July 6, 1998
Ms. Jane Coffin
Office of International Affairs
National Telecommunications and Information Administration
14th Street and Constitution Avenue, NW
Washington, DC 20230
Re: Response to the Department of Commerce "Elements of Effective Self-Regulation for the Protection of Privacy"
Dear Ms. Coffin:
The McGraw-Hill Companies is pleased to have this opportunity to respond to the Department of Commerce paper, "Elements of Effective Self-Regulation for the Protection of Privacy". We commend the Department of Commerce and the National Telecommunications and Information Administration for their leadership on this issue. We further commend the federal government's extensive efforts to work with all stakeholders, including consumers, privacy advocates, businesses, trade associations, academics and policymakers, to clearly understand the uses of personally-identifiable information in today's digital economy. We also commend the Administration for calling on industry to take the lead in self-regulating its customer privacy practices and for recognizing the potential stifling effect overly-restrictive government regulation could have on the development of global electronic commerce.
According to the Department of Commerce's own statistics, 65,000 web sites are being launched daily by businesses both large and small. Clearly the online world is a fluid environment in its infancy, with tremendous potential to empower both businesses and consumers to engage in commerce in ways previously unimaginable. Electronic commerce also is global by definition. For those engaged in electronic commerce, it is not practical or sometimes even possible to distinguish among customers based on their origin. As a result, any U.S. solution to the issues raised by electronic commerce, including customer privacy, will have an effect on these issues around the world.
The advent of the Internet and electronic commerce has spurred heightened consumer sensitivity to the types of information being collected and disseminated online. In this new environment, customer demand for customized products and services has never been greater. Consumers expect to access the specific knowledge they need with a few clicks of a mouse. They do not want to waste time with search queries that return masses of information that then have to be further investigated to answer their questions. Customer product preferences help companies provide customized products and services that best meet individual needs and ensure that products are delivered to individuals in a timely and efficient manner. Customization of information on demand is the future of electronic publishing. Information providers require quality information about their customers to realize the potential of this medium.
The McGraw-Hill Companies is an active participant in global electronic commerce. We are a global publishing, financial information and media services company with 16,000 employees located in over 40 states and 30 countries. We distribute our products and services via traditional media, as well as electronically, to customers around the globe. Clearly, it is imperative that customers have the necessary understanding of this new medium and the comfort level to take full advantage of the range of services and products it provides. The McGraw-Hill Companies is committed to working with consumers, governments and industry to help make this happen.
Our relationship with our customers is based on trust, including trust in the quality and integrity of our information as well as our commitment to safeguard our relationship with our customers. We are in the business of providing knowledge that empowers our customers to learn, work, play and plan for their financial futures. Our ability to accomplish our business objectives is dependent on a two-way exchange of information. Our customers recognize that it is necessary for us to collect certain types of information -- ranging from a postal address and phone number to product preferences -- in order for us to best meet their needs. This type of trade-off is a well-established business practice that has worked throughout our more than 100-year history. This type of exchange is, in fact, the foundation for the enormous growth in the publishing industry over the last half century. Although the medium has changed, the fundamental relationship between information businesses and their customers has not.
Regardless of which business sector a company may be in, however, it is imperative for all businesses to act now to develop and implement responsible and appropriate customer privacy policies. A core set of guiding principles, based largely on the key elements set forth in the Elements paper, provides the proper base line for privacy practices. Strong privacy policies with meaningful compliance mechanisms are the first step.
Government also has an important role to play in educating businesses and consumers about the need for and existence of customer privacy policies. Educated consumers can make determinations about the level of privacy protection they personally need and will make appropriate marketplace choices. When consumers encounter a business that does not properly meet their expectations about privacy, they will respond by taking their business to a company or organization that does. That type of consumer vote will compel businesses to develop privacy practices that reflect the expectations of consumers while meeting their legitimate business needs.
Finally, the government has an important role in assuring that deceptive practices are halted. As the Federal Trade Commission recently acknowledged in its proposal to study the applicability of current law to advertising in the electronic environment, fraudulent and deceptive practices that are illegal in the print world cannot be exempted from regulation in the electronic world.
A. Principles of Fair Information Practices
In the case of children's data, The McGraw-Hill Companies recognizes that children under 16 may not be aware of the implications of sharing personally-identifiable information. Since our children-oriented online products and services are and will be for the foreseeable future primarily educational in nature, most of them are provided or sold directly to teachers, schools or parents. The data we collect through these online sites is generally used to enhance a child's experience at the site. In those limited instances where we do contact children directly, we do not collect personally-identifiable information without prior parental consent. We clearly indicate this at the point of data collection and explain the steps the child should take to obtain parental consent. While we recognize the difficulty in authenticating parental approval and look forward to technological improvements that will help us in this regard, in the meantime we are using all reasonable efforts to authenticate the approval. Further, we encourage children to use screen names and discourage sharing personal data online without parental permission.
The government also has an important role to play in educating consumers about the importance of consumer privacy on the Internet. The Federal Trade Commission has held various workshops and posted materials on its web site to help consumers understand the issue. The Department of Commerce also has provided forums to discuss the importance of effective self-regulation and how best to implement strong privacy practices. Participants in all of these programs have included representatives from a variety of industry segments, key policy makers and consumer and privacy advocates. Publicly spotlighting this issue and conducting these types of public conferences should continue. Media coverage will help consumers pay attention to the need to appropriately exercise their privacy options and will nudge industry to respond to this marketplace challenge. Government should continue to use its "bully-pulpit" to encourage responsible privacy practices.
Although business and government have a critical role to play in educating consumers about privacy practices, it is important to bear in mind that the consumer also has a responsibility to actively participate in the process. Consumers should be encouraged to look for and understand privacy policies on the sites they visit and to consider the level of protection they desire before proceeding. Parents in particular have a heightened responsibility to understand privacy practices of sites visited by their children and to educate their children about the potential dangers and pitfalls of providing personal information online.
Other Companies and Organizations: Our obligation to create awareness reaches far beyond the confines of our own products and services. It is important that industry as a whole promote the importance of privacy policies to consumers, other businesses, and government officials. This can be done through conferences, such as the multi-industry forum titled "Customer Privacy on the Web: Self-regulation or Government Enforcement?" sponsored by The McGraw-Hill Companies in conjunction with the American Business Press, the Association of American Publishers, the Information Industry Association and the Magazine Publishers of America earlier this year. Our executives also regularly advocate effective industry self-regulation of customer privacy in public speeches and media interviews. We have devoted an entire section on the Corporation's Internet site to the issue.
Individual companies also can work with various industry groups and associations to help them develop fair information practices that member companies can use to implement their own policies. The McGraw-Hill Companies is actively involved in the development of industry guidelines such as, for example, the Information Industry Association's Fair Information Practices Principles. We applaud and look forward to other organizations such as the Direct Marketing Association, Information Industry Association, U.S. Council for International Business and the Online Privacy Alliance joining together to conduct effective consumer and business outreach programs.
In those instances when businesses or organizations collect information directly from a customer, it is appropriate that the customer has a degree of choice about how that information is subsequently used. When explaining the options to a customer, it is incumbent upon the information collector to clearly explain the benefits of data sharing so that an informed decision can be made.
It is The McGraw-Hill Companies' Policy to never share or distribute Sensitive Data outside our organization. In addition, we enable customers to "opt-out" of internal sharing of Sensitive Data among the family of The McGraw-Hill Companies. In the areas of personal financial information and information about children -- two of the most common types of Sensitive Data collected by the Corporation from our customers -- our businesses have generally decided never to share this information even among units of The McGraw-Hill Companies.
As with most companies, The McGraw-Hill Companies contracts with vendors to perform a variety of functions, such as circulation fulfillment or list management. Under those circumstances, we use contracts to ensure that vendors acting on our behalf do not misuse the data and honor whatever choices the customer has exercised. Conversely, whenever The McGraw-Hill Companies receives personally-identifiable information from a third party (such as a list rental company), we clarify all restrictions on use of that information in the agreement and take reasonable steps to ensure compliance with those restrictions. Further, we take reasonable steps to ensure that, to the extent applicable, these third-party information sources abide by principles consistent with our own.
Organizations that collect, store and transfer data should develop and institute strict data security mechanisms and procedures to safeguard personally-identifiable information about customers. Technology will play an important role in ensuring that data is handled in a secure fashion. It is incumbent upon businesses to use available technology and other means in this area.
The McGraw-Hill Companies has instituted measures to ensure that data is stored, transferred and accessed responsibly. For instance, we use contractual arrangements with external third parties to ensure that restrictions placed on use of data collected from customers are honored by third parties and that they have equivalent security mechanisms in place. We restrict access to personally-identifiable information to those employees who have a legitimate reason for using or accessing the information. This can be achieved by strict database management measures, such as password access to customer information and secured networks for housing data.
4. Data Integrity
It is simply smart business practice to maintain the most accurate, up-to-the-minute information about customers possible. Businesses have a built-in incentive to do so. For example, mailing information must be accurate to ensure that our products reach subscribers, that invoices are received in a timely fashion, and that data used to customize products is accurate. We recommend that organizations establish guidelines to restrict customer information collection to the types of information needed to fulfill legitimate business purposes.
As part of our Policy implementation, we reviewed the types of data being collected from or about consumers to ensure that we collect only data that is needed for our reasonable commercial purposes. For example, in some instances social security numbers were being collected from customers as a security measure to ensure that only the data subject would have access to certain products or services. We have evaluated that process and established alternative verification mechanisms. We will periodically undertake this type of data review and adjust our data collection practices accordingly. For example, in some instances, we have decided to collect personally-identifiable information within a specified range (such as an age range) rather than data specific to an individual.
5. Customer Access
It is also important to recognize that if data about an individual has been provided by a third party, there may be contractual restrictions on our ability to make a requested change or alteration to the data. Further, even where an organization makes a requested change to an individual customer record in its database, it may be more important that the data source also make the change so that inaccurate information is not repeatedly disseminated. The best solution in those cases is for the data subject to contact the data source provider directly to achieve resolution.
There are instances when it would not be useful for the customer to see "all data" we have about them. For instance, customer service records are coded and would require extensive translation to be understood by or useful to consumers. The limited value of such records, coupled with the cost of providing access to the data in a useful manner, should be carefully balanced. Because of the uniqueness of individual companies' business practices and operating systems, it is important that companies have the flexibility to provide customers with access that is tailored to their organization and the type of data they collect, store or distribute.
With these considerations in mind, The McGraw-Hill Companies provides access to data collected directly from the individual. In some instances, due to the structure of our databases and to protect the security of the information, we cannot provide the customer with immediate and direct electronic access to the data. In those cases we provide hard-copy access to an individual's personally-identifiable information upon written request. In other cases, we provide customers with a verbal recitation of their data records via our customer service representatives. For security reasons, however, those representatives only have information specific to the product or service for which they work. Wherever feasible, we also provide the customer with the opportunity to correct his or her data.
As stated in the Elements paper, organizations should have the flexibility to choose the most effective compliance and consumer recourse mechanism for their market and customers. Such a compliance mechanism must be globally understood. In our view, a clear statement of policy, coupled with a clear process for compliance and consumer recourse, may be the best means for customers to make informed choices about providing their personal data to an organization.
We believe an effective customer privacy compliance program should include the following components:
We believe that a self-assessment procedure that includes the components listed above and described in further detail in the attachment will provide businesses with the flexibility to tailor appropriate enforcement programs for their businesses and provide appropriate assurances to customers that stated policies have been followed.
We appreciate the opportunity to present our views on behalf of The McGraw-Hill Companies on this very important issue. We pledge to continue to work with other stakeholders to develop workable and effective privacy protection self-regulation that will provide consumers confidence in the global medium.
Cynthia H. Braddon
Co-Chair, The McGraw-Hill Companies Privacy Steering Committee
Vice President, Washington Affairs

Katherine D. Roome
Co-Chair, The McGraw-Hill Companies Privacy Steering Committee
Vice President & Associate General Counsel
The Corporation has established a standing Customer Privacy Steering Committee consisting of senior managers and executives across all of our business units and Corporate departments, charged with:
The Corporate Audit Department has begun conducting periodic random reviews to assess the degree of compliance with the Policy. This review is conducted in conjunction with the Corporation's third-party auditor. The Corporate Audit Department contacts the Customer Privacy Steering Committee if compliance problems are identified. The Steering Committee Co-chairs then work with the unit to bring it into compliance. The Audit Department reports its results to Corporate Senior Management and the Corporation's Board of Directors' Audit Committee.
The Corporation will make publicly available a summary report at least annually regarding its compliance efforts.
In those limited instances when a customer request/problem is not resolved through the appropriate Privacy Official, the customer may contact the Privacy Steering Committee Co-Chairs and request assistance in resolving the dispute. The Co-Chairs, who are senior managers, will conduct a prompt review of the issue and work with the Privacy Officials to resolve the matter. A written response will be provided to the customer within 90 days.
Each of those business units that target their products or services to children has appointed senior-level "Personally-Identifiable Information Guardians" responsible for: