July 6, 1998
Ms. Jane Coffin
Office of International Affairs
National Telecommunications and Information Administration
14th St. & Constitution Ave., NW
Washington, DC 20230
[Docket No. 980422102-8102-011]
Dear Ms. Coffin:
On behalf of Dun & Bradstreet (D&B), I appreciate the opportunity to comment on the Department of Commerce’s staff discussion paper "Elements of Effective Self Regulation for the Protection of Privacy" and the additional questions raised concerning online privacy protection. D&B applauds the Department of Commerce and the National Telecommunications and Information Administration for putting forward a document which largely is on target with respect to the basic elements necessary for self-regulation of online privacy and for raising such provocative questions regarding the elements.
Though D&B believes all the questions raised in the Request for Comment (RFC) to be important, our comments will focus specifically on question number "3". The comments will describe how D&B’s "Data Protection Practices for the Internet"—coupled with other company measures—effectively addresses the elements. In so doing, the comments will also respond to some of the other questions that have been raised in the RFC.
About Dun & Bradstreet
The Dun & Bradstreet Corporation is a multi-billion dollar company with offices in more than 38 countries and employing around 15,000 people. The company was founded in 1841 to facilitate commerce by providing business information about businesses to other businesses. Dun & Bradstreet (D&B) is the world’s leading provider of business-to-business credit and marketing information and receivable management services.
The data we provide for our customers is essential in their sound decision-making processes and is therefore the lifeblood of our business. Dun & Bradstreet collects information on over 49 million business establishments from 217 countries and invests over $360 million annually in these data collection activities. The company collects up to 1,500 data items on each business subject and uses thousands of information sources to ensure our data is of the highest quality possible. While all data contained in our Business Information Report product are business related, some are specifically identifiable to individual owners or principals of the business entity. Dun & Bradstreet collects only that information about the business owners or principals which is relevant and necessary for business decisions.
As a leader in the information industry, D&B developed data protection practices more than 20 years ago. The fundamental principles of those data protection practices still apply to our traditional information products and services. Recognizing the continued need to balance the free flow of information against an individual’s privacy interests in the online environment, the company, in early 1998, developed and implemented data protection practices for the Internet. Those practices and their compatibility with NTIA’s outline of the elements of effective self regulation are described below.
Elements of Effective Self-Regulation and D&B’s Data Protection Practices for the Internet
A. Principles of Fair Information Practices
1. Awareness: Privacy Policies & Notification
Awareness is a key element of effective self-regulation if individuals using the Internet are to feel secure and choose to do business online. D&B agrees that in order to achieve awareness, a company’s policy must be written in a manner that makes it easy for visitors to understand exactly what is happening to data during the transaction, as well as what will happen to it once the transaction is complete. To help ensure that D&B’s policy was clearly written in terms that a lay person could understand, it was vetted among a diverse group of D&B employees – some of whom had little or no past knowledge of privacy issues.
Further, crafting privacy policies and implementing them is a critical exercise for companies. This exercise allows them to take stock of their existing practices and update or change them when necessary to ensure they are continually consistent with recognized fair information practices. Though D&B has had fair information practices in place for more than 20 years, the company felt compelled to draft a new policy for the Internet. In so doing, a cross-functional working group was assembled consisting of approximately 30 individuals representing a large number of D&B’s business units. The exercise pointed out that while the fundamental principles contained in our long-standing fair information practices were still valid, some had to be reengineered and some had to be added to make sense in the Internet environment. For instance, D&B has always disclosed our data collection practices, but on the Internet there are technological methods for collecting information, such as cookies, which the company never had a need to explain before. Our traditional fair information practices regarding collection, therefore, had to be updated.
Clearly, when considering whether or not an individual should have choice with respect to use of individually identifiable information, there is a careful balance that must be struck between the importance to society of having that information available and the potential harm which may be caused if information is misused. In addition, in some instances, companies or industry sectors will find it important for the further development of that industry to provide individuals with choice regarding uses beyond the completion of the transaction.
With respect to choice, D&B believes there are three categories of information use that should be considered. The first category is information over which individuals should have complete control with respect to whether and how it is used. In this category are uses such as dissemination of information to third parties when the information will be used for marketing purposes and most uses of personal medical and financial information. The second category is information over which individuals should have no control. This category includes uses such as those controlled by existing law (Fair Credit Reporting Act), uses related to law enforcement activities, any records that have been deemed to be public records and that have not been specifically exempted from disclosure or data that is needed to complete a transaction. The third category includes uses that cannot be argued to be absolute with respect to control. This category includes uses such as an internal company use for marketing purposes.
Dun & Bradstreet has information uses which fit into two of the three categories. We create and license marketing lists to third parties. We provide individuals – both on the Internet and in our traditional products and services – the opportunity to opt-out of inclusion in those lists. The policy clearly states: "A business may request to have its information removed from business marketing lists published by Dun & Bradstreet and licensed to third parties" and provides individuals the opportunity to opt-out either by calling a customer service representative or by clicking on an e-mail address. We also allow individuals on the Internet to opt-out of further D&B marketing uses of their individually identifiable information by un-checking a box at the end of a form requesting information to complete a transaction.
However, the company does not allow business owners or principals to opt-out of the use of individually identifiable information used in our business decision-making products and services. D&B believes that the societal and economic interest in making this information available far outweighs any potential harm. Purposeful public activity by individuals on behalf of businesses is neither personal nor private. Businesses function only through individuals, such as their principals and officers. Individuals who choose to do business on behalf of businesses should not be able to conceal their activities on behalf of such businesses.
D&B agrees that data security to protect against loss, misuse, alteration or destruction is a critical element of fair information practices. To secure data, D&B takes technical, contractual and administrative steps to control data in order to protect against unauthorized access to and disclosure of it. For instance, D&B will not provide reports or information to third parties without a contractual relationship. Our strict contractual processes stipulate valid/authorized uses of D&B data and bind our customers to relevant US and foreign laws. In the Internet environment, some of our sites use technology to further secure the information.
In addition, D&B requires employees to complete extensive training in data handling processes. The company has developed numerous volumes of training documents which detail the policies and procedures associated with data collection, accuracy, quality control, updating, notification, disclosure and more. A relevant leading statement in one of these training documents reads "there is a vital need to respect individuals’ right of privacy," and "[employees] will not discuss Business Information Reports or the contents of Business Information Reports with non-business associates or friends."
The notion of allowing individuals to access or review information and have that information corrected if it is inaccurate is directly linked to data quality, and data quality is the heart and soul of any successful information company. To ensure that data are as up-to-date and accurate as practicable, D&B takes exhaustive measures including: direct contacts with businesses which generate 670,000 updates to our data per day; and quality review at the point of collection instead of exclusively at the end of the data collection process.
In addition to company measures, individuals are given the opportunity to review and have corrected their own Business Information Report. When a D&B business report undergoes a full revision, the principal contact at the business can receive a complimentary copy of their Business Information Report by calling a D&B toll-free telephone number. When a business owner or principal contacts D&B about a potential error, we act promptly to correct errors or misleading information whenever we learn of it. When the error has come from a public records source, the company will help the business owner identify which public record and will direct the individual to the source to have the error corrected.
Depending upon the matter raised by the business’ management, a "stop distribution" can be applied to the relevant business report and to ancillary products affected by the error, until the matter is resolved – even if the matter must be resolved with a third party such as a public records source. A correction notice is sent to businesses or others that D&B knows to have received the erroneous data. A detailed control sheet for managing corrections contains over 30 steps, each dated, to address distribution stoppage, corrective action, report/product revision and correction notices. The stop distribution process is crucial to ensuring that only high quality, accurate data about our customers is disseminated.
D&B agrees that, to be effective, self-regulatory privacy protections must include mechanisms to assure compliance with fair information practices and provide appropriate recourse to individuals when they have been harmed or deceived by information misuse. To help put into place an industry-led initiative that will develop strong enforcement mechanisms for privacy self-regulation, D&B recently agreed to become a full corporate sponsor of the Council of Better Business Bureaus’ newly launched online privacy program, BBBOnLine.
The BBBOnLine privacy program will draw on the Council of Better Business Bureaus’ (CBBB) experience with its successful self-regulation and dispute programs, and will address all three of the elements – consumer recourse, verification, and consequences – outlined by NTIA as necessary elements of enforcement. Though the details of the privacy program have not yet been established, two basic elements that will be included in the new privacy program are: (1) the awarding of a "privacy seal" of approval to businesses that meet certain privacy guidelines as established by BBBOnLine; and (2) a consumer dispute resolution program. The "privacy seal" program will provide attestation that businesses are implementing and living by the fair information practices they have asserted they abide by. The consumer dispute resolution program will provide consumer recourse and will help define appropriate consequences for information misuse.
Dun & Bradstreet’s markets and customers, as well as the U.S. information industry as a whole, have been well-served by a self-regulatory system for protecting the privacy of individually identifiable information. To be effective, D&B agrees that fair information practices must contain certain basic elements and that companies must be held accountable for their stated practices. D&B’s fair information practices are extensive and have continued to evolve since the company’s founding 157 years ago. Our practices mirror the elements outlined by the Department of Commerce in its RFC and attempt to strike an appropriate balance between the interests of individuals and the information needs of society. D&B believes it is the private sector’s responsibility to take a leadership role in the development and application of information policies and practices that serve both goals of information privacy and the free flow of information. Again, we appreciate the opportunity to comment and look forward to working with NTIA and the Department of Commerce to ensure that the Internet and electronic commerce continue to grow and prosper.