July 6, 1998
Ms. Jane Coffin
Office of International Affairs
National Telecommunications and Information Administration
Room 4898
14th Street and Constitution Avenue, NW
Washington, DC 20230
Re: Response to the Department of Commerce "Elements of Effective Self-Regulation for the Protection of Privacy"
Dear Ms. Coffin:
The McGraw-Hill Companies is pleased to have this opportunity to respond to the Department of Commerce paper, "Elements of Effective Self-Regulation for the Protection of Privacy". We commend the Department of Commerce and the National Telecommunications and Information Administration for their leadership on this issue. We further commend the federal government's extensive efforts to work with all stakeholders, including consumers, privacy advocates, businesses, trade associations, academics and policymakers, to clearly understand the uses of personally-identifiable information in today's digital economy. We also commend the Administration for calling on industry to take the lead in self-regulating its customer privacy practices and for recognizing the potential stifling effect overly-restrictive government regulation could have on the development of global electronic commerce.
According to the Department of Commerce's own statistics, 65,000 web sites are being launched daily by businesses both large and small. Clearly the online world is a fluid environment in its infancy, with tremendous potential to empower both businesses and consumers to engage in commerce in ways previously unimaginable. Electronic commerce also is global by definition. For those engaged in electronic commerce, it is not practical, or sometimes even possible, to distinguish among customers based on their origin. As a result, any U.S. solution to the issues raised by electronic commerce, including customer privacy, will have an effect on these issues around the world.
The advent of the Internet and electronic commerce has spurred heightened consumer sensitivity to the types of information being collected and disseminated online. In this new environment, customer demand for customized products and services has never been greater. Consumers expect to access the specific knowledge they need with a few clicks of a mouse. They do not want to waste time with search queries that return masses of information that then have to be further investigated to answer their questions. Customer product preferences help companies provide customized products and services that best meet individual needs and ensure that products are delivered to individuals in a timely and efficient manner. Customization of information on demand is the future of electronic publishing. Information providers require quality information about their customers to realize the potential of this medium.
The McGraw-Hill Companies is an active participant in global electronic commerce. We are a global publishing, financial information and media services company with 16,000 employees located in over 40 states and 30 countries. We distribute our products and services via traditional media, as well as electronically, to customers around the globe. Clearly, it is imperative that customers have the necessary understanding of this new medium and the comfort level to take full advantage of the range of services and products it provides. The McGraw-Hill Companies is committed to working with consumers, governments and industry to help make this happen.
Government and the private sector must share the responsibility for achieving the necessary environment to facilitate consumer confidence in global electronic commerce. This will require, in our view, three essential components. First, every organization that collects information about its customers electronically must develop and make publicly available a comprehensive Privacy Policy clearly stating its customer information practices. Second, the private sector and Government must work together to educate consumers and industry about responsible and fair information practices. And, finally, Government should enforce laws and regulations that currently protect against consumer fraud and misrepresentation in this area.
The McGraw-Hill Companies supports effective industry self-regulation in the area of protecting customer and prospective customer privacy. Toward that end, we have developed and implemented in all our domestic operations and on our more than 80 web sites a comprehensive Customer Privacy Policy to protect customer data. Our Policy balances the legitimate business uses of personally-identifiable information against reasonable consumer concerns and expectations. This Policy applies to all of our consumer as well as to our business-to-business products and services. Our Policy also was designed to be acceptable to our customers no matter where around the globe they are located. The Policy does not affect newsgathering and other editorial activities.
Our relationship with our customers is based on trust, including trust in the quality and integrity of our information as well as our commitment to safeguard our relationship with our customers. We are in the business of providing knowledge that empowers our customers to learn, work, play and plan for their financial futures. Our ability to accomplish our business objectives is dependent on a two-way exchange of information. Our customers recognize that it is necessary for us to collect certain types of information -- ranging from a postal address and phone number to product preferences -- in order for us to best meet their needs. This type of trade-off is a well-established business practice that has worked throughout our more than 100-year history. This type of exchange is, in fact, the foundation for the enormous growth in the publishing industry over the last half century. Although the medium has changed, the fundamental relationship between information businesses and their customers has not.
Of course, even within the information industry, the types and uses of data collected, stored or transferred about individuals varies among business sectors. For that reason, it is important that different types of businesses have the necessary flexibility to tailor their privacy practices to best suit their and their customers' needs. There is not a one-size-fits-all solution. Industry self-regulation allows businesses the flexibility to fashion appropriate solutions. It also allows businesses to develop and implement privacy practices that are evolutionary. While the core principles will likely remain the same over time, organizations should continue to adjust their policies as they learn more about consumer reactions to data collection and as technology enables different types of information collection and privacy solutions. This need for ongoing adjustment is consistent with our recent experience in developing and implementing our own Customer Privacy Policy. Although only fully implemented domestically since late 1997, we already have begun to make minor modifications to better meet marketplace and consumer demands.
