[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]




``HOW DO BUSINESSES USE CUSTOMER INFORMATION: IS THE CUSTOMER'S PRIVACY 
                              PROTECTED?''

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                COMMERCE, TRADE, AND CONSUMER PROTECTION

                                 of the

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED SEVENTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 26, 2001

                               __________

                           Serial No. 107-49

                               __________

      Printed for the use of the Committee on Energy and Commerce


 Available via the World Wide Web: http://www.access.gpo.gov/congress/
                                 house

                               __________

                    U.S. GOVERNMENT PRINTING OFFICE
74-846CC                    WASHINGTON : 2001

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001





                    COMMITTEE ON ENERGY AND COMMERCE

               W.J. ``BILLY'' TAUZIN, Louisiana, Chairman

MICHAEL BILIRAKIS, Florida           JOHN D. DINGELL, Michigan
JOE BARTON, Texas                    HENRY A. WAXMAN, California
FRED UPTON, Michigan                 EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida               RALPH M. HALL, Texas
PAUL E. GILLMOR, Ohio                RICK BOUCHER, Virginia
JAMES C. GREENWOOD, Pennsylvania     EDOLPHUS TOWNS, New York
CHRISTOPHER COX, California          FRANK PALLONE, Jr., New Jersey
NATHAN DEAL, Georgia                 SHERROD BROWN, Ohio
STEVE LARGENT, Oklahoma              BART GORDON, Tennessee
RICHARD BURR, North Carolina         PETER DEUTSCH, Florida
ED WHITFIELD, Kentucky               BOBBY L. RUSH, Illinois
GREG GANSKE, Iowa                    ANNA G. ESHOO, California
CHARLIE NORWOOD, Georgia             BART STUPAK, Michigan
BARBARA CUBIN, Wyoming               ELIOT L. ENGEL, New York
JOHN SHIMKUS, Illinois               TOM SAWYER, Ohio
HEATHER WILSON, New Mexico           ALBERT R. WYNN, Maryland
JOHN B. SHADEGG, Arizona             GENE GREEN, Texas
CHARLES ``CHIP'' PICKERING,          KAREN McCARTHY, Missouri
Mississippi                          TED STRICKLAND, Ohio
VITO FOSSELLA, New York              DIANA DeGETTE, Colorado
ROY BLUNT, Missouri                  THOMAS M. BARRETT, Wisconsin
TOM DAVIS, Virginia                  BILL LUTHER, Minnesota
ED BRYANT, Tennessee                 LOIS CAPPS, California
ROBERT L. EHRLICH, Jr., Maryland     MICHAEL F. DOYLE, Pennsylvania
STEVE BUYER, Indiana                 CHRISTOPHER JOHN, Louisiana
GEORGE RADANOVICH, California        JANE HARMAN, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska

                  David V. Marventano, Staff Director

                   James D. Barnette, General Counsel

      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

                                 ______

        Subcommittee on Commerce, Trade, and Consumer Protection

                    CLIFF STEARNS, Florida, Chairman

NATHAN DEAL, Georgia                 EDOLPHUS TOWNS, New York
  Vice Chairman                      DIANA DeGETTE, Colorado
ED WHITFIELD, Kentucky               LOIS CAPPS, California
BARBARA CUBIN, Wyoming               MICHAEL F. DOYLE, Pennsylvania
JOHN SHIMKUS, Illinois               CHRISTOPHER JOHN, Louisiana
JOHN B. SHADEGG, Arizona             JANE HARMAN, California
ED BRYANT, Tennessee                 HENRY A. WAXMAN, California
STEVE BUYER, Indiana                 EDWARD J. MARKEY, Massachusetts
GEORGE RADANOVICH, California        BART GORDON, Tennessee
CHARLES F. BASS, New Hampshire       PETER DEUTSCH, Florida
JOSEPH R. PITTS, Pennsylvania        BOBBY L. RUSH, Illinois
GREG WALDEN, Oregon                  ANNA G. ESHOO, California
LEE TERRY, Nebraska                  JOHN D. DINGELL, Michigan,
W.J. ``BILLY'' TAUZIN, Louisiana       (Ex Officio)
  (Ex Officio)

                                  (ii)


                            C O N T E N T S

                               __________
                                                                   Page

Testimony of:
    Barrett, Jennifer T., Chief Privacy Officer, Acxiom..........    49
    Ford, John A., Chief Privacy Officer, Equifax, Inc...........    58
    Hourigan, Jacqueline L., Director, Corporation Data Policies, 
      General Motors Corporation.................................    12
    Johnson, David A., Vice President, Direct Marketing, Land's 
      End, Inc...................................................    23
    Misener, Paul, Vice President, Global Public Policy, 
      Amazon.com.................................................    18
    Pearson, Harriet P., Chief Privacy Officer, IBM..............     7
    Swift, Zeke, Director, Global Privacy, Procter & Gamble......    15
    Zuccarini, Deborah, Executive Vice President and Chief 
      Marketing Officer, Experian Marketing Solutions............    65

                                 (iii)

  

 
``HOW DO BUSINESSES USE CUSTOMER INFORMATION: IS THE CUSTOMER'S PRIVACY 
                              PROTECTED?''

                              ----------                              


                        THURSDAY, JULY 26, 2001

         U.S. House of Representatives,    
              Committee on Energy and Commerce,    
                       Subcommittee on Commerce, Trade,    
                                   and Consumer Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 9:35 a.m., in 
room 2322, Rayburn House Office Building, Hon. Cliff Stearns 
(chairman) presiding.
    Members present: Representatives Stearns, Shimkus, Bryant, 
Walden, Terry, Bass, Tauzin (ex officio), Towns, DeGette, 
Doyle, John, and Harman.
    Staff present: Ramsen Betfarhad, majority counsel; Michael 
O'Reilly, professional staff member; Brendan Williams, 
legislative clerk; and M. Bruce Gwinn, minority counsel.
    Mr. Stearns. Good morning, good morning. I welcome all of 
you here. This is the sixth and last in a series of hearings on 
information privacy held by our Subcommittee on Commerce, 
Trade, and Consumer Protection. This hearing concludes one 
phase of the subcommittee's inquiry into information privacy, 
but not the inquiry itself.
    I think these hearings have fulfilled their objective of 
informing members and the public at large, in a deliberate and 
careful manner, of the many issues implicated by the privacy 
debate. The collective record of the six hearings is a rich 
resource of information and opinion on the issue of information 
privacy, and should be used to inform all of us on the debate 
on this issue.
    I commend members of the committee to review the hearings 
that we have had, the record that has been amassed by this 
subcommittee on this important issue of information privacy, 
before they seek to formulate or finalize their judgments on 
this matter. In no other location, either within or without the 
Hill, will we find a more comprehensive record on information 
privacy.
    I am especially pleased to have as witnesses executives 
that represent some of the most revered companies in corporate 
America. We all are or have been, at one time or another, 
customers of General Motors, IBM, Proctor & Gamble, Amazon.com, 
and Land's End. I appreciate the fact that these companies 
didn't have to be here testifying on the difficult public 
policy matter of information privacy. So I recommend--I commend 
all of them for their participation and wish to thank them for 
coming.
    Many have written on or spoken to the issue of information 
privacy in the commercial world, as if the issue existed in a 
vacuum. That is to say, some commentators on information 
privacy speak with little or no consideration of the realities 
that characterize the intersection between privacy and the 
commercial world. Today, we have the rare opportunity to ask 
these large transnational corporations, representing differing 
industries, and the three top compilers, what really transpires 
in the real world with respect to consumer information.
    The witnesses on the first panel represent a diverse group 
of companies, ranging from the world's largest industrial 
corporation with 400,000 employees, to one that markets 300 
brands of consumer products to nearly 5 billion customers--let 
me repeat, 5 billion customers--worldwide, and an online 
company that in less than 6 years has become one of the most 
recognized brands in retailing. These companies will all speak 
to how they collect customer information; what types of 
information they collect; what uses they put that collected 
information to; why they use the information in the way that 
they do; and what business or legal incentives are in place 
assuring the proper utilization of that consumer information.
    Moreover, the witnesses on the second panel, representing 
data compilers, will help us better understand what it is that 
they do. We may know the most about the credit reporting 
services. We have, all of us, invariably been subjected to 
credit checks in the course of our ordinary lives, when 
applying for a car loan, a mortgage, credit cards, et cetera. 
Yet many of us may not know that these three companies provide 
authentication and verification services enabling the seamless 
and speedy execution of millions of small and mundane 
transactions every day, such as the purchase of a CD online 
from Amazon.com or off-line from Tower Records.
    The insight offered by our witnesses is especially 
important when considering the fine balance present between the 
proper and improper collection and use of consumer data. As 
these hearings have established, there are substantial benefits 
that accrue to our economy from the unencumbered flow of 
information, particularly consumer information. Meanwhile, 
these same hearings have highlighted the fact that Americans do 
have concerns regarding abuses that may arise from the 
collection and/or use of certain types of consumer information 
in the commercial context.
    The objective today, in this hearing, is to demystify--make 
concrete--data collection and use practices common in the 
commercial world today. To put it more bluntly, the testimony, 
I hope, will help separate fact from fiction, reality from 
myth, when it comes to the issue of information privacy. Only 
when empowered with real facts can Congress advance good public 
policy addressing information privacy.
    So, Mr. John, you are welcome with an opening statement.
    Mr. John. Yes, thank you, Chairman Stearns. My friend and 
colleague, the ranking member from New York, is tied up at this 
moment in another subcommittee, on Commerce and Health. And I 
temporarily will try to fill his large shoes. Me being from 
Louisiana and him from New York, those are very big and 
different shoes to fill.
    But I ask unanimous consent that all members be permitted 
to include their statements into the record.
    Mr. Stearns. By unanimous consent, so ordered.
    Mr. John. Thank you.
    I am sure that the panelists are ready to get started. I 
want to thank them and welcome them, the first panel and also 
the second panel, and express my really sincere thanks to 
Chairman Stearns for having a series--the sixth, as he said--on 
issues that are very important on information privacy.
    I also believe that these hearings have been useful, and 
helpful, and they have meant a lot because of the issues that 
are confronting businesses, regulators, and consumers. And I 
really look forward to hearing from the folks that deal with 
this issue every day, and working with the chairman and the 
ranking member as we move through this process legislatively.
    So, welcome. And I look forward to hearing your testimony. 
Thanks.
    Mr. Stearns. I thank the gentleman. The gentleman from 
Illinois, Mr. Shimkus?
    Mr. Shimkus. Thank you, Mr. Chairman. I, too, want to 
welcome the panel. I would have walked over and introduce 
myself; I was here early. But I have an athletic injury, that I 
am doing as little walking as possible. But we do appreciate 
your attendance.
    We have dealt with, are trying to understand this from the 
public policy position. Of course, many of us were with the 
Commerce Committee when we passed Graham-Leach-Bliley. But 
statements have constantly been made in this committee that we 
want to get a handle on how privacy is good for business--
obviously, that is what we hope to hear from you all today--and 
how you go about doing that.
    In the financial services arena, there is some argument 
about how sharing of information within a designed arena is 
actually good for some consumers, too. And that may not be true 
in your business. So that is why this panel is unique in some 
of the discussions we have had. I look to focus on that area. I 
appreciate your expertise and your willingness to come before 
us.
    And with that, Mr. Chairman, I yield back my time.
    Mr. Stearns. The gentleman yields back. Mr. Doyle, the 
gentleman from Pennsylvania?
    Mr. Doyle. Thank you, Mr. Chairman. I just want to welcome 
our panelists this morning. I think we're all anxious to hear 
what they have to say. And I will ask unanimous consent that my 
statement may be made part of the record, so that we can hear 
our panelists. And I yield back.
    [The prepared statement of Hon. Mike Doyle follows:]
  Prepared Statement of Hon. Mike Doyle, a Representative in Congress 
                     from the State of Pennsylvania
    Thank you Mr. Chairman and Ranking Member, for holding this 
hearing. I am looking forward to learning about the technologies, 
policies, and approaches that some of the leaders in the electronic 
commerce industry have employed to prevent unwanted dissemination and 
use of our private consumer information. Thank you all for taking the 
time testify this morning.
    As the discussions regarding individual consumer privacy progress 
in America and before this subcommittee, I know think many of my 
constituents back in the Pittsburgh area are not just asking ``how do 
business use my information'' but they are saying, ``wait a minute, you 
mean businesses have been gathering my personal information all 
along?''
    I often find that consumers in Western Pennsylvania seem to have no 
problem allowing certain personal information to be collected and used 
by industry. For example, the regional supermarket, Giant Eagle, asks 
for certain access to personal shopping information through the use of 
the Giant Eagle Advantage Card. I myself use such a card.
    It provides incentives that members undoubtedly find useful, such 
as discount coupons through the mail for items that a customer 
routinely purchases. Obviously, this is an example of personal 
information use that both client and consumer find beneficial and 
acceptable.
    Protecting this type of personal information, while important, is 
decidedly different than protecting against abuses associated Social 
Security numbers, birth dates, mother's maiden names, or health 
records. It is the extent to which this personally identifiable 
information is collected, used, and distributed that pose the greatest 
threat to true privacy and create the need for Congress to find a 
solution to protect consumers.
    The industries represented this morning by our esteemed panelists 
are some of the most successful and profitable companies in America. I 
am anxious to hear of the problems associated with implementing their 
effective self-regulatory policies, for if our Fortune 100 companies 
have difficulty funding privacy protection policies, surely our smaller 
firms or medium size companies will have greater problems generating 
the necessary capital and resources.
    In closing, Mr. Chairman, I look forward to finding a way that 
Congress can augment and aid effective industry self-regulation in a 
manner that will not impede the continued development of e-commerce, 
while protecting and ensuring consumer rights are upheld.

    Mr. Stearns. The gentleman yields back. His opening 
statement will be made a part of the record.
    And the gentleman from New Hampshire, Mr. Bass?
    Mr. Bass. Thank you very much, Mr. Chairman. And I, too, 
join my colleagues in thanking you for having this final 
hearing. It has been a fascinating series of hearings. I have 
learned more, I think--learned a lot more than I have been able 
to impart to other folks about this issue, which is extremely 
complex.
    And I hope that we will be able to clear up some of the 
misconceptions that may exist about corporate or business use 
of personal information vis-a-vis Internet transactions. And I 
also hope, Mr. Chairman, that as we listen to these witnesses, 
we try to separate what may already be illegal anyway under 
existing law from what may need to be attended to by the 
Congress.
    And we may not need to do anything. But again, I think it 
is important that this committee fully and thoroughly 
investigate the issue so that we understand, so that we 
understand its complexity and scope, so that as the Internet 
becomes more and more significant in the economy--not that it 
isn't already--that we will be in a position to deal with it 
from a position of strength, rather than ignorance.
    And I appreciate the chairman holding these hearings.
    Mr. Stearns. I thank the gentleman.
    [Additional statements submitted for the record follow:]
 Prepared Statement of Hon. W.J. ``Billy'' Tauzin, Chairman, Committee 
                         on Energy and Commerce
    Thank you, Mr. Chairman for calling this hearing. I understand that 
this will conclude the series of education hearings you have held on 
privacy, so I also want to commend you for developing a process that 
allows us to consider this issue in a thoughtful and deliberative 
manner.
    The topic of today's hearing is very important in the overall 
privacy debate. Too often in Washington we are told how it works in the 
real world through the eyes of Washington-based trade associations, 
lobbyists and consumer groups. Today's witnesses will provide a 
different perspective--from the real world. I appreciate their 
willingness to come forward and share their knowledge and experience.
    As Chairman of the Committee, and as a consumer, I have heard and 
seen a great deal of activity by American companies. Let me sum up what 
they tell me: they like to exploit consumers for all their worth, they 
know consumers don't care about product quality, they don't try to 
maintain good customer relations, they can always find new customers to 
replace dissatisfied customers, they don't think that their brand name 
is that important, and they don't care about consumer privacy. I joke 
for purposes of making a point--Companies Do Care About Consumer 
Relations. The litany of untruths I just rattled off is completely 
opposite from what I have experienced from American business.
    In our market economy, competition compels companies to strive to 
meet consumer needs. If a company doesn't do what customers want, 
they'll go elsewhere. People sometimes seem to forget this. Yet, it is 
a fundamental fact of commerce that service to the consumer is the 
cornerstone of a successful company.
    Privacy is becoming a factor that consumers take into account as 
they shop. It may not be the primary concern, but it is a factor. Many 
companies have recognized this and have responded in kind with improved 
privacy practices. In fact, many of the privacy requirements that some 
want mandated by Washington are already being implemented by reputable 
companies. It is simply sound business practice to do so.
    Some companies even use their privacy practices to gain competitive 
marketing advantage over competitors. IBM, for instance, recently 
plastered a picture of their privacy guru, who is here with us today, 
in countless advertisements. Obviously, they see a positive side to the 
privacy debate.
    So, it is instructive to examine just how real companies are 
dealing with privacy in the real world. We need to learn how 
established leaders in the American economy (and often the trend-
setters) collect customer information, what the information is used 
for, and how companies handle consumer privacy. I hope the panelists 
will enlighten us on these points.
    I also hope that this hearing will help debunk the scary scenarios 
that have been created to stir up consumer angst. Over the past few 
years, we have heard a lot of crazy stories about how consumer 
information is used. Many of these stories have proved to be false.
    Furthermore, I am pleased to see a discussion of the practices of 
the so-called data aggregators. Most people have had experience with 
the credit ratings services of some of these companies, but they often 
offer many other services. It is important to demystify just how they 
operate and what they do.
    I note that one of the benefits of data aggregators is of direct 
benefit to consumer needs--the reduction of junk mail. If you have ever 
received a catalog addressed to you that you have completely no 
interest in then you know firsthand the results of poor information. 
The accurate information provided by aggregators helps companies offer 
consumers the products and services they will find useful. Of course, 
many people have questioned the privacy practices of data aggregators 
and so here is a chance to set the record straight.
    Going forward, one thing should be clear: I don't see a need to 
legislate on false scenarios. We cannot and will not design some 
elaborate new privacy regime that will take into account every possible 
daydream of how information could be used. Reality must be taken into 
account. We will look to all parties to keep this in mind as we proceed 
in this debate.
    I thank the Chairman and appreciate his indulgence.
                                 ______
                                 
Prepared Statement of Hon. Edolphus Towns, a Representative in Congress 
                       from the State of New York
    Thank you Mr. Chairman and I too would like to welcome the 
witnesses to our sixth hearing on Privacy.
    Nearly every company across the country compiles information on the 
consumers who use their products and some companies compile the data to 
sell to other corporations. I am interested to hear what the companies 
assembled here today have to say regarding their handling of personal 
information.
    Consumers across the country are literally begging to be informed 
on how their information is collected, used and PROTECTED. And that is 
assuming they realize who is collecting the information.
    It is my hope today that the witnesses will shed light on not only 
their practices on HOW they collect information, but what they do with 
it after they get that information.
    I would like to commend the witnesses today. They have chosen to 
step forward and educate members of the committee on this topic. You 
all have invested in making consumer's privacy a priority.
    This brings me to the main reason I am advocating some sort of 
minimum privacy standards. Not all companies are doing what Fortune 100 
companies do. Not all of them take their customer's as seriously as do 
others.
    As I weigh this issue over the August recess and decide what type 
of privacy bill to submit, consumer and corporate responsibility will 
serve as my compass and I look forward to reviewing the testimony of 
past witnesses and hearing the testimony of those assembled here today.
    Mr. Chairman, with that I yield back the balance of my time.
                                 ______
                                 
    Prepared Statement of Hon. John D. Dingell, a Representative in 
                  Congress from the State of Michigan
    Mr. Chairman, I want to thank you for holding this important 
hearing. Privacy has been a major consumer concern for a long time, and 
that concern has increased greatly with the advent of the internet and 
e-commerce. In fact, market researchers estimated last year that 
consumer concerns about privacy and security caused e-retailers to lose 
$6.1 billion in sales worldwide. Clearly, business is paying a big 
price for the concerns consumers continue to have about online 
transactions.
    For some online businesses, strong privacy protections have become 
the key to greater competitiveness in the marketplace. Many firms now 
highly publicize their privacy policies as they vie with each other to 
see who can give consumers the greater comfort and security about 
online retailing. Today we will hear from several large businesses that 
have heard and responded to the privacy concerns of consumers.
    While I compliment these companies for their initiative and 
responsibility, I would caution my colleagues against drawing any 
conclusion that what these firms have done is representative of all 
business. It is not. And it is because it is not that the Federal Trade 
Commission (FTC) has recommended that Congress pass online privacy 
legislation.
    The FTC reported to Congress last year, and I quote, ``only 20% of 
the busiest sites on the World Wide Web implement to some extent all 
four fair information practices in the privacy disclosures.'' The FTC 
goes on to say, ``Moreover, the enforcement mechanism so crucial to the 
success and credibility of self-regulation is absent.''
    Mr. Chairman, a privacy right that is not enforceable is not worth 
the paper it's written on, or in this case the screen. That is why this 
Subcommittee needs to complete these hearings and get about the 
important task of considering legislation. The legislation needs to 
establish minimum standards governing the handling of information 
online. It needs to give the FTC authority to promulgate more detailed 
standards as necessary. And most importantly, it needs to provide 
adequate enforcement authority. Without an effective means of enforcing 
consumer privacy rights, consumers have no way to guarantee their 
rights are protected.
    Mr. Chairman, again I thank you for holding this hearing, and I 
look forward to working with you and the Ranking Member of the 
Subcommittee, Mr. Towns, on legislation to make sure that the privacy 
rights of consumers that engage in online transactions are fully 
protected.

    Mr. Stearns. And now we will have our first panel. Let me 
welcome all of you. Ms. Harriet Pearson, Chief Privacy Officer 
from IBM; Ms. Jacqueline Hourigan, Director of Corporation Data 
Policies, General Motors Corporation; Mr. Zeke Swift, Director, 
Global Privacy, Proctor & Gamble; Mr. Paul Misener, Vice 
President, Global Public Policy, Amazon.com; and Mr. David 
Johnson, Vice President, Direct Marketing, Land's End, 
Incorporated.
    I welcome you. And Ms. Pearson, we will have your opening 
statement.

 STATEMENTS OF HARRIET P. PEARSON, CHIEF PRIVACY OFFICER, IBM; 
 JACQUELINE L. HOURIGAN, DIRECTOR, CORPORATION DATA POLICIES, 
   GENERAL MOTORS CORPORATION; ZEKE SWIFT, DIRECTOR, GLOBAL 
PRIVACY, PROCTER & GAMBLE; PAUL MISENER, VICE PRESIDENT, GLOBAL 
     PUBLIC POLICY, AMAZON.COM; AND DAVID A. JOHNSON, VICE 
         PRESIDENT, DIRECT MARKETING, LAND'S END, INC.

