Back to www.cdt.org                    
  IMAGE MAP
CDT's data privacy page
Considering Consumer Privacy

Consumer Privacy in the 108th Congress

Robert Ellis Smith, Publisher
Privacy Journal

Consumer Privacy in the 108th Congress [pdf]

Credit reporting

There may be a false alarm circulating around the Capitol in early 2003: that the Fair Credit Reporting Act (FCRA) will expire in 2003 if not renewed.

Not true. The FCRA is the original privacy protection law in the U.S. (1971) and the most important one currently on the books. The notion that it will expire at the end of 2003 is not true. What is true is that amendments to the law enacted in 1996 preempted state action in certain, discrete areas. Those limited preemptions sunset (expire) Jan. 4, 2004. As far as privacy and consumer advocates are concerned, Congress need do nothing. Doing nothing would allow states (1) to limit prescreening of consumer records by credit bureaus (without notice to the consumer) before credit-card solicitations are mailed; (2) to limit sharing of credit information among affiliated companies (for instance, between an insurance company and a bank owned by the same holding company), and (3) to set timetables for credit bureaus to process consumers' requests for correction. States already have the authority to mandate that a person may see one's own credit report for free, and six states do so. (Federal law permits a credit bureau to charge up to $8 in most situations, but not if a person has been denied credit).

Representatives of the credit-reporting, banking, and credit-card industries are using this opportunity to try to expand the list of provisions in the FCRA that preempt action by state legislatures. This is a way of banning states from enacting stronger protections against the disclosure of account information by financial institutions (like opt-in laws). The 1999 Financial Modernization Act (Gramm-Leach-Bliley) invited states to enact stronger protections for the release of bank-account information to marketers and others. No state has done so, although California is close to doing so in 2003. About a dozen states have preexisting laws that provide a higher level of protection for bank information than in Gramm-Leach-Bliley (GLB). GLB permits unlimited disclosures to affiliated companies and virtually unlimited disclosures to unaffiliated companies.

The U.S. Public Interest Research Group, which along with Consumers Union is the major public-interest group advocating meaningful privacy and consumer-oriented protections, expects industry lobbyists to seek federal legislation overturning two appellate court decisions in Washington, D.C., against Trans Union, one of the three nationwide credit bureaus. One appellate decision denied that a restrictive Federal Trade Commission interpretation of the financial modernization law of 1999 (GLB) violates a credit bureau's right of free speech. Trans Union v. FTC, 472 U.S. 749 (2001). The other decision upheld the FTC's order to Trans Union not to extract personal information from credit reports and sell it for marketing purposes. Trans Union v. FTC, 245 F. 3d 809 (2001).

A long list of consumer-oriented groups would like Congress to enact legislation overturning a 2001 Supreme Court decision saying that a consumer must sue within two years of finding an error in his or her credit file. TRW Inc. v. Andrews, 534 U.S. ___, reversing 225 F. 3d 1063 (9th Cir. 2000).

The general rule is that a person must sue within two years of discovering an error, but the court found that Congress had tweaked the statute of limitations provision when it amended the FCRA in 1996 and intentionally chose not to begin the two-year period upon discovery. It's a harsh rule, especially for victims of theft of identity, who usually do not know that they have been victimized until many months later when they inspect their credit file. There is no reason that in credit reporting the general rule should not apply: that a person may sue for a tort within the statutory period of discovering that he or she has been the victim of a tort (or, in this case, a violation of the FCRA).

Telemarketing

The Federal Trade Commission (FTC) announced in December its anticipated decision to create a do-not-call list, which telemarketers will have to purchase and abide by. The list will include names and telephone numbers who have told the FTC that they wish to receive no telephone sales calls. The FTC said that it had authority to create the list under the Telemarketing and Consumer Fraud and Abuse Prevention Act of 1994, which authorizes the commission to regulate telephone sales to residences. The Federal Communications Commission announced in 2002 that it too may create a do-not-call list. Nearly half the states have government-run do-not-call lists.

In 1991 Congress included a government-run do-not-call list in final drafts of what became the Telephone Consumer Protection Act, which limits automated telephone calls and bans unsolicited fax messages. But the government-run list was deleted at the last minute and instead the law requires telemarketers to maintain and consult their own do-not-call lists. Because Congress opted not to create a government list and because the FTC's authority may not be definitive, a legal challenge from a telemarketer can be anticipated. Therefore, it would be wise for Congress to amend the 1991 act (47 USC 227) and authorize a do-not-call list within the federal government. After all, under its current authority, the FTC has no jurisdiction over many entities that conduct significant telemarketing Ð banks, insurance companies, charities, institutions of higher education. These do-not-call lists have proven very popular with the public. Missouri, for instance, had half a million households sign up in the first six months; the list now exceeds one million, which may be half the households in the state.

Internet

The 108th Congress will be asked to consider legislation similar to proposals introduced in the previous session to regulate privacy protection on the World Wide Web. Sponsors were House Commerce Committee Chair Billy Tauzin, Rep. Cliff Stearns, and Sen. Ernest F. Hollings, ranking member of the Committee on Commerce. The proposals would make companies and other groups disclose somewhere on their Web sites what they do with customers' personal data.

Currently, the Federal Trade Commission enforces fairness and truth-in-advertising online just as it does offline. In other words, if a Web site promises a certain privacy protection or a certain limitation on its handling of personal information and then violates that pledge, the FTC has regarded that as a violation of existing fair trade laws.

But the Federal Trade Commission Act does not cover all entities that have Web sites collecting sensitive personal data (like banks, insurance companies, utilities, charities, universities). Further, FTC enforcement of the act does not include any requirement that a Web site have a privacy policy. It requires only that once a company has a Web privacy policy it must abide by it or face possible enforcement action. The question is: should a new federal law compel companies doing business on-line to have privacy policies and to limit their disclosure of personal information to third parties like marketers, business partners, contractors, and government agencies?

Many business representatives will say that business online has not been as robust as it might be precisely because consumers do not have confidence that the personal information they leave behind will remain confidential. Other business lobbyists continue to insist that voluntary compliance will result in adequate protections.

Privacy advocates are not unanimous on whether federal legislation is advisable. Those who do believe that protections are necessary say that secondary uses of the data are essentially unfair if the consumer has no say in the matter. Further, the disclosures lead to commercial exploitation, like additional telephone solicitation and unwanted email ads. The possible manipulation is even more extensive: Simply visiting a Web site can expose an individual to manipulative online advertising (through cookies). Simply using a search engine on a particular topic can do the same. Search engines are not operated as eleemosynary organizations; they expect revenue from all the hits they generate. Beyond that, the easy availability of this information (which often can include home addresses, ages, gender, children's names, and Social Security numbers) makes it accessible to stalkers and other potential criminals.

The question then becomes whether guaranteeing (by a new federal law) an individual an opportunity to just say no (opt-out) to these secondary disclosures is adequate. It's certainly feasible to make disclosure the default on a Web site and obligate the visitor to click no to opt out of the disclosures. But many privacy advocates insist that the default ought to be non-disclosure, so that a Web site must affirmatively get consent. The fact is that opt-out on a Web site is cumbersome, obscure, and often deceptive.

Surely opt-in (consent) ought to be required for gathering and disclosing more sensitive personal data (like medical records, bank-account records, personnel records, prescription records, and certain family information); but there are currently no federal requirements for opt-in, or even opt-out, in any of these categories.

Consequently, other privacy advocates Ð including this writer Ð believe that federal legislation on Internet privacy will create an imbalance. An elitist imbalance. Persons who use the World Wide Web will have a higher degree of protection than those who use retail stores, medical facilities, financial institutions, or drug stores or who are included in employee records. Already, Congress has created a higher level of protection for cable TV records and video-rental records than for medical records, bank-account information, prescription information, or personnel files! Federal Internet privacy legislation would reinforce this illogical imbalance.

Fair Information Practice

Instead, Congress should seek to establish uniform standards for the collection and use of personal information in all of these sectors, by imposing the widely accepted Code of Fair Information Practice on these sectors. Personal information ought to be protected according to the sensitivity of the data not based on the electronic format of its collection (whether online or offline).

Employee Privacy

Next, Congress should scrutinize the collection and use of personal information by employers and determine whether the abuses and potential abuses merit federal legislation, before a crisis erupts. No laws Ð state or federal Ð limit in any way what a company may disclose about an employee.

Video monitoring

Further, Congress should investigate the extent of video monitoring in public and private places and devise safeguards affecting both municipal surveillance and video voyeurism by private parties. Who is paying for the cameras in urban areas and on interstate highways? How are the cameras used? What retention policies, if any, affect the videotapes? What privacy policies or other protocols, if any, have been drafted to cover the monitoring? Is TV monitoring effective? Has it solved crimes or prevented crimes or made communities safe from terrorism? Does the technology actually work? (Prior to the terrorist attacks in 2001, every single community that installed the cameras discontinued them. That includes New York City.)

With regard to video voyeurism, what crime is committed when a person takes a covert videotape of another person and uses it for private viewing? What crime is committed when a neighbor or someone else (with authorized entry into a home) installs covert video equipment in a person's home without consent? Prosecutors have not found adequate language in state laws to prosecute these offenses fully.

Policy makers and the public have no answers to any of these questions currently.

Federal legislation in Canada and provincial legislation in Ontario have proven that privacy protections can apply to video monitoring and that they go a long way in reassuring law-abiding citizens that their freedoms while out in public will not be curtailed because of ubiquitous video monitoring of dubious usefulness. Since September 2001, communities in the U.S. have chosen to ignore the proven costs of and (lack of) benefits of video surveillance. That has not happened in Canada.

Most important, a Congressional investigation should seek to answer the ultimate question: What has been the effect of video monitoring on American life and on the values of a democracy?

Free Speech | Data Privacy | Government Surveillance | Cryptography | Domain Names | International | Bandwidth | Security | Internet Standards, Technology and Policy Project | Terrorism | Authentication | Right to Know | Spam
Navigation bar
Our Mission / Get Involved / Staff / Publications / Links / Search CDT / Jobs / Action!
Previous Headlines | Legislative Tracking | CDT's Privacy Policy
  The Center For Democracy & Technology
1634 Eye Street NW, Suite 1100
Washington, DC 20006
(v) 202.637.9800
(f) 202.637.0968
Contact CDT

Copyright © 2005 by Center for Democracy and Technology.
The content throughout this Web site that originates with CDT can be freely copied and used as long as you make no substantive changes and clearly give us credit. Details.
CDT Mission Get Involved Staff Policy Posts Resource Library Search the Site Jobs Take Action