1. We believe all 9 of the characteristics of effective self-regulation for privacy are relevant and useful as a framework for company policies and practices. However, companies must have flexibility to develop and implement privacy and security policies that meet the needs of their customers and markets, without onerous cost and compliance burdens. CSI has developed a rational method of assessing the adequacy of a company's data protection practices using a simple checklist that addresses transparency (i.e., disclosure of information policies and practices), consumer choice and access to personal account information, data security and enforcement. To be useful in assessing adequacy, a checklist should: establish objective criteria for measuring data protection; be uniformly applicable across all industry sectors; be easy to use, replicate and administer; provide a scale to measure various levels or degrees of adequacy; provide an incentive for companies to achieve high ratings on the adequacy scale; and help determine whether self-regulation is enforceable. The attached checklist meets the above criteria and should be a useful tool for measuring adequacy of data protection. (Attachment A)

2. Companies and individual industry sectors should implement their self-regulatory policies consistent with industry-specific laws and regulations governing the protection of customer information, industry best practices and guidelines and their markets. Some industry sectors, such as financial services, are regulated more heavily than others, and some laws (e.g., FCRA) cross industry lines. The financial services sectors address privacy through a combination of self-regulation, contracts, case law, federal and state laws and regulations. In industry sectors where little or no regulation exists, enforceable industry guidelines may be appropriate.

3. Examples of existing privacy policies of CSI member companies that effectively address concerns about privacy can be found on their Web pages.

4. We believe the "Elements" paper covers the essential characteristics of effective self-regulation.

5. Consumers should be given the opportunity to opt-out of having their information provided to third parties. In many industries, federal and state laws already require that consumers be given such a choice, and this is a widely-accepted industry practice today. It is also a common business practice for companies to maintain tight control over customer information provided to external organizations for marketing purposes, by seeding customer lists to detect unauthorized use of customer lists and auditing for compliance with acceptable privacy standards.

6. Many industry sectors already have effective regulatory enforcement mechanisms in place. For example, existing federal law makes unfair and deceptive practices unlawful. Thus, if a company provides its customers with a privacy statement that does not accurately reflect its privacy practices, it can precipitate a challenge by the appropriate regulators.

7. The primary consequence for companies that do not comply with fair information practices is the loss of the customer's trust and business, unfavorable media coverage and loss of future business opportunities. We concur with Secretary Daley's belief that business has the most vested in the success of electronic commerce, which depends on consumer confidence and trust to transact business on the Internet. Market sanctions are severe and swift for companies that fail to maintain the trust of their customers.

8. Public opinion is an effective privacy regulator. Where threats to the privacy or security of consumers have been identified, the response by industry has been swift and decisive. There is evidence that consumers respond to threats to their privacy or security. For example, America Online planned to provide lists of its customers' phone numbers to telemarketers and other direct marketers. Under pressure from its subscribers, the media, politicians and privacy-rights groups, AOL canceled its plans. Another example involved Experian, Inc., one of the three largest credit reporting companies. In response to strong customer demand for information contained in their credit reports, Experian offered people the opportunity to access their reports via the Internet. Technical problems caused some credit reports to be sent to the wrong people, and media coverage of the problem added pressure, so the company shut down the system. The responsiveness of companies to the press and public opinion means that problems are corrected quickly without government action.

9. The bankcard associations (Visa and MasterCard), automated clearing houses (ACHs) and ATM networks are examples of effective self-regulation. Members of these organizations must comply with an extensive body of operating rules pertaining to cardholders, merchants and other parties.

10. In general, self-regulation of online privacy should be permitted across the board. If self-regulation proves to be consistently unworkable, and public opinion fails to correct actual abuses, further steps may be necessary.

11. While difficult to quantify, the costs to implement a self-regulatory privacy regime are likely to be far less than the costs of legislation or regulation.

12. We believe that self-regulatory distinctions need not be made between the online and traditional business environments. The scope of data protection encompasses both privacy and security issues, and online policies should be linked to company policies that protect their customers' information whether online or off.

13. While CSI has not polled its members, it is our understanding that in general they do not receive an appreciable or material number of consumer complaints about privacy. Some CSI members have had privacy policies for a number of years. Others are implementing such policies now. All believe that they are highly responsive to their consumers and to consumer privacy concerns. However, companies offering "look-up" services have entered a special arrangement to assure protection of privacy as the result of public concern.

14. The balance between freedom of information and individual privacy concerns is usually determined by the consumer. Some consumers are more concerned about privacy than others and will take steps to opt-out of being solicited for products and services. Others may be concerned about the collection and use of sensitive personal information (e.g., medical records) and seek to prohibit or restrict companies from using such information. Since there is no one appropriate point at which to strike a balance, but many points on a scale, attempts should not be made to apply a single standard. As we pointed out earlier, many people are willing to trade-off some degree of privacy for lower prices, more choices and greater convenience. The responsibility of business is to disclose clearly its privacy policies to consumers and provide them with privacy choices.