Regardless of which business sector a company may be in, however, it is imperative for all businesses to act now to develop and implement responsible and appropriate customer privacy policies. A core set of guiding principles, based largely on the key elements set forth in the Elements paper, provides the proper base line for privacy practices. Strong privacy policies with meaningful compliance mechanisms are the first step.
Government also has an important role to play in educating businesses and consumers about the need for and existence of customer privacy policies. Educated consumers can make determinations about the level of privacy protection they personally need and will make appropriate marketplace choices. When consumers encounter a business that does not properly meet their expectations about privacy, they will respond by taking their business to a company or organization that does. That type of consumer vote will compel businesses to develop privacy practices that reflect the expectations of consumers while meeting their legitimate business needs.
Finally, the government has an important role in assuring that deceptive practices are halted. As the Federal Trade Commission recently acknowledged in its proposal to study the applicability of current law to advertising in the electronic environment, fraudulent and deceptive practices that are illegal in the print world cannot be exempted from regulation in the electronic world.
A. Principles of Fair Information Practices
The following response to the specific components of self-regulation articulated in the Elements paper is based on our experiences within our organization and in dealing with our customers in developing and implementing The McGraw-Hill Companies' Customer Privacy Policy. Key components of our Policy are: notice, choice, data security, and review and correction, each of which is described below.
By way of background, our Customer Privacy Policy generally provides customers with the ability to opt-out of external sharing of their personally-identifiable information outside the family of The McGraw-Hill Companies. Personally-identifiable information includes e-mail and postal addresses, billing information, and employment status. We also have established a subset of personally-identifiable information -- Sensitive Data -- for which we provide additional protections, including a prohibition against distribution of this information outside the Corporation. Sensitive Data includes social security numbers, personal financial data such as salary specific information, specific portfolio and net worth data, information about specific medical conditions and most information about children. Our Customer Privacy Policy applies to all of our customers, regardless of the medium through which we provide them with information or their location. Although the methods used to deploy our Policy are customized to reflect the means through which we interact with our customers, we do not discriminate among print, online or electronic customers. Not only is this the "right" thing to do, it also is the practical thing to do. It would be burdensome and impractical to do otherwise.
1. Awareness
Awareness is the cornerstone of any effective customer privacy policy and must be achieved at three levels: with customers, with the company's employees and with other parts of the company's industry. Customers should be educated by industry and government about the importance of understanding the customer privacy policies of the businesses with whom they do business. Employees should be aware of their employer's privacy policy and understand how to implement it. Finally, each company has a responsibility to educate other companies with whom it does business as well as other companies within its industry.
Customers: All organizations that collect, store, use or transfer personally-identifiable customer information should develop and implement a privacy policy and take reasonable steps to make customers aware of their policies. The McGraw-Hill Companies developed and publicly announced a comprehensive Customer Privacy Policy in mid-1997 that was implemented throughout our domestic operations by year-end. An important part of any privacy policy is ensuring that customers are aware of and understand our Policy and how it applies to the information we collect about them. To achieve that, The McGraw-Hill Companies uses a privacy "icon" on all our branded web sites to enable users to readily find the summary of our Policy. The summary is written in clear, easy to understand language. It includes an explanation of the types of data we collect and how we use it. It explains that the customer will be able to opt-out of external distribution of his or her information. It includes a description of our security procedures, our review and correction procedures and our compliance process. We place our summary no more than two clicks away from each web site's home page and place a link to the summary at or near the point of data collection. This makes it easy for the consumer to both understand our Policy and decide whether they want to conduct business with us.
In the case of children's data, The McGraw-Hill Companies recognizes that children under 16 may not be aware of the implications of sharing personally-identifiable information. Since our children-oriented online products and services are, and will be for the foreseeable future, primarily educational in nature, most of them are provided or sold directly to teachers, schools or parents. The data we collect through these online sites is generally used to enhance a child's experience at the site. In those limited instances where we do contact children directly, we do not collect personally-identifiable information without prior parental consent. We clearly indicate this at the point of data collection and explain the steps the child should take to obtain parental consent. While we recognize the difficulty in authenticating parental approval and look forward to technological improvements that will help us in this regard, in the meantime we are using all reasonable efforts to authenticate the approval. Further, we encourage children to use screen names and discourage sharing personal data online without parental permission.
The government also has an important role to play in educating consumers about the importance of consumer privacy on the Internet. The Federal Trade Commission has held various workshops and posted materials on its web site to help consumers understand the issue. The Department of Commerce also has provided forums to discuss the importance of effective self-regulation and how best to implement strong privacy practices. Participants in all of these programs have included representatives from a variety of industry segments, key policy makers and consumer and privacy advocates. Publicly spotlighting this issue and conducting these types of public conferences should continue. Media coverage will help consumers pay attention to the need to appropriately exercise their privacy options and will nudge industry to respond to this marketplace challenge. Government should continue to use its "bully-pulpit" to encourage responsible privacy practices.
Although business and government have a critical role to play in educating consumers about privacy practices, it is important to bear in mind that the consumer also has a responsibility to actively participate in the process. Consumers should be encouraged to look for and understand privacy policies on the sites they visit and to consider the level of protection they desire before proceeding. Parents in particular have a heightened responsibility to understand privacy practices of sites visited by their children and to educate their children about the potential dangers and pitfalls of providing personal information online.
Employees: Organizations also must raise the awareness of their own employees about their customer privacy policies and procedures for implementing them. We have conducted numerous internal forums to educate our employees about our Customer Privacy Policy and the importance of respecting consumer privacy expectations. We will provide ongoing education for employees and periodic written updates to our Customer Privacy Policy and implementation guidelines as needed. We also have designated Privacy Officials within the company who are responsible for ensuring that our Policy is followed and that ongoing training is available to all employees who have responsibility for or access to personally-identifiable information. We have added customer privacy protection to the Corporation's Code of Business Ethics. This Code applies to all employees. Violation of the Code can result in disciplinary action, up to and including termination. Further, we have a robust Intranet site devoted to our Policy and implementation guidelines. This type of employee involvement and training is imperative if organizations are going to "walk-the-walk" and not just "talk-the-talk".
Other Companies and Organizations: Our obligation to create awareness reaches far beyond the confines of our own products and services. It is important that industry as a whole promote the importance of privacy policies to consumers, other businesses, and government officials. This can be done through conferences, such as the multi-industry forum titled "Customer Privacy on the Web: Self-regulation or Government Enforcement?" sponsored by The McGraw-Hill Companies in conjunction with the American Business Press, the Association of American Publishers, the Information Industry Association and the Magazine Publishers of America earlier this year. Our executives also regularly advocate effective industry self-regulation of customer privacy in public speeches and media interviews. We have devoted an entire section on the Corporation's Internet site to the issue.
Individual companies also can work with various industry groups and associations to help them develop fair information practices that member companies can use to implement their own policies. The McGraw-Hill Companies is actively involved in the development of industry guidelines such as, for example, the Information Industry Association's Fair Information Practices Principles. We applaud and look forward to other organizations such as the Direct Marketing Association, Information Industry Association, U.S. Council for International Business and the Online Privacy Alliance joining together to conduct effective consumer and business outreach programs.
2. Choice
In those instances when businesses or organizations collect information directly from a customer, it is appropriate that the customer has a degree of choice about how that information is subsequently used. When explaining the options to a customer, it is incumbent upon the information collector to clearly explain the benefits of data sharing so that an informed decision can be made.
Choice is a core component of The McGraw-Hill Companies' Customer Privacy Policy. When we collect personally-identifiable information directly from customers, we provide them with an explicit opportunity to "opt-out" of having that data shared outside of The McGraw-Hill Companies. This choice is provided in clear and concise language. For online products and services, the customer can exercise this choice electronically at no cost. In those instances when the data collected is used solely to complete a transaction, we do not provide choice because the intended use of the data is clear to the customer. To date, it has been our experience that customers, once provided with a clear understanding of the uses to be made of the personally-identifiable data and the benefits they derive from such use, most frequently decide to participate in responsible data sharing.
It is The McGraw-Hill Companies' Policy to never share or distribute Sensitive Data outside our organization. In addition, we enable customers to "opt-out" of internal sharing of Sensitive Data among the family of The McGraw-Hill Companies. In the areas of personal financial information and information about children -- two of the most common types of Sensitive Data collected by the Corporation from our customers -- our businesses have generally decided never to share this information even among units of The McGraw-Hill Companies.
As with most companies, The McGraw-Hill Companies contracts with vendors to perform a variety of functions, such as circulation fulfillment or list management. Under those circumstances, we use contracts to ensure that vendors acting on our behalf do not misuse the data and honor whatever choices the customer has exercised. Conversely, whenever The McGraw-Hill Companies receives personally-identifiable information from a third-party (such as a list rental company), we clarify all restrictions on use of that information in the agreement and take reasonable steps to ensure compliance with those restrictions. Further, we take reasonable steps to ensure that, to the extent applicable, these third party information sources abide by principles consistent with our own.
3. Data Security
Organizations that collect, store and transfer data should develop and institute strict data security mechanisms and procedures to safeguard personally-identifiable information about customers. Technology will play an important role in ensuring that data is handled in a secure fashion. It is incumbent upon businesses to use available technology and other means in this area.
The McGraw-Hill Companies has instituted measures to ensure that data is stored, transferred and accessed responsibly. For instance, we use contractual arrangements with external third parties to ensure that restrictions placed on use of data collected from customers are honored by third parties and that they have equivalent security mechanisms in place. We restrict access to personally-identifiable information to those employees who have a legitimate reason for using or accessing the information. This can be achieved by strict database management measures, such as password access to customer information and secured networks for housing data.
4. Data Integrity
It is simply smart business practice to maintain the most accurate, up-to-the minute information about customers possible. Businesses have a built-in incentive to do so. For example, mailing information must be accurate to ensure that our products reach subscribers, that invoices are received in a timely fashion, and that data used to customize products is accurate. We recommend that organizations establish guidelines to restrict customer information collection to the types of information needed to fulfill legitimate business purposes.
As part of our Policy implementation, we reviewed the types of data being collected from or about consumers to ensure that we collect only data that is needed for our reasonable commercial purposes. For example, in some instances social security numbers were being collected from customers as a security measure to ensure that only the data subject would have access to certain products or services. We have evaluated that process and established alternative verification mechanisms. We will periodically undertake this type of data review and adjust our data collection practices accordingly. For example, in some instances, we have decided to collect personally-identifiable information within a specified range (such as an age range) rather than data specific to an individual.
5. Customer Access
Customer access to personally-identifiable information is an important component of any privacy policy. The level or degree of access, however, will depend on the type of business and the type of data being collected, stored or transferred. Of course, efforts to provide customer access to information should not run counter to data security or integrity measures. In addition, for diversified organizations such as ours that have multiple, unrelated databases, it is difficult, if not impossible, to provide access to all data about individual customers from one location within the organization. Further, to guard against unauthorized "browsing" of databases, many are not searchable by name alone. Every practical effort, however, should be made to make appropriate information about customers accessible upon request. Access to customer information must be carefully balanced against practical programming and cost constraints.
It is also important to recognize that if data about an individual has been provided by a third party, there may be contractual restrictions on our ability to make a requested change or alteration to the data. Further, even where an organization makes a requested change to an individual customer record in its database, it may be more important that the data source also make the change so that inaccurate information is not repeatedly disseminated. The best solution in those cases is for the data subject to contact the data source provider directly to achieve resolution.
There are instances when it would not be useful for the customer to see "all data" we have about them. For instance, customer service records are coded and would require extensive translation to be understood by or useful to consumers. The limited value of such records, coupled with the cost of providing access to the data in a useful manner, should be carefully balanced. Because of the uniqueness of individual companies' business practices and operating systems, it is important that companies have the flexibility to provide customers with access that is tailored to their organization and the type of data they collect, store or distribute.
With these considerations in mind, The McGraw-Hill Companies provides access to data collected directly from the individual. In some instances, due to the structure of our databases and to protect the security of the information, we cannot provide the customer with immediate and direct electronic access to the data. In those cases we provide hard-copy access to an individual's personally-identifiable information upon written request. In other cases, we provide customers with a verbal recitation of their data records via our customer service representatives. For security reasons, however, those representatives only have information specific to the product or service for which they work. Wherever feasible, we also provide the customer with the opportunity to correct his or her data.
Responsible privacy policies must have an effective compliance mechanism. As with other types of industry self-regulation, if customers do not believe that a company is adhering to its stated privacy policy, they will not do business with that organization. Industry self-regulation is fundamentally built around the precept that organizations will "say what they do" and "do what they say". How to ensure that will and should vary depending on the type of business. The Elements paper effectively outlines the key components of various enforcement structures.
It is important to note that in addition to evaluating whether an organization has followed its stated privacy policy, careful consideration should be given to consumer recourse for violations of that policy. Any recourse mechanism should take into consideration the level of harm associated with a violation of a stated privacy policy. As with many of the Elements, there is no one-size-fits-all solution to consumer recourse. In many instances, such as when an individual makes a request to remove his or her name from a marketing and promotion list, the correct "recourse" may be to "right the wrong"; that is, remove the name that was inadvertently missed. Clear distinctions should be made between material harm to a consumer and inconvenience. For those organizations that collect information directly from consumers, the marketplace will drive companies to "right the wrong." Good business sense dictates that companies safeguard relationships with their customers.
