Consumers Union(1) appreciates the opportunity to testify before the Subcommittee on Commerce, Trade,
and Consumer Protection. This hearing on An Examination of Existing Federal Statutes Addressing
Information Privacy provides a needed forum to discuss the lack of meaningful privacy protections for
American consumers.
The first part of this testimony discusses privacy in general. The second part goes into greater detail on
specific issues: online privacy, children and student privacy, subscriber privacy, financial privacy, and
medical privacy.
THE STATE OF PRIVACY
Consumers are fed up with aggressive intrusions on their private lives. Often a consumer is forced to
provide personal information to obtain products or services. Many times information that has been provided
for one purpose is then used for another reason, unbeknownst to the consumer. Financial institutions,
Internet companies, and marketers have been caught crossing the line.
Some members of Congress are not only shining a spotlight on privacy, but also working to ensure that
consumers are told about how and why personal information is collected and used, provided access to that
data, and given a choice in the matter. But real protections have been slow in coming.
Instead, the right to be left alone appears to have been trumped by the pressure exerted by businesses to
protect and expand their ability to gather personally identifiable information from consumers. No part of life
is left untouched by data collection activities. Financial and medical records, what you buy, where you shop,
your genetic code, are all exposed in a privacy free-for-all. Complete strangers can, for a price, have access
to your most intimate secrets.
This means that consumers have lost control over their ability to be left alone. Often, consumers have no
choice in whether or not information is collected and no choice in how it is used. Today, any information
provided by a consumer for one reason, such as getting a loan at a bank, can be used for any other
purposes with virtually no restrictions.
Do consumers care? You bet they do. According to a Forrester Research survey of online users, 67 percent
said they were "extremely" or "very" concerned about releasing personal information over the Internet. It is
estimated that those fears may have resulted in as much as $2.8 billion in lost sales for Internet retailers in
1999. The lack of privacy is costing business. AARP found that 93% of those surveyed believe that any
personal information provided during a financial transaction should remain the property of the consumer and
that the information should not be shared with other businesses without the permission of the consumer.
Last year, a Business Week/Harris poll showed that 92% of Internet users are uncomfortable about Web sites
sharing personal information. 57% favor the government passing laws on how personal information is
collected and used. And many people are uncomfortable with the creation of profiles. 82% said they were
not comfortable with linking their identity with personal information like income, credit data, and medical information.
The ability to collect, share and use data in all sorts of ways boggles the mind. Consumers, in many
cases, aren't even aware that data is being collected, much less how profiles about them are created. The
information collection overload is particularly troublesome when it becomes the basis for decisions made
about an individual -- like how much a product or service will cost.
What protections do consumers have today? Not many. For all the talk about giving customers what
they think they want, the marketplace is not willing to give its customers what they really want -- privacy.
Privacy laws are either non-existent or are so riddled with loopholes that in most cases consumers will not
have to be told that their sensitive information is being shared, or be given the ability to stop the sharing of
their information.
Privacy invasion isn't only happening online. Cross-industry mergers and consolidations have given
financial institutions unprecedented access to consumers' personal data. Technology has made it possible
and profitable to mine that data. No law prevents financial institutions from using data to choose between
desirable borrowers and less profitable consumers the institutions may want to avoid. Special software
helps guide sales staff through scripted pitches that draw on a customer's profile to persuade the account
holder to buy extra, and in some cases junk, products.
The much ballyhooed privacy provision of the Gramm Leach Bliley Act does not protect consumers' privacy.
And because the underlying bill is bad, the implementation of regulations provides little hope for consumers
seeking to keep their personal information private. While states were given the ability to enact stronger
protections, those efforts have met fierce resistance by the financial services industry.
Consumers across the country are receiving privacy notices from their financial institutions. These notices
were required under GLB. Consumers should respond by opting out of the use of information to send a
message that they care about their privacy. Unfortunately these opt-outs, in reality, will do little or nothing
to prevent the sharing of your information with others.
We need stronger laws to put power and choice in the hands of consumers regarding the collection and use
of their personal information.
Some web-based businesses already seem to be willing to move beyond the privacy wasteland where GLB
left consumers. There no longer appears to be a question, for some, of whether consumers should get
notice, access, and control over their information. The challenge is how to effectively put these principles
into practice.
What about privacy policies? Won't those do the trick? Privacy policies are not a substitute for privacy
protections, especially when some companies don't even follow what is in their policies. Just because a
company has a privacy policy does not mean that they follow Fair Information Practices. And consumers
are skeptical about self-regulation. Only 15% of those surveyed in the Business Week poll supported letting
groups develop voluntary privacy standards. Nor has industry shown the will power to adopt adequate self-regulatory programs.
Some tout the use of technology to allow consumers to choose their preferences - even "opting-in" using
a privacy thermometer. Will the technology allow a consumer to shut-out all intrusions? Unfortunately, the
usefulness of technology often depends on knowledge of the user. Technology may be of some use, but
may prove lacking where it unfairly pushes the burden on the often-unsuspecting consumer. If you are not
in the know, you will likely lose your privacy because you won't know how to keep it private. And if the
preferences can be circumvented, then the usefulness of a technological solution without baseline
protections will be completely lost.
Where is all this going? The marketplace is changing daily. The Wall Street Journal reports that Time
Warner has the names, addresses and information on the reading and listening habits of 65 million
households. USA Today says Time Warner has access to
information about its 13 million cable subscribers and from its other businesses, like Time and People
magazine. With so much information, how will the competitiveness of the marketplace be impacted by this
merger? Will companies who seek to operate under a higher privacy standard be at a competitive
disadvantage and unable to compete against a larger entity that is able to make unrestricted use of the
personal information it obtains? Is this the future? Now imagine a Time Warner/AOL/Bank of X.
Will consumers benefit from all this data sharing? Financial institutions promised that in exchange for a
virtually unfettered ability to collect and share consumers' personal information, that consumers would get
better quality products and services and lower prices. This is why, they claimed, consumers shouldn't have
strong privacy protections like the ability to stop the sharing of their information among affiliates, or access
to that information to make sure it's accurate. Let's look at reality.
Bank fees for many consumers continue to rise. Information about financial health may actually be used to
the consumer's detriment if it is perceived that the consumer will not be as profitable as other customers.
Both Freddie Mac and Fannie Mae say between 30 and 50% of consumers who get subprime loans, actually
qualify for more conventional products, despite all the information that is available to lenders today. Credit
card issuers continue to issue credit cards to imposters, thus perpetuating identity theft, even when it seems
like a simple verification of the victim's last known address should be a warning. Instead of offering
affordable loans, banks are partnering with payday lenders. And when do some lenders choose not to share
information? When sharing that information will benefit the consumer -- like good credit histories that would
likely mean less costly loans.
Chase Manhattan Bank, one of the largest financial institutions in the United States, settled charges brought
by the New York attorney general for sharing sensitive financial information with outside marketers in
violation of its own privacy policy. In Minnesota, U.S. Bancorp ended its sales of information about its
customers' checking and credit card information to outside marketing firms. Both of these were of
questionable benefit for the bank's customers. Other institutions sold data to felons or got caught charging consumers
for products that were never ordered.
Maybe the right approach is to let institutions that want a consumer's information to be put in a position to
convince that consumer that some benefit will be derived from a willingness to give that information up to
the institution. Such an approach may increase trust in financial institutions and let consumers have control
and choice over their own personal information. The same technology that enables vast amounts of data
to be collected can be used to give consumers access to that data. It is a simple thing to tell consumers what
is collected and how it is used.
Sound and comprehensive privacy laws will help increase consumer trust and confidence in the marketplace
and also serve to level the playing field. These laws do not have to ban the collection and use of personal
data, merely give the consumer control over their own information.
SPECIFIC PRIVACY ISSUES
The Lack of Online Privacy
A May 2000 Consumer Reports survey of web sites, Consumer Reports Privacy Special Report, Big Browser
is Watching You, shows that consumers' privacy is not being protected online. The report also shows that
privacy notices at several popular sites are inadequate and vague. This data, like other recent web
surveys, shows that the state of consumer privacy online continues to be dismal. Not much has changed since
that survey was first done.
Consumers Union has urged Congress and the regulators to reverse their prior reliance on industry self-regulation, and
recommends that legislation is both appropriate and necessary to protect the privacy of online consumers.
The Consumer Reports survey evaluated the placement of tracking devices at 28 sites. The privacy policies
at six heavily trafficked commercial web sites were also examined.
Among the findings of the report:
- Even the activities of the most casual Internet users are carefully monitored by advertisers -- often
without the users knowledge or consent. Marketers are able to amass personal data about what you
buy, what you read, what ails you and what you are worth.
- Most web site visitors may be unaware that the simple act of viewing a site's home page can trigger the
placement of a cookie by an ad network with whom they never consented to have a relationship.
- Trying to block cookies resulted in some sites generating as many as 28 attempts to implant a cookie
before displaying the home page of the site.
- There are troubling shortcomings in the privacy policies of popular sites: inadequate notice, vague
disclosures, and unproven "seals of approval."
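The cookie findings above describe a measurement: count how many times a page load tries to set cookies, and from which domains. The following is an added illustration of that measurement, not part of the Consumers Union testimony or the Consumer Reports survey. It runs over a constructed record of one page load (request URL plus any Set-Cookie header in the response); the hostnames, cookie values and the "last two labels" rule for the registrable domain are assumptions for the example, the latter a simplification that ignores public-suffix cases such as co.uk.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: one load of a fictional news home page, recorded as
# (request URL, Set-Cookie header value or None). These records are made up
# for illustration; they are not data from the Consumer Reports survey.
SAMPLE_PAGE_HOST = "www.example-news.test"
SAMPLE_RESPONSES = [
    ("https://www.example-news.test/", "session=abc123; Path=/"),
    ("https://www.example-news.test/css/site.css", None),
    ("https://static.example-news.test/logo.png",
     "pref=1; Domain=.example-news.test; Path=/"),
    # An ad network pixel embedded in the page sets its own cookie on each fetch.
    ("https://ads.adnet.test/pixel.gif?site=news",
     "uid=a1b2c3; Domain=.adnet.test; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
    ("https://ads.adnet.test/pixel.gif?site=news",
     "uid=a1b2c3; Domain=.adnet.test; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
    ("https://track.otherads.test/b.js", "tid=xyz; Domain=.otherads.test; Path=/"),
    ("https://track.otherads.test/b.js", None),
]


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Assumption for this example: ignores public-suffix rules (e.g. co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def cookie_domain(set_cookie, request_host):
    """Return the domain a cookie is scoped to: the Domain attribute if present,
    otherwise the host that sent the Set-Cookie header."""
    for attribute in set_cookie.split(";")[1:]:
        name, _, value = attribute.strip().partition("=")
        if name.lower() == "domain" and value:
            return value.lstrip(".").lower()
    return request_host.lower()


def classify_cookie_attempts(responses, page_host):
    """Count Set-Cookie attempts per cookie domain, tagging each domain as
    first-party (same registrable domain as the page) or third-party."""
    page_domain = registrable_domain(page_host)
    counts = Counter()
    for url, set_cookie in responses:
        if set_cookie is None:
            continue
        host = urlparse(url).hostname or ""
        domain = cookie_domain(set_cookie, host)
        party = "first" if registrable_domain(domain) == page_domain else "third"
        counts[(domain, party)] += 1
    return counts


def summarize(responses, page_host):
    """Summarize one page load: per-domain attempts, total third-party attempts,
    and the set of third-party domains that tried to place a cookie."""
    counts = classify_cookie_attempts(responses, page_host)
    third_domains = sorted({d for (d, p) in counts if p == "third"})
    third_total = sum(n for (d, p), n in counts.items() if p == "third")
    return {
        "attempts": dict(counts),
        "third_party_attempts": third_total,
        "third_party_domains": third_domains,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_RESPONSES, SAMPLE_PAGE_HOST)
    for (domain, party), n in sorted(result["attempts"].items()):
        print(f"{domain:28s} {party}-party  {n} attempt(s)")
    print("third-party attempts:", result["third_party_attempts"])
```

The count of attempts, rather than of cookies that ended up stored, is the quantity the survey reports: a browser set to refuse cookies still sees every attempt, which is why repeated fetches of the same pixel are counted separately here.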
It is apparent that self-regulation has done little to protect privacy. Companies continue to pursue ever more
invasive collections of personal information. And there are no legal safeguards that limit what data collectors
can gather. Inadequate notice of privacy policies that may or may not address fundamental Fair Information
Practices leave consumers vulnerable and ill-equipped to make informed choices. Lack of strong privacy
laws has resulted in continued intrusions into consumer privacy, little accountability, and no assurance that
other firms will not engage in similar practices in the future.
Because of the failure of the industry to police itself, Consumers Union supported the Federal Trade
Commission recommendations to Congress that legislation is needed to protect the privacy of consumers
on the Internet. Strong protections now will not only curb privacy intrusions, but also have the benefit of
increasing consumer confidence when choosing to go online.
Protecting Children
Consumers Union recognizes the benefits of the World Wide Web, especially in opening doors to the world
through access to a variety of sites containing a lifetime of information. But it is also a medium where
children can be placed at risk, especially when asked to provide personal information about themselves,
their family and friends. With the ever expanding and increasing use of the World Wide Web, by both adults
and children, it was appropriate and timely that Congress passed the Children's Online Privacy Protection
Act of 1998 (COPPA), specifically placing the control of information collected from and about children with
parents.
COPPA said that online protection for kids must:
- Not exploit kids' inexperience and vulnerability. Attempts to do research or glean personal information
shouldn't be disguised as entertainment, and prices shouldn't be used to induce kids to provide personal
information.
- Be widely available and easily implemented, even by adults who aren't computer literate.
- Provide a foolproof way to communicate directly with parents, rather than rely on having kids get
permission to visit a site.
As the Federal Trade Commission adopted rules to implement COPPA, Consumers Union made the
following comments:
- Children must be protected against the online collection of personal information without a parent's prior
informed and verifiable consent.
- Close potential loopholes in the proposed rule that could allow operators to circumvent the intent of
COPPA.
- Ensure that parents receive a simple and comprehensive notice of policies, that information on the
collection, use and dissemination of the information be complete and accurate, and that there be a
means to verify parental consent in cases where a parent makes an informed choice.
- Ensure that information previously collected from children is given the same protection as future
collected information.
- Exercise care in providing a safe harbor for self-regulatory efforts.
Consumers Union fails to see any compelling commercial interest to allow a website to collect personal
information about children without their parent's knowledge or consent. A commercial website, under the
proposed regulations, will in fact be able to collect and use such information. It simply has to inform the
child's parents about what type of information will be collected, how it will be used, whether it will be shared,
and then obtain the parent's consent. Congress was clear in its intent when it passed COPPA -- that the
interests of children and not that of industry should be protected.
A recent study by the Annenberg Public Policy Center of the University of Pennsylvania found that most
children's websites are not following the spirit of COPPA. Moreover, the study found that the privacy policies
that exist on many sites are often very difficult to read and are missing key elements. While children's sites
that collected personal information had a link from their home page to their privacy policy, many skirt COPPA
by not prominently displaying those links.
Even more troubling was that the researchers found the policies too complex to understand. Many were
determined to be either too short and vague or too long and confusing to be read in a brief period of time.
The researchers questioned whether companies expect or want parents to read their policies.
The lack of compliance with COPPA highlights the need for further Congressional action. If children are not
safe when they go online despite the passage of COPPA, something more needs to be done. Failure to
comply with COPPA should not be taken as sign that children using the Internet should not be protected.
Rather, it shows that Congress should demand swift enforcement of the law, strengthen its provisions, and
send a strong message to industry groups who go after America's kids.
In addition to protecting children online, students in our classrooms should not be forced to submit to data
collection of personal information by business interests so that those businesses can then turn around and
use that data to target kids. Today, companies are being allowed easy access to America's children through
our schools:
- A California company provides schools with free computers, software, and access to certain web sites.
In exchange, the company monitors students' web browsing habits and sells the data to other
companies.
- Children in a Massachusetts elementary school spent two days tasting cereal and answering an opinion
poll to help the company sell to kids.
- Children in a New Jersey elementary school filled out a 27-page booklet called "My All About Me
Journal" as part of a marketing survey for a cable television channel.
Schools should not usurp parents' authority when it comes to the privacy of children weighed against purely
business interests. The taking of information for non-educational commercial purposes affects students
outside the classroom, especially because no guarantees can be given about how the information collected
may eventually be used and by what types of companies.
Protection of Subscriber Privacy
The privacy of personal information is a growing concern with the integration of various technologies.
Consumers Union agrees with the Federal Communications Commission (FCC) that the privacy provisions
of the Communications Act apply to cable operators and their affiliates.
The Communications Act provides that at the time a cable operator enters into an agreement to provide any
cable service "or other service" to a subscriber, and annually thereafter, the cable operator shall inform the
subscriber of, among other items, the nature of personally identifiable information the cable operator will be
collecting, the nature of the use of the information, and the nature and purpose of any disclosures of that
information.
The Communications Act also provides that a cable operator may not use the cable system to collect
personally identifiable information. The cable operator cannot disclose personally identifiable information
without the prior written or electronic consent of the subscriber. The statute defines "other service" to include
any wire or radio communication service provided using any of the facilities of a cable operator that are used
in the provision of cable service.
Financial Privacy Not Yet a Reality
The Gramm-Leach-Bliley Act (GLB) falls far short of providing meaningful privacy protections. Loopholes
in the law and in this draft rule allow personal financial information to be shared among affiliated companies
without the consumer's consent. In many instances, personal information can also be shared between
financial institutions and unaffiliated third parties, including marketers, without the consumers consent.
Other loopholes allow institutions to avoid having to disclose all of their information sharing practices to
consumers. In addition, the GLB does not give consumers access to the information about them that
an institution collects.
With the passage of the GLB, the financial marketplace is poised to undergo rapid and profound changes,
including the consolidation of industries. One consequence is that personal financial information has
become a marketable commodity, with banks, insurance companies and securities firms knowing, and
having the capacity to know, more about an individual consumer than ever before. Not only is this
information used to market products and services to consumers, it can be used to make decisions about the
cost and availability of those products and services.
Consumers have reason to be concerned about how their private financial information is being collected,
used, shared and sold. Under the GLB there are no limits on the ability of a financial institution to share
information about consumers' transactions, including account balances, who they write checks to, where
they use a credit card and what they purchase, within a financial conglomerate. Because of loopholes in
GLB, in most cases sharing a consumer's sensitive information with a third party is allowed too. All the
exceptions created by GLB make it difficult to come up with a list of circumstances where personal financial
information cannot be shared.
Here is why the GLB fails to provide privacy protections:
- Limited notice provisions. The notice provisions merely require that an institution provide consumers
with the institution's privacy policy, which could simply say "We share your information with affiliates and
third parties." Financial institutions would only have to provide general information about the type of
information that is collected and with whom it is shared. A consumer would not have to be told how their
information is being used. In some cases the proposed regulations do not require that an institution
provide a consumer with any notice at all, such as when the information collected is used to service an
account.
- Opt-out to "nonaffiliated third parties" only. GLB's limited third party opt-out does not apply at all to
internal affiliate sharing -- affiliates can still share and sell information. Consumers will have no ability
to stop it.
- Loopholes gut the already limited opt-out requirement by allowing information to be shared with
"nonaffiliated third parties" under most circumstances. Even if a consumer wants to opt-out,
information may still be shared with third parties offering financial products on behalf of or endorsed by
the institution or pursuant to a joint agreement between financial institutions. Thus, financial institutions
can share customers' information without notice to the customer or permission from the customer.
- No consumer access. The law does not allow a consumer to have access to the information collected,
or the ability to correct erroneous information.
Here is what consumers should have when it comes to privacy protections:
- Notice: Financial institutions should inform their customers in a clear and conspicuous manner when
they plan to collect, use and/or disclose personally identifiable information, and customers should be
told the intended recipient of the information and the purpose for which it will be used. Notice should
be about the sharing of information with all entities, both internal and external, and for any reason,
including the servicing of accounts.
- Access: A customer should have access to all personally identifiable information held by the financial
institution to make sure it is accurate and complete, and customers should have the ability to correct
erroneous information. These rights should not only be limited to account information, but should extend
to any dossiers, profiles or other compilations prepared for sale or sharing with third parties.
- Consent: A financial institution should receive prior affirmative consent of the customer before it uses
and/or discloses that customer's information for any other purpose than for which it was originally given.
No customer should be denied, or forced to pay a higher price for, any product or service by a financial
institution for refusing to give consent to the disclosure of the customer's personal information except
where necessary to determine eligibility for a specific financial product or service.
Consumers should have the right to be fully and meaningfully informed about an institution's practices.
Consumers should be able to choose to say "no" to the sharing or use of their information for purposes other
than for what the information was originally provided. Consumers should have access to the information
collected about them and be given a reasonable opportunity to correct it if it is wrong. In addition to full
notice, access, and control, a strong enforcement provision is needed to ensure that privacy protections are
provided.
Medical Privacy
When Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) the
Department of Health and Human Services (the "agency") was directed to develop and implement rules to
protect the privacy of Americans' health information by February 2000. More than a year later regulations
have not been implemented. The rule followed normal rulemaking procedures. All interested parties had
ample opportunity to provide comment. In fact, the comment period was extended to provide additional time
to submit views. The comments were given due consideration and a final rule was published. The agency
has now used a procedural technicality to reopen the rule for additional comments.
The Final Standards for the Privacy of Individually Identifiable Health Information, 65 FR 82462 (December
28, 2000) is a significant step towards restoring the public trust and confidence in our nation's health care
system. Critics of the rule are urging the agency to scrap the rule or otherwise delay its implementation. The
agency is being urged to weaken it by taking away the rights of patients to consent to the sharing of their
information, denying patients the right to access their own records, creating larger loopholes in the rule, and
allowing holders of medical information to share their patients' data with others without any responsibility
or accountability. The rule should not be scrapped or delayed. If changes are made to the rule those
changes should strengthen, not weaken, the medical privacy protections.
But nothing has changed since the rule was finalized that diminishes the need for strong medical privacy
protections. Medical information continues to be used for inappropriate purposes. The rule itself highlights
a number of cases where private medical information was released for profit and marketing purposes -
completely unrelated to the treatment of those patients. A recent USA Today editorial further highlights the
consequences of a failure to protect medical privacy - an employer firing an employee when they got the
results of a genetic test; release of medical records to attack political opponents; and hackers getting access
to health records from a major University medical center (USA Today, March 20, 2001).
Patients should not be put in the position of withholding information or even lying about their medical
conditions to preserve their privacy. Those seeking medical treatment are most vulnerable and should be
allowed to focus on their treatment or the treatment of their loved ones, rather than on trying to maintain their
privacy. It is unfair that those citizens must be concerned that information about their medical condition
could be provided to others who have no legitimate need to see that information.
The rule is simple.
- Patients are told in plain English how their medical information is used, kept and disclosed.
- Patients are allowed to see their medical records and get copies of those records if they want. Patients
are also allowed to have inaccurate information corrected.
- Patients are allowed to consent to the disclosure of their health information in most circumstances,
including non-medical or non-treatment related purposes. Companies should have to defend their
reasons for wanting access to that data. If those companies are unable to convince patients to consent
to the use of their information, they should not be able to circumvent the patient's choice.
- The rule limits the use of an individual's health information to health purposes only with few exceptions.
- The rule says that hospitals and other providers must adopt privacy procedures, train employees about
those procedures, and provide a process if those procedures are violated.
- The rule holds the hospital and other health care providers accountable if patient health information is
misused.
- The rule only requires that reasonable safeguards be used. Hospitals will not have to erect soundproof
walls, as some critics have charged.
- The rule is flexible. People will still be allowed to pick up prescriptions for family members. If further
clarification is needed, the rule allows the agency to simply issue guidance. Because the agency is
allowed to act if needed, this issue and similar issues can be resolved without weakening or delaying
the rule.
- The rule allows information sharing for treatment purposes. The quality of patient care will not suffer.
In fact, by increasing trust between the doctor and patient, the rule will likely increase the quality of care.
Medical information in the context of financial services has also been considered. Last year, Congressman
Leach, then chair of the House Banking and Financial Services Committee introduced the Medical Financial
Records Privacy Protection Act that would have prevented financial institutions from sharing medical
financial records without customer consent. Further, the bill would have prohibited financial institutions from
using consumers' medical information in providing credit. The bill was voted out of the House Banking
Committee but Congress failed to act on the bill prior to their adjournment.
The Leach Medical Financial Privacy Protection Act would have:
- Required financial institutions to obtain a customer's affirmative consent before disclosing individually
identifiable health information to an affiliate or non-affiliated third party.
- Prohibited a financial institution from obtaining or using individually identifiable health information in
deciding whether to issue credit, unless the prospective borrower expressly consents.
- Provided consumers the right to inspect, copy, and correct individually identifiable health information
that is under the control of a financial institution.
(1) Consumers Union is a nonprofit membership organization chartered in 1936 under the laws of the
State of New York to provide consumers with information, education and counsel about goods, services,
health, and personal finance; and to initiate and cooperate with individual and group efforts to maintain
and enhance the quality of life for consumers. Consumers Union's income is solely derived from the
sale of Consumer Reports, its other publications and from noncommercial contributions, grants and fees.
In addition to reports on Consumers Union's own product testing, Consumer Reports with approximately
4.5 million paid circulation, regularly, carries articles on health, product safety, marketplace economics
and legislative, judicial and regulatory actions which affect consumer welfare. Consumers Union's
publications carry no advertising and receive no commercial support.