    Ms. Pearson. Thank you, Mr. Chairman. And members of the 
committee, thank you for inviting IBM to share our views on 
this important subject.
    My name is Harriet Pearson. I am the Chief Privacy Officer 
for IBM. We are the world's largest information technology 
company, and the world's largest e-business services company. 
We believe that from that vantage point we have a unique 
perspective on the issue of privacy, dealing as we do with so 
many customers who use information in their own businesses 
worldwide.
    IBM has a longstanding commitment to privacy dating back to 
the 1960's. We were among the first corporations to develop a 
global privacy policy, focusing first on our employees. We were 
the first online advertiser to advertise and restrict our 
advertising only to those Internet sites that posted privacy 
policies. We are a leader in privacy and security technologies, 
with over 600 patents in that area.
    As Chief Privacy Officer, I manage our internal privacy 
policies, help bring together our research and technology 
initiatives, and engage customers and policymakers worldwide on 
this issue. The effort is complex for a large company like 
ours. For example, on the web, ibm.com has over a million pages 
of content, and each site needs to have a privacy statement. 
Privacy is a priority for IBM, and for the health of our 
marketplace.
    With that introduction, I would like first to comment upon 
how we use data ourselves, since that is a topic of this 
hearing. Then second, I would like to provide some observations 
from where we sit on how others, thousands of our customers, 
use data for their processes. And finally, I would like to 
close with several recommendations for how you as policymakers 
can continue building a record in this area and further the 
public policy agenda.
    I would like to turn to IBM first. The primary subject of 
this hearing is how companies use data. We at IBM strive to use 
data creatively and responsibly. Most of IBM's customers are 
organizations rather than individuals, but in both cases we use 
data to identify likely customers, understand their needs, and 
to market to them. We use data to offer the right solutions, 
deliver orders efficiently, offer strong service and support, 
and to maintain good relationships.
    These normal business functions require the collection and 
effective use of data about individuals. For example, when a 
consumer purchases an IBM personal computer, whether it is an 
Aptiva or a ThinkPad, we use information about their purchase, 
such as their name, address, phone, e-mail address. And we 
collect their preferences about whether or not they wish to be 
contacted. If they choose to register with what we call our 
Owner Privileges program, we use their information to provide a 
free product update newsletter, prioritize telephone handling 
with a special toll-free number, and other special offers.
    We govern our use of information with corporate-wide 
policies and practices on privacy. They govern how we use 
information worldwide. These policies require us, globally, to 
provide individuals notice of our information practices, and of 
the choices they can make about the use of their data. We 
require, also, ourselves to implement appropriate security and 
accuracy measures. And finally, we also have contractual 
protections for customers when we share data with our business 
partners and suppliers. And we do share data with those 
suppliers and business partners; lots of companies help us go 
to market and do business.
    IBM is leading within the larger business trend of becoming 
accountable on privacy. From our vantage point, working as we 
have with nearly 20,000 businesses in the last several years 
implementing and using the Internet to improve their 
businesses, we see firsthand how they use information to 
improve, in turn, their services and products for their 
consumers. These companies use consumer information in ways 
very similar to those I have just stated. And my experience is, 
personally and my colleagues', is that they have the same level 
of concern for consumer satisfaction and privacy.
    For example, one of our grocery chain customers uses 
information about consumer purchases to improve their decisions 
about which items to stock and when; to offer discounts; and to 
tailor promotions to individual customers. Data helps them 
reduce costs, and to run their company more efficiently, and to 
provide better service for their consumers.
    I have mentioned other examples in my written statement, 
and you will of course hear from the other companies here 
today. I personally have spoken with 100 or more, hundreds, of 
companies in the first 6 months of this year, and I can see 
significant growth in awareness of privacy issues, and a 
commitment to doing the right thing with respect to consumers. 
It is amazing to see how the level of awareness has grown 
within the U.S. business community.
    I believe the heart of the privacy challenge is that 
individuals must understand how information about them is used 
and how they benefit. They should be able to exercise choices 
and feel that the system that handles their information is 
under control. They need to feel confident that the 
relationships in which they enter are going to be ones that 
respect their wishes.
    It is important that we focus on these issues now and 
later. From our vantage point, it is clear that we are still in 
the early stages of a technological revolution that will change 
how we as businesses deal with consumers, and it is only going 
to keep accelerating in terms of how the technology lets us 
manage information. Therefore, I conclude with a few thoughts 
on how you as policymakers can move ahead.
    The point, it seems to me, is to find a balanced approach 
between government regulation, industry action, and individual 
responsibility. And our view is that a framework for those 
issues and how to approach it has emerged in this country. It 
is built on top of over 30 existing laws on privacy; layered on 
top of that, industry initiatives and proactive engagements by 
companies such as ours; and on top of that, the kinds of tools 
and technologies that are available now for companies to use.
    We need to have a deliberative approach, as you, Mr. 
Chairman, and the members of the committee have agreed to, to 
study these issues and find out, where is the harm? Where are 
the issues that need to be addressed? And how public policy 
fits into that picture. I commend you for your approach. We at 
IBM would like to continue to be a constructive player in this 
process. And we thank you for the opportunity to share our 
views.
    [The prepared statement of Harriet P. Pearson follows:]
 Prepared Statement of Harriet P. Pearson, Chief Privacy Officer, IBM 
                              Corporation
    Thank you Mr. Chairman for inviting me to share IBM's views.
    My name is Harriet Pearson and I am the Chief Privacy Officer of 
the IBM Corporation. IBM is the largest information technology company 
in the world. We develop and manufacture many of industry's most 
advanced technologies, including computer systems, software, networking 
systems, storage devices and microelectronics. We also are the world's 
largest e-business services company, delivering strategic consulting 
and helping our clients to use information technology to improve their 
internal operations and service to customers. This gives us a unique 
vantage point from which to comment on privacy issues, working as we do 
on a global basis with companies, governments, and organizations of all 
sizes.
    IBM has a long standing commitment to privacy. In the 1960s, IBM 
developed one of the first global privacy approaches for business, 
focused around employee privacy. As the computer revolution progressed, 
we supported privacy legislation to protect e-mail and medical 
information. IBM remains a leader in privacy and security technology--
currently holding over 600 patents for such technologies. IBM was the 
first online advertiser to announce that it would only advertise on 
Internet sites that posted privacy policies. Last year our CEO, Louis 
Gerstner, appointed me as IBM's Chief Privacy Officer to confirm that 
IBM has the right internal policies in place, to help unify our many 
privacy research and technology initiatives, and to engage customers 
and policymakers worldwide about privacy issues.
    I'm certainly not alone at IBM in my efforts. We have a privacy 
team that works across IBM in areas like marketing, development, 
services, human resources, and legal. The effort is complex for large 
companies. IBM is an $88 billion company that employs more than 300,000 
people in the United States and operates in 160 countries. On the Web, 
ibm.com has more than a million pages of content and each site needs to 
have a privacy statement.
    Externally, IBM's Privacy Consulting and Technology teams are 
helping organizations implement sound privacy practices and giving them 
the tools to do so. At all levels, IBMers speak out about the 
importance of privacy and are backing their words with actions to help 
build a responsible marketplace that can earn people's trust. In short, 
privacy is a priority within IBM and it is important to the health of 
the marketplace in which we operate.
                       how ibm uses customer data
    IBM policies and practices are designed to let us use data 
creatively and responsibly. Most of IBM's customers are corporate 
rather than individual clients. In both situations we work to identify 
likely customers, understand their needs, and market to them. We strive 
to offer the right solutions, deliver orders efficiently, offer strong 
service and support, and maintain good relationships in hopes of 
earning future sales. All of these normal business functions require 
the collection and effective use of data about individuals.
    For example, when an individual or small business owner purchases 
an IBM Aptiva or Thinkpad personal computer, we ask them for 
information about their purchase, their name, address, phone, e-mail 
and preferences about being contacted. As a special service for those 
customers willing to take the time to register with our Owner 
Privileges program, we use this information to provide a free e-mail 
newsletter, prioritized telephone handling through a special toll-free 
number, and special offers for registered customers (e.g. coupon for 
free stamps from Stamps.com).
    We inform customers about their choices not to receive further 
marketing materials from IBM, and respect their preferences. We might 
also use third-party sources like the National Change of Address 
Service managed by the U.S. Postal Service to verify address changes. 
We thus use customer information to provide better and more-tailored 
service, while solidifying the relationship with the customer.
    The net result? In this and other situations involving customer 
information, IBM is able to offer services better-targeted to those who 
might be interested, while at the same time delivering fewer 
solicitations to people who are not.
    IBM has a set of corporate-wide policies and practices to govern 
our actions when we use personally identifiable data and we train IBM 
professionals who are bound by these policies and practices. Our 
policies also require that we put in place contractual protections when 
we share data with business partners and suppliers.
    When IBM gathers personally identifiable information online, we 
offer notice of our privacy practices and inform the individual of 
their choices regarding the use of that data. In the case of e-mail 
solicitations, IBM requires that the individual first give his or her 
permission before the e-mail is sent unless we already have an existing 
business relationship. Our policies require that we safeguard the 
information in our possession and limit its visibility.
    IBM is leading within a larger business trend of taking action to 
be accountable on privacy. In just the past few years, we've seen a 
rapid growth of the number of online privacy statements, chief privacy 
officers, privacy technologies, seal programs, and in the U.S., 
targeted laws to protect sensitive information. This subcommittee 
should be proud its work to explore what further needs to be done. To 
best reap the benefits of the information economy and preserve privacy 
in the process, there must be a balanced approach. IBM believes it 
should begin with an understanding of what the future holds.
                 the future of the information economy
    Much has been said about the demise of the information economy in 
the wake of the dot.com meltdown. In fact, however, we are still in the 
early stages of a global technological transformation that will 
revolutionize our society over the next 25 years, driving our economy 
and exponentially expanding our opportunities. The transformation is 
being fueled by the rapidly increasing power of the technology itself 
and of information networks. These enable new models for business, 
health care, education and government.
    The Internet will transform every important business transaction 
and relationship. This includes improving relations with customers, but 
much more. It also means transforming relations with people who want to 
invest with you and people who want to work for you. Companies also 
will use the Net to integrate supply chains that connect an enterprise 
to markets and industries. Internal transactions, such as order 
processing, fulfillment, logistics, manufacturing and employee 
processes, will be faster and less costly.
    Companies will even be able to be in contact with their products--
appliances, industrial machinery, consumer electronics--so the company 
can provide after-sale service, understand product performance, and 
make improvements. Government will evolve similarly, as taxpayers will 
expect not only online services, but also efficient management. The 
benefit is very significant in hard dollar savings and cost avoidance 
when transactions are performed on the Web as opposed to the old paper 
format. For example, IBM saves 70 percent on transaction costs when we 
use the Web and we have seen many similar results across industry as a 
result of e-transformations.
    However, all this adds up to massive data collection and management 
and requires a heightened awareness and commitment to privacy 
throughout our society.
    My colleagues and I at IBM see first-hand how thousands of 
companies use information to improve their service and products for 
consumers--we've helped over 18,000 businesses successfully leverage 
the Internet. And these companies use consumer information in ways very 
similar to the companies at today's hearing, and with much the same 
level of concern for consumer satisfaction and privacy.
    Here are some examples:

 A multi-billion dollar US-based financial services firm uses 
        state-of-the-art database technology in a way that's allowed 
        them to anticipate customer needs and to respond rapidly. The 
        company uses customer information to help it pinpoint 
        delinquencies early, so it can work harder and earlier with 
        customers to help them become solvent again. It can better 
        tailor product offers to those who might be interested--for 
        example, offering coupons toward phone service for those 
        customers who achieve a certain level of usage. The firm's 
        objective is to treat all of its customers with the same level 
        of respect and to discover what is important to each customer.
 A utility company uses the consumer information it collects to 
        identify customers that may be interested in additional 
        services and market them accurately; to further customize rates 
        and offer analysis to specific customers; to generate 
        personalized reporting much faster than it was able to 
        previously; and to diversify their service offerings and react 
        quickly to new business opportunities.
 A grocery store chain uses information about consumer product 
        purchases to: make better decisions about which items to stock 
        and when; to offer customized discounts and other offers on 
        those products which an individual customer buys or may be 
        likely to be interested in; and overall to reduce cost and run 
        the company more efficiently.
    It is clear that the fullest fruits of the information revolution 
will remain untapped unless individuals can understand how information 
about them is collected and communicated to others. This lack of 
knowledge can drive feelings of mistrust, fear, and a loss of control. 
Individuals also must understand that they benefit from information 
exchanges in terms of savings, convenience, services, and jobs. Many 
surveys show that people want products quickly and conveniently and 
want high levels of service. They realize that some information 
exchange is needed.
    Importantly, individuals must be able to exercise choices and feel 
that the system is under control. They must feel confident entering 
into data sharing relationships with banks, doctors, credit card 
companies, grocery stores and their government. This is the heart of 
the privacy challenge.
                 need for a broader u.s. privacy debate
    Agreement is emerging around the world that private sector 
initiatives are critical to address privacy concerns in day-to-day 
commercial activities. Even in environments that embrace strict data 
processing regimes like the European Union, governments recognize that 
robust and accountable market-led measures must play a prominent, if 
not preeminent, role. Europeans call it ``co-regulation.'' In the 
United States it is often referred to as industry self-regulation.
    Business leadership is crucial because governments do not have the 
manpower, technology, or jurisdictional authority to comprehensively 
monitor consumer transactions in cyberspace, nor would many people want 
government to carry out such a task if it could. This brings me back to 
the question I posed earlier about preserving privacy and the benefits 
of the information economy: Is there a balanced approach between 
government regulation, industry action, and individual responsibility?
    As this subcommittee established at an earlier hearing, 
approximately 30 federal laws regulate privacy in some form. These laws 
tend to focus on (1) preventing fraudulent or harmful uses of data 
(e.g. identity theft, employment discrimination, deceptive trade 
practices, or surreptitious monitoring of e-mail) and (2) establishing 
special rules and protections for sensitive information (e.g. 
financial, medical, and children's data).
    Layered upon these protections are industry initiatives like 
privacy policies, seal programs, industry codes of conduct, and 
suppression lists for telemarketing and commercial e-mail. Furthermore, 
people can use privacy technologies to control cookies or to surf, 
shop, and send e-mail anonymously. Many are free and some are being 
built into the architecture of the online marketplace (e.g. the 
Platform for Privacy Preferences).
    U.S. law and practice reflect a desire to balance individual 
privacy and the societal benefits of data availability (e.g., economic 
efficiency, free speech, accountable government). This is a solid 
framework and should be the basis on which any new or modified U.S. 
privacy regime is built.
    Some have asked, ``where is the harm'' in data collection as a 
rhetorical question to imply there is no harm or risk. We should ask 
the question in earnest. And then answer it by devising responses to 
people's real and legitimate concerns about data, such as identity 
theft, financial fraud, disclosure of embarrassing information, 
employment discrimination, denial of insurance, government seizure, or 
nuisance issues like spam. We should not create laws because of a vague 
notion that data collection itself is harmful.
    We need to examine the incidence of these concerns, identify their 
causes, assess any harm they may cause, and then as leaders--in 
government and the private sector--ensure that an appropriate policy 
regime is in place. Too much of the privacy debate now speculates on 
how commercial data might be used without going through these steps. We 
should identify a spectrum of privacy concerns and link them with 
protections afforded by current law and practice. Most Americans are 
unaware of the privacy protections afforded them now by the Fair Credit 
Reporting Act, the FTC Act, the Network Advertising Initiative, the 
Privacy Act, the Electronic Communications Privacy Act, and the Fourth 
Amendment.
    Against this backdrop we should review proposals by Members of 
Congress and consider what further actions might be appropriate for 
industry or the Administration. This subcommittee has demonstrated that 
privacy has many dimensions and is complex, but I sense that we are 
beginning to gain a fuller knowledge and perspective that will allow us 
enter a more productive dialogue on privacy and to craft appropriate 
responses.
    In summary, we should build on current law where necessary and link 
solutions to people's top priorities. We appreciate the subcommittee's 
thoughtful examination of privacy issues and the critical role you will 
play in shaping balanced, appropriate responses. IBM is committed to 
continue being a constructive player in this process. For example, we 
have joined with other companies in groups such as the Privacy 
Leadership Initiative to further the contributions that the private 
sector can make to understanding these complex issues and communicating 
helpful information to fellow business and consumers.
    Most companies agree that any U.S. privacy regime should be a 
national solution, not a patchwork of fifty conflicting regimes. The 
regime should encourage transparency and choice. It should hold 
government and non-profit organizations accountable to similar 
standards asked of industry. It should neither discriminate against the 
Internet nor create new private rights of action.
    In consummary, IBM believes that the best privacy model is a 
layered approach of responsible industry action, consumer-empowering 
technology, and targeted government action that promotes transparency, 
protects sensitive information, and appropriately addresses harmful and 
fraudulent data practices. This framework can build consumer trust and 
remain flexible enough to allow companies to offer the convenience, 
savings, services, and jobs that benefit our citizens.
    Thank you for this opportunity to share our views.

    Mr. Stearns. Thank you.
    Ms. Hourigan?

               STATEMENT OF JACQUELINE L. HOURIGAN

    Ms. Hourigan. Good morning, Mr. Chairman and members of the 
subcommittee. My name is Jacqueline Hourigan, and I am the 
Director of Corporate Data Policies for the General Motors 
Corporation. I welcome the opportunity to appear today to 
discuss GM's perspectives of this very complex issue of data 
privacy.
    As you heard earlier, we have over 400,000 employees, 
30,000 suppliers, and 8.7 million vehicles sold last year in 
over 200 countries. As a result, the collection, use, and 
security of personally identifiable data, collected both on the 
Internet and in the off-line world, are critically important 
issues for GM. As a result, we do appreciate the deliberative 
and thoughtful approach this committee has taken to this 
incredibly complex issue.
    Our customers' trust is a priority for GM, and we are 
working to balance our customers' needs and expectations with 
the benefits available from the free flow of information. 
Specifically, we seek to align our internal policies and 
processes with customer expectations and data privacy laws 
worldwide.
    We collect information through a variety of means, 
including standard market research and response techniques; 
visits to GM web sites; product purchase channels; as well as 
in-vehicle technology designed to enhance the safety and 
security of our drivers on the road.
    We are also sensitive to the privacy concerns of our 
employees, as well as our need to effectively deploy and 
support our work force on a worldwide basis. The ability to 
transfer human resource data across borders is extremely 
critical for multinational companies such as GM. We strive to 
balance very significant and legal and societal expectations 
for privacy with the objective of enhancing our customers' 
ownership experience. With a better understanding of our 
customers, we can make their shopping, buying, and owning 
experience more enjoyable, and make the entire process more 
efficient and cost-effective for GM.
    Because the development lead time for vehicles can be up to 
3 years long, it is important for us to understand our 
customers' preferences and the market trends. For example, data 
on customer purchasing and usage patterns can help us target 
products more effectively to meet consumer needs, and also to 
tailor messages and promotions to the interests of current and 
prospective customers.
    We have built a data base about GM vehicle owners to 
facilitate after-market sales, repairs, next vehicle purchase, 
and to cross-market the broad range of GM products and 
services. Customer information is also critical to our U.S. 
vehicle warranty data base, which is used in the event of a 
safety or customer satisfaction recall. In addition, customer 
information may be shared with other parts of the company, so 
we can enhance the shopping, buying, and owning experiences of 
our customers with related information and services.
    The emergence of new technologies has facilitated more one-
to-one communications with our customers. Consequently, we are 
moving toward a process whereby the consumer will control the 
type of information they receive, and the manner in which they 
receive it. The benefits to the customer of this data-rich 
analysis and cross-marketing focus are increased satisfaction 
with products and services that are better suited to their 
needs, and marketing efforts that provide meaningful benefit at 
the appropriate time and through the communication channel of 
the consumer's choice.
    Attention to the issue of data privacy has been elevated to 
the highest levels of management at GM. Last fall, a corporate 
officer assumed responsibility for developing a global data 
privacy strategy, and my position, which focuses on 
coordinating our global business units' implementation of GM's 
privacy strategy, was also created.
    We are implementing the strategy on a scheduled basis 
throughout GM's global marketplace, through the adoption of 
privacy statements by individual GM business units. The privacy 
statements will vary by business unit, and the applicable laws, 
customs, and culture of particular countries. GM already has in 
place a global information security policy that provides 
guidelines for appropriate use and handling of GM data.
    Again, we appreciate the opportunity to be here today to 
discuss GM's approach to data privacy, and our ongoing 
commitment to honoring our customers' privacy preferences. We 
commend this committee for taking a thoughtful approach to this 
complex issue, and hope that you will continue to seek 
industry's input to ensure the approach adopted does not result 
in legislation that could be burdensome, impractical, and could 
produce unintended consequences, such as higher consumer costs, 
prevention of legitimate information collection, and the 
creation of obstacles to the free flow of information.
    Thank you very much.
    [The prepared statement of Jacqueline L. Hourigan follows:]
    Prepared Statement of Jacqueline L. Hourigan, Director of Data 
                  Policies, General Motors Corporation
    Mr. Chairman and members of the subcommittee, my name is Jacqueline 
Hourigan, and I am the Director of Data Policies for the General Motors 
Corporation. I welcome the opportunity to appear before the members 
today to discuss GM's perspectives on the issue of data privacy.
    GM appreciates the deliberative and thoughtful approach this 
committee has taken to the privacy issue. For decades we at GM have 
worked hard to build strong relationships with the millions of GM 
customers. These relationships, based on high quality and exciting 
products and services, are critically important to us. The trust we 
have established and continue to reinforce through our policies and 
practices is key to General Motors' success in this extremely 
competitive automotive and financial services market.
    By way of background, General Motors is the world's largest 
industrial corporation. GM designs, manufacturers, and markets cars, 
trucks, heavy-duty transmissions, and locomotives worldwide. Other 
substantial business interests include Hughes Electronics Corporation 
and General Motors Acceptance Corporation (GMAC). GM cars and trucks 
are sold in 200 countries and the company has manufacturing or assembly 
operations in more than 30 countries. GM employs 400,000 people 
worldwide and partners with over 30,000 suppliers. In 2000, GM sold 8.7 
million vehicles worldwide and had revenues of $185 billion.
                 importance of the privacy issue to gm
    The collection, use, and security of personally identifiable data 
collected on the Internet and in the off-line world are important 
issues for GM. We seek to align our internal processes and policies 
with consumer expectations and data privacy laws worldwide. We collect 
information through a variety of means, such as traditional market 
research and response techniques, visits to GM web sites, subscriptions 
to OnStar', insurance, finance or mortgage products with 
GMAC, and through in-vehicle technology designed to enhance our 
customers' safety and security.
    GM's privacy concerns also apply to data GM maintains on employees. 
A key business objective for GM is the effective deployment and support 
of our workforce. The ability to transfer human resource data across 
borders is extremely important to companies that have a global 
footprint, such as ours.
                 uses of data and benefits to customers
    GM strives to balance the very significant legal and societal 
expectations for privacy with the objective of enhancing our customers' 
ownership experience. With a better understanding of our customers, we 
can make their shopping, buying, and owning experience more enjoyable 
and make the entire process more efficient and cost effective for GM.
    Because the development lead-time for vehicles ranges from 
approximately 24 to 36 months, it is important for us to understand 
customer preferences and market trends. At GM, we apply predictive 
modeling techniques to the data provided us by our customers to assess 
trends and forecast our customers' future preferences. The better we 
understand our customers and where we are gaining or losing sales, the 
better we can focus our product and marketing priorities.
    We also optimize our ongoing marketing efforts by tailoring 
relevant messages and promotions to our current and prospective 
customers. Customers generally own their vehicles for many years 
(almost a decade on average) and we have built a substantial database 
with information on GM vehicle owners that we use to facilitate after-
market sales, repairs, next vehicle purchase, and to cross-market the 
broad range of GM products and services. It is important to note that 
customer information is also compiled to populate our U.S. vehicle 
warranty database so that we can contact customers in the event of a 
safety or customer satisfaction recall.
    Customer information may be shared with other parts of the company. 
By offering a suite of products and services to our customers their 
learning, shopping, buying, and owning experience is enhanced. By way 
of example, GMAC's real estate operation is focused on coordinating 
realtor, mortgage, closing, moving, homeowner, and relocation services 
that are critically important to anyone buying a new home. By sharing 
customer information within the GMAC organization, we can create a 
seamless service delivery platform that gives time back to the customer 
and creates real value for them.
    The emergence of new technologies has facilitated more one-to-one 
communications with our customers. Consequently, we are moving toward a 
process whereby the consumer controls the type of information they 
receive and the manner in which they receive it.
    The benefits to the customer of this data-rich analysis and cross-
marketing focus are increased satisfaction with products and services 
better suited to their needs and marketing efforts that provide 
meaningful benefit at the appropriate time and through the 
communication channel of their choice.
              what data handling practices does gm employ
    Attention to the issue of data privacy has been elevated to the 
highest levels of management at General Motors. Last fall, a corporate 
officer assumed responsibility for developing a global data privacy 
strategy for the corporation, and my position, which focuses on 
coordinating our business units' implementation of GM's privacy 
strategy globally, was also created.
    GM is implementing the strategy on a scheduled basis throughout 
GM's global marketplace through the adoption of privacy statements by 
individual GM business units. These privacy statements will vary by 
business unit and the applicable laws, customs, and culture of 
particular countries. GM already has in place a global information 
security policy that provides guidelines for appropriate use and 
handling of data.
                               conclusion
    Again, we appreciate the opportunity to be here today to discuss 
GM's approach to data privacy and our commitment to respecting our 
customer's privacy preferences. We commend this committee for taking a 
thoughtful approach to this complex issue. We hope that you will 
continue to seek industry's input to ensure the approach adopted does 
not result in legislation that would be burdensome, impractical and 
would produce unintended consequences. These unintended consequences 
could include higher consumer costs, prevention of legitimate 
information collection, and the creation of obstacles to the free flow 
of information.
    Thank you.

    Mr. Stearns. Thank you.
    Mr. Swift?

                     STATEMENT OF ZEKE SWIFT

    Mr. Swift. Thank you, Chairman Stearns and members of the 
subcommittee. I am Zeke Swift, Director of Global Privacy for 
the Proctor & Gamble Company.
    P&G markets 300 brands of consumer products to, as the 
chairman already mentioned, 5 billion consumers in over 140 
countries. These include leading brands like Tide, Pantene, 
Pringle's, and Iams. We are based in Cincinnati, Ohio, and have 
on-the-ground operations in over 70 countries.
    Privacy is a public policy issue long associated with 
direct marketing and high-tech industries. So why does P&G, a 
consumer products manufacturer, care about privacy? Let me 
summarize our interest in three points.
    First, information about consumers is central to a consumer 
products business. We rely on information to better understand 
consumer needs and produce products, information, and services 
to better meet them. As a result, we have an enormous stake in 
fostering an environment in which consumers confidently share 
their information with us. Creating this climate includes 
making sure that our practices meet or exceed consumer 
expectations, and contributing to industry and policy 
initiatives to enable other companies to do the same.
    Second, new technologies are enabling us to deliver 
benefits that were previously impossible. When consumers share 
information with us, we can now deliver tailored offers, such 
as samples or coupons, customized products and information, or 
opportunities to test new products not yet available in stores. 
This increases satisfaction among consumers who are interested, 
and ultimately reduces costs of marketing to consumers who are 
not. We want to preserve the ability to take full advantage of 
current and emerging technology to target consumer needs.
    Third, handling personal data is a complex issue for a 
company the size of P&G. We receive consumer data from sources 
including off-line promotions, online web sites, consumer 
relations contacts, market research, and clinical studies, just 
to name a few. We operate in over 70 countries. We have about 
200 corporate entities, and relationships with hundreds of 
vendors and contractors. We have about 375 web sites globally. 
Administrative processes such as those required by recent 
European legislation impose an unimagined burden for a company 
like ours, with little or no substantive benefit to the 
consumer. We hope that any steps taken in the United States 
reflect this learning.
    Now, let me share two examples of more sophisticated uses 
of data to meet consumer needs. Both involve interactions with 
consumers over the Internet.
    First, with Reflect.com, a woman provides information about 
her physical attributes and lifestyle preferences, and then 
creates personalized skin care, hair care, fragrance, and 
cosmetic products from some 50,000 possible product 
combinations. The items are delivered to her door in a 
personalized package within 3 to 7 business days.
    Second, at our Pampers.com web site, parents can sign up 
for a free monthly newsletter tailored to the age by month of 
their baby, and delivered to their e-mail inbox. The newsletter 
offers expert information about raising children, tips from 
bathing to discipline, coupons, and opportunities to try new 
products like our Bibster disposable baby bibs--just a word 
from our sponsor.
    In order to deliver these benefits, we collect, obviously, 
data such as a person's name and address. To increase the 
tailoring of those offers, we may collect demographic, 
lifestyle, or product usage information. Consumers give us most 
of the information we use. In some cases, we get additional 
information from data compilers such as Acxiom, Equifax, and 
Experian. And I've given them all equal time because they will 
be following us in the next panel.
    We do not sell personal information. We do share 
information with vendors acting on our behalf to process data 
or fulfill a promotion. We do not share data with companies 
beyond our vendors without the individual's consent.
    We are committed to keeping data secure, and take 
precautions against loss, misuse, or alteration of the data. 
These measures include physical security, controlled access to 
data, and encryption for data transmission. We require our 
vendors and partners to provide privacy practices equivalent to 
our own, and we forbid them from any additional use of our 
data.
    In conclusion, we believe that understanding consumer 
needs, delivering consumer benefits, and generating consumer 
trust, are three pillars that should be at the center of any 
policy discussion on privacy. If I may paraphrase 
Representative DeGette from an earlier hearing, there are two 
secrets about privacy: taking care of personal information is 
good for business; and sharing personal information is good for 
consumers.
    Thank you very much.
    [The prepared statement of Zeke Swift follows:]
Prepared Statement of Zeke Swift, Director, Global Privacy, The Procter 
                            & Gamble Company
                              introduction
    Thank you, Chairman Stearns and members of the Subcommittee, for 
the opportunity to testify on this important issue. My name is Zeke 
Swift and I am Director, Global Privacy for The Procter & Gamble 
Company.
    As background, Procter & Gamble markets 300 brands of consumer 
products to nearly five billion consumers in over 140 countries. These 
brands include Tide, Swiffer, Crest, Pantene Pro-V, Pringles, Pampers, 
Olay, Iams and Vicks. We are based in Cincinnati, Ohio and have on-the-
ground operations in over 70 countries.
                              key messages
    Privacy is a public policy issue long associated with the high tech 
and direct marketing industries. So why does P&G, a consumer products 
manufacturer, care about the privacy issue? Let me summarize our 
interest in three key points.
    1. First, information about consumers is central to our business. 
We rely on information to better understand consumer needs, and produce 
superior products, information and services to meet them. As a result, 
we have an enormous stake in fostering an environment of trust in which 
consumers confidently share their information with us. Creating this 
climate includes making sure that our practices meet or exceed consumer 
expectations, and contributing to industry and policy initiatives that 
enable other companies to do the same.
    2. Second, new technologies are enabling us to deliver a level of 
benefit on the basis of personal information that was previously 
impossible. When consumers share information with us, we now can 
deliver tailored offers such as samples or coupons, opportunities to 
test new products, or customized products and information. We want to 
preserve the ability to take full advantage of current and emerging 
technology to meet consumer needs.
    3. Third, privacy--or more broadly the way we handle personal 
data--is a complex issue for a company the size of P&G. We receive 
consumer data from many sources including offline promotions, online 
websites, Consumer Relations contacts, market research and clinical 
studies. As mentioned, we operate in over 70 countries. We have about 
200 corporate entities and relationships with hundreds of vendors and 
contractors. Administrative processes, such as those imposed by recent 
European legislation, impose unimaginable burdens for companies like 
ours with little or no substantive benefit to consumers. We hope that 
any steps taken in the United States would reflect this learning.
                         p&g privacy practices
    Now, let me share a couple of points about our overall approach to 
privacy.
    First, we're guided by two fundamental principles:

