Considering Consumer Privacy

Access Enhances Openness and Accountability

Chris Jay Hoofnagle, Deputy Counsel
Electronic Privacy Information Center


Introduction

Fair Information Practices are principles that set out the rights and responsibilities of data subjects and data collectors. They are widely regarded as a fair approach to placing individuals in greater control of their personal information while allowing responsible use of data by governments and companies. Fair information practices are incorporated in many privacy laws at the local, state, federal, and international levels. They take the form of eight data guidelines, or principles, for addressing the collection and maintenance of personal information. One of these guidelines, access, ensures that individuals can inspect personal information held by others and enables individuals to demand a measure of accountability on the part of those who process or maintain personal information. As Congress considers privacy legislation this session, it should incorporate a right of access in privacy statutes in order to ensure fairness and accountability.

The Right to Access

Access encompasses an array of rights that empower the data subject and ensure more accuracy in databases. First, access guarantees that data subjects have the right to view the information that is stored about them. Second, it ensures that individuals are aware of all the databases that are used to catalog consumers. This prevents the creation of secret databases or other systems of records that can be used unfairly. Third, it gives individuals an opportunity to correct errors or to supplement incomplete information. Last, access provides an audit function. That is, individuals can determine what other entities have received or used their personal information. Combined, these four rights place the individual in a better position to pursue those who misuse personal information. They also allow consumers to make more informed decisions about the privacy practices of different companies.

A statutory right of access exists in most federal privacy laws. Beginning with the Fair Credit Reporting Act (FCRA) in 1970, Congress required credit bureaus to give individuals access to their entire file. This approach was followed subsequently in the Privacy Act[1], Freedom of Information Act[2], and in the Family Educational Rights and Privacy Act[3]. Individuals regularly use these laws to obtain personal information stored in federal systems of records, and in records held by both private and public schools. Privacy law affecting the commercial sector developed after 1970 continued to include access provisions. Privacy provisions in the Cable Communications Policy Act[4], the Telecommunications Act of 1996[5], the Children's Online Privacy Protection Act[6], and the rules implementing the Health Insurance Portability and Accountability Act[7] afford individuals access to their personal information.

Barriers to Consumer Access

Unfortunately, despite the rights granted in the statutes listed above, individuals do not have a general right of access to marketing and many other databases. Data aggregators and others in the profiling industry have opposed a broad right of individual access to personal information stored in their databases. Sometimes this opposition is grounded in legitimate concern. For instance, proper security requires that access be limited only to the data subject or to another person with proper authority. If access is provided too readily, a malicious actor or a snoop could obtain the personal information of another.

This legitimate concern, however, is undercut by the ease with which credit reporting agencies are willing to provide access to personal information to businesses. When an individual wishes to obtain her own file, a credit reporting agency requires a whole array of personal information and a copy of an identification document, such as a driver's license. The same high standard is not applied to businesses or other users of credit reports. For instance, one of the most common complaints of consumers under the FCRA is that businesses are making impermissible pulls of the credit report. Frequently the complaint is made that the business only had access to the consumer's name or address, and did not have proper authority to pull the report. In other words, there is no parity between the amount of information that a consumer needs to provide in order to receive a copy of the report and the amount of information that is typically provided by a business in seeking reports. Simply put, a business should have to provide the same quality and amount of information that a consumer must provide in order to gain access to a report.

Similarly, the database marketers complain that consumer access creates difficult security problems, but the same companies sell entire lists of personal information over the Internet. Many lists of personal information can be purchased without any demonstration of need or intended use. These lists usually sell for less than $100 per million names. This industry cannot legitimately say that consumer access is impracticable for security reasons and at the same time sell the information to total strangers.

The true barrier to reasonable consumer access is that the database marketers do not want the public to know how personal information is used. The big credit reporting agencies all operate database-marketing businesses that slice and dice individuals into categories that many would find objectionable.[8] For instance, Claritas divides individuals into fifteen different groups, which are in turn categorized into various subgroups. These include Pools & Patios, Big Fish Small Pond, Shotguns and Pickups, and Urban Cores.[9] The assumptions drawn on these categories of people often can be racially-charged and objectionable. They also can catalog populations of people who are at-risk for hate crimes or other stigmatization. For instance, PlanetOut.com sells lists of consumers identified as homosexual.[10] Experian sells databases with the names, addresses, and other personal details of racial and ethnic minorities.[11]

Aside from lifestyle categories that may be objectionable, access would also allow individuals to see how the database marketers have assigned certain individuals attributes that are objectionable. For instance, Experian sells a list of people believed to be suffering from bladder control problems.[12] Similarly, the Medical Marketing Service sells lists of individuals suffering from breast cancer, yeast infections, constipation, and a whole host of other maladies.[13] Other companies sell databases of information relating to individuals' lifestyle habits, reading preferences, and even religion.[14] If consumers had greater access to these databases, they would likely be shocked to see how these companies categorized them and how this sensitive personal information could be sold to others for marketing purposes.

Access is likely to draw attention to many of the most privacy-invasive and objectionable marketing practices. With full information about these practices, consumers will have a better opportunity to avoid companies that feed profiling databases.

The Need for Access to Credit Scores

The FCRA was enacted in order to ensure that credit reporting agencies followed reasonable procedures to guarantee the accuracy, privacy, and fairness of the credit system. A major purpose of the FCRA was to make the credit system transparent: the statute specifies that individuals should have access to their entire credit file. But fairness and transparency have been diminished in recent years through the rise of credit scoring. Credit scores are used by many businesses to evaluate risk, set interest rates, and even to make hiring decisions. The scores range from a low of 400 to a high of 800 points.

Individuals do not have a right to access credit scores under the FCRA. Neither do they have the right to discover the algorithm used to judge their credit risk. These limits on transparency are in direct opposition to the transparency and fairness that the FCRA is supposed to protect.

According to a new report by the Consumer Federation of America (CFA) and the National Credit Reporting Association (NCRA), millions of Americans may pay more for their home loans and insurance, and may be denied other opportunities because of errors or inconsistencies in credit scores.[15] The CFA and NCRA analyzed 500,000 credit scores and more than 1,700 credit reports from all three major credit bureaus. The groups found that credit scores varied an average of 41 points. Individuals on the edge of the sub-prime lending market would be affected by this variance greatly. A home loan applicant improperly classified in the sub-prime market could receive a 9.8% interest rate rather than a 6.5% one, resulting in an enormous increase in interest payments over the life of a mortgage.

Conclusion

When Congress considers privacy issues this session, it should carefully consider how improvements in access can put individuals in a better position to evaluate privacy practices, to enhance transparency, and to provide accountability. Congress should continue the tradition set by the FCRA and other privacy legislation, and continue to include broad rights of access to data for consumers.

Notes

[1] 5 U.S.C. § 552a(d).

[2] 5 U.S.C. § 552.

[3] 20 U.S.C. § 1232g(a)(1)(a).

[4] 47 U.S.C. § 551(d).

[5] 47 U.S.C. § 222(c)(2).

[6] 15 U.S.C. § 6502(b)(1)(B)(iii).

[7] Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 through 164 (2000).

[8] EPIC maintains a comprehensive site on consumer profiling online at http://epic.org/privacy/profiling.

[9] The Claritas Prizm and MicroVision clustering services are online at http://cluster2.claritas.com/yawyl/default.wjsp?system=wl.

[10] Meet Your Best Customer, PlanetOut Partners, at http://www.planetoutpartners.com/sales.html (last visited Jan 20, 2003).

[11] Experian List Services Catalog (on file with author).

[12] Id.

[13] Consumers By Ailment, Medical Marketing Service (on file with author). This list has been removed from the Internet, but is still available via the Google Cache: http://216.239.53.100/search?q=cache:kkd1orzu204c:www.mmslists.com/consumers_by_ailment_counts.htmÖ&hl=en&UTF-8.

[14] A number of companies sell religious affiliation information, including the Post-Newsweek company's "Catholic Subscriber" database, which is described online at http://dmipublic.directmedia.com/datacard/dmicards/dmi/47/dm47610.stm.

[15] Credit Score Accuracy and Implications for Consumers, National Credit Reporting Association and the Consumer Federation of America, December 2002, at http://www.ncrainc.org/documents/cfa%20ncra%20credit%20score%20report.pdf.


Copyright © 2005 by Center for Democracy and Technology.
The content throughout this Web site that originates with CDT can be freely copied and used as long as you make no substantive changes and clearly give us credit. Details.