Joseph L. Gattuso
Alfred M. Lee
We wish to thank Carol E. Mattey, now Deputy Chief of the FCC Common Carrier Bureau's Policy and Program Planning Division, for her substantial role, while at NTIA, in the preparation of NTIA's Privacy Notice of Inquiry. We wish to thank Michael Francesconi, Jim McConnaughey, Joanne Kumekawa, Sallianne Fortunato, and David Gardner for their assistance in reviewing drafts of this report and for their helpful comments and suggestions. We also wish to thank Arthur J. Altenburg for his document layout and typesetting support.
<1> Currently Acting Professor, UCLA School
<2> Currently Attorney-Adviser, FCC Common Carrier Bureau, Policy and Program Planning Division.
In this White Paper, the National Telecommunications and Information Adminstration (NTIA) hopes to contribute to the broader privacy debate by addressing the privacy issues related to a specific sector -- the telecommunications sector. Specifically, this paper focuses on the privacy concerns associated with an individual's subscription to or use of a telecommunications or information service. The overall purpose of the paper is to provide an analysis of the state of privacy in the United States as it relates to existing and future communications services and to recommend a framework for safeguarding telecommunications-related personal information (TRPI).
The analysis provided herein reveals that there is a lack of uniformity among existing privacy laws and regulations for telephony and video services. In fact, similar services are governed differently depending on how they are delivered. And, other communications services like those available over the Internet are almost entirely unprotected. Furthermore, NTIA believes that it will become increasingly difficult to apply existing privacy laws and regulations to communica tions service providers as services and sectors converge, and as new technologies evolve.
To rectify limitations in existing telecommunications privacy law and to provide consumers with a uniform privacy standard for TRPI, NTIA proposes a framework that draws upon the Information Infrastructure Task Force's NII Principles for Providing and Using Personal Information. This framework has two fundamental elements -- provider notice and customer consent.
Under this proposed framework, telecommunications and information service providers would notify individuals about their information practices, abide by those practices, and keep customers informed of subsequent changes to such practices. Service providers would be free to use information collected for stated purposes once they obtain consent from the relevant customer. Affirmative consent would be required with respect to sensitive personal information. Tacit customer consent would be sufficient to authorize the firm to use all other information.
NTIA believes that establishing minimum privacy protections across the communications industry would ensure that consumers are provided with a reasonable level of privacy protection. Uniformly applied, a common "base" standard could also prevent some industries from gaining an unfair competitive advantage.
A. The Nature of Privacy
B. NTIA's Inquiry
C. Scope of the White Paper
D. Recommended Approach
II. CURRENT REGULATION OF TRPI
A. TRPI Collected by Telephone and Video Service Providers
B. Existing Privacy Protections Pertaining to Telephony Services
C. Current Privacy Protections Pertaining to Video Services
D. Lack of Uniformity
III. PROPOSED FRAMEWORK FOR COLLECTION AND USE OF TRPI
APPENDIX A: MARKETING PROFILES
A. Marketing Profiles: The Heart of Targeted Marketing
B. Sources of Information for Marketing Profiles
II. THE PRIVACY ENVIRONMENT
A. Legal Environment
B. Market Environment
The real danger is the gradual erosion of individual liberties through the automation, integration, and interconnection of many small, separate record-keeping systems, each of which alone may seem innocuous, even benevolent, and wholly justifiable.
The numbers dialed from a private telephonealthough certainly more prosaic than the conversation itselfare not without "content." Most private telephone subscribers may have their own numbers listed in a publicly distributed directory, but I doubt there are any who would be happy to have broadcast to the world a list of the local or long distance numbers they have called. This is not because such a list might in some sense be incriminating, but because it easily could reveal the identities of the persons and the places called, and thus reveal the most intimate details of a person's life.
Smith v. Maryland<2>
An advanced national information infrastructure (NII) promises enormous economic, social, and cultural benefits to its users and to the nationenhanced educational and employment opportunities for all Americans, greater citizen participation, and improved delivery of government services. The NII can produce these benefits because it will facilitate and expand the flow of information from people to people and from place to place.<3> However, many people may be reluctant to use the NII if they are afraid that the personal information transmitted over it can be used in ways that are unexpected or inappropriate. Thus, if government and the private sector want to encourage the vigorous consumer activity needed to unlock the full potential of the information infrastructure, they must acknowledge and safeguard the legitimate privacy interests of NII users.
More than sixty years ago, Supreme Court Justice Louis Brandeis characterized the right to privacy"the right to be let alone [as] the most comprehensive of rights, and the right most valued by civilized men.<4> A 1993 public opinion survey by Louis Harris & Associates found that 83% of Americans are concerned about threats to personal privacy.<5> This reflects a five point increase over responses to the identical question posed a year earlier, and a 49 point increase from a similar poll conducted in 1970.<6> In addition, a survey of members of the U.S. Chamber of Commerce revealed "a staggering 59.2% . . . stat[ing] that they view the emerging issue of privacy in telecommunications as very important; 34.8% felt it was moderately important.<7> Furthermore, the Privacy Rights Clearinghouse (PRC) reports that consumers are "frustrated by a lack of control they have over the use of their personal information;" and "suffer" from a lack of understanding about how information about them is collected, used, and distributed and from a "misunderstanding" of existing privacy protection laws and regula tions.<8>
"Privacy" means different things depending on the context.<9> Among the many notions of privacy, growth of the NII primarily raises concerns about information privacy. That term refers to an individual's claim to control the terms under which "personal information" information that can be linked to an individual or distinct group of individuals (e.g. , a household)<10>is acquired, disclosed, and used.<11>
Information privacy promotes two principal interests. It recognizes that control over personal information is important because mere awareness by others of certain types of information is potentially harmful. For example, an individual may want to keep certain types of health data confidential from the general public because its disclosure could cause the person embarrass ment. Information privacy also recognizes that personal information can be used improperly, unfairly, or for purposes other than those intended by an individual. For example, an individual may refuse to disclose his or her social security number or mother's maiden name, not because disclosure in itself would be harmful but because that information could be used to gain telephone access to banking records.<12>
Concerns about safeguarding privacy will likely grow as the NII becomes a pervasive, functioning reality.<13> As the NII is built, more and more individuals will use it to execute an ever-expanding range of transactions involving, for example, business, entertainment, banking, education, recreation, and even health care. These transactionsby their very execution on the NIIcreate electronic records, which are easily stored and processed.<14>
Further, because the costs associated with storing, processing, and distributing personal records are continuously decreasing, accumulating personal information from disparate sources will become a cost-effective enterprise for information users with interests ranging from law enforcement to direct marketing.<15> For example, in one case, journalists spent an average of $112 and 75 minutes on-line to find financial, legal, marital, and residential histories of various luminaries, such as movie producer George Lucas and White House Chief of Staff Leon Panetta.<16> Finally, entirely new modes of communication and transactions may be created that are not contemplated by current privacy regulations and policies,<17> which are typically tied to today's or even yesterday's technologies. For instance, interactive, switched, broadband communications networks, which will enable individuals to educate and entertain themselves, to shop, to receive health care, to bank, and to participate in government over a single network, could pose new privacy concerns. In the absence of subscriber privacy provisions appropriate to such networks and technologies, it will be possible for others to track and store information about the daily activities of one's life.
These developments presage an information environment in which more personal information will flow more quickly, more widely, more invisibly, and more cheaply with fewer legal and social constraints. To understand better the privacy issues implicated by that environment, the National Telecommunications and Information Administration (NTIA)<18> released a Notice of Inquiry<19> on private sector use of telecommunications-related personal information.<20> We received 46 formal comments from industry, the press, academics, privacy advocates, and individuals.<21> These comments, supplemented by consultations with stakeholders in the privacy debate, feedback from experts, and independent research, form the basis of this report. NTIA hopes that this White Paper will serve as a catalyst, inspiring industry and consumer advocates to work together to instill the consumer confidence essential for the viability of the NII.
As the President's adviser on telecommunications and information policy, NTIA in this paper will focus on private sector collection, use, and dissemination of telecommunications- related personal information (TRPI)personal information that is created in the course of an individual's subscription to a telecommunications or information service or as a result of his or her use of that service.<22> To illustrate the concept of TRPI, consider an electronic mail service that allows individuals to log on to the service via modem and send e-mail messages through the Internet.<23> To subscribe to this service, the provider will typically collect some basic information about the customer, such as name, home address, home telephone number, work telephone number, type of e-mail service requested, and credit card (or other payment) information. Once the e-mail service has been installed, additional data will be generated each time the customer sends an e-mail message. That includes all the personal information created in the course of routing a message from the individual to the addressee (e.g., header information on an e-mail message), as well as certain accounting information, which, depending on how the service charges its customers, could include the date, time, subject line of message, and its length. All of this subscription and usage data constitutes TRPI.
Although most consumers are probably aware that telecommunications and information service providers collect a wide range of subscription data, they may be less aware of providers' accumulation of other TRPI and the uses to which that data can be put. Many consumers may have the same level of awareness as the woman who told a caller trying to sell long distance service that she did not make many out-of-town calls:
"I'm surprised to hear you say that," she recalls him saying. "I see from your phone records that you frequently call Newark, Delaware, and Stamford, Conn." . . . "I was shocked, scared, and paranoid," she recalls. "If people are able to find out who I call, what else could they find out about me?<24>
The risks for consumers will likely increase in the future as several related factors induce providers of telecommunications and information services to become more sophisticated and aggressive in their use of TRPI. First, the continuing growth of competition in those markets will increase the number of firms competing for consumer attention. In that environment, companies like the enterprising long distance service provider in the foregoing anecdote will find TRPI a powerful resource for identifying potential customers and tailoring the companies' marketing strategies to maximize customer response.
Second, as established service providers diversify into other lines of business, their existing reservoir of TRPI will help them sell those new services more effectively and at less cost. Thus, when MCI and Rupert Murdoch's News Corp. announced a joint venture to market on-line information services, MCI executives said that they would use TRPI in their "Friends and Family" database to offer these services to some of MCI's current long distance customers.<25>
Third, as competition continues to squeeze profit margins, more and more telecommuni cations and information service providers may come to view the sale of TRPI as an additional, low-cost revenue stream. However, it is not clear to what extent consumers will accept such practices. For example, although companies have long made a practice of extracting information from local phone books and selling it to marketers, when telephone companies have announced their intent to sell customer listings, they have been met with opposition. In 1990, New York Telephone informed its customers through billing statements about its plans to sell customer listings, and 800,000 customers asked to have their names removed from the lists.<26> Bell Atlantic experienced a similar reaction when it announced plans to sell its "white pages" directory lists in July 1995.<27> Furthermore, in response to the public comments the Federal Communications Commission (FCC) received to its Notice of Proposed Rulemaking on Caller ID,<28> it passed rules prohibiting the sale or reuse of automatic number identification (ANI)- derived information without first notifying the originating telephone subscriber, and obtaining his or her affirmative consent for such reuse or sale.<29> ANI, a subset of TRPI, is a signaling protocol used by carriers to automatically identify a calling party's billing telephone number. Some states have adopted similar rules restricting the use of ANI.<30>
The coming years thus promise increasing tension between the desire of telecommunications and information service providers to expand the use of TRPI to market new servicesmany of which will doubtless benefit consumersand consumers' desire to control the dissemination of potentially sensitive personal information. The relevant questions for policy makers are: what level of privacy protection adequately balances the legitimate interest of individuals and service providers; whether existing laws and regulations provide the desired level of protection; and, if not, what changes should be made.
The United States currently has no omnibus privacy law that covers the private sector's acquisition, disclosure, and use of TRPI. Instead, American privacy law comprises a welter of Federal and state statutes and regulations that regulate the collection and dissemination of different types of personal information in different ways, depending on how it is acquired, by whom, and how it will be used.<31> Although these laws provide some level of privacy protection, they are not comprehensive in the sense that they do not apply uniformly to all service providers.
As discussed more fully below, this is particularly true with respect to the principal regulations governing the acquisition and use of TRPI by certain providers of telecommunica tions and information servicesthe FCC's rules pertaining to telephone companies' use of customer proprietary network information (CPNI) and the provisions of the 1984 Cable Act regulating the disclosure of "personably identifiable" subscriber information by cable television operators.<32> Because those requirements were imposed on a limited group of service providers, they afford consumers little, if any, protection against inappropriate use of TRPI by other types of service providers. As importantly, the limited applicability of those regulations virtually guarantees that different firms will have differing privacy obligations even when they offer similar services, creating a situation that could be potentially disadvantageous to one competitor or group of competitors.
To rectify these limitations in existing telecommunications privacy law and to provide consumers with a uniform privacy standard, NTIA has applied the Information Infrastructure Task Force's (IITF)<33> NII Principles for Providing and Using Personal Information to the telecommunications sector in order to offer a framework for the acquisition and use of TRPI by telecommunications and information service providers. We hope that this recommendation will contribute to the broader debate regarding privacy concerns and the NII, assist the Administra tion's IITF, its Advisory Council,<34> the FCC, Congress, state and local governments, and private sector policy makers as they grapple with this important issue. NTIA also hopes that this application of the IITF's Principles will encourage other sectoral analyses.
As stated above, NTIA's proposed framework draws upon the IITF's Principles and has two fundamental elementsprovider notice and customer consent. Under NTIA's proposed framework, each provider of telecommunications and information services would inform its customers about what TRPI it intends to collect and how that data will be used. A service provider would be free to use the information collected for the stated purposes once it has obtained consent from the relevant customer. Affirmative consent would be required with respect to sensitive personal information. Tacit customer consent would be sufficient to authorize the use of all other information.
This approach, if embraced by industry, would allow service providers and their customers to establish the specific level of privacy protection offered in a marketplace transaction, free from excessive government regulation, so long as the minimum requirements of notice and consent are satisfied. The uniformity contemplated by this approach means its adoption would not create competitive imbalances among rival firms, but would preserve their ability to compete on privacy as vigorously as they compete on price, service, and quality.<35> Further, because NTIA's recommended framework gives companies considerable flexibility in giving notice and securing consent, implementation of that approach should not be overly burdensome. On the other hand, this approach would reassure consumers that their reasonable privacy expectations will be respected when they use the NII. Uniformity across the communications sector should encourage more consumer use of the NII which, in turn, would create and expand market opportunities for information and to service providers of all types. For these reasons, NTIA believes that it is in the private sector's interest to adopt the privacy framework outlined in this paper, without waiting for formal government action.
Communications providers play an absolutely critical role in transmitting information among transacting parties in our society. In the course of transmitting information, communications providers are privy to a wide variety of TRPI. For example, in providing long-distance telephone service, telephone companies generate calling records that identify the origination and destination telephone numbers, and the time and length of each phone call. Such information may be disclosed or used in ways inconsistent with an individual's expectation of privacy. In one prominent case involving two Florida Public Service Commission officials, a private investigator obtained a year's worth<36> of telephone calling records.<37> Although the officials were surprised to learn of the activities of the private investigator, a subsequent investigation confirmed that the disclosure by the telephone company was legal under state and Federal law.<38>
While recognizing a growing variety of services in the communications marketplace, this discussion will focus on two particular communications servicestelephony and videoas representative examples of how and what types of TRPI are routinely collected and of regulatory and statutory protections currently available for limiting the disclosure of TRPI. This review indicates that current legal norms have led to a patchwork of privacy protection that may lead to disparate treatment of different service providers even as they provide similar services. Already, technological advances and market deregulation are dissolving traditional distinctions between communications providers such as telephone companies and cable operators. Telephone companies are beginning to offer cable-like services; cable operators are beginning to offer telephony-like services; and companies are forming hybrid alliances to develop new advanced communications services.<39> With an increasing convergence among services and service providers, differences in the handling of TRPI may lead to competitive inequities and customer confusion, which may in turn hinder the deployment of new services and technologies.
Telephone servicesboth local and long distance servicesgenerate a wealth of TRPI. When a customer subscribes to a telephone service, TRPI in the form of subscription data is collected to initiate and secure the commercial relationship between the individual and the telephone service provider. Such data might include the subscriber's name and address; number and types of access lines (e.g., residential or business) used; any chosen advanced services (e.g., call handling features such as call waiting, caller ID, call forwarding, and anonymous call rejection); and choice of prescribed interexchange carrier.
With each phone call an individual makes, the telephone service provider collects TRPI in the form of transactional data. This includes routing data necessary to deliver the communicative content between the calling parties, as well as the accounting data necessary to bill the appropriate individuals. As noted above, for each call, this transactional data typically includes the originating phone number, destination phone number, and depending on the circumstances, the time and length of the call.
As Justice Stewart noted,<40> these calling records can reveal a great deal about the individual even without divulging the communicative contents of the phone call. With the help of a reverse- telephone directory, available in many libraries, one can easily identify the names and addresses associated with the originating and destination phone numbers. Such information could reveal the identity of one's friends and colleagues, and the patterns of one's work and sleep.
Video service providers collect types of subscription data similar to that collected by telephone service providers. In addition to name, address, and telephone number, they typically will compile information concerning tiers of service or specific premium channels requested, carrying such programming as popular movies, children's shows, sports, or adult entertainment. Subscription data will also likely include the types of equipment necessary to initiate the video service, such as number and type of wireline outlets or satellite dishes, set-top boxes, and remote controls. In addition, transactional data will be collected whenever individuals select specific video programs that are billed separately, as in pay-per-view programs. This may include the video program selected, the date, and time.
Thus, a great deal of information is collected currently by both telephony and video service providers. However, because of differences in the way that those markets developed and the way in which they were regulated, the regulations and policies governing the accumulation and use of such information vary among markets and, frequently, among firms competing in the same market. The following discussion highlights that variety and outlines some of the problems that it creates for safeguarding personal information privacy, now and in the future.
In addition to government regulations concerning the acquisition, disclosure, and use of TRPI by telephone service providers, many of those companies have long-standing internal policies to safeguard customer privacy.<41> These policies generally make one restriction clear: calling records shall not be disclosed to third parties. For example, BellSouth stated in its comments that it does not provide unauthorized third parties access to consumer toll records or accounts.<42> A few telephone companies have recently developed more formal privacy codes that specifically inform residential customers about company information practices and options for limiting access to personal information. For example, Pacific Bell indicated that its privacy guidelines allow customers to prohibit information collected about them to be used for marketing purposes.<43> Bell Atlantic's residential customer information privacy principles include disclosure policies regarding how personal information is collected and used.<44> In September 1995, MCI announced that online internetMCI customers could call a toll free 800 number to prevent personal information about themselves from being included in on-line directories or made available to third parties.<45>
There is evidence, however, that the privacy policies of telephone companies may not always be followed. For example, it appears that private investigators regularly obtain calling records. As reported in the Wall Street Journal:
Although most phone companies say they won't release information unless they are subpoenaed, the information is released on an informal basis all the time, says Mr. [Robert Ellis] Smith, of Privacy Journal. He says most such releases are arranged by law-enforcement officials who have relationships with telephone-company employees.<46>
In another well known example, an Alaskan oil pipeline company hired a private security firm to obtain the calling records of its critics.<47> During a subsequent investigation, a former state prosecutor testified at the hearings that telephone companies routinely provide calling records to contractors, with knowledge that the records will be sold to private investigators.<48> In fact, companies specializing in calling records target advertisements to private investiga tors.<49>
As for government action, the FCC has established regulations governing the use and disclosure of customer proprietary network information (CPNI).<50> CPNI is essentially TRPI that is collected in providing telephony services and "encompasses any information about customers' network services and their use of those services that a telephone company possesses because it provides those network services.<51> CPNI includes "information related to the type(s), location(s), and quantity of all services to which a customer subscribes, how much the customer uses them, and the customer's billing records.<52> These requirements only apply to interstate services.
The Commission's CPNI rules were not specifically implemented to address privacy concerns.<53> The primary consideration was that if dominant service providers had detailed information about customers' basic service requirements, this information could be used to gain an anticompetitive advantage in unregulated markets, specifically the enhanced service and customer premises equipment markets. Consequently, the rules only apply to a limited number of companiesthe Bell companies,<54> and GTEand do not protect the CPNI of all customers.<55>
Under the CPNI rules, if a customer requests confidential treatment of CPNI, the Bell companies and GTE must not disclose this information to their affiliates or to third parties. If no confidentiality request is made, then the rules vary about the type of protection that the data is accorded.<56> The Bell companies and GTE are required to notify only multi-line customers of the right to request confidential treatment of CPNI. Single-line and residential customers need not be notified, and no prior authorization is required before using the CPNI of these customers for marketing or other purposes ancillary to the provision of telephone service.
More significantly, there are no FCC prohibitions on the disclosure and use of CPNI by more than one thousand independent local exchange carriers, non-wireline cellular carriers, interexchange carriers, competitive access providers, or other businesses engaged in the provision of telecommunications services. Similarly, the FCC's CPNI rules currently would not apply to traditional cable operators when they begin to provide telephone service.
Unlike telephone service providers, video carriage service providers<57> can play a dual role, providing both programming and the transmission service necessary to reach their customers. Although cable television service is the most widely known video carriage service, many telephone companies have announced plans to provide video carriage through wire-based telephone networks adapted to transmit video content. Moreover, a growing number of firms are offering video programming services using wireless technologies such as direct broadcast satellites (DBS) and "wireless cable" services.<58>
The privacy concerns associated with video carriage are similar to those concerns that prompted passage of the Video Privacy Act of 1988 (Video Act). During Judge Robert Bork's Supreme Court nomination hearings, 146 video titles rented by him and his family were disclosed to the press.<59> Congressional testimony revealed that Judge Bork's case was not isolated. Various examples of demands for video transactional records were mentioned, including an attempt to use video tape records to show that a spouse was an unfit parent, and a defendant in a child molestation case who wanted to show that the child's accusations were based on movies viewed at home.<60>
The Video Act prohibits video tape service providers from knowingly disclosing personal information, such as titles of video cassettes rented or purchased, without the individual's written consent.<61> It permits disclosure of mailing list information (names and addresses) if the individual has been given a conspicuous opportunity to prohibit such disclosure.<62> The mailing list can identify the subject matter (but not specific titles) of customer video selections, as long as that mailing list is used solely to market goods and services directly to the individual.<63> Finally, the Video Act requires personal information to be destroyed "as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected," provided that statutorily recognized requests for such information are not pending.<64>
Congress also acknowledged potential privacy concerns associated with delivering video programming over cable networks when it included subscriber privacy provisions in the Cable Communications Policy Act of 1984 (Cable Act). The Cable Act requires cable operators to notify subscribers at the time of subscription and, at least annually thereafter, of the operator's personal information practices.<65> Absent a subscriber's prior written or electronic consent, the Act allows a cable operator to collect personal information only if it is necessary to render the requested services or to detect unauthorized reception of cable communications.<66> Further, the Cable Act generally prohibits the disclosure of personal information unless such disclosure is necessary to render the services requested or to a "legitimate business activity related to" such service.<67> With few exceptions, any other collection or disclosure of personal information requires prior consent by the individual.<68> Finally, the Cable Act requires personal information to be destroyed if the information is no longer necessary for the purpose for which it was collected and if there are no legally recognized, pending requests for such information.<69>
A review of the Video Act reveals that it may not be applicable to consumers of video services provided over telecommunications networks. This is because the Video Act was intended to cover the traditional rental, sale or delivery of video cassette tapes or similar material from a video store.<70> It therefore may be argued that because video carriage does not involve a delivery of a physical tape or similar material to the individual, and is instead transmitted electromagnetically through wireline or wireless facilities, the Video Act does not apply to video programming transmitted through telecommunications networks.<71>
While the Cable Act obviously applies to video carriage provided by cable operators, it does not expressly apply to video carriage by DBS or wireless cable service operators.<72> Moreover, it is uncertain whether it will apply to LEC provision of video programming. This question turns on whether LECs are deemed "cable operators" within the meaning of the Cable Act. If LECs operate under a purely common carrier VDT model, they may not be considered cable operators.<73> On the other hand, if LECs operate in a manner similar to cable operatorsthen they may be deemed cable operators.<74> In absence of other privacy provisions regarding personal information generated as a result of subscribing to video services electronically, consumers of seemingly like video services may or may not receive disparate levels of protection, while providers of these services may or may not be subject to different regulatory requirements.
This brief review of TRPI disclosure protections relating to telephony and video carriage services reveals the lack of intraservice uniformity: like services do not have like privacy protection. With respect to telephony services, for example, Federal regulations grant individuals the right to ask for confidential treatment of CPNI but only from certain telephone companies the Bell companies and GTE. Similarly, the notice requirements that apply to the Bell companies and GTE differ depending on the type of consumer. Multi-line customers are given notice about their privacy rights; single-line customers are not. To complicate matters further, a few states provide privacy protection for intrastate service regardless of which telephone company is involved.
There is also a lack of intraservice uniformity for video carriage. The privacy provisions of the Cable Act do not apply to DBS and wireless cable operations. And it is not clear whether the Cable Act applies to LECs that operate as video service providersalthough from a consumer's perspective, such services are functionally indistinguishable.
In addition, there is a lack of interservice uniformity because like-types of information are not treated in like-ways, across different communications services. Many other types of communications services that generate TRPI, as sensitive as TRPI generated by telephone service and video carriage, are almost entirely unprotected. For example, the Internet, a global network of networks, which can be used for interactive, point-to-multi-point communications, is not subject to consumer privacy regulations. Internet access is provided by dedicated Internet service providers (ISPs) or on-line services that have gateways to the Internet.<75> Depending on the particular technological configuration, the ISP may have TRPI in the form of "calling" records (e.g., what Internet Protocol address communicated with whom and when), transactional records of files uploaded or downloaded, and electronic mail messages sent and received.<76> Besides the Electronic Communications Privacy Act of 1986 (ECPA), which forbids only divulging the contents of a communication, no federal privacy laws apply to TRPI collected by those who provide Internet access.<77>
On the horizon are a new generation of communications services that will combine the two- way, switched features of telephone service, the full interactivity of the Internet, and the broadband capacity of video carriage. LECs planning to carry video may expand their facilities to include fully two-way interactive video traffic.<78> Traditional cable operators are restructuring their service platforms with fiber-optic trunk lines, data compression, and high speed switching to provide interactive multimedia communications.<79> Importantly, convergence will occur not only between technologies, firms, and services, but also between functions so that communica tions providers will become content providers and vice-versa. As these new communications services become widely available, providers will have access to greater amounts of more sensitive TRPI. Of course, one cannot know precisely what sorts of TRPI will be collected because these new communications services are not fully designed, much less fully operational. It is also uncertain which, if any, privacy protections will apply to such new services. For example, it is uncertain whether the Cable Act could apply to these new interactive broadband networks because truly interactive services may not be deemed a "cable service" within the meaning of the Act.<80>
The limitations and weaknesses in the telecommunications privacy regulations discussed above underscore the need for a more comprehensive approach governing the collection, use, and dissemination of TRPI by providers of telecommunications and information services. Of course, any such approach must recognize that information privacy can never be absolute in a sociological setting: no individual who lives in a society can have total control over each bit of personal information. In fact, as various commenters pointed out, the free exchange of personal information promotes consumer welfare by encouraging firms to develop and market the goods and services that most interest their existing and potential customers.<81> On the other hand, the new information environment may promote the acquisition and use of personal information in ways that violate deeply held societal values about confidentiality and fairness.
The Administration recognizes that, in some circumstances, "an individual's privacy can often be best respected when individuals and information users come to some mutually agreeable understanding of how personal information will be acquired, disclosed, and used.<82> Under this "contractual approach" to privacy protection, companies would inform their customers about what sorts of personal information the firms intend to collect and the uses to which that information would be put. Consumers could then either accept a company's "offer," or reject it and shop around for a better deal. The contractual approach reflects the hope that individuals and the parties with whom they do business can agree, in whatever form the agreements may be made, about how TRPI and other personal information will be acquired, disclosed, and used all without substantial involvement by the government as referee. Rather than relying on the government to determine what information should be protected, consumers and service providers could decide among themselves what is the optimal level of privacy protection. In this way, the contractual approach seeks to minimize government involvement in assessing and resolving privacy problems.
Nevertheless, although the contractual approach has many virtues in theory, it may not provide a sufficient level of privacy protection in practice. That approach yields maximum benefit in a vigorous competitive marketplace, where privacy is one of the terms on which businesses struggle for customers and where consumers can walk away from transactions that do not provide adequate privacy protection, secure in the knowledge that other offers will be readily available. In contrast, in markets where essential or highly desired services are provided by a single firm or a small group of dominant firmssuch as the local telephone and video service marketscompetition on privacy will be, at best, weak and consumers will not be able to reject or renegotiate unacceptable privacy "offers." In other circumstances, a contractual approach could produce instances where service providers offer privacy protection only at a premium, to the detriment of poor and low income consumers.
For these reasons, NTIA does not support adoption of a "pure" contractual approach. Rather, we favor a modified contractual model that allows businesses and consumers to reach agreements concerning the collection, use, and dissemination of TRPI, subject to two fundamental requirementsprovider notice and customer consent. Our recommended approach should adequately protect individuals' legitimate privacy interests without excessive government intervention in the marketplace. Further, by giving consumers effective controls over the use of TRPI generated by their subscription to and use of the NII, that approach should expand consumer demand for NII facilities and services. That, as noted above, should produce substantial benefits for individuals, businesses, and society as a whole. Because these benefits can be produced with minimal costs to business, NTIA expects that the private sector will have strong incentives to voluntarily implement the modified contractual framework outlined below. If such private sector action is not forthcoming, however, that framework can and should form the basis for government-mandated privacy regulations or standards.
The notice component of NTIA's modified contractual framework is grounded in the principles of fair information practices released by the IITF's Privacy Working Group in June 1995, after two years of deliberation, including field hearings and two rounds of public comment.<83> At the crux of these principles is the Notice Principle, which states:
Information users who collect personal information directly from the individual should provide adequate, relevant information about:
- Why they are collecting the information;
- What the information is expected to be used for; [and]
- What steps will be taken to protect its confidentiality, integrity, and quality<84>
Adequate notice requires that consumers be informed about how personal information is collected, processed, exchanged, disclosed, and used in our rapidly evolving information infrastructure.<85> In any particular transaction, an individual should have adequate information on which to decide whether to accept the offered service under the clear terms concerning the use of personal information. Such notice should be conspicuous and in plain language so that consumers have the necessary information to exercise sound judgment about the level of privacy protection that they desire and what is available to them.<86> It must clearly instruct the consumer that a choice is required, and it must reach the consumer before the company uses the TRPI for unrelated purposes.
These criteria provide a framework against which "adequacy" may be assessed. When personal information is collected and used only to render a service, explicit notice may not be required because the individual is already aware of the extent of that information's collection and use. For example, if a company sells long distance service to an individual, that company ought to be able to use TRPI to detail the customer's calling patterns and to develop a long distance offering that better suits the consumer's needs. However, for uses unrelated to the original service offering, consumers may have no such expectation and, indeed, may have given little thought to how their TRPI could be used. Put another way, a consumer's decision to purchase one service cannot reasonably be seen as tacit consent for company use of TRPI to develop and market another service. Thus, telecommunications and information service providers should give their customers plain and conspicuous notice of any unrelated or ancillary use of their TRPI.<87>
Notice requirements should also change as telecommunications and information companies become multiple service providers. For instance, local exchange carriers will likely offer a variety of different services, including access to the Internet and interactive multimedia services in addition to local telephone service. Although many consumers might have implicitly understood, in the past, that phone companies would use information collected about them for offerings tailored to their particular needs, subscribers to these more advanced networks may not understand that TRPI collected about them for telephone and video service purposes could also be used to sell them on-line shopping services, for example. As a result, more explicit notification may be needed for subscribers of multiple service networks to understand how their TRPI will be used for internal customer marketing purposes.<88>
There may be a range of notice procedures that will adequately inform consumers about the intended use of their TRPI, while minimizing costs for industry and, ultimately, customers. For some service providers, notice can most easily be given at their first contact with prospective customers. For example, when individuals subscribe to most on-line information services, such as CompuServe or Prodigy, they are typically given several choices concerning dissemination of their TRPI, including the option not to have such information disclosed at all. Other companies may find it more cost effective to include a privacy notification in the written materials they send to consumers to confirm the terms and conditions of their service agreement. Still other firms may provide notice as one of the myriad inserts that they commonly include in their customers monthly bills. If the notification meets the criteria outlined above, it should adequately address the needs of consumers.<89>
This approach gives companies sufficient flexibility that they should be able to notify their customers about their information practices without incurring excessive costs. When firms receive service requests from customers over the phone, companies typically spend time to collect a wide range of information from those customers. Similarly, companies commonly send a mass of written materials to their current and prospective customers, seeking to interest them in new services. The incremental costs of including a privacy notification in those phone conversations or those written solicitations should not be significant.
The other fundamental component of NTIA's privacy framework is customer consent. Notifying consumers of company practices concerning TRPI would have little practical effect if consumers did not have a meaningful opportunity to accept or reject the terms offered. Indeed, in those service markets dominated by a single suppliersuch as local telephone service and the delivery of multichannel video programming to the home, the absence of any consent requirement would give consumers only a Hobson's choicebetween accepting company TRPI policies that do not provide an acceptable level of privacy protection and foregoing a highly desired, even essential service.
Most companies agree that individuals should have the right to limit or prohibit ancillary or unrelated uses of personal information, such as disclosing information to third party marketers. In the words of the Direct Marketing Association (DMA)<90>whose membership includes many communications providers:
Consumers who provide data that may be rented, sold, or exchanged for direct marketing purposes periodically should be informed of the potential for the rental, sale, or exchange of such data. Marketers should offer an opportunity to have a consumer's name deleted or suppressed upon request.<91>
Consumers who provide data that may be rented, sold, or exchanged for marketing purposes should be informed . . . of the opportunity to opt-out of the marketing process.<92>
Similarly, Time Warner encourages the use of the Department of Health, Education and Welfare's 1973 privacy principles which, among other things, state that "[i]ndividuals should have the ability to limit the disclosure of information about them that was obtained for one purpose from being disclosed for other unrelated purposes.<93>
The more controversial policy issue is how consumer consent should be obtained. That debate centers around two contending concepts"opt-in" and "opt-out.<94> Under an opt-in approach, companies cannot use TRPI for ancillary purposes until the individual first gives consent. In an opt-out program, information can be used in an ancillary manner unless the individual affirmatively opts-out of such practices within some allotted time. Opt-in thus requires expressed consent: an individual's silence means that the information cannot be used. Opt-out garners tacit consent: silence means that the information can be used.
The choice between opt-in and opt-out is not a simple one. Although privacy is a fundamental personal right that must be adequately protected, it is also true that the level of privacy protection desired varies widely among consumers. Furthermore, the free flow of informationeven personal informationpromotes a dynamic economic marketplace, which produces substantial benefits for individual consumers and society as a whole.
Not surprisingly, many service providers argue that securing customer consent through an opt-in procedure "could harm innovation and prevent desirable services from emerging.<95> They also contend that individuals cannot accurately predict today what they may find useful tomorrow. As a result, an opt-in approach may prevent uses of personal information that individuals may in fact want.<96> In fact, in a national survey conducted by Louis Harris, a majority of consumers polled (52%) indicated that they would be interested in participating in subscriber profiling activitiesreceiving advertising and information about products and services matching their particular interestsover interactive networks, and 48 percent would be "somewhat" interested in supplying information that would enable them to receive special offers.<97> On the other hand, it may be argued that individuals cannot accurately predict how seemingly innocuous information may be used in inappropriate ways. Thus, an opt-out approach may lead to uses of personal information that individuals would reject.
NTIA believes, on balance, that the mechanism for securing customer consent for company use of TRPI should depend on the nature of that information. Companies should not make any ancillary use of "sensitive" TRPI without first obtaining explicit authorization from the relevant customer. On the other hand, a company should be allowed to use non-sensitive TRPI for unrelated purposes unless the customer affected, having been notified of the company's plans, takes some action stopping such usesuch as making a telephone call or mailing in a form by a certain date.<98> When the date for customer action has passedbut not beforethe company should be free to use the customer's TRPI in the ways identified. Whatever the mechanism for securing customer consent, however, consent should never be a precondition for receiving service. That is to say, subscribers may not be denied service because they decline to authorize use of their TRPI for purposes other than rendering the service requested.<99>
Requiring affirmative consumer consent in the case of sensitive information is consistent with the intuition that individuals should have greater control of sensitive information because of the greater harm that improper disclosure or use of such information may cause.<100> It has the added benefit of minimizing the aggregate transaction costs in obtaining an individual's authorization. Many individuals would likely reject the ancillary use of sensitive TRPI. Instead of requiring the many who reject the ancillary use from bearing the transaction costs of opting- out, it is more efficient to require the few who approve that use to opt-in. On the other hand, because most people would likely not object to ancillary use of non-sensitive TRPI, it makes sense to give the responsibility of protecting that information to the few consumers who want it protected.
The promised interactivity of the NII may diminish the need to make a policy choice between opt-in and opt-out. Such interactivity would make it possible for service providers to obtain consent to use TRPI from subscribers electronically before any services were rendered. This development would reduce the need for privacy protection policies that impede the flow of information exchange by creating "a process that requires mailing out consent forms, waiting for them to return, and then processing them before any data can be used or collected.<101> It would also allow providers greater flexibility to construct a variety of contract levels with subscribers for use of their TRPI, while leaving it up to consumers to ultimately determine which levels of access and use of their TRPI they will allow.
NTIA also recognizes the importance of enhanced consumer education in this area.<102> Education serves two purposes: empowerment giving consumers control of how their personal information is used; and understandinghelping consumers to understand how their personal information can be used in beneficial ways, thereby increasing their willingness to use the NII. Similar to the efforts of some Bell companies to educate consumers about their options for handling unwanted sales calls according to the provisions of the TCPA,<103> NTIA recommends that industry work with consumer advocacy organizations, industry associations, and community groups to more effectively educate consumers about their opportunities to limit disclosure of TRPI.<104> Consumer education should be an integral part of any effective provider notification policy.
Although the United States currently has a number of laws and regulations governing private sector acquisition, use, and disclosure of TRPI, those provisions are limited in scope and inconsistent in application. They generally are confined to a specified group of existing services, and do not apply to all providers of any one service. Developed to address particular problems in particular circumstances, prevailing privacy protections in this area do not apply to many of the next generation of services that are rapidly arriving and could not readily be adapted for that purpose.
Some remedial action is warranted. The privacy framework described in this paper enables service providers and their customers to come to mutually agreed upon contracts regarding the use of TRPI independent of government intervention. The advantages for consumers and the private sector are obvious. Consumers benefit from a privacy standard that affords them with the same TRPI safeguards for like services across the communications sector. Uniform, effective and understandable privacy protections should also reduce a major potential barrier to consumer use of the NII as consumers better understand how their personal information is used and exercise their right to control its use. Increased public confidence in how personal information is acquired, disclosed, and used could thereby stimulate consumer demand for the many services that businesses will seek to offer over that network of networks.
Uniform privacy requirements will further benefit the private sector by eliminating a potential source of competitive advantage or disadvantage among rival providers of telecom munications and information services. At the same time, NTIA's recommended approach gives private firms considerable flexibility to discharge their privacy obligations in a way that minimizes costs to the firms and to society. For all of these reasons, NTIA believes that both consumers and the private sector will benefit substantially from voluntary implementation of that approach. If, however, industry self-regulation does not produce adequate notice and customer consent procedures, government action will be needed to safeguard the legitimate privacy interests of American consumers.
Ultimately, defining the balance between the free flow of information and an individual's right to privacy over an NII revolves around trust. If consumers feel that their personal information will be misused or used in ways that differ from their original understanding, the commercial viability of the NII could be jeopardized as consumers hesitate to use advanced communications networks. Whether through government intervention or industry self-regulation, consumers will have to feel comfortable with how personal information is used, and with their ability to control its use in a meaningful way.
So, we can look at your customers and tell you a lot more about them. More than you ever thought possible. And not as a group, but as individuals. By exact age. Sex. Income. Lifestyle characteristics. Life event. And more. And we can help you decide the most effective ways to use this type of information to achieve your marketing goals.
In addition to communications providers, many other parties will also have access to consumer information on the NII. These others include transacting parties, such as merchan disers, that do business with individuals via telecommunications but have no role in the communications service itself. They also include other types of transaction facilitators, such as electronic payment providers, that help individuals and transacting parties execute their transactions.
The enormous variety of transacting parties and transaction facilitators makes it impos sible to analyze the particular privacy concerns associated with each party. One common thread, however, links how nearly all these players seek to use TRPI: to create marketing profiles. A marketing profile is a record of an individual's characteristics created by acquiring personal information from multiple sources and used to target products and services. Given the impossibility of analyzing each type of transacting party and transaction facilitator, it makes sense to explore the privacy issues implicated by this one common thread.<2>
The general subject of marketing profiles does not fall squarely within the scope of this paper because, as explained below, such profiles comprise information not classified as TRPI. Nevertheless, an examination of marketing profiles is germane to this paper for two reasons. First, the electronic nature of TRPI makes it inexpensive to access and combine into marketing profiles. Second, as more daily transactions take place on the NII, more TRPI will be available to be incorporated into profiles.<3>
Selling personal information is big business. By one estimate, it has risen to a $3 billion per year industry and generates more than ten thousand different types of lists,<4> brokered by more than one thousand commercial services.<5> At the heart of this information indus try is the marketing profile. Marketing profiles are created and used by the private sector to maintain old customers and to target new ones. Companies sift through their internal records of customer purchaseswho bought what, when, how often, and for how muchin order to identify and cater to their most profitable customers.<6> For example, certain merchandisers now have computerized marketing profiles in "client books," which give salespeople immed iate access to "the preferences and sizes of frequent customers.<7> Using statistical modeling techniques, companies also use their sales records to determine the attributes of the "model customer" most likely to purchase a particular product or service.<8> Actual mar keting profiles are then compared with this model profile to identify those persons warranting solicitation.<9>
To refine this solicitation process, companies enrich their proprietary databases with information available from major list-compilers, which maintain sizeable national consumer databases on American households.<10> A list-compiler will enrich and analyze the com pany's proprietary personal information, develop a profile of the model customer, and identify "profile clones" from its national database as prospective customers.<11> Or, if a company knows exactly what type of person to solicit, the list-compiler can provide a customized list of names, addresses, and telephone numbers by geographical site. For example, list brokers have created catalogs of "Arabs, in Their Native Lands, Who Gamble and Invest;" "Doctors Who Are Known to Have Gambled;" and "Jewish Philanthropists and Investors.<12>
The personal information found in marketing profiles comes from three sources: public records; internal recordsrecords collected directly from the individual by the profiler; and external recordsrecords obtained by the profiler not directly from the individual but from some third party.
Public records are records collected by the government pursuant to various research, licensing, administrative, and adjudicatory schemes, that are somehow made available for public inspection. Depending on the state, such records could include "census tract data, county assessments, deed transfer records, electoral records, suits, liens, and judgments, [and] business and professional licensing records.<13> They may also include automobile registration, driver's license registration, birth records, and death records. Finally, they even include the National Change of Address ("NCOA") file, sold by the United States Post Office to those tracking individuals on the move.<14> Public records can reveal volumes about an individual. Moreover, based on this information, profilers can make educated guesses about other characteristics, such as income.<15>
Internal records are records collected by the profiler directly from the individual. As previously noted, both transacting parties (e.g., clothier) and transaction facilitators (e.g., credit card company) can collect various forms of TRPI in the course of an NII transaction. Given the marketing value of such information, many profilers analyzing their customers and subscribers are "aiming for 100% information capture" in the course of any single transac tion.<16>
Finally, external records are records obtained by the profiler not directly from the individual but from some third party. These third parties include, for example, social and political organizations; news and entertainment publications; and merchandisers that sell their internal records about members, subscribers, and customers to outside profilers. Profilers can obtain external records at different levels of detail. Consider, for instance, the external records that a profiler could obtain from a general clothier in a virtual mall. The profiler could rent a complete mailing list of the clothier's entire clientele. Such a list could include only the name and address (e-mail or postal) of every customer who ever made a purchase. The profiler could also buy a customized mailing list of some subset of the clothier's clientele, such as the names and addresses of customers who have purchased lingerie from the clothier in the last two years. Finally, the profiler could obtain more than just names and addresses and obtain transactional data, detailing additional fields of information in the clothier's internal records. This could include, for example, product purchased (e.g. large, red, cotton sweater), time and date, and purchase price.
By drawing from all three sources of informationpublic records, internal records, and external recordsprofilers may have a detailed marketing dossier, which includes demo graphic and psychographic information. A profile available from a national-list compiler could include: name, gender, address, telephone number, age, estimated income, household size and composition, dwelling type, length of residence, car ownership, pet ownership, responsiveness to mail offers, contributor status, credit card ownership, lifestyle, hobbies, interests, and neighborhood characteristics including average education, house value, and racial composition. This information could be added to whatever additional TRPIrevealing specific communications, purchases, services, and other transactionsin a profiler's posses sion.
The creation of marketing profiles involves first, accessing personal information, and second, matching it to a particular individual. Theoretically, legal constraints on the creation of marketing profiles could exist at each stage of the profile development process.
As discussed in the main body of this paper, a patchwork of Federal and state laws regulate the private sector's access to certain types of personal information. Of the three categories of information mined by profilerspublic records, internal records, external recordsaccess to public records is least restricted. This is because by definition, public records are made available to the public in some form, to serve some public interest such as maintaining open and accountable government. Nevertheless, access and use of certain public records have been somewhat limited despite their "public" nature. For example, various states, such as California, forbid voter registration rolls from being used for commercial purposes.<17> Another important example is the recently enacted federal Driver's Privacy Protection Act of 1994.<18>
Internal records are records collected by the profiler directly from the individual in the course of some transaction. The law can restrict a profiler's access to internal records in two ways. First, it can limit collection of TRPI to the degree that is functionally necessary. Second, the law can require the profiler to purge its internal records after it becomes no longer functionally necessary to keep.<19> For example, the Cable Act contains both types of provisions. Even though a cable operator has the technological capability to collect more TRPI than is necessary to render cable service, the Act bars them from taking advantage of that capability, unless it obtains the individual's consent. Second, a cable operator must destroy personal information when no longer necessary.<20>
The Cable Act is the exception, not the rule. The law generally does not limit a profiler's collection of TRPI in the course of transacting with an individual or facilitating that transaction. Furthermore, the law does not generally require profilers to purge their internal records after some established period. In sum, the law leaves transacting parties and transaction facilitators free to collect whatever TRPI they can and to keep whatever informa tion they collect.
The law does put various constraints on profilers from accessing certain types of external records. Federal and state laws protect to varying degrees the confidentiality of certain bank, credit, medical,<21> cable, electronic communications, and videotape rental information. But access to many other types of external records is unrestricted. Significantly, no Federal law limits a profiler's ability to access TRPI held by payment providers, such as credit card companies. Credit card companies, some of which keep permanent records of a cardholder's transactions, "can name each cardholder's favorite restaurants and vacation spots, their hobbies and where they shop for gifts.<22> These companies can compile the information from an individual's credit card purchasesthe merchant, the item, the amount, and the date and sell it to profilers without federal restrictions.
Besides access, legal constraints on the creation of marketing profiles could also conceivably be placed on the matching of lawfully obtained data into a marketing profile. For example, computer matching performed by federal agencies is somewhat regulated by the Computer Matching and Privacy Protection Act of 1988 ("Matching Act").<23> In contrast to this restraint on federal government agencies, no regulations govern the way that private sector profilers may match personal information once it is properly accessed. In other words, once a profiler legally acquires personal information, the profiler is free to sort that informa tion by individual and compile it into a marketing profile. Indeed, many commenters argued that governmental interference with how private parties "match" information legally obtained would infringe the First Amendment.<24>
B. Market Environment
Even though the access and matching of TRPI into marketing profiles are not substan tially regulated by law, the "law of the market" may nevertheless prompt adequate self- regulation. As succinctly observed by one commenter, "companies do not prosper by alienating customers.<25> For instance, market forces have prevented certain marketing profile products from reaching the market. Lotus Development Corporation, a software company, and Equifax, one of the nation's largest credit reporting bureaus, abandoned plans to market a CD-ROM database called "Marketplace: Households" in the face of widespread public criticism.<26> Many commenters pointed to such incidents as evidence that the mar ketplace protects privacy interests adequately and that governmental regulation is unneces sary.<27> Further, they cite examples of voluntarily adopted privacy codes that regulate the disclosure and use of personal information.<28>
Of course, none of these examples suggests that market forces have prevented the creation and use of marketing profiles. Without question, public records, internal records, and external records are being accessed and matched into marketing profiles. Indeed, profilers have shown much ingenuity. For example, one way for a merchandiser to acquire more telling internal records is to issue a merchandiser credit card that is co-branded with a national credit card chain such as Mastercard or Visa. As provider of the credit card, the merchandiser has complete access to the credit card holder's transaction history, including the individual's shopping history at competing stores. By issuing such credit cards, merchandisers get "a tantalizing glimpse at what its shoppers buy from rivals.<29> This information is then used to market the card holder for the merchandiser's own products.
There is evidence, however, that market forces have prevented curious members of the public from accessing marketing profiles. Many list-compilers emphasize that their databases are used only for marketing, not to satisfy anyone's idle curiosity. For instance, it is the official policy of Donnelley Marketing Inc. and Database America Co., both national list- compilers, not to allow their national consumer database to be accessed for non-business purposes.<30>
Also, comments received by NTIA did not reveal incidents of profilers obtaining external records at the transactional data level of detail. Profilers apparently obtain personal information from third parties in the form of mailing listscomplete or customizedwhich lack some of the details that transactional records tend to reveal.<31> In particular, the com ments described no instance in which profilers had official, authorized access to transactional records from payment providers, such as credit card companies. For example, American Express and Citibank have adopted policies that prohibit the disclosure of transactional records to third parties without customer consent, unless such disclosure is required by law.<32> This is not, however, to say that electronic payment providers disclose absolutely no personal information to profilers. For example, both American Express and Citibank sell customized mailing lists of cardholders (names, addresses, and telephone numbers), generat ed by profiling cardholders in-house on the basis of their purchases.<33> Depending on how customized the list is, it may be nearly as sensitive as transactional data.
Besides transaction facilitators such as credit card companies, profilers can obtain external records from parties that transact directly with the individual to provide some product or service. These transacting parties include, for example, other merchandisers, mail-order companies, and entertainment and information providers. The comments generated little information about the privacy policies of these varied transacting parties.<34> It is widely known that magazine publishers and book and music clubs often sell information about their customers to other merchandise profilers. However, NTIA received little comment on how exactly this information is divulgedas a complete mailing list (e.g., entire clientele of a CD club), customized mailing list (e.g., classical music buyer), or transactional data (e.g. , a particular individual purchased Vivaldi's Four Seasons in a particular month).
<1>World Wide Web Computer Home Page of Privacy Rights Clearinghouse, http://www.man ymedia.com/prc (quoting U.S. Privacy Protection Study Commission, 1977).
<2>Smith v. Maryland, 442 U.S. 735, 748 (1979) (Stewart, J., dissenting).
<3>The Clinton Administration envisions the NII as "a seamless web of communications networks, computers, databases, and consumer electronics that will put vast amounts of information at users' fingertips." Information Infrastructure Task Force, U.S. Dep't of Commerce, The National Information Infrastructure: Agenda for Action, 58 Fed. Reg. 49,025 (1993) [hereinafter Agenda for Action]. Many of the individual components of this "network of networks" are in place already, and U.S. companies are investing more than $50 billion annually to upgrade existing facilities and to construct new ones. The Administration's NII Initiative seeks to develop policies and programs to spur the evolution of the existing infrastructure into a network of networks. See National Telecommunications and Information Administration, Inquiry on Privacy Issues Relating to Private Sector Use of Telecommunications-Related Personal Information, 59 Fed. Reg. 6842, 6842 n.5 (1994) [hereinafter Privacy NOI].
<4>"Olmstead v. United States, 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting).
<5>Privacy NOI, supra note 3, at 6842 n.6 (citing Public's Privacy Concerns Still Rising, Privacy & Am. Bus., Sept./Oct. 1993, at 3).
<6>See Larry Tye, Proposed "Bill of Rights" Would Limit Personal Data, Boston Globe, Sept. 8, 1993, at 6 (electronic version).
<7>"Letter from Fred H. Williamson, Chairman, Telecommunications Infrastructure Task Force, U.S. Chamber of Commerce, to the National Telecommunications and Information Administration (July 12, 1994) (On file at NTIA).
<8>Privacy Rights Clearinghouse, First Annual Report of Privacy Rights Clearinghouse 11-14 (Center for Public Interest Law, University of San Diego) (Jan. 1994).
<9>Even a partial list of these ideas includes such disparate concepts as: the privacy of private property; privacy as a proprietary interest in name and image; privacy as the keeping of one's affairs to oneself; the privacy of internal affairs of a voluntary association or of a business; privacy as the physical absence of others who are unqualified by kinship, affection, or other attributes to be present; respect for privacy as the respect for the desire of another person not to disclose or to have disclosed information about what he is doing or has done; the privacy of sexual and familial affairs; the desire for privacy as the desire not to be observed by another person or persons; and the privacy of the private citizen as opposed to the public official. U.S. Congress, Office of Technology Assessment, OTA- TCT-606, Information Security and Privacy in Network Environments 82 (Sept. 1994) (quoting Edward Shils).
<10>Personal information also includes information that is not personally identifiable on its face, but identifiable in context. In contrast, aggregate information about society as a wholeits average age, income, or ethnic characteristics; its television viewing habits; its consumption patternsdoes not implicate the reasonable privacy interests of any of its members.
<11>See Information Infrastructure Task Force, Privacy Working Group, Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information, Commentary ¶2, (June 1995) [hereinafter IITF Principles]. Similar definitions of information privacy appear in the literature. See, e.g., Alan F. Westin, Privacy and Freedom 7 (1966) ("Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others."); W.A. Parent, Recent Work on the Concept of Privacy, 20 Am. Phil. Q. 341, 346 (1983) (Privacy is "the condition of a person's not having undocumented personal information about himself known by others."); Advisory Committee on Automated Personal Data Systems, U.S. Dep't of Health, Education & Welfare, DHEW Pub. No. (OS) 73-94, Records, Computers, and the Rights of Citizens at xx (July 1973) [hereinafter DHEW Principles] ("Concern about computer-based record keeping usually centers on its implications for personal privacy, and understandably so if privacy is considered to entail control by an individual over the uses made of information about him.").
<12>See generally Privacy Rights Clearinghouse, Second Annual Report 28-32 (1995).
<13>Such concerns will also be present with respect to a "Global Information Infrastructure," or GII, and these issues are already being addressed in other parts of the world. For example, the European Union has adopted a directive "on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The European Parliament and the Council of the European Union, Directive of the European Parliament and of the Council on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data, (Directive 95, 12003/4/94 REV 4) (Brussels 1995).
<14>For example, by following a users' mouse-click patterns and trails over the Internet, direct marketers can improve their ability to target users interested in a specific product. See Andy Kessler, Tracking Mouse Droppings, Forbes ASAP, Aug. 28, 1995, at 67.
Several on-line companies already track and sell information derived from "mouse droppings." For instance, Internet Profiles Corp. in San Francisco uses its software to track who visits a particular Web site, what is looked at and for how long. This company sells this information to the relevant Web site operator for $5,000 per report. John W. Verity, Bites & Bytes: Market Data for Online Advertisers, Bus. Wk. Aug. 28, 1995, at 72.
<15>Appendix A discusses privacy issues related to marketing profiles, which are records of an individual's characteristics created by accessing personal information from various sources and matching that information to a particular individual. The Appendix focuses on how merchandisers and national list-compilers acquire and process TRPI to create profiles to market products and services.
<16>See Charles Piller, Privacy in Peril, MacWorld, July 1993, at 12.
<17>See infra text at Part II (discussing these privacy protections).
<18>NTIA, a part of the U.S. Department of Commerce, is the Executive Branch agency principally responsible for developing and articulating domestic and international telecommunications and information policies. As the principal adviser to the President on these policies, NTIA conducts studies and makes recommendations regarding telecommuni cations policies, activities, and opportunities, and presents Executive Branch views on telecommunications matters to the Congress, the Federal Communications Commission (FCC), state and local governments, and the public. NTIA was established by Executive Order in 1976. Exec. Order No. 12,046, 3 C.F.R. (1978), reprinted as amended in 47 U.S.C. § 305 note (1988). Congress codified NTIA's functions in the National Telecommu nications and Information Administration Organization Act of 1992, 47 U.S.C. §§ 901-927 (Supp. V 1993).
<19>Privacy NOI, supra note 3.
<20>Without question, equally important issues regarding governmental use of personal information exist, but those issues have been discussed and analyzed elsewhere. See, e.g., The Privacy Protection Study Commission, Personal Privacy in an Information Society 345- 91 (1977). By contrast, relatively little attention has been paid to the private sector's use of personal information. Partly due to decreasing costs of information processing, the private sector has come to rival the government in acquiring and using personal information. See, e.g., John Markoff, Remember Big Brother? Now He's a Company Man, N.Y. Times, Mar. 31, 1991, at E7, ("[N]ow many computer professionals and civil liberties specialists say they fear that if a Big Brother finally arrives he may be wearing not a police uniform but a business suit."). In fact, recent polls indicate that the American public is concerned about threats to privacy from the private sector as much as from government. See Anne Wells Branscomb, Who Owns Information?: From Privacy to Public Access 17 (1994).
<21>The 46 included six local exchange carriers (LECs), three interexchange carriers, 11 information service providers and associations representing information service providers, 13 private citizens, seven public interest groups, two state public utility commissions, the American Bankers Association, the United States Council for International Business, the Independent Data Communications Manufacturers Association, and the National Cable Television Association. For convenience, all subsequent citations to "Comments" shall refer to papers filed in response to NTIA's Privacy NOI.
<22>This paper does not address privacy issues related to the contents of a communication. Content data is the content of a communication between two parties. It is information, typically authored or prepared by one party, and sent to another party. By contrast, transactional data is information created in the course of transmitting content data. Although privacy of content data raises important questions, these questions have been examined, principally in the debate over law enforcement's ability to intercept digital and encrypted communications. See generally U.S. Congress, Office of Technology Assessment OTA- TCT-606, Information Security and Privacy in Network Environments (Sept. 1994); U.S. Congress, Office of Technology Assessment OTA-BP-ITC-147, Issue Update on Information Security and Privacy in Networked Environments (June 1995). Less understood is how privacy may be threatened not by disclosing a communication's contents but by collecting information about how individuals will use the NII.
At times, the difference between transactional data and content data may be meaningless. Consider a movie delivered through a cable system. In some sense, the content data is the signal carried through the cable and deciphered into video frames displayed on the television. But from a privacy perspective, there is no difference between this data and the transactional data that identifies the title of the movie.
<23>The Internet is an outgrowth of U.S. government-supported research and development in networking. It connects millions of computers and users in over 160 countries. People use the Internet to exchange e-mail, browse through digital libraries, publish multimedia documents, conduct electronic commerce, participate in video-conferences, and engage in a variety of social activities. See generally Ed Krol, The Whole Internet Users Guide and Catalog (2d ed. 1994).
<24>"Jeffrey Rothfeder, Is Nothing Private?, Bus. Wk., Sept. 4, 1989, at 74.
<25>John M. Higgins, Benefits Hazy for MCI's Murdoch deal, Multichannel News, May 15, 1995, at 2.
<26>New York Telephone withdrew its proposal to market its white pages directory database because of a high level of customer opposition. See Internal Memorandum from the Communications Division, New York Telephone, to the New York State Department of Public Service at 2 (July 5, 1990) (on file with NTIA).
<27>Bell Atlantic also withdrew its plans to sell directory listings to marketers. See, e.g., Communications Daily, July 25, 1995 (electronic version).
<28>See Rules and Policies Regarding Calling Number Identification Service, Notice of Proposed Rulemaking, 6 FCC Rcd 6752 (1992).
Caller ID is a service that enables telephone subscribers to see a calling party's telephone number. As this paper addresses the commercial use of TRPI and Caller ID is primarily marketed to residential consumers, it does not examine the privacy issues related to Caller ID.
<29>See Rules and Policies Regarding Calling Number Identification Service - Caller ID, Report and Order and Further Notice of Proposed Rulemaking, 9 FCC Rcd 1764 (1994). Order stayed see Rules and Policies Regarding Calling Number Identification Service - Caller ID, 10 FCC Rcd 4364 (1995).
Historically, local telephone companies have passed ANI on to long-distance carriers for routing and billing purposes. However, recently ANI has been passed on to third parties for marketing purposes.
<30>For example, New York's Public Service Commission has also issued terms and conditions for how ANI is derived and disseminated to parties. See Comments of the State of New York, Dep't of Pub. Serv. at App. B.
<31>For a comprehensive review of U.S. privacy statutes, see Robert Smith, Compilation of State & Federal Privacy Laws (Privacy Journal 1992).
<32>47 U.S.C. § 551 (1990). Personally identifiable subscriber information and CPNI are both subsets of TRPI.
<33>The IITF is a Federal inter-agency group convened by President Clinton to "work with Congress and the private sector to propose the policies and initiatives needed to accelerate deployment" of the NII. See Agenda for Action, supra note 3, at 49,027.
<34>The President created the NII Advisory Council (NIIAC) to advise the Secretary of Commerce, and the Administration, on a national strategy for promoting the development of the NII. The Council is comprised of individuals representing various interests including industry, labor, academia, public interest, and state and local governments. See Exec. Order No. 12,864, 58 Fed. Reg. 48,773 (1993).
<35>To a certain degree, AT&T is already competing with MCI on privacy. Whereas MCI uses information from its customers' "Friends & Family" portfolios to target new customers and present new services, AT&T advertises over national television that it does not.
<36>See L. Morgan, High Stakes Data Gathering Raises Query: How Far Is Too Far?, St. Petersburg Times, Oct. 2, 1993, at 4B.
<37>See B. Moss, Release of Phone Records Was Legal, PSC Determines, St. Petersburg Times, June 16, 1994, at 4B.
<38>See Investigation Into Dissemination of Long Distance Telephone and Other Customer Records and Related Customer Privacy Issues, Florida Pub. Serv. Comm'n, Docket No. 931019-TP, Order No. PSC-94-0695-FOF-TP, 94 FPSC 6:92 (June 7, 1994).
<39>Telephone and cable companies are already teaming up to provide video programming, local, and long-distance telephone service over the same network. For example, Sprint has formed a joint-venture with TCI, Comcast Corp., and Cox Communications to offer local, long distance, and wireless phone service. Martin Rosenberg, Sprint Cites Ambitious Goal; Boosted by Cable Alliance, it Aims to Add a Million Customers, Kansas City Star, July 14, 1995, at B1. Time Warner and AT&T are considering forming a venture to sell a full range of phone services through Time Warner's cable system. John Keller, Time Warner's Cable- TV Unit & AT&T in Talks, Wall St. J., May 16, 1995, at A3. Also, cable companies and Internet Service Providers are making plans jointly to provide broadband access to the Internet. See Leland L. Johnson, Toward Competition in Cable Television 46 (1994).
<40>See Smith v. Maryland, 442 U.S.735, 748 (Stewart, J., dissenting).
<41>See Comments of GTE at 3; Comments of Bellsouth at 14-16; Comments of Bell Atlantic at 4; Comments of AT&T at 6; Comments of Southwestern Bell at 5; Comments of U S West at 3; Letter from Gerald J. Kovach, Senior Vice President, External Affairs, MCI, to Chairman Edward Markey, House Subcommittee on Telecommunications and Finance (May 20, 1992), (on file at NTIA).
<42>See Comments of BellSouth at 14-15; see also Comments of U S West at 16 (stating that transactional data is not released without customer consent); Letter from Gerald J. Kovach, Senior Vice President, External Affairs, MCI, to Chairman Edward Markey, House Subcommittee on Telecommunications and Finance (May 20, 1992) (on file at NTIA) (noting that MCI does not sell or rent its customer lists or information about customers to third parties).
<43>See Pacific Bell, Customer Privacy Guidelines (Sept. 1993) (brochure).
<44>These principles also commit Bell Atlantic to evaluating "potential privacy impacts" associated with providing interactive multimedia services. See Bell Atlantic Network Services, Inc., Residential Customers Information Privacy Principles (Jan. 1995) (brochure).
<46>Bruce Knecht, A New Casualty in Legal Battles: Your Privacy , Wall St. J., Apr. 11, 1995, at B1.
<47>See Telephone Privacy: Hearings Before the Subcomm. on Telecommunications and Finance of the Comm. on Energy and Finance, House of Representatives, 103d Cong., 1st Sess., 4-5 (1993) (statement of Hon. George Miller, Cal.) [hereinafter Miller Statement]; see also S.T. Parker, Alyeska "Spy" Witness Heard By House Panel; Committee on Interior and Insular Affairs, Oil Daily, Nov. 5, 1994, at 1.
<48>See Miller Statement, supra note 46, at 7.
<49>See L. Morgan and E. Wilson, Anyone Can See Your Toll Charges, St. Petersburg Times, Oct. 1, 1993, at 1B.
<50>A number of States have adopted laws and regulations regarding disclosure of CPNI, which generally apply only to intrastate telephone services. For example, California prohibits disclosure of calling records to third parties, without the subscriber's prior written authorization. In addition, California also prohibits telephone or telegraph corporations from disclosing the "services which the residential subscriber purchases from the corporation or from independent suppliers of information services who use the corporation's telephone or telegraph line to provide service to the residential subscriber." See Cal. Pub. Util. Code sec. 2891 (1995). Similarly, New York and Hawaii adopted privacy provisions covering telephone subscriber information in 1994 and 1995. Sector Reports: Telecommunications, Privacy & Am. Bus., May/June 1995, at 21.
<51>"See Additional Comment Sought on Rules Governing Telephone Companies' Use of Customer Proprietary Network Information, Public Notice, 9 FCC Rcd 1685 (1994) citing Filing and Review of Open Network Architecture Plans, 4 FCC Rcd 1, ¶ 403 (1988) [hereinafter ONA Plans].
<52>"ONA Plans (noting general description given by NYNEX). The FCC clarifies that CPNI does not, however, include credit information. Id. ¶412.
<53>The FCC has consistently stated over the years that its CPNI rules are "intended to balance considerations of efficiency, competitive equity, and privacy." Computer III Remand Proceedings: Bell Operating Companies Safeguards and Tier I Local Exchange Carriers, 6 FCC Rcd 7571, ¶ 84 (1991) [hereinafter BOC Safeguards Order].
<54>The term "Bell companies" as used here refers to the seven Regional Holding Companies formed as part of the divestiture of AT&T in 1984, and their operating subsidiaries.
<55>These rules also applied to AT&T until recently. On October 12, 1995, the FCC reclassified AT&T as a non-dominant interexchange carrier. This decision frees AT&T from regulations such as the CPNI rules that apply specifically to dominant carriers. See Commission Declares AT&T Non-dominant, FCC Press Release No. 95-60, Common Carrier Action (Oct. 12, 1995).
<56>BOC Safeguards Order, supra note 53, pt. III.C. For example, the FCC requires the Bell companies and GTE to obtain the prior authorization of customers with twenty lines or more before disclosing the CPNI of these customers to enhanced service provider (ESP) affiliates. No prior authorization is required for customers with fewer than twenty lines, nor is any prior authorization requiredregardless of the number of customer linesfor CPNI disclosures to Bell companies and GTE customer premises equipment affiliates. Id. at ¶ 89.
<57>For this discussion, "video carriage" includes all communications services that transmit television-like content through wireline and wireless technologies.
<58>Of course, television broadcasts also transmit video programming. There have been no privacy concerns, however, associated with this communications service because so far TRPI has not been collected about an individual's television viewing patternsexcept for those cases in which an individual agrees to record his or her viewing for a survey company in exchange for consideration.
<59>See Michael Decourcy Hinds, Personal But Not Confidential: A New Debate Over Privacy, N.Y. Times, Feb. 27, 1988, at 56.
<60>See Video and Library Privacy Protection Act of 1988: Joint Hearing on H.R. 4947 and S. 2361 Before the Subcomm. on Courts, Civil Liberties, and the Administration of Justice of the Senate Comm. on the Judiciary, 100th Cong, 2d Sess. 80, 84 (1988) (testimony of Vans Stevenson for the Video Software Dealers Association and Erol's Inc.).
<61>See 18 U.S.C. § 2710(b)(1) (1988).
<62>See id. § 2710(b)(2)(D)(i). Disclosures "incident to the ordinary course of business of the video tape service provider" are also permitted. Id. § 2710(b)(2)(E).
<63>See id. § 2710(b)(2)(D)(ii).
<64>Id. § 2710(e). The Video Act also has specific provisions governing governmental access to video tape records, see id. § 2710(b)(2)(C), as well as court ordered requests in a civil proceeding, id. § 2710(b)(2)(F). States have passed similar video tape laws. See, e.g., Cal. Civ. Code § 1799.3 (West 1995); Del. Code Ann. tit. 11, § 925 (1994).
<65>See 47 U.S.C. § 551(a) (1988 & Supp. V 1993). Among other things, such notice must state the nature of the personal information collected and its use; the nature, frequency, and purpose of disclosures; the length of time the information is kept; times and places where the subscriber may have access to the stored information; the legal limitations of the service operator; and the enforcement rights of the subscriber. See id. Federal case law has established a sufficiency test for notice similar to that used in a Truth In Lending Act analysis. See Scofield v. Telecable of Overland Park, Inc., 973 F.2d 874, 879 (10th Cir. 1992). "Clear and conspicuous" notice (as required under the Cable Act) must provide "meaningful disclosure" which is essentially "warn[ing] an ordinary subscriber of practices that materially affect his privacy interests." Id. at 880. Perfect disclosure is not required, rather, only that which is reasonable. Id.
<66>See 47 U.S.C § 551(b)(2) (1988).
<67>Id. § 551(c)(2)(A).
<68>See id. §§ 551(b)(1), 551(c)(1) (1988 & Supp. V 1993). The exceptions include disclosure of information pursuant to a court order, see id. §§ 551(c)(2)(B), 551(h); disclosure of mailing list information (names and addresses) if the individual had a prior opportunity to prohibit such disclosures, see id. § 551(c)(2)(C)(i); and the disclosure that does not reveal, even indirectly, the subscriber's viewing habits or use of the service or any nature of a subscriber's transactions over the service. Id. § 551(c)(2)(C)(ii).
<69>See id. § 551(e) (1988). States have passed similar cable privacy laws. See, e.g., Cal. Penal Code § 637.5 (1995); Conn. Gen. Stat. Ann. § 53-421 (1994); Ill. Ann. Stat. ch. 38, para. 87-2 (1995); and Wisc. Stat. Ann. § 134.43 (1994).
<70>Furthermore, it is not clear whether video carriage providers could be considered "video tape service providers" within the meaning of the statute. The Act defines "video tape service providers" as any person engaged in the "rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials." 18 U.S.C. § 2710(a)(4) (1988).
<71>Commenters to the Privacy NOI concurred with this interpretation. See, e.g., Comments of Time Warner at 11; Comments of Bell Atlantic at 8; Comments of Southwestern Bell at 12-13; Comments of AT&T at 13-14.
Although commenters argued that the Video Act does not apply to service providers that distribute video over telecommunications networks, some recommended that similar privacy provisions be applied to such services since there is little difference between renting a video from a store and ordering to view it over a communications network. See Comments of MCI at 12-13; Comments of National Cable Television Association at 5-6.
<72>See Definition of a Cable Television System, 5 FCC Rcd 7638, 7638 (1990) ("[T]he term cable system as used in the [Cable] Act encompasses only video delivery systems that employ cable, wire, or other physically closed or shielded transmission paths . . . . [D]irect broadcast satellites and so-called `wireless cable' . . . are not cable systems.").
<73>See NCTA v. FCC, 33 F.3d 66, 71 (1994). To be a "cable operator," an entity must engage in the "transmission" of video programming. See 47 U.S.C. §§ 522 (5),(6) (1988). In NCTA , the court upheld the FCC's determination that "transmission" requires "active participation in the selection and distribution of video programming." NCTA, 33 F. 3d at 71, 73 (quoting FCC Order). LECs serving purely as common carrier conduits would thus not be transmitting programming.
Although LECs providing video programming might not be subject to the Cable Act's subscriber privacy provision, GTE and the Bell companies would still be subject to the FCC's CPNI rules. See Telephone Company-Cable Television Cross-Ownership Rules, Sections 63.54-63.58 10 FCC Rcd 244 ¶ 239 (1994).
<74>In comments to the FCC, NTIA has argued that when a LEC offers video programming via a VDT platform, the LEC should not be deemed a "cable operator." See Comments of NTIA in CC Docket No. 87-266, at 22-28 (filed July 11, 1995).
<75>As of 1994, approximately 300 regional and national ISPs offered individuals access to the Internet at various levels. ISPs can provide dedicated access, which may involve leasing a dedicated telephone line and installing an Internet routing computer at the individual's site. ISPs can provide software that allows individuals to connect their home computers to office, university, or private time-sharing networks that have dedicated access to the Internet. In addition, many on-line services, which principally provide information products and discussion fora to subscribers, have gateways to communicate via the Internet. The distinction between ISPs and on-line services is dissolving as ISPs provide more information products and as on-line services provide less restricted access to the Internet through their gateways. See Ed Krol, The Whole Internet 456-66 (2d ed. 1994).
<76>For example, CompuServe sells mailing lists to third-parties "broadly based on member segments or selections," Communications Daily, Oct. 25, 1994, at 3 (electronic version), making available "interest categories which represent the on-line use of CompuServe members." Id. (quoting Direct Media, list-compiler). Similarly, America Online sells personal information about its subscribers: name, address, [and] type of customer . Communications Daily, Oct. 26, 1994, at 4 (electronic version) (emphasis added). Both America Online and CompuServe allow individuals to opt-out of such mailing lists. See text at Part III (analyzing opt-in and opt-out schemes).
In contrast, Prodigy has a policy of not disclosing any personal information about its subscribers to third-parties. Prodigy Services Co., Policy on Protecting Member Privacy (on file at NTIA). In addition, Apple Computer, Inc. (AppleLink, Eworld), Delphi Internet Services Corp., New York Times Service/Syndication, ProductView Interactive, and Dow Jones & Co., Inc., have internal policies prohibiting release of personal information to third parties. See Communications Daily, Oct. 26, 1994 (electronic version).
<77>18 U.S.C. § 2511(3)(a) (1988). The ECPA forbids a provider of "electronic communication service to the public" to "intentionally divulge the contents of any communication . . . while in transmission on that service" to any unauthorized entity. Id. The term contents "includes any information concerning the substance, purport, or meaning of that communication." The ECPA, however, makes clear that "contents" do not include "the identity of the parties or the existence of the communication." § 2510 (8). The ECPA allows providers to "disclose a record or other information pertaining to a subscriber . . . not including the contents of communications" to any nongovernmental entity. See 18 U.S.C. § 2703(c)(1)(A) (1988) (emphasis added). The ECPA does not explicitly define "record" and, to date, no court has interpreted this term. Thus, it is an unsettled question of law whether information, such as the subject line of an e-mail message or the title of video programming viewed, qualifies as "content" or merely as a transactional "record."
A strong argument may be made that by transaction records, Congress meant nothing more than information that reveals the origin, destination, and existence of a communication. The legislative history of the ECPA reveals that transactional records were left out of the definition of contents in order to harmonize the statute with Fourth Amendment jurispru dence that left calling record information unprotected. See S. Rep. No. 541, 99th Cong., 2d Sess., 13 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3567. ("The Supreme Court has clearly indicated that the use of pen registers, i.e. calling records associated with telephone service, does not violate either chapter 119 of title 18 or the fourth amendment. [This section] of this legislation makes that policy clear."). See also Office of Enforcement Operations, Criminal Division, U.S. Dep't of Justice, Analysis of the Electronic Communi cations Privacy Act of 1986, Public Law No. 99-508 (Dec. 15, 1986) ("In electronic communications [transactional records] are the records that are the equivalent of the traditional telephone toll records maintained by a telephone company."). Based on this interpretation, from a privacy point-of-view, there may be no meaningful difference between, for example, the contents of a communication and transactional data that identifies the title or the specific nature of the communication.
<78>See Mark Berniker, Bells Close Disney Video Services Deal, Broadcasting & Cable, Apr. 24, 1995, at 34.
<79>Many cable operators are currently restructuring their networks to deliver a variety of services. These services range from traditional one-way multi-channel video programming to telephony, to higher-speed access to remote databases, and using these networks as the backbone for various wireless services. See Interview with Amos Hostetter, Chairman/CEO of Continental Cablevision, The Once and Future Cable, Broadcasting and Cable, May 8, 1995, at 33.
In October 1994, Time Warner introduced the first switched, digital interactive, multimedia network, called the Full Service Network (FSN) in Orlando, Florida. An existing coaxial cable network in Orlando was upgraded with fiber-optic technology to develop this FSN. In addition, high capacity multi-access digital storage systems-servers were added to facilitate the transactions of multiple customers simultaneously, and a form of high speed switching called asynchronous transfer mode (ATM) technology was added to route digital, video, voice, or computer data from digital libraries to individual homes. Eventually, Time Warner hopes to use this network to bring a host of services to consumers' homes including: access to libraries, distance learning, news-on-demand, long distance telephone access, banking and other financial services, driver's license renewal or tag registration, grocery and drugstore shopping, medical imaging, high-speed data transport for business, video conferencing, HBO-on-demand, sports-on-demand, and music-on-demand. Time Warner Cable, Full Service Network, Background: Time Warner Introduces World's First Full Service Network in Orlando (May 1995).
<80>Cable service refers to video programming similar to current television broadcasts. See 47 U.S.C. § 522(6)(a)(b) (1988). Limited subscriber interaction is included in "cable service," but only to the extent of selecting video programming from a menu typical of pay-per-view. Interactive multimedia services may not be considered a "cable service" because they do not resemble today's one-way video programming and involve a high level of subscriber interactivity.
<81>"Presently, more than 111 million Americans rely upon the convenience and diversity of products when shopping by phone or mail. Because of direct response marketing, consumers can select from thousands of essential, hard-to-find products and services in the comfort of their living rooms." Comments of the Direct Marketing Association at 4.
<82>". IITF Principles, supra note 11, at Commentary ¶ 4.
<83>IITF Principles, supra note 11. Those principles begin with the Information Privacy Principle, which states: "Personal information should be acquired, disclosed, and used only in ways that respect an individual's privacy." Id. at Commentary sec. I.A. The remaining principles create a framework that places rights and responsibilities on individuals and information users so that the Information Privacy Principle is satisfied.
<84>IITF Principles, supra note 11, at Commentary sec. II.B. See also Organization for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Purpose Specification Principle at 10 (Paris 1981) [hereinafter OECD Guidelines ("The purposes for which personal data are collected should be specified not later than at the time of data collection . . . .").
<85>An important corollary to the Notice Principle is the Fairness Principle, which insists that information users keep their promise to the individual by abiding by the terms set out explicitly in their notice, or, in the absence of notice, by respecting the individual's reasonable contemplation of how personal information will be used. See IITF Principles, supra note 11, at Commentary sec. II.D. See also OECD Guidelines, supra note 84, Use Limitation Principle at 10 (stating that "Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the Purpose Specification Principle] except with the consent of the data subject or by the authority of law."). Indeed, the Notice Principle would amount to mere formalism if information could be used in ways completely divergent from the individual's understanding.
<86>In a limited number of circumstances, merely notifying a customer of a company's policies and practices with respect to TRPI will not be enough. For example, when a prospective customer's primary language is not English, it is incumbent on the service provider to take steps to ensure that notice is not merely given but understood.
<87>Similarly, provisions under the pending House telecommunications reform legislation, H.R. 1555, would prohibit carriers from disclosing or using CPNI for purposes other than to provide a particular service, without subscriber permission.
<88>Recognizing that privacy is a "core value in modern society," Microsoft developed a set of principles for how customer information is gathered, processed, used and stored over its on- line Microsoft Network (MSN). These principles include provisions for notifying subscribers about how information about them will be collected and used and imposes limitations on how information can be used by MSN content providers. For example, a content provider may be asked "to specify the legitimate business purpose for gathering information from a Member and to provide that Member with the opportunity to opt-out of the processing or use of that information for direct marketing purposes." MSN, The Microsoft Network, Summary of Principles on Gathering, Processing, Using and Storing Member Information (July 1, 1995).
<89>A company should generally not be required to provide its customers with recurrent notices about its privacy policies. Such requirements would merely impose costs on businesses most of which may be passed on to consumers. Thus, after the first notice has been given, a company should provide additional notices only if there has been a change in its privacy policies and practices.
<90>DMA has produced industry guidelines for "Ethical Business Practices," "Personal Information Protection," "Telephone Marketing," "Acceptance of Print Advertising," "Mailing List Practices," "Broadcast Advertising," and a "Fair Information Practices Checklist." Comments of DMA at 5-6.
<91>DMA Guidelines for Personal Information Protection, Art. 5 in Direct Marketing Association, Inc., Fair Information Practices Manual: A Direct Marketer's Guide to Effective Self-Regulatory Action in the Use of Information (Oct. 1994) [hereinafter Fair Information Practices Manual]. This document provides direct marketers with information about how to implement corporate fair information policies and how to comply to these self- regulatory programs. DMA has received approximately 1,000 requests from industry for this manual since its release.
<92>DMA Guidelines for Ethical Business Practice, Art. 32 in Fair Information Practices Manual.
<93>"Comments of Time Warner Inc. at 6. The five basic principles of this code are: 1) Personal data record-keeping practices should not be kept secret; 2) Individuals should have the ability to find out what information about them is on record and how it is disclosed; 3) Individuals should be able to correct or amend records of identifiable information about them; 4) Individuals should be able to limit the disclosure of information about them that was obtained for one purpose from being disclosed for other unrelated purposes; and 5) An organization creating, maintaining, using, or disseminating records of identifiable personal data must guarantee the reliability of the data for their intended use and must take precautions to prevent misuse of the data. Id. at 4-5; see also DHEW Principles, supra note 11.
<94>"Congress grappled with this very issue with respect to telemarketing sales calls before passing the Telephone Consumer Protection Act of 1991, which, among other things, requires telemarketers to consult a list of persons who do not wish to receive telephone sales calls and prohibits telemarketers from calling them. See 47 U.S.C. §227. In the end, Congress chose to balance the concerns of an emerging industry and consumers by deciding in favor of an opt-out approach and establishing a national clearinghouse that would maintain a list of consumers who did not wish to be called. Id.
<95>"Comments of Bell Atlantic at 4. Cf. Comments of AT&T at 9-10; Comments of Time Warner Inc. at 12; and Comments of The Newspaper Association of America at 2, 3-4 (all favoring an opt-out approach).
<96>See Comments of TRW Inc. at 11-12.
<97>Louis Harris and Associates, Inc., Interactive Services, Consumers, and Privacy: A National Survey 94 (1994). However, this same group expressed privacy concerns. For example, 60% indicated that they would like to be fully informed about a provider's collection of subscriber profile information before deciding to subscribe to its services; 74% indicated that they would like to review the information in their profile, correct errors, and indicate which sets of information they would allow to be used for marketing. Id. at 95.
<98>The distinction between sensitive and non-sensitive data is not clear-cut; information that is sensitive to one person may be innocuous to another. Although NTIA does not suggest a definitive answer to this question, we do believe that information relating to health care (e.g., medical diagnoses and treatments), political persuasion, sexual matters and orientation, and personal finances (e.g., credit card numbers) should be considered "sensitive." The same is true for an individual's social security number, which has become a universal personal identifier, a passkey that allows the holder to unlock and accumulate the vast storehouse of information on most people that is available from a host of different databases.
<99>See generally Comments of The Consumer Interest Research Institute at 8.
<100>The IITF Fairness Principle states that "the nature of the incompatible use will determine whether such consent should be explicit or implicit. In some cases, the consequences to an individual may be so significant that the prospective data user should proceed only after the individual has specifically opted into the use by explicitly agreeing." See IITF Principles, supra note 11, at Commentary ¶ 22.
<101>"See Comments of Time Warner at 12.
<102>The IITF's Education Principle also recognizes the importance of enhanced consumer education. See IITF Principles, supra note 11, at Commentary sec. II.E.
<103>A report conducted by the staff of the House Subcommittee on Telecommunications and Finance found that Bell Atlantic-Maryland had undertaken efforts to educate its customers about how to avoid unwanted intrusions from telemarketers through billing statements. See Letter from Edward J. Markey, Chairman, Subcommittee on Telecommunications and Finance, U.S. House of Representatives, to Mr. Sam Ginn, Chairman and CEO of Pacific Telesis Group (July 14, 1994) (on file at NTIA).
Pacific Telesis Group has also taken a number of steps to educate its consumers about avoiding unwanted telemarketing sales calls. For instance, Pacific Telesis Group's subsidiariesPacific Bell and Nevada Bellinclude a "Consumer Rights and Information" section in their directories and bill inserts which describe how consumers can handle telephone sales calls. A 24-Hour Customer Guide Information Line also offers audiotext messages about how to use the phone, including information on how to "reduce sales calls." See Letter from P.J. Quigley, Chairman, President and Chief Executive Officer, Pacific Telesis Group, to Hon. Edward J. Markey, Chairman, Subcommittee on Telecommuni cations and Finance, U.S. House of Representatives (June 26, 1995) (on file at NTIA).
<104>The Privacy Rights Clearinghouse recommends in its comments that consumer education, among other things, should include "plain language descriptions of how new technologies affect privacy, explanations of consumers' legal privacy rights, [and] guidelines for effective consumer-privacy practices." See Comments of the Privacy Rights Clearinghouse at 3.
<1>Metromail, The New Marketing: Selling in the Age of the Individual 7 (1994) (brochure).
<2>The privacy issues associated with communications providers, which have already been discussed, are not revisited here. Profiles used to determine whether an individual receives consumer credit is governed by the Fair Credit Reporting Act of 1970, 15 U.S.C. §§ 1618a - 1681t (1988). Such profiles are also outside the scope of this appendix.
<3>Not all personal profiles are compiled for marketing purposes. Certain profiles are created, for example, to aid private investigators, media, and lawyers in search of missing individuals and their assets. See Teresa Pritchard-Schoch & Susan Hutchens, Remote Access to Public Records: An Update, Database, Feb. 1994, at 14.
<4>See Jill Smolowe, Read This!!!!!!!!, Time, Nov. 26, 1990, at 62, 66 (referring to the Direct Mail List Rates and Data published by the Standard Rate & Data Service). An average person appears on one hundred mailing lists and fifty databases. See Anne Wells Branscomb, Who Owns Information?: From Privacy to Public Access 11 (1994).
<5>See Charles Piller, Privacy in Peril, MacWorld, July 1993, at 8, 11 (describing contents of the Burwell Directory of Information Brokers).
<6>See Laura Bird, Department Stores Target Top Customers , Wall St. J., Mar. 8, 1995, at B1 ("Such department stores as Bloomingdale's, Nordstrom and Saks Fifth Avenue are starting to tap their vast customer databases to identify their most profitable shoppers.").
<8>See David Zielinski, Database: the Heart of Relationship Marketing, 27 Potentials in Marketing 66 (1994); Jonathan P. Graham, Note, Privacy, Computers, and the Commercial Dissemination of Personal Information, 65 Tex. L. Rev. 1395, 1401 (1987) (discussing how computers are used to produce "psychographics"psychological profiles of consumers) (emphasis added).
<9>See generally Jonathan Berry, Database Marketing, Bus. Wk., Sept. 5, 1994, at 56-61.
<10>For example, the consumer information database of Donnelley Marketing Inc. contains "consumer data on over 150 million individuals and 90 million households." Donnelley Marketing Inc., Donnelley Marketing Inc. Consumer Information 1 (brochure). Metromail advertises a database of 133 million people. See Metromail, supra note 1.
<11>"Companies can now buy lists of customers who have bought products similar to their own, or who share characteristics, and merge them with other databases giving further information on the individuals named." Alan Shipman, Scanned and Deliver: Mailshot Marketing, 49 Int'l Mgmt. 27 (1994).
<12>"See Bill Granger, The Name Traders, Chi. Trib., Nov. 15, 1992, (Magazine), at C22.
<13>"Comments of Mead Data Central, Inc. and Dun & Bradstreet Corp. at 3.
<14>Until recently, the Post Office released Change of Address information for a particular person to anyone for a $3 fee. In 1994, the Post Office discontinued that practice. However, the Post Office continues to sell the entire NCOA (principally to mass mailers). Representative Gary Condit has introduced the "Postal Privacy Act of 1995," H.R. 434, 104th Cong., 1st Sess. (1995), which would require notice and opt-out for NCOA forms.
<15>Income is often estimated on the basis of census neighborhood information, real property records, and vehicle registration.
<16>See Bird, supra note 6, at B1.
<17>See Rick Wartzman, Information, Please: A Research Company Got Consumer Data from Voting Rolls, Wall St. J., Dec. 23, 1994, at 1 (referring to Cal. Elections Code § 2194 (Deering 1994)).
<18>See 18 U.S.C. §§ 2721-2725 (1988 & Supp. V 1994).
<19>47 U.S.C. § 551(b), (e)(1988 & Supp. V 1993). Similarly, the Video Privacy Protection Act of 1988 requires the destruction of "personally identifiable information as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected . . . ." 18 U.S.C. § 2710(e)(1988 & Supp. V 1994).
<20>47 U.S.C. § 551(b), (e) (1988 & Supp. V 1993).
<21>See, e.g., N.Y. Pub. Health Law § 17 (Consol. 1994) (records of sexually transmitted disease or abortion for a minor cannot be disclosed, even to parent).
<22>"John Healy, Just Between Us, Cong. Q., May 14, 1994, at 41.
<23>5 U.S.C. § 552a(o)-(q) (1988). The Computer Matching and Privacy Protection Act of 1988 (Pub. L. No. 100-503) has amended the Privacy Act to add several new provisions. See 5 U.S.C. § 552 (a)(8)-(13), (e)(12), (o), (p), (q), (r), (u), (1988 & Supp. V 1993). These provisions add procedural requirements for agencies to follow when engaging in computer-matching activities; provide matching subjects with opportunity to receive notice and to refute adverse information before having a benefit denied or terminated; and require that agencies engaged in matching activities establish Data Protection Boards to oversee those activities.
More recently, Congress enacted the Computer Matching and Privacy Protection Amendments of 1990 (Pub. L. No. 101-508), which further clarify the due process provisions found in subsection (p). Office of Information and Privacy, U.S. Dep't of Justice, Freedom of Information Act Guide & Privacy Act Overview 458-59 (Sept. 1994).
<24>Various commenters assert that governmental restrictions on the creation of personal profiles could infringe the profilers' First Amendment rights. See Comments of Mead Data Central, Inc. and Dun & Bradstreet Corporation at 9-23; Comments of Information Industry Association at 8-10.
<25>"Comments of Time Warner Inc. at 17.
<26>The proposed data base would have contained such personal information as the name, sex, age, estimated income, purchasing habits, and marital status of 120 million Americans. See Piller, supra note 5, at 11 (noting that Equifax received 30,000 angry letters from consumers protesting Marketplace plan); See also Daniel Mendel-Balck & Evelyn Richards, Peering into Private Lives, Wash. Post, Jan. 20, 1991, at H1.
<27>See Comments of GTE Services Corp. at 3 (existing business relationship between customers and service providers naturally provides privacy safeguards); Comments of AT&T at 8 (stating "Firms operating in competitive markets must honor reasonable customer expectations of privacy in the use of individually-identifiable information, or risk losing customers to competitors who are willing to respect and fulfill those expectations."); Comments of Southwestern Bell at 3 (stating that "If a company violates the expectations of its customers, over time that company is unlikely to continue [the] commercial relationship..."); Supp. Comments of Direct Marketing Association at 9 (noting that DMA fully appreciates that industry cannot thrive without consumer confidence and trust and "did not become a multi-billion dollar industry in the era preceding the NII by ignoring its customers.").
<28>See generally Privacy and American Business, Handbook of Company Privacy Codes 20 (1994) (hereinafter Privacy and American Business) (compiling industry codes); Direct Marketing Association, Fair Information Practices Manual: A Direct Marketer's Guide to Effective Self-Regulatory Action in the Use of Information (1994).
<29>"Bird, supra note 6, at B12.
<30>See Telephone Conversation with Harry Kitchen, Director of Database Analysis at Donnelley Marketing, Inc., September 29, 1994; Letter from Paul Sobel, Senior Vice President, Database America Companies, to Jerry Kang (Oct. 11, 1994) (explaining that its software is not configured to answer queries about specific individuals) (on file at NTIA).
In contrast, marketing profiles maintained by companies such as Lexis/Nexiswhich contain personal information derived principally from public recordscan be accessed by anyone who can afford the on-line charges. Another company, American Information Network, Inc., acts as an electronic information broker that can supply, among other information, criminal, driving, credit, motor vehicle, and property records. Also offered are license plate searches, national social security number locators, national address locators, workers' compensation records, and state corporate records. In addition, with increasing amounts of public record and other information available on-line, it has become easier to compile public record profiles by oneself. See Pritchard-Schoch & Hutchens, supra note 3, at 14 ("Approximately 90% of the nation's millions of public records are not yet accessible remotely . . . . Nonetheless, the market for online access to public records continues to experience steady growth, especially due to the demands of insurance companies, law firms, private investigators, and financial institutions.").
<31>For example, the industry advertisements and promotional materials of major list- compilers suggest that while they may know whether an individual holds a major credit card or not (by getting complete lists from credit card companies), they do not know what specific purchases have been made with that credit card. Similarly, although major list-compilers may know whether an individual subscribes to magazines (by getting complete lists from publishers), they do not seem to know which particular magazines one orders. Finally, although they may know whether an individual has made political contributions, they do not seem to know to whom, when, and how much.
<32>See Privacy and American Business, supra note 28, at 20 ("We will release individual information about direct American Express customers only if the customer has consented . . . or when we are required to do so by law . . . ."); Citibank states that it "will not reveal specific information about a customer transaction (what, where, when, how much) to third parties except as previously disclosed to the customer in any communications and agreements." Id. at 27.
<33>In its "Privacy Notice to Cardholder" American Express states: "We [American Express] try to make sure that [promotional] offers reach only those card members most likely to take advantage of them. To do this, we develop lists for use by us and our affiliates based on information you provided on your initial application and in surveys, information derived from how you use the Card that may indicate purchasing preferences and lifestyle, as well as information available from external sources including consumer reports. We may also use that information, along with non-credit information from external sources, to develop lists which are used by the companies with whom we work." Privacy and American Business, supra note 28, at 16.
Citibank's notice contains a similar message: "If we [Citibank] find a product or special offer that we think would be of interest to you, we work with the companies involved to let you know by mail or phone." See id. at 24; see also Jeff Smith, Privacy Polices and Practices, 36 Comm. of the ACM 104 (1993) (describing one credit card company in its survey used "cardholders' purchases to create psychographic purchasing profiles").
<34>Commenters provided some information about an important source of TRPInational on-line services. Two major on-line servicesAmerica Online and CompuServe disclose personal information in the form of customized mailing lists created by profiling their subscribers on the basis of the transactions they make on-line. Compuserve sells mailing lists to third-parties "broadly based on member segments or selections," Communications Daily, October 25, 1994, at 3 (electronic version), making available "interest categories which represent the on-line use of CompuServe members." Id. (quoting Direct Media, list-compiler). Similarly, America Online sells personal information on its subscribers: name, addresses, [and] type of customer. Communications Daily, October 26, 1994, at 4 (electronic version) (emphasis added). Both America Online and Compuserve allow individuals to opt-out of such mailing lists.
In contrast, Prodigy has a policy of not disclosing any personal information about its subscribers to third-parties. Prodigy Services Co., Policy on Protecting Member Privacy (on file at NTIA). In addition, Apple Computer, Inc. (AppleLink, Eworld), Delphi Internet Services Corp., New York Times Service/Syndication, ProductView Interactive, and Dow Jones & Co., Inc., have internal policies prohibiting release of personal information to third parties. See Communications Daily, October 26, 1994 (electronic version).