(a) We strive to treat information provided by individuals as their 
        own, which has been entrusted to us; and
(b) We strive for transparency with consumers about how their 
        information is used. We inform people about how we handle 
        information they provide us. We give them choices about further 
        communication with P&G or further uses of their data. We offer 
        them reasonable access to data they've provided to review it, 
        correct it or ask us not to use it.
    Second, we have a long history of responsible treatment of personal 
information. Our employee privacy policy, for example, dates back more 
than 20 years. And, we posted our first on-line privacy statement in 
1997.
    Third, for consistency's sake we've chosen to take a global 
approach to privacy. We have a single global privacy policy. We have a 
global structure for developing and implementing our information 
practices worldwide. We are building a global IT system to implement 
and monitor our policy globally.
                           consumer benefits
    Now let me provide some examples of the way we're using consumer 
information today. At the most elemental level, when consumers share 
their information with us, we can give them information, services and 
products tailored to their needs or interests. These may include new 
product announcements, free sample offers, participation in contests 
and sweepstakes, and opportunities to test new products not yet 
available in stores.
    But at a more sophisticated level we use interactions with 
consumers over the Internet to deliver personalized or customized 
products and services. For example:
    1. With Reflect.com, a woman provides information about her 
individual attributes and lifestyle and creates personalized skin care, 
hair care, fragrances and cosmetics. The items are delivered to her 
door in a personalized package within 3 to 7 business days. The beauty 
products are produced from some 50,000 possible product combinations 
based on P&G formulas.
    2. Our Pampers.com website strives to be the best resource on the 
web for parents and parents-to-be. It offers parents an opportunity to 
sign up for a free monthly newsletter from the Pampers Parenting 
Institute, tailored to the age of their baby and delivered to their e-
mail inbox. The newsletter is full of information about child rearing 
written by experts, offers tips from bathing to discipline, coupons, 
and opportunities to sample new products like our disposable Bibster 
baby bibs.
              how we collect and use personal information
    In order to deliver offers such as these, we collect data such as a 
person's name, address, email address or phone number so that we may 
contact them or send them items they have requested. To increase the 
likelihood that our offers will be of interest, we collect demographic 
information such as age or gender, lifestyle information such as 
household status or personal interests, and other relevant information 
such as product usage and preferences.
    Consumers volunteer most of the information we store in our 
databases. In some situations we use additional demographic information 
purchased from data aggregators such as Acxiom, Equifax or Experian. 
The data provided by aggregators is from publicly available sources 
such as telephone directories and public records, or from information 
reported by consumers themselves through vehicles such as warranty 
cards.
    We seek to build our relationships with consumers on the basis of 
transparency and trust. We offer individuals who have provided us with 
information choices about further communications. We ask whether or not 
a consumer would like to be contacted about additional offers or 
services. We seek wherever we can to provide consumers with a 
convenient means to tell us, yes or no, whether we may use the 
information they provided to re-contact them.
    We do not sell personal information. We obviously do share data 
with vendors acting on our behalf to fulfill a promotion. We do not 
share data with companies beyond our vendors without the individual's 
consent.
    We are committed to keeping data secure and take precautions 
against loss, misuse or alteration. These measures include physical 
security, controlled access to data and encryption for data 
transmission. We require vendors, partners and contractors to provide 
equivalent privacy measures and forbid them to use data for any 
additional purpose.
                                summary
    In conclusion, we believe that understanding consumer needs, 
delivering consumer benefits and generating consumer trust are the 
issues at the heart of any policy discussion on privacy. If I may 
paraphrase Representative DeGette from an earlier subcommittee hearing, 
``There are two secrets about privacy: privacy--the stewardship of 
personal information--is good for business, and information sharing is 
good for consumers.''
    Thank you.

    Mr. Stearns. Thank you.
    Mr. Misener, your opening statement?

                    STATEMENT OF PAUL MISENER

    Mr. Misener. Thank you, Chairman Stearns and members of the 
subcommittee. My name is Paul Misener. I am the Vice President 
for Global Public Policy at Amazon.com. Thank you very much for 
inviting me here to testify today.
    Mr. Chairman, Amazon.com is pro-privacy. The privacy of 
personal information is important to our customers, and thus it 
is important to us. Indeed, as Amazon.com strives to be the 
Earth's most customer-centric company, we must provide our 
customers the very best shopping experience, which is a 
combination of convenience, personalization, privacy, 
selection, savings, and other features. At Amazon.com, we 
manifest our commitment to privacy by providing our customers 
notice, choice, access, and security.
    Before I describe these four facets of privacy protection 
at Amazon.com, please allow me to explain how we use customer 
information. In general, Amazon.com uses personally 
identifiable customer information to personalize the shopping 
experience at our store. Rather than present an identical 
storefront to all visitors, our longstanding objective is to 
provide a unique store to every one of our customers, now 
totaling well over 35 million people. In this way, our 
customers may readily find the items they seek, and discover 
other items of interest.
    Amazon.com now inserts, among the familiar tabs across the 
top of our web pages, a special tab with our customer's name on 
it. When I visited Amazon's site on Monday, for example, the 
tabs included books, electronics, DVDs, and ``Paul's store.'' 
By clicking on the ``Paul's store'' tab, Amazon.com introduced 
me to six smaller stores, including one named ``Your kitchen 
and housewares store,'' which featured a Calphalon professional 
nonstick 5-quart saucepan, which I promptly bought, and it was 
delivered yesterday.
    Now, it was no coincidence, of course, that Amazon.com 
recommended this saucepan to me, and that I liked it. Using so-
called collaborative filtering techniques, which compare my 
past purchases to anonymous statistics on thousands of other 
Amazon.com purchases, Amazon.com computers automatically, and 
correctly, predicted that I would want this saucepan. Similar 
personalization is provided in the traditional Amazon.com 
recommendations on the home page, and purchase follow-up 
recommendations in the ``New for You'' feature, and in some 
varieties of e-mail communications.
    Obviously, Amazon.com's personalization features directly 
benefit our customers. And just as obviously, these features 
require the collection and use of personally identifiable 
customer information. The question then is how do we protect 
the privacy of this information?
    As I indicated earlier, Amazon.com manifests its privacy 
commitment by providing notice, choice, access, and security. 
Amazon.com was one of the very first online retailers to 
provide a clear and conspicuous privacy notice. We also provide 
our customers meaningful privacy choices. In some instances we 
provide opt-out choice, and in other instances we provide opt-
in choice.
    We are an industry leader in providing our customers access 
to the information we have about them. They may easily view and 
correct, as appropriate, their contact information, payment 
methods, purchase history, and even the clickstream record of 
products they view while browsing Amazon.com's online stores. 
And finally, Mr. Chairman, Amazon.com vigilantly protects the 
security of our customers' information.
    It is very important to note here that, other than an 
obligation to live up to pledges made in our privacy notice, 
there is no legal requirement for Amazon.com to provide our 
customers the privacy protections that we do. So why do we 
provide notice, choice, access, and security? The reason is 
simple: privacy is important to our customers, and thus it is 
important to Amazon.com. We simply are responding to market 
forces. Indeed, if we didn't make our customers comfortable 
shopping online, they will shop at established brick-and-mortar 
retailers, who are our biggest competition.
    These market realities lead us to conclude that there is no 
inherent need for privacy legislation. That said, we have been 
asked whether Amazon.com could support a privacy bill. Perhaps 
we could, but only under certain circumstances.
    At the Federal level, Amazon.com could support a bill that 
would require notice and meaningful choice, but only if it 
would pre-empt inconsistent State laws, bar private rights of 
action, and address both online and off-line activities. Please 
allow me to explain each of these points.
    First, any Federal privacy legislation applied to online 
activities must pre-empt inconsistent State laws, for it would 
be virtually impossible for a nationwide web site to comply 
with conflicting rules from multiple jurisdictions.
    Second, Amazon.com could support a privacy bill only if it 
would bar private rights of action. The threat of aggressive 
private litigation would companies to balkanize their privacy 
notices for the sake of legal defensibility, at the expense of 
simplicity and clarity.
    Third and finally, Amazon.com believes that privacy 
legislation must apply equally to online and off-line 
activities. It makes little sense to treat information 
collected online differently from the same, and often far more 
sensitive, information collected through other media, such as 
mail-in warranty registration cards, point-of-sale purchase 
tracking, and magazine subscriptions.
    On one hand, such parity is necessary in fairness to online 
companies. But more importantly, it would be misleading to 
American consumers to enact a law that applies only to online 
entities, because for the foreseeable future the putative 
protections of such a law would apply only to a very tiny 
fraction of consumer transactions. Last year, online sales 
accounted for less than 1 percent of all retail business. 
Obviously, any law that addresses only online transactions 
could not benefit consumers much at all compared to one that 
equally addresses online and off-line activities.
    Moreover, to the extent it provides any real consumer 
benefits, a law that addresses only online activities would 
have the perverse effect of failing to provide any benefits to 
those on the less fortunate side of the digital divide. Indeed, 
consumers who, because of economic situation, education, or 
other factors, are not online, would receive no benefits of a 
new online-only law.
    In sum, Mr. Chairman, Amazon.com is pro-privacy in response 
to consumer demand and competition. We believe market forces 
are working, and thus believe there is no inherent need for 
legislation. Nonetheless, Amazon.com could support limited 
Federal legislation, but only if it pre-empts State laws, only 
if it bars private rights of action, and only if it applies to 
off-line as well as online activities.
    Thank you again for inviting me to testify. I look forward 
to your questions.
    [The prepared statement of Paul Misener follows:]
   Prepared Statement of Paul Misener, Vice President, Global Public 
                           Policy, Amazon.com
    Chairman Stearns, Mr. Towns, and members of the Subcommittee, my 
name is Paul Misener. I am Amazon.com's Vice President for Global 
Public Policy. Thank you for inviting me to testify today.
    A pioneer in electronic commerce, Amazon.com opened its virtual 
doors in July 1995 and today offers books, electronics, toys, CDs, 
videos, DVDs, kitchenware, tools, and much more. With well over 30 
million customers in more than 160 countries, Amazon.com is the 
Internet's number one retailer.
    Mr. Chairman, Amazon.com is pro-privacy. The privacy of personal 
information is important to our customers and, thus, is important to 
us. Indeed, as Amazon.com strives to be Earth's most customer-centric 
company, we must provide our customers the very best shopping 
experience, which is a combination of convenience, personalization, 
privacy, selection, savings, and other features.
    At Amazon.com, we manifest our commitment to privacy by providing 
our customers notice, choice, access, and security. Before I describe 
these four facets of privacy protection at Amazon.com, please allow me 
to explain how we use customer information.
    In general, Amazon.com uses personally identifiable customer 
information to personalize the shopping experience at our store. Rather 
than present an identical storefront to all visitors, our longstanding 
objective is to provide a unique store to every one of our customers, 
now totaling well over 35 million people. In this way, our customers 
may readily find items they seek, and discover other items of interest. 
If, for example, you buy a Stephen King novel from us, we likely will 
recommend other thrillers the next time you visit the site.
    Amazon.com now inserts, among the familiar ``tabs'' atop our Web 
pages, a special tab with the customer's name on it. When I visited 
Amazon.com's site yesterday, for example, the tabs included Books, 
Electronics, DVDs, and ``Paul's Store.'' By clicking on the ``Paul's 
Store'' tab, Amazon.com introduced me to six smaller stores, including 
one named, ``Your Kitchen and Housewares Store,'' which featured a 
Calphalon professional nonstick 5-quart saucepan (which I promptly 
bought).
    It was no coincidence, of course, that Amazon.com recommended this 
saucepan to me, and that I liked it: using so-called ``collaborative 
filtering'' techniques, which compare my past purchases to anonymous 
statistics on thousands of other Amazon.com purchases, Amazon.com 
computers automatically--and correctly--predicted that I would want the 
saucepan.
    Similar personalization is provided in the traditional Amazon.com 
recommendations on the home page, in purchase follow-up 
recommendations, in the ``New for You'' feature, and in some varieties 
of email communications. Customers can improve the quality of these 
recommendations in several ways, including by removing individual 
Amazon.com purchases from consideration, and by rating the products 
they buy at Amazon.com or elsewhere. For example, I bought my niece a 
few CDs from the singer Britney Spears but, because I did not want 
similar music recommended to me, I removed these CDs from the list of 
items Amazon.com uses to produce my recommendations. In addition, on 
Amazon.com's site, I can rate a CD that I might have purchased at Wal-
Mart to improve the quality of my music recommendations.
    Obviously, Amazon.com's personalization features directly benefit 
our customers. And, just as obviously, these features require the 
collection and use of personally identifiable customer information. The 
question, then, is how do we protect the privacy of this information?
    As I indicated earlier, Amazon.com manifests its privacy commitment 
by providing notice, choice, access, and security.
    Notice. Amazon.com was one of the first online retailers to post a 
clear and conspicuous privacy notice. And last summer, we proudly 
unveiled our updated and enhanced privacy policy by taking the unusual 
step of sending email notices to all of our customers, then totaling 
over 20 million people.
    Choice. We also provide our customers meaningful privacy choices. 
In some instances, we provide opt-out choice, and in other instances, 
we provide opt-in choice. For example, Amazon.com will share a 
customer's information with a wireless service provider only after that 
customer makes an opt-in choice. We simply are not in the business of 
selling customer information and, thus, beyond the very narrow 
circumstances enumerated in our privacy notice, there is no information 
disclosure without consent.
    Access. We are an industry leader in providing our customers access 
to the information we have about them. They may easily view and correct 
as appropriate their contact information, payment methods, purchase 
history, and even the ``click-stream'' record of products they view 
while browsing Amazon.com's online stores.
    Security. Finally, Amazon.com vigilantly protects the security of 
our customers' information. Not only have we spent tens of millions of 
dollars on security infrastructure, we continually work with law 
enforcement agencies and industry to share security techniques and 
develop best practices.
    It is very important to note that, other than an obligation to live 
up to pledges made in our privacy notice, there is no legal requirement 
for Amazon.com to provide our customers the privacy protections that we 
do.
    So why do we provide notice, choice, access, and security? The 
reason is simple: privacy is important to our customers, and thus it is 
important to Amazon.com. We simply are responding to market forces.
    Indeed, if we don't make our customers comfortable shopping online, 
they will shop at established brick and mortar retailers, who are our 
biggest competition. Moreover, online--where it is virtually effortless 
for consumers to choose among thousands of competitors--the market 
provides all the discipline necessary. Our customers will shop at other 
online stores if we fail to provide the privacy protections they 
demand.
    These market realities lead us to conclude that there is no 
inherent need for privacy legislation. That said, we have been asked 
whether Amazon.com could support a privacy bill. Perhaps we could, but 
only under certain circumstances.
    Under no circumstances would we support state or local laws 
governing online privacy. Not only would such laws be constitutionally 
suspect, a nationwide website like Amazon.com would find it difficult 
if not impossible to comply with fifty or more sets of conflicting 
rules.
    At the federal level, Amazon.com could support a bill that would 
require notice and meaningful choice, but only if it would preempt 
inconsistent state laws, bar private rights of action, and address both 
online and offline activities. Please allow me to briefly explain each 
of these points.
    Preempt State Law. First, any federal privacy legislation applied 
to online activities must preempt inconsistent state laws, for it would 
be virtually impossible for a nationwide website to comply with 
conflicting rules from multiple jurisdictions. Even though such laws 
most likely would fail a constitutional challenge, the expense and 
uncertainty of litigation should be avoided with a Congressionally 
adopted ceiling.
    Bar Private Rights of Action. Second, Amazon.com could support a 
privacy bill only if it would bar private rights of action. The threat 
of aggressive private litigation would cause companies to balkanize 
their privacy notices for the sake of legal defensibility, at the 
expense of simplicity and clarity. Ten-page privacy statements and 
fine-print legalese would become the norm. A regulatory body such as 
the Federal Trade Commission, on the other hand, could balance the 
competing interests of legal precision and simplicity. A class action 
plaintiffs' lawyer would have no such motivation.
    In addition, the aforementioned uniformity necessary to run 
nationwide websites would be destroyed by a host of trial lawyers suing 
companies all across the country. A single authority, such as the FTC, 
could provide the nationwide approach that private litigation cannot.
    Parity with Offline Activities. Third, and finally, Amazon.com 
believes that privacy legislation must apply equally to online and 
offline activities, including the activities of our offline retail 
competitors. It makes