As stated in the Elements paper, organizations should have the flexibility to choose the most effective compliance and consumer recourse mechanism for their market and customers. Such a compliance mechanism must be globally understood. In our view, a clear statement of policy, coupled with a clear process for compliance and consumer recourse, may be the best means for customers to make informed choices about providing their personal data to an organization.
As a model, we submit for discussion purposes an outline of The McGraw-Hill Companies' Customer Privacy Policy Compliance Process. It includes mechanisms for verification and recourse. Our process is based upon the belief that our brands are trusted within our marketplace. Customers will look to our tradition of integrity and the relationship we have built with them to evaluate whether they can believe us when we state our Customer Privacy Policy and report our "track" record. We have built mechanisms into our process that provide customers with the necessary information to make educated judgements not only about whether our Customer Privacy Policy is sufficient, but also about whether we have implemented and adhered to it in an adequate manner. Our compliance process was developed to assure that our commitment to customer privacy is taken seriously by all employees and satisfies our customers.
We believe an effective customer privacy compliance program should include the following components:
We believe that a self-assessment procedure that includes the components listed above and described in further detail in the attachment will provide businesses with the flexibility to tailor appropriate enforcement programs for their businesses and provide appropriate assurances to customers that stated policies have been followed.
Conclusion
We appreciate the opportunity to present our views on behalf of The McGraw-Hill Companies on this very important issue. We pledge to continue to work with other stakeholders to develop workable and effective privacy protection self-regulation that will provide consumers confidence in the global medium.
Sincerely,
Cynthia H. Braddon
Co-Chair, The McGraw-Hill Companies Privacy Steering Committee
Vice President, Washington Affairs

Katherine D. Roome
Co-Chair, The McGraw-Hill Companies Privacy Steering Committee
Vice President & Associate General Counsel
COMPLIANCE MECHANISMS FOR INDUSTRY SELF-REGULATION OF CUSTOMER PRIVACY POLICY
The McGraw-Hill Companies is committed to effective industry self-regulation in the area of customer privacy. Toward that end, we have developed a comprehensive Customer Privacy Policy to protect customer data that has been implemented in all of our domestic operations and on more than 80 web sites. We are currently in the process of implementing the Policy across the Corporation's overseas operations. The McGraw-Hill Companies has established the following internal procedures to assure compliance with its Policy:
The Corporation has established a standing Customer Privacy Steering Committee consisting of senior managers and executives across all of our business units and Corporate departments, charged with:
The Corporate Audit Department has begun conducting periodic random reviews to assess the degree of compliance with the Policy. This review is conducted in conjunction with the Corporation's third-party auditor. The Corporate Audit Department contacts the Customer Privacy Steering Committee if compliance problems are identified. The Steering Committee Co-chairs then work with the unit to bring it into compliance. The Audit Department reports its results to Corporate Senior Management and the Corporation's Board of Directors' Audit Committee.
The Corporation will make publicly available a summary report at least annually regarding its compliance efforts.
The McGraw-Hill Companies' Code of Business Ethics has been expanded to include a commitment to complying with the Corporation's Customer Privacy Policy. Violation of the Code of Business Ethics may result in disciplinary action, including termination.
Each business unit has appointed a Privacy Official charged with overseeing unit-wide compliance with the Corporation's Customer Privacy Policy, including assuring that appropriate personnel are trained to ensure compliance. This person is the contact point for the public regarding Customer Privacy Policy compliance. A customer's request to have his or her name removed from mailing or telemarketing lists, or to review the data the Corporation has collected directly from that customer, can be sent to the appropriate Privacy Official via email, telephone, fax or mail, or can be made through The McGraw-Hill Companies home page located at www.mcgraw-hill.com. Privacy Officials are responsible for carrying out this duty as part of their job responsibilities. Their performance of these responsibilities will be measured in annual performance reviews. Failure to effectively perform this duty may result in disciplinary action.
In those limited instances when a customer request/problem is not resolved through the appropriate Privacy Official, the customer may contact the Privacy Steering Committee Co-Chairs and request assistance in resolving the dispute. The Co-Chairs, who are senior managers, will conduct a prompt review of the issue and work with the Privacy Officials to resolve the matter. A written response will be provided to the customer within 90 days.
Each of those business units that targets its products or services to children has appointed senior-level "Personally-Identifiable Information Guardians" responsible for: