online consumers and ensure consumers and businesses enjoy positive,
safe transactions. Our e-commerce division focuses on both consumers
and the businesses that reach them with patented delivery systems and
best-in-the-industry security processes and systems.
For our business partners, we verify, authenticate and enhance
identity information about consumers and businesses. With enhanced
authentication, clients reduce fraud by making confident transaction
decisions in real time.
For consumers, we offer a range of personal information solutions
ranging from our online credit report with real-time dispute
registration, to our vehicle history report--a must for used car
purchases. We offer a subscription service for unlimited access to
credit report and credit score information along with the tools
required to better understand them. We also offer a property report--to
better understand the value of your home--or prospective home.
Individual reference services
Our reference services help people, businesses, non-profit
organizations, government agencies, law enforcement, and other
organizations identify, locate, and verify the identity of individuals.
The most recognized individual reference services are the telephone
book and directory assistance--services you use every day. They usually
include only names, addresses and telephone numbers.
More sophisticated reference services may include information about
whether you own a home or rent an apartment, how long you have lived in
the same location, and if there are additional household members.
Sensitive identifying information such as your Social Security
number, driver's license number, and date of birth is included in some
reference services. These services, however, are limited to use by law
enforcement, government agencies, and other organizations with a
legitimate and appropriate need for such information.
the benefits of information use
Because of the information services provided by Experian and its
counterparts, the United States has the most robust economy in the
world, and its consumers have greater choice and receive greater value
than consumers anywhere else in the world.
Consumer benefits of information use
Direct marketing: Direct marketing services increase choice and
opportunity and reduce costs. Each year, Experian ships 1.7 billion
pieces of mail from its processing centers and provides address
information for more than 20 billion promotional mail pieces delivered
to more than 100 million households. Those offers present consumers
with products and services from companies about which they may
otherwise never have known. By identifying the characteristics of
consumers likely to be interested in certain kinds of products and
services, Experian helps marketers reduce unwanted mail and send only
offers that consumers are likely to want or need. But targeted mail
processing is only one of many direct marketing services provided by
Experian and its industry associates.
Market analysis services help businesses identify the common
characteristics of their customers. A richer understanding of their
customer base helps businesses better plan media campaigns, determine
retail site location, develop new product offerings, better position
their brands, have a clearer understanding of their customers' service
needs, and reach new customers. For consumers, the result is lower
product cost, better customer service, more convenient shopping, faster
delivery, reduced unwanted mail and exposure to useful new products and
services.
An April 2001 study by the Information Services Executive Council
found restrictions on marketing information use would cost catalog and
Internet apparel shoppers $1 billion annually.\1\ According to the
study, that cost would be shared disproportionately by inner city and
rural catalog shoppers. Inner city neighborhoods generally are under-
served by traditional retail stores, and rural consumers often live
long distances from the nearest mall or retail center. As a result,
these two groups are more reliant on catalog or Internet shopping
alternatives.
Similarly, a December 2000 study by Ernst & Young found members of
the Financial Services Roundtable (FSR)--a group of 90 of the nation's
top banking, insurance and securities firms--save approximately $1
billion a year by using targeted marketing. Much of that savings is
passed directly on to consumers.\2\
``FSR members report that they would send out about three to six
times more direct marketing if they could not use information sharing
for targeted marketing. Targeted marketing results in real savings for
financial institutions, some or all of which will be passed forward to
customers in price reductions,'' the study said.
According to the study, FSR customer households annually save $17
billion and 320 million hours as the result of information sharing
among affiliates and third parties.
Credit reporting: The United States' unique credit reporting system
dramatically increases American consumers' choices and opportunities
for financial services. Because of the U.S. automated credit reporting
system, American consumers can obtain credit and secure other financial
services at lower costs from a larger number of providers than anywhere
else in the world.
By comparison, economist Walter Kitchenman said of nations without
an open credit reporting system, ``As a result, financial services are
provided by far fewer institutions--one-tenth the number serving U.S.
customers, despite the fact that the pan-European market has almost one
and one-half times as many households.'' \3\ He added, ``consumer
lending is not common, and where it exists, it is concentrated among a
few major banks in each country, each of which has its own large
databases. ``In fact, European consumers, although they outnumber their
U.S. counterparts, have access to one-third less credit as a percentage
of gross domestic product.''
The open U.S. credit reporting system provides a foundation for
lender confidence, increasing the availability of loans, reducing the
cost of credit and increasing competition for customers, all of which
benefit the U.S. consumer.
Individual reference services: Often the benefits of individual
reference services, and the services themselves are taken for granted.
Yet they are used everyday. People, businesses, law enforcement and
other organizations utilize individual reference services routinely to
locate, identify and contact people for a variety of very positive
reasons. Basic reference services, such as a telephone book, are
available to almost anyone. Experian separately provides more
sophisticated services only to law enforcement or other qualified
users. A few of the users of individual reference services and how such
services are utilized are listed below.
You: through the telephone book or directory assistance to
find a telephone number or an address to send a thank you note
or holiday greeting.
Lenders, retailers, e-tailers: to verify the identities of
potential customers and protect you from fraud.
Law enforcement agencies: to locate crime witnesses and
apprehend criminal suspects.
Child support agencies: to locate parents who are behind in
their child support payments.
Government agencies: to find missing pension fund
beneficiaries and heirs.
Alumni Associations: to contact recent graduates and send
event notices to current members.
Businesses: for product recalls and product notices.
The information included in individual reference services can range
from just names, addresses and telephone numbers, to more sensitive
identifying information including dates of birth, Social Security
numbers and drivers license numbers. Access to certain types of
reference information is carefully monitored and controlled. For
instance, an individual only is allowed access to published telephone
book information. Law enforcement agencies, however, can access more
sensitive data for use in criminal investigations.
During 1998, the FBI made 53,000 inquiries into commercial
individual reference services. According to then FBI Director Louis
Freeh, utilization of these services aided in the arrest of 393
fugitives, identification of more than $37 million in seizable assets,
locating 1,966 wanted individuals and location of 3,209 witnesses
wanted for questioning.\4\
Overall economic benefits of information use
Experian information services promote competition in the
marketplace. Information sharing for target marketing and credit
reporting opens the door for small, emerging businesses to compete with
larger, established companies. It levels the playing field by making
the cost of entry affordable to everyone.
Information sharing ``allows new market entrants, which cannot
afford mass market advertising and lack the customer lists of their
well-established competitors, the ability to reach those people most
likely to be interested,'' said Fred H. Cate and Michael E. Staten in
their paper, Putting People First: Consumer Benefits of Information-
Sharing.\5\
According to the Ernst & Young study, ``FSR members save about $1
billion per year through targeted marketing based on shared
information--savings that can then be passed forward to customers.
Almost all of the survey respondents said that if they could not use
targeted marketing, they would resort to mass marketing instead, while
a few said that they may eliminate direct marketing completely.''\6\
The implication is that large companies could bear the cost of mass
marketing--ostensibly unfettered distribution to every U.S. consumer.
For small businesses, it means being forced out of the marketplace.
With reduced competition, consumers would be faced with higher prices
and less choice. The French financial banking industry provides a good
example.
In a 1999 study, Walter Kitchenman said:
In France, for example, the EU country with the strictest
financial privacy laws, seven banks control more than 96
percent of banking assets. The seven dominant French banks,
each with assets of over $100 billion, already own extensive
databases--and don't need to share customer information with
anyone. The fact that this system restrains innovation, hurts
customer choice, and increases price is not a great concern to
those banks because the same system also restrains competition
and makes it easier to hold customers and capital captive.\7\
As he points out, while solicitations may sometimes seem annoying
to consumers, the solicitations in fact represent a free flow of
information that promotes competition among businesses of all sizes,
giving U.S. consumers far more choice and opportunity at significantly
lower costs.
The direct marketing industry also is an important source of
employment and a significant part of the overall consumer market. A
recent WEFA Group study estimated that in the year 2000, total consumer
sales attributable to direct marketing would be nearly $940 billion.
The same study estimated more than 14.7 million people would be
employed throughout the U.S. economy as a result of direct marketing
activities.\8\
Building relationships between businesses and consumers
It has been said that credit reporting is a secret ingredient of
the U.S. economy's resilience. The availability of automated,
nationwide credit histories enable lenders to make objective, sound
lending decisions, reducing risk, attracting investment and
strengthening the economy.\9\ As a result, U.S. consumers benefit from
widely available credit at lower costs than anywhere else in the world.
Some estimate that because of the U.S. credit reporting system,
consumers in this country save as much as $80 billion a year on
mortgage loans alone.\10\ But the robust nature of the U.S. economy
does not rest only with information use for credit reporting purposes.
Direct, or target, marketing results in significant savings for
businesses each year. Those savings are passed on to consumers. An
Ernst & Young study indicated members of The Financial Services
Roundtable (FSR) would have to send out three to six times more
marketing offers if they could not use information sharing for targeted
marketing purposes. The result would be far greater costs, which would
be passed on to consumers, not to mention increased volumes of mail in
their mailboxes.\11\
Restricting information use also threatens the backbone of the U.S.
economy: small businesses. Today, small businesses rely on the
availability of information to establish and expand their markets. They
could not compete with corporate giants if they were unable to utilize
target marketing to reach consumers who otherwise would not even know
the business existed. Experian provides marketing solutions to almost
4,000 small businesses across the country.
In a July 2000 paper, Fred Cate and Michael Staten presented very
clearly the danger to our economy of interfering with information
sharing:
Interfering with the availability of that information hurts
both consumers, who miss out on opportunities, and businesses,
who face higher costs to reach consumers, but such interference
imposes an especially heavy burden on small companies, which
cannot afford mass market advertising and lack the customer
lists of their well-established competitors. Open access to
third-party information and the responsible use of that
information for target marketing is essential to leveling the
playing field for new market entrants.\12\
The ISEC study reached the same conclusion when looking at an opt-
in approach to marketing information as opposed to the current opt-out
standard. Implementation of data use restrictions would drive up total
costs to consumers from 3.5 to 11 percent. The result would be
devastating to small firms and new market entrants.
According to the study, ``Since marketing costs will likely
increase if external opt-in restrictions are put in place, some
retailers will be forced to exit the market and other, new companies
will be deterred form entry. With a smaller marketplace, competition
suffers, giving consumers less choice and higher costs when distance
shopping.'' \13\
It is easy to overlook the impact of information use on our local,
small businesses. We too often take for granted the local food store,
pharmacy or men's clothing store. In today's economy, they are
competing not only with giant supermarkets, drug outlet stores and
shopping malls, but also with online services that may deliver to your
door. In such an environment, information sharing is critical for small
businesses just to maintain a storefront in the community.
Detecting and preventing fraud
Experian's information services are a key resource in providing
assistance to businesses, consumers and law enforcement to detect, stop
and recover from fraud--both online and offline. Consumer information
maintained under Experian's stewardship is fueling new, state-of-the-
art online verification and authentication systems, including digital
signatures. The new technology, used responsibly, is critical to the
continuing growth of e-commerce.
Individual reference services provided by Experian help law
enforcement identify and locate suspects and perpetrators of fraud,
speeding arrest and prosecution.
Recently, Experian launched the National Fraud Database, the
nation's first repository of known fraudulent activity. Participants
include representatives from a variety of industries, such as financial
services, insurance, retailing and telecommunications. Members
contribute known fraud data to Experian, which then enters it into the
database. A National Fraud Database Report will be provided to a
participating lender, for example, when a loan application is
submitted. Information in the report matching a previously verified
fraud case will help lenders prevent fraud from occurring at the point
of origin.
Participation in this ground breaking initiative has been offered
to Experian's competitors--Trans Union and Equifax--as a way of
solidifying the industry's resolve to fight fraud and identity theft.
helping businesses build customer relationships
Why marketing information is important to businesses
Businesses rely on Experian to provide accurate, reliable
information services that help them better understand their markets and
identify, contact and build profitable relationships with new
customers. Experian's information solutions help businesses better
understand their markets and more efficiently reach consumers likely to
be interested in the products and services the businesses offer. That
reduces marketing costs and increases new customer satisfaction.
Customer analysis and resultant market segmentation also enables
business to tailor their advertising outlets to reach interested
consumers, better position their brands, improve customer service, and
better locate retail outlets and delivery centers. The result is
greater efficiency, lower costs passed on to consumers, greater
customer satisfaction and increased customer loyalty, all of which make
a business more successful.
Some myths about marketing information use
There are a number of myths and misperceptions about direct
marketing and the information in direct marketing databases. Many of
these myths appear to drive the debate about increasing restrictions on
marketing information to protect consumer privacy. Here are a few of
those myths and the facts that will help dispel them.
1. MYTH: Marketers want to know specific information about
individual consumers. Direct marketing is simply another form of
advertising, not unlike television ads aired during the Super Bowl.
Like Super Bowl advertisers, direct marketing advertising are
attempting to reach a large group of individuals who have certain
demographic characteristics that indicate they may be interested in
purchasing their products or services. Unlike Super Bowl advertisers
that have millions of dollars to spend on promotions, direct marketers
often are small businesses, or new market entrants without large
budgets. Therefore, they need more efficient ways to advertise to their
marketplace.
Marketing databases are not designed to provide a ``list-of-one.''
Instead, businesses want to know about the characteristics of their
overall market. The consumer characteristics of a single individual do
not provide useful market insight. Once a market is better understood,
a business may want to send an offer (whether offline or online) to
hundreds, thousands, or even tens-of-thousands of consumers. For that
they may receive a mailing list of names and addresses, but again, the
business is not interested in the specific information about a single
individual.
Further, information in most marketing databases is summarized at
the household, not individual level. Rather than analyzing information
about specific individuals, businesses typically consider household-
level information. Much of that information is estimated or modeled
using U.S. Census data or consumer survey data. Estimated age and
income ranges and general interests are examples. For more information
about the types of information utilized for direct marketing and
information sources, see Appendix B.
2. MYTH: Marketing databases are used for individual ``look-up.''
Experian marketing information services are not utilized to locate,
identify or verify the identity of individuals. Our contracts prohibit
the use of marketing information for such applications.
In the information industry, we refer to such information use as
individual reference services. Appropriate use of these services is
ensured through a strict self-regulatory code and related industry
practices.
Although you don't realize it, you probably use reference services
every day. The most common is the telephone book.
Experian separately offers more sophisticated services to law
enforcement and other qualified users, such as government agencies, who
use the services for child support enforcement, locating witnesses and
victims, and preventing fraud.
However, such services are not derived from information compiled
for marketing purposes.
Marketing databases are used for overall market analysis and
identifying households with consumers who are most likely interested in
purchasing a product or service. The information in marketing databases
generally are not intended to be used to locate, identify or verify the
identity of individuals and is not used in that manner. Again,
marketing databases are not designed to return a ``list-of-one.''
3. MYTH: Marketing information is used for credit, insurance or
employment underwriting. The Fair Credit Reporting Act governs third-
party information used for credit, employment or insurance
underwriting. Use of a marketing database for FCRA permissible purposes
would subject the database to all of the requirements of the FCRA. The
database then could be used only for FCRA permissible purposes. It
could no longer be used for marketing.
For that reason, Experian's marketing database and credit reporting
database structures are entirely different and distinct.
And it's why the legend about grocery store purchases being shared
for insurance underwriting is just that--a legend.
compiling and utilizing information for marketing purposes
Experian is a data aggregator. Our company collects and maintains
information for marketing purposes and provides information solutions
enabling marketers to efficiently reach consumers who are interested in
purchasing their products and services. We are committed to providing
information solutions that benefit both our business clients and
consumers. We also recognize and take very seriously our responsibility
to protect consumer privacy.
We must ensure the security of the information we collect and
maintain, and ensure that it is used appropriately. Experian takes a
``values approach'' to privacy, which is described in greater detail
below.
We provide consumers with notice regarding our information
collection and use and choice regarding that information collection and
use including an opportunity to opt-out of information collection and
use by Experian.
To opt-out of Experian marketing information use, consumers need
only call 1 800 407 1088.
Experian also is a member of the Direct Marketing Association
(DMA). We honor the DMA mailing and telephone preference lists.
The following sections describe Experian's role as a data compiler
and our approach to addressing privacy issues.
Experian's role as a data compiler
Experian marketing databases contain information about more than 98
percent of U.S. households. The information is utilized to help
businesses analyze their overall markets and market segments and to
contact consumers who will most likely be interested in the products
and services they offer.
Experian maintains databases for two distinct purposes: credit
reporting and direct marketing. The data for those uses is kept
separate, both physically and electronically. Experian's credit
reporting database is physically located near Dallas, TX. Its marketing
databases are in Schaumburg, IL. The information is maintained and
utilized for appropriate purposes and is not combined or commingled
except as allowed by law.
The information Experian collects
The information Experian collects for direct marketing purposes
comes from a number of sources, first and foremost directly from
consumers. Warranty cards, surveys, magazine subscriptions and
sweepstakes entries all are provided by consumers and are utilized for
direct marketing services. Other sources include non-personally
identifiable United States Census information, public records and
telephone directory information. Experian direct marketing information
includes:
Census information (median or percentage values based on
census track)
Lifestyle information (reported by consumers)
Interests, hobbies, activities
Public records/telephone directory information
For more information about the types of information utilized for
direct marketing and information sources, see Appendix B.
Ensuring appropriate information use
Experian found that rigid rules directing information use are
quickly outdated by today's rapidly evolving technology and constantly
changing consumer and business needs and expectations. For more than a
decade Experian has taken a values approach to information use. Our
five global information values ensure Experian information services
provide value and benefit to both businesses and consumers while still
enabling adaptation to cultural and regulatory changes and
technological advances.
The Experian global information values are:
Balance
Experian strives to balance the interests of consumers with the
business needs of customers to ensure both receive benefit from
information use.
Accuracy
Experian strives to ensure the information it collects and
maintains is as accurate and up-to-date as possible and that the
information is appropriate for its intended use.
Security
Experian protects the information it maintains from unauthorized
access or alteration.
Integrity
Experian complies with all laws and applicable industry codes and
operates its businesses in accordance with these information values.
Communication
Experian communicates openly about the information it maintains,
how it is used and seeks to inform consumers of their rights regarding
the use of information.
Every Experian information service undergoes a formal Information
Values Assessment before it is approved. The assessment ensures the
service not only meets all legal and self-regulatory requirements, but
that it also meets security standards, addresses consumer privacy
concerns and provides value and benefit to both businesses and
consumers.
Teams within each Experian business unit is tasked with ensuring
new information services undergo values assessments. These individuals
and their teams work integrally with Experian sales staff and marketing
units to ensure the Information Values are built into all of Experian's
products and services.
In addition, Experian seeks input from consumer groups, consumer
advocates and its business partners regarding information use to
further ensure the services it provides incorporate appropriate
security and privacy provisions and provide benefit to both consumers
and its business clients.
Our Consumer Advisory Council was among the first organizations of
its kind. Composed of consumer advocates, legislators, scholars and
business leaders, the Council provides valuable insight and guidance
regarding Experian information services. Consumer Advisory Council
opinions and suggestions help us provide information services that
provide value and benefit to both businesses and consumers while
effectively addressing privacy issues.
The Experian Corporate Privacy Council is comprised of senior-level
managers. Its members meet regularly to discuss and address privacy
issues and to ensure Experian information services uphold the Experian
information values and exceed privacy expectations.
Experian is committed to providing consumers with notice and choice
regarding its information services. Whenever Experian direct marketing
services are utilized, consumers must be given notice of the
information use and provided with an opportunity to opt-out of that
information use. To opt-out of Experian marketing information use,
consumers need only call 1 800 407 1088. We comply strictly with the
Direct Marketing Association (DMA) Privacy Promise and honor the DMA
opt-out lists.
Consumer education
We produce a number of education materials that describe how
information is collected and utilized, our Information Values and
information use policies and consumer choices regarding information
collection and use. All of the materials are provided free to consumers
through many partnerships, among them:
State attorneys general
State and federal legislators' offices
State and federal government agencies
The United States Army
The United States Navy
Offices of consumer affairs
Consumer organizations
High school and university educators
Student organizations
Divorce attorneys
Marriage counselors
Realtors
Lenders
The media
There are many others. Experian is committed to reaching consumers
with the information they need to understand how they can be actively
involved in our information economy.
We have delivered to consumers more than 1 million copies of our
various Reports on series. Our four-part Reports on Direct Marketing
describe how the direct marketing process works, what information
Experian collects and how it is used, and provides details on the
choices consumers have and what they need to do if they choose to opt-
out.
Hundreds-of-thousands of Experian's booklet 12 Common Questions
about Credit Reporting and Direct Marketing have been distributed
directly to consumers and through our many partnerships. The booklet is
printed in both English and Spanish versions.
Much of the consumer education material is available online.
Experian also offered the first online advice column about information
use, called Ask Max. During the past four years, more than 50,000
questions have been received from consumers, and more than 100 columns
have been published. Most column responses address credit reporting
issues because few consumers have submitted questions about direct
marketing.
Access
Marketing databases often are erroneously compared to credit
reporting databases. However, the data, data uses and structures of
marketing databases and those of credit reporting databases are
entirely different. Comparison is, to use a cliche, apples and oranges.
To suggest an access and dispute process for marketing databases like
that for credit reporting is unrealistic.
The information in a credit reporting database is used to make
critical lending, insurance, housing and employment decisions about
specific individuals. Therefore, the data must be as precise as
possible. Because the information is specific to the individual and of
such a crucial nature, consumers need to know and have the ability to
play a role in ensuring the accuracy of the information. Information
service providers store data and manage its use. The source of the
information generally must correct any inaccuracies and update that
information with the credit reporting agency, which essentially serves
as a library.
Marketing databases also serve, in a sense, as a library. But the
nature of marketing databases makes such a disclosure and dispute
process very impractical, if not impossible.
Unlike lenders, who need to know precise details about an
individual's repayment history, marketers need only to understand the
general characteristics of their overall markets. By identifying those
characteristics, businesses are better able to reach consumers who will
most likely be interested in purchasing the products and services they
offer. Because marketers need only to contact a broad group of
consumers who may be interested in a product or service, the
information in marketing databases is not precise. In fact much of the
information in marketing databases is derived from computer models, is
estimated or is presented in ranges.
Consumers would expect a level of precision and accuracy that
simply is not present, which would make a dispute process impractical,
if not impossible. Because most information in a marketing database is
of this nature, such a disclosure would be of little, if any benefit to
the consumer.
While providing a disclosure would be of little benefit, it likely
would pose a greater threat to privacy than currently exists. The
nature of marketing databases would limit identification authentication
largely to name and address, which is widely available in public
sources, such as telephone directories. Access requirements, therefore,
should be constructed by balancing the benefits to consumers against
the risks to them and the costs to companies that hold the data.
Requiring access would require information aggregators like
Experian to create the very kind of database you are most concerned
about. In order to provide access, a marketing database would have to
include detailed, personal information that could be compiled and
provided easily and quickly in highly detailed individual dossiers.
This is the very thing we want to avoid.
Allowing access to marketing databases would be enormously
expensive. In fact, it would require retooling of an entire industry.
Existing database architecture would have to be redesigned and
disparate databases linked together to form name-driven profiles. Large
customer service staffs would have to be hired and stringent security
safeguards put in place. While that expense is justified and necessary
with regard to information governed by the Fair Credit Reporting Act,
it is of questionable value for data collected only for marketing
purposes.
A consumer's current ability to opt-out of having their name shared
for direct marketing purposes satisfies the underlying concern about
privacy without imposing undue and unnecessary costs to businesses and
risks to consumers that would result from access requirements.
The current regulatory environment
A significant body of legislation and self-regulatory regimes
already govern the use of consumer information. All information
collected and utilized by Experian is governed either by specific
legislation or industry self-regulatory guidelines. The following lists
describe the statutory and self-regulatory regimes currently governing
information use for marketing and credit reporting purposes, for both
online and offline applications.
Regulatory requirements governing marketing information:
Drivers Privacy Protection Act (DPPA)
Fair Credit Reporting Act (FCRA; for pre-approved credit
offers)
Children's Online Privacy Protection Act (COPPA)
Telephone Consumer Protection Act and Telemarketing Sales Rule
State do-not-call requirements
Census Confidentiality Act
State Voter Records Acts
Gramm-Leach-Bliley Act
Self-regulatory standards for marketing information:
Direct Marketing Association (DMA) Privacy Promise
DMA Telephone Preference Service
DMA Mail Preference Service
DMA Electronic Mail Preference Service
DMA Ethical Guidelines
Experian Information Values and associated practices
Regulatory requirements for credit information:
FCRA
Equal Credit Opportunity Act (ECOA; relates to risk score
development)
Fair Debt Collection Practices Act (FDCPA)
Gramm-Leach-Bliley Act
Experian supports the House Commerce Subcommittee's efforts to
thoroughly investigate the issue of consumer privacy before concluding
that more legislation is necessary. The Subcommittee is wise to focus
on what gaps exist, if any, and whether there is a need for new
regulatory mandates or enforcement regimes.
The combination of existing statutory requirements and self-
regulatory guidelines of marketing information already is substantial.
Experian is constantly working with its trade groups to strengthen and
improve existing self-regulatory standards. For these reasons, Experian
opposes further federal regulation of marketing and reference service
information at this time.
The debate about privacy is incomplete and evolving. We do not yet
fully understand the importance of information flows to our robust
economy. Enacting legislation based on incomplete knowledge could
result in additional, negative, unintended consequences to our economy
and greater consumer inconvenience with no meaningful privacy
protection.
The above listed regulations and self-regulatory regimes must be
allowed time to work and the impact of their restrictions on
information use studied. The affects of the safeguards implemented by
these laws and of the recently enacted Gramm-Leach-Bliley Act are as
yet unknown. It is essential that we allow some time for these new laws
to bear out any unforeseen or unintended consequences.
To reiterate, Experian strongly believes existing law, industry
self-regulation and market responses are providing more than adequate
consumer protection.
In fact, we are concerned that current legislation may already have
gone too far, and has failed to balance economic vitality against
legitimate consumer interests.
The scale is often tilted by the assumption that direct marketing
somehow causes harm. A number of studies, including a report by the
Federal Trade Commission,\14\ have found no evidence of real harm
resulting from marketing information use.
Hard questions should be asked of those who claim consumers have
suffered real harm. How do they define harm? Where are the examples of
real harm? Is there truly harm, or are they erroneously equating harm
with annoyance?
New legislation should be considered only if specific consumer harm
can be demonstrated and must be implemented only in a manner that
carefully balances intended consumer privacy protection against the
economic benefit of accessible marketing information.
conclusion
Thank you for the opportunity to submit these remarks on behalf of
Experian. I hope this document helps dispel a few of the myths about
marketing information use, addresses important privacy concerns and
clarifies the importance of information use to our robust economy. I
look forward to future opportunities to work with the subcommittee as
it studies privacy and information use.
Appendix A--Experian History
------------------------------------------------------------------------
Year Event
------------------------------------------------------------------------
1932...................................... Michigan Merchants Co.,
later known as Credit Data
Corp., is formed to provide
credit-reporting services.
1966...................................... Metromedia acquires
lettershop capabilities and
begins operation of its
direct marketing division
called Metromail.
1969...................................... Conglomerate TRW buys Credit
Data Corp.
1979...................................... Metromedia buys Marketing
Electronic Corp. to provide
list enhancement services
within Metromail.
1981...................................... Direct Marketing Technology,
Inc. is founded in the
Chicago area.
1987...................................... TRW buys Executive Service
Co. to expand into the
direct marketing industry.
Metromail is acquired by
R.R. Donnelly & Sons Co.,
the world's largest
printer.
1989...................................... TRW buys Chilton Corp., a
credit-reporting company
founded in 1897.
1996...................................... TRW sells Information
Systems & Services unit to
a group of investors.
Experian name and logo are
introduced.
Group of investors sells
Experian to The Great
Universal Stores P.L.C., a
British conglomerate.
1997...................................... CCN/MDS is integrated with
Experian North America.
Experian buys Direct Tech, a
leading provider of list
processing, database
marketing, and consulting,
analytical and information
services.
Direct Tech buys Brigar
Computer Services.
Metromail buys Saxe Inc.,
Marketing Information
Technologies, and Atlantes
Corp.
1998...................................... Experian buys Metromail, a
leading provider of
database marketing, direct
marketing, mail processing
and distribution, and
reference products and
services.
2001...................................... Experian buys Exactis, the
global leader in multi-
platform interactive
marketing.
------------------------------------------------------------------------
[GRAPHIC] [TIFF OMITTED] T4846.003
[GRAPHIC] [TIFF OMITTED] T4846.004
[GRAPHIC] [TIFF OMITTED] T4846.005
Notes
\1\ Michael A. Turner, Executive Director, Information Services
Executive Council, The Impact of Data Restrictions On Consumer Distance
Shopping, 2001.
\2\ Ernst & Young LLP, Customer Benefits from Current Information
Sharing by Financial Services Companies, conducted for The Financial
Services Roundtable, December 2000.
\3\ Walter F. Kitchenman, Senior Analyst, Commercial Banking, The
Tower Group, Summary of Tower Group Studies Related to European System
of Opt-In, 1999
\4\ Fred H. Cate, Professor of Law and Director of the Information
Law and Commerce Institute, Indiana University School of Law, Michael
E. Staten, distinguished Professor and Director of the Credit Research
Center, The Robert Emmett McDonough School of Business, Georgetown
University, Putting People First: Consumer Benefits of Information-
Sharing: Summary, December 2000
\5\ Fred H. Cate, Professor of Law and Director of the Information
Law and Commerce Institute, Indiana University School of Law, Michael
E. Staten, distinguished Professor and Director of the Credit Research
Center, The Robert Emmett McDonough School of Business, Georgetown
University, Putting People First: Consumer Benefits of Information-
Sharing, December 2000
\6\ Ernst & Young LLP, Customer Benefits from Current Information
Sharing by Financial Services Companies, conducted for The Financial
Services Roundtable, December 2000.
\7\ Walter F. Kitchenman, Senior Analyst, Commercial Banking, The
Tower Group, Summary of Tower Group Studies Related to European System
of Opt-In, 1999.
\8\ WEFA Group, 2000 Economic Impact: U.S. Executive Marketing
Today Executive Summary, http://www.the-dma.org/library/publications/
libres-ecoimp1b1a.shtml
\9\ Fred H. Cate, Professor of Law and Director of the Information
Law and Commerce Institute, Indiana University School of Law, Michael
E. Staten, distinguished Professor and Director of the Credit Research
Center, The Robert Emmett McDonough School of Business, Georgetown
University, The Value of Information-Sharing, July 2000.
\10\ Walter F. Kitchenman, Senior Analyst, Commercial Banking, The
Tower Group, US Credit Reporting: Perceived Benefits Outweigh Privacy
Concerns, January 1999
\11\ Ernst & Young LLP, Customer Benefits from Current Information
Sharing by Financial Services Companies, conducted for The Financial
Services Roundtable, December 2000.
\12\ Fred H. Cate, Professor of Law and Director of the Information
Law and Commerce Institute, Indiana University School of Law, Michael
E. Staten, distinguished Professor and Director of the Credit Research
Center, The Robert Emmett McDonough School of Business, Georgetown
University, The Value of Information-Sharing, July 2000.
\13\ Michael A. Turner, Executive Director, Information Services
Executive Council, The Impact of Data Restrictions On Consumer Distance
Shopping, 2001.
\14\ Paul H. Rubin and Thomas M Lenard, The Progress & Freedom
Foundation, Privacy and the Commercial use of Personal Information,
July 2001.
Mr. Stearns. Thank you. Ms. Zuccarini, I have a question.
You talk about these myths that you mentioned. You have a
national fraud data base, though, right?
Ms. Zuccarini. Yes, we do.
Mr. Stearns. And why was it established? And isn't it
oriented toward individuals?
Ms. Zuccarini. It is, but that is not a marketing use. It
is not for marketing purposes.
Mr. Stearns. Why was it established?
Ms. Zuccarini. To help prevent identity fraud, and detect
fraud.
Mr. Stearns. And who gets access to that?
Ms. Zuccarini. That would be businesses that have a need
for that. That is not a marketing purpose, and covered under
the----
Mr. Stearns. So a business could subscribe to this? Any
business could subscribe to this fraud data base?
Ms. Zuccarini. I am not positive of the answer to that. I
would have to get back to you. It is in a different division.
Mr. Stearns. Okay. When you go on the Internet, you see
these web sites that say, we go and get credit information. We
go to public courthouses, and we go across the board, and find
all this information, and we compile it. Does your company do
that?
Ms. Zuccarini. We do that in a separate division.
Mr. Stearns. Okay. And then you provide this information
for law enforcement, government agencies, and you say ``other
organizations with legitimate and appropriate need for such
information,'' I think you are indicating.
Ms. Zuccarini. Other qualified users, such as----
Mr. Stearns. Yes. What other organizations would have
access besides law enforcement, government agencies, and how
would they get it?
Ms. Zuccarini. It would have to be a purpose that would be
covered under the Fair Credit, or the exemptions to the Fair
Credit Reporting Act. In terms of examples of users, I believe
I gave some in my written testimony: child support enforcement,
witness look-up and protection, those types of things.
Mr. Stearns. In your testimony, you indicated that Experian
has found that ``rigid rules directing information use are
quickly outdated by today's rapidly evolving technology and
constantly changing consumer and business needs and
expectations.'' You might just help us with what you mean by
that, how it has changed, and you know, what impact that would
have, from our standpoint as a legislator.
Ms. Zuccarini. Experian has five core information values
that we live by and we practice within our business: balance,
accuracy, security, integrity, and communication. We have
privacy compliance teams within each business unit that are
responsible for enforcing these values and the written policies
that support them.
By ensuring that our entire organization is aware of these
five values--in addition to written policies and the officers
that are responsible for making sure that they are employed--
that gives us flexibility in making sure that we are
recognizing whether technologies are advancing, or there are
different needs to protect certain types of sensitive data, for
example.
Mr. Stearns. Okay. Ms. Barrett, you make the point that
``e-commerce has increased consumer product availability. It
has also made consumer recognition more difficult.'' What do
you mean by that?
Ms. Barrett. Well, I will go back to the example I used
earlier of the store owner of 100 years ago, where he knew his
customer because he walked in. Today, many customers buy from
the Internet, they buy over the telephone, or they order
through a catalogue, and the merchant has no opportunity to
interact with that customer beyond the purchase.
That makes it much more difficult for a company to really
understand, beyond what a customer bought, who that customer
is, what they are interested in, what other products and
services might be of likely interest.
Mr. Stearns. Going back to this web site, where you can pay
$35 and find this information that Mr. Doyle talked about--you
know, if a corporation came to you and said, we want to buy
this information, or--you would give him this information, he
might put it on the web site. How do you protect the consumer
whose information you have?
Ms. Barrett. We have a variety of products that are
designed and developed for very specific business purposes. We
do not sell data in bulk to anyone for any purpose. Our
contracts limit what the data can be used for by the purchaser,
and we monitor that to assure that those contractual
restrictions are enforced.
Mr. Stearns. Mr. Ford, you highlight that ``the harm of
using personal information practices for marketing is
minimal.'' Can you describe the harm that such information, I
guess--how can it be misused, or how do you go to protect so
that the marketing information would be misused? Did that make
sense?
Mr. Ford. Let me make sure I understand your question, Mr.
Stearns. Are you asking me to define some ways in which
marketing data might be misused?
Mr. Stearns. You are saying it is minimal. Give me examples
of how it would be misused, and what you are doing to protect
it, so that you don't have that case.
Mr. Ford. I think one example comes in the use of the
information that we have. For example, what restrictions do we
place on who is able to receive that information? We, for
example, have a policy that we do not provide certain data to
insurance companies. We make sure that when a subscriber, or
someone who uses our data, we have policies and procedures in
place that allow us to check and make sure that the information
we have provided is only being used in accordance with the
contract.
We have review authority for any of the copy or the direct
marketing materials that go out. So we are in a position to
take a look at what our customers are doing with the data that
we provide.
Mr. Stearns. You mentioned that you have undergone privacy
audits conducted by Dr. Westin?
Mr. Ford. Correct.
Mr. Stearns. And can you explain how, how comprehensive are
these audits? And what standards do they meet? Is there a seal
of approval or best business practices-type of thing? And what
is the cost of such an audit?
Mr. Ford. Okay, that is a great question, I appreciate your
asking it. Without sounding too flippant, we like to say at
Equifax that we were for privacy before privacy was cool. We
engaged Dr. Alan Westin in 1988 as a privacy consultant for us.
Since that time, he has helped us develop our privacy
policies and our procedures. And he has developed, with our
input, too, a template that we use, that we overlay for each
product or service before it goes out the door. And in fact,
the template has evolved to where it covers issues like notice,
and choice, and access, and security, and the standard fair
information practices that I think we are all accustomed to.
So we have an internal process in our company that forces
our products and services to go through this review before it
goes to the marketplace.
Mr. Stearns. And what does it cost, such an audit?
Mr. Ford. Alan Westin is on retainer, annual retainer to
us. This is part of his consulting assignment for us.
If I might add, too, sir, we also were one of the first
companies to qualify for and earn the Better Business Bureau
Online Privacy seal. So in terms of audit, in terms of
consumers going to our web site--I think the previous panel
mentioned a visible way of generating trust and confidence at
the site; having that seal up there is one way to do that.
Mr. Stearns. Okay. My time has expired. Mr. Towns?
Mr. Towns. Thank you very much, Mr. Chairman. I think all
of you, I think I hear you saying that self-regulation is the
key to your business growth and development. And I trust and do
believe that all of you are good actors and so on, in terms of
you doing things right.
Would your organizations support a bill which would create
financial penalties for companies who commit online fraud and
abuse? Go right down the line, starting with Ms. Barrett.
Ms. Barrett. Okay. We believe that online fraud and abuse
is already illegal, and certainly would support any legislation
that strengthens those penalties.
Mr. Towns. Mr. Ford? I know you say that harm is minimal,
but----
Mr. Ford. Well, I agree with Ms. Barrett that the fraud and
deterrence act that was passed a couple of years ago was a bill
that Equifax supported. I think your larger question might be
would we support further legislation, and I don't mean to put
the question in my words. But it is not a perfect world, and I
don't think there is such a thing as perfect legislation. So
our view, Equifax's view, is that we would like to see self-
regulation be given a chance to run its course. If it doesn't
work, and there is an actual, demonstrated, real harm, then
let's focus on legislation that would address that particular
harm.
Mr. Towns. Yes, I was thinking that the bad actors that
would be punished, while still being held to some kind of
minimum standards. I am a little concerned about not having
one.
Mr. Ford. Again, sir, I would say that if responsible
companies do business with responsible companies, then those
bad actors ultimately are going to be weeded out of the
marketplace.
Mr. Towns. Ms. Zuccarini?
Ms. Zuccarini. I would agree with Jennifer and John, that
online fraud, we believe, is already illegal, and prosecuting
that should definitely be encouraged.
With regard to additional legislation, we too believe that
the record is not yet clear whether there are unintended
consequences that might come from restricting further use of
marketing information, and what the impact might be, both on
businesses and on consumers, in terms of choice.
Mr. Towns. Well, you know, you are right, I mean, it is
illegal. But you know, but it is being done. And I am not sure
how much--you said ``minimal,'' but I am not sure in terms of
how much is going on.
But let me ask this: how secure are your data bases? How
certain are you that you can prevent unauthorized access?
Ms. Zuccarini. Question for me?
Mr. Towns. I am going down the line.
Ms. Zuccarini. Sure, I can take that. We have been
responsible stewards of consumer information for over 50 years.
Making sure consumer information is secure is mission-critical
for Experian.
We have a variety of different security techniques that
range from our general security environment of being password-
protected with encrypted data transfer, to requiring IDs with
security cameras. We have automated system monitoring that
indicates what type of data is being accessed and when and by
whom. We have automated and manual systems that flag when
sensitive data is being accessed, and bring transactions to a
halt until we can actually manually inspect that and approve
it.
In addition to that, we have contractual requirements in
our contracts that state that the data must be used for
marketing purposes; that we have the right to inspect any
communication associated with it. We have the right to audit,
and we do business with legitimate businesses.
Mr. Ford. I don't know that there is much I could add to
that. That covers the gamut for Equifax as well, in terms of
the physical security, in terms of the technological security,
in terms of--maybe one thing I could add is let's remember that
most of this data, even if someone were to be able to get
access to it, most of this data is probability data. It is
characteristics about a particular zip code or geographic area,
for example.
The data is not organized by name. So it is not as if there
is an Equifax direct marketing file for John Ford, and there is
this little pigeonhole, and all this data about me is in there.
The file is not organized that way.
Ms. Barrett. I would concur with the comments from Mr. Ford
and Ms. Zuccarini. I might add that Acxiom also employs
external auditors, security auditors, to come in on a regular
basis to test our processes and our systems to make sure they
are current with technology and the latest security updates.
Mr. Towns. Right. Is any opportunity provided for a person
to make a request, that I would like to come in and review, you
know, my files with you? Is it possible for that to happen?
Ms. Barrett. We do not provide access to our marketing
information. Our systems are not designed in a way that you can
go in and look up information on one individual. If a consumer
contacts us and is interested about what information we have on
them, we tell them what types of information we might have in
the data base, and if they are uncomfortable with that, we
offer them the opportunity to opt out of that data base.
Mr. Ford. Again, Mr. Towns, the data base is not organized
by name and address. So it would take a programmer to go in and
obtain the personally identifiable data, name and address, and
then associate the characteristics that we ascribe to that
person in some kind of file. So yes, it can be done, but it is
not a feasible process at the moment.
Ms. Zuccarini. I would echo their comments. First of all,
our data is not in any single giant data base. It is in
multiple places. We have no mechanism as well to provide
access. If a consumer comes to us with questions about
information we may have about them, we also describe the type
of information that we have and offer them the opportunity to
opt out.
Mr. Towns. Well, let me make sure I understand this. I
mean, this is a complicated issue.
Ms. Zuccarini. Yeah.
Mr. Towns. Okay. I'm happy that I'm not alone.
If you don't have it by individual, how can a person opt
out?
Ms. Barrett. The data is actually stored in large files
that are not accessible by individual record.
Mr. Towns. Then how can I opt out?
Ms. Barrett. The files are updated and maintained on a
batch basis. And the ability to opt out occurs when maintenance
transactions are applied to those files. It is not a look-up
type of service that allows you to go retrieve the data on an
individual.
Mr. Ford. If I can interject, I think maybe another way to
look at it is the outcome of the process by which a customer of
ours obtains data is a list of name and addresses. Before that
list goes anywhere, we run it up against any opt-out list--our
own, or whether it is the Direct Marketing Association's list--
to take those names out at the back end of the process. That is
how people can opt out.
Mr. Towns. I guess by now you know that there is a
tremendous amount of pressure from a lot of us, from our
consumers, you know, to really take a very serious look at this
and do something. And there are complaints; every time I have a
town hall meeting, you know, I always get one person--and the
funny thing about this is that one person can tell a story and
there comes a situation where everybody wants to top it. And
this goes on, and it gets bigger and bigger.
So it is at the point where I really feel that Congress has
to take some kind of action. And I am happy that the chairman
is moving very slowly, because I wouldn't want to just jump and
do something. We are hearing from a lot of folks; I think that
is important.
But eventually, I really feel that we will have to take
some kind of action. And I don't want to do anything that is
going to jeopardize any company's ability to continue to grow
and to expand. But at the same time, we need to reassure our
consumers, the clients out there, and our constituents, that
there is this kind of protection in terms of privacy.
Every now and then things happen. I will give you an
example. I played at a golf course not too long ago. I mean, I
don't even play a lot of golf; I just signed up, went out there
and banged away. And now I am getting all this material. Now, I
realize that it is from playing at that golf course.
I don't want this material. I don't want anything. I don't
want to know anything about it, because I don't ever plan to go
back there again. So, you know, these are the kinds of things
that when you hear this, you know that these things are going
on.
And I don't question for a moment the fact that you are
doing the right thing. But my problem is, is with those that
are not doing the right thing, and that I am not sure the
penalties are great enough, or strong enough, to really give
the kind of protection that we need to give.
And that is where I am coming from. I don't question
anything you have said today in reference to your companies. I
do believe you are doing the right thing. But you must know,
too, there are some folks out there that are not doing the
right thing, and that is our problem. That is our problem. And
they make it bad for you as well.
Mr. Chairman, on that note I yield.
Mr. Stearns. Okay. We can go a second round. I just have
some illustrative points along where my colleague from New York
brought this discussion. Experian has, in Appendix B to their
testimony--and I just want to list some of the things that they
seek, in terms of marketing data.
They go to public records, and they go to white page
telephone listings, to get information. And then they go to
real estate information--your home ownership, the type of home
you have, the characteristics. They go to voter records--name,
address, date of birth. They go to occupational licenses, State
professional licenses, whether it be medical, attorney,
cosmetology. Then they will go to recreational license, to see
if you have a fishing license or a hunting license.
Then, if they have back from you a card that you have
filled out--perhaps you filled this card out because you want
to get a new car, or you want to get a free gift--they would
have lifestyle information. They would have, you know, things
that you enjoy--whether it is sports, music, investing,
hobbies, great outdoors, world environment. And then it gets to
your age, your marital status, gender, home ownership, number
of children. And they ask for an estimated home income.
Now, you take all that information and you try and
correlate it with the census information, which doesn't have
the name, but does have a lot of information that you filled
out. You can get a pretty good picture of a person. Am I wrong?
Is that true, that with this kind of data base, that the
Americans who are, I think, unaware of the kind of information
that you would have--and you say it is not for individual, but
it is provided with a name with it.
Ms. Zuccarini. That is correct, it is. It is demographic,
lifestyle, and interest information. And the lifestyle and
interest information is either self-reported or public record
data.
Mr. Stearns. Now, let's say I want to get a copy of
everything you have on me. How would I do it?
Ms. Zuccarini. We wouldn't provide that to you, because we
have a policy of not providing data to individuals.
Mr. Stearns. Okay. Yet you could sell that information--and
I am not being critical; I am just exploring this for whoever
is interested. A non-profit organization could come to you and
say, you know, I want to buy this from you. You would sell it
to a not-for-profit organization, wouldn't you?
Ms. Zuccarini. We would sell a list.
Mr. Stearns. A list?
Ms. Zuccarini. Of no less than 50. Our systems don't even
return a list of under 50.
Mr. Stearns. Okay. And so I would have to specify all these
lifestyle characteristics and the information in here to get
the list? But you would not provide individual names correlated
with all this information?
Ms. Zuccarini. We would provide a list back to you that had
a list of people that satisfied your request for different
lifestyle interests.
Let's say, if you were interested in selecting people that
enjoy cooking, because you have a cooking catalogue, you would
get back a list of individuals that enjoy cooking.
Mr. Stearns. So I could come to you and say, okay, I want
somebody who is making between $50,000 and $100,000 who is
interested in rhythm and blues music, who enjoys skiing, who
has a fishing license, and attends church, and also interested
in gardening, and is married with three children. You could
come back with a list?
Ms. Zuccarini. We could come back with a list, yes.
Mr. Stearns. And you would give me names?
Ms. Zuccarini. We would. So you could send an advertising
offer to them. For marketing purposes.
Mr. Stearns. Now, let's say a person is in your data base
and he or she wants to get out of that data base. How do they
get out?
Ms. Zuccarini. A variety of different ways. We honor the
Direct Marketing Association mail preference service and
telephone preference services and e-mail preference services,
which are widely publicized, which allow people to go directly
to the DMA--they don't even have to contact us.
We publicize, on our web site and with a toll-free phone
number, that you can call, if you would like to remove yourself
from our mailing list. In addition, we provide consumer
advocate groups, legislators, States' attorney general's
offices, a variety of different groups, with an extensive
consumer outreach program, where we outline the steps that you
can take to remove yourself from our marketing information
list.
Mr. Stearns. Okay. What would be your worst nightmare? For
example, Ms. Barrett, your company makes most of its money
dealing with the management of these data bases. And I assume,
certainly Experian is, you're owned by Europe, by a European
company.
Ms. Zuccarini. We are owned by Great Universal Stores.
Mr. Stearns. Yes, so you are over in Europe. Does that mean
you are complying with the European Internet privacy----
Ms. Zuccarini. Our international operations are largely
autonomous. We are compliant with the country laws in Europe.
We have not subscribed to safe harbor.
Mr. Stearns. You have not subscribed?
Ms. Zuccarini. No, we have not.
Mr. Stearns. But since you are a European Union company, I
would think you would have to comply.
Ms. Zuccarini. Our U.K. operations, our international
operations. I am talking about Experian Marketing Solutions,
the organization that I am representing today here in the U.S.
Mr. Stearns. Oh, okay. Okay, I see that. So the worst
nightmare would be, Ms. Barrett, for your company, is if the
Federal Government came up with this Internet privacy
legislation like the European Union's, so that your data bases
would be affected, don't you think?
Ms. Barrett. Well, in that we operate in five countries in
Europe as well as here in the United States, we appreciate the
differences between the European law and the U.S. law.
Mr. Stearns. Right. I am just trying to help you out. You
are trying to tell us as legislators, please, Mr. Legislator,
don't do this, because this would harm us because we get most
of our income from the management of these data bases. So I am
just trying to understand from your point of view, as I try to
understand for consumer groups--when they come in here, I ask
them the same question: what is the thing that concerns you
most? What should I do as a legislator, and Mr. Towns, and so
on?
And so I am asking you, what would be your concern if we
developed an Internet privacy bill that would, you know, do
something with the data bases that you manage?
Ms. Barrett. If it restricted the flow of information for
legitimate businesses to use for marketing purposes, then not
only Acxiom but our customers, and ultimately the consumers,
are going to have serious economic impacts. A number of studies
show the variety of economic benefits and savings that our
customers, through the use of our data, get. An apparel study
showed that somewhere between 3 and 11 percent, if you
restricted in the way that the Europeans have, some of the
data, the costs in the apparel industry would go up between 3
and 6 percent. We view that really as a means of taxing the
consumer to pay for the lack of economic benefit that we enjoy
today.
Mr. Stearns. Mr. Ford? Either one of the other panelists
would like to comment, what would be your worst nightmare?
Mr. Ford. I haven't given it a great deal of thought. But
in the past minute, I would have to say that probably mandated
opt-in--and I am speaking about off-line and online.
Mr. Stearns. Now, there are a lot of people that want to do
a mandated opt-in. Particularly with financial and medical
records.
Mr. Ford. Well, that is a different story, because in the
direct marketing business that we are talking about, we don't
have financial records or medical records. We are only talking
about the kind of direct marketing information that we have. I
think what you are about ready to refer to is ailment data that
is self-reported by the consumer.
Mr. Stearns. The problem is that people say, well, just
financial or medical information is sensitive. But if you take
all this information that I mentioned here, in terms of the
lifestyle, and then you combine that with public records and
telephone directory information, and then the census
information that I can glean from your neighborhood and where
you live, you come up with some pretty sensitive information
about individuals. And maybe people want to be able to opt in.
Mr. Ford. Well, I would ask that you remember, sir, that
the kind of information that is sensitive there is self-
reported information. It is not information that my company
goes out and gleans from someplace.
Mr. Stearns. No, I understand.
Mr. Ford. So there is a built-in--there is a built-in opt-
in, if I am filling out----
Mr. Stearns. Because they volunteered?
Mr. Ford. Because they volunteered the information. And we
make it possible for them to opt out of what they have opted
into. They can come back later on and say, no, I want to take
that back.
In fact, on our web site, which conducts this same kind of
survey, there is a double opt-in. They fill out the survey,
they are asked if they are comfortable with it, if they really
want to send it. They hit the button, yes, they do, we come
back at them and say, ``Are you sure?'' And then, each time we
ask them to fill out the survey again, they have the ability to
unsubscribe.
So I submit that the sensitive information, such as it is,
is voluntarily provided.
Mr. Stearns. Anything you would like to add to that? What
your worst nightmare is?
Ms. Zuccarini. My worst nightmare? I have many nightmares,
but my worst one is mandated opt-in, because I think what we
are doing then is setting the default standard for the majority
of the population, whether we are looking at opt-in or opt-out.
And if we are looking at opt-in, then we believe that that
default standard will be not so much a sincere concern about
protection of privacy, but may be as a result of consumer
inertia, people not wanting to respond back affirmatively. And
we are concerned about the potential unintended consequences,
again, both economically and to consumers in terms of less
choice, higher prices, and less competition.
What you would start to look at in that case is an extreme
challenge for a new market entrant or a small business to
actually be able to compete and advertise effectively.
Mr. Stearns. Yes, Mr. Ford?
Mr. Ford. May I make one more comment about that, sir?
Mr. Stearns. Sure.
Mr. Ford. I think that we are all in agreement that we want
consumers to have informed choice. And we do both; at Equifax,
we provide the ability for consumers to opt out of this data
off-line, and we provide online the ability to opt in.
But I think there are a number of national surveys who have
kind of segmented the American population into a group that is
called privacy fundamentalists, a group that is probably 20
percent or so, maybe more, 20, 25 percent, at one end that are
privacy fundamentalists. At the other end, you have the privacy
unconcerned, maybe 15 percent.
Mr. Stearns. Libertarians.
Mr. Ford. And then in the middle, you have got this 55
percent that are the pragmatic middle. So we need a system that
satisfies the needs of that full range of people who want to
have different choices.
By making opt-in the default mechanism, we satisfy probably
the privacy fundamentalists, and we disenfranchise the other
two-thirds who may want to see those offers. They may want to
become informed citizens by receiving these offers. So my
argument is, let's go with an opt-out mechanism. It still
protects the fundamentalists who want to not receive any more,
and it offers the choice to the other two-thirds.
Mr. Stearns. Well, I think--Mr. Towns?
Mr. Towns. Yes. Well, you know, I want to go back to the
bad actors. You know, they are out there. What should we do
about them? Because what is going on now is really not working.
It is not that effective. So what do we do to sort of address
that issue? Other than pray?
Mr. Ford. That, too.
Ms. Barrett. Mr. Towns, I think we have--if there is any
area for criticism, both of the government and of industry, is
that we have not done a good job of educating the consumer
about not only what their choices are, but how to watch out for
bad actors.
There are many things that industry is working on in that
regard. I think individual companies need to take the
initiative as well. We have produced a booklet called ``What
Every Consumer Should Know About the Use of Personal
Information.'' It is available on our web site. We would love
to have it distributed by anyone who wants to distribute it.
I think that we have an obligation and a responsibility to
consumers to tell them about not only the valuable uses of
information, but the tools and choices that they have at their
hands, so that those that do want to exercise them can.
Mr. Towns. The accuracy in your data base, do you feel
comfortable with that? In terms of the accuracy, do you think
it is very accurate?
Ms. Barrett. We strive very hard to make the data in our
data bases accurate. And in our interactions with consumers, we
actually have consumers that contact us and have learned that
it is inaccurate, and give us corrected information. So we are
always striving to keep the data accurate and current.
Mr. Ford. Perhaps a better word for us is, is the data base
reliable? Is it predictive? Can our customers use it reliably
to make sure that they are sending the kind of offers to the
kind of people who are interested in receiving those offers?
And I think our data bases are highly reliable.
Ms. Zuccarini. We would concur with that as well. We put an
enormous amount of resources and effort against making sure
that the information is as accurate as we can make it, and
making sure as well that it is reliable, so that businesses,
again, can try to determine whether consumers are interested in
receiving marketing offers.
Mr. Towns. Mr. Ford and Ms. Zuccarini, I still want to get
your views and feelings on what we should do about these bad
actors.
Ms. Zuccarini. Can I comment on that?
Mr. Ford. Go ahead.
Ms. Zuccarini. Yes, again, our first recommendation would
be, make sure that we are strictly enforcing the existing laws.
There are, I believe, eight laws at least that currently govern
the type of marketing information that we are discussing today.
In addition to that, we have very strict self-regulatory
guidelines through our trade organizations, and our clients are
members of those. And to make sure that we are doing that, and
really step up the enforcement.
The second thing would be to echo what Ms. Barrett said
with regard to consumer education. We need to do a better job
of making sure consumers understand how to recognize bad
actors, and how they can contribute to making sure that they
are no longer in business.
Mr. Ford. I look at it as a three-pronged initiative, or
three sets of responsibilities. Business has a responsibility
to educate consumers about the products and the services, and
the technologies that are out there that they can use to help
them protect their privacy.
Government has a responsibility in two ways. No. 1, to
enforce the laws that have already been enacted. And No. 2, I
think that on the political side, that peeling this onion,
which this series of hearings is really trying to do, to
understand the complexities of this issue, is very, very
important to making good public policy. And that is what you
are doing, and I very much appreciate that.
On the consumer side, though, they have an obligation and a
responsibility, I think, as well, to make themselves informed
consumers; to take advantage of the information that is out
there, the products, the technologies.
And there is also something known as the teachable moment:
to send out some educational material to a consumer who is not
at a teachable moment is not very effective. So finding those
opportunities when consumers are, if not eager, at least
willing to learn more, is a task that business must set itself,
too.
Mr. Towns. Thank you very much. Thank you, Mr. Chairman.
Mr. Stearns. I thank my colleague. We will complete the
second panel. We want to thank you, again, for waiting for us.
We had a very good hearing, and I think, as you pointed out,
that we are moving incrementally to try to understand this very
broad and significant and comprehensive area. And we thank you
again for testifying.
And the subcommittee is adjourned.
[Whereupon, at 12:55 p.m., the subcommittee was adjourned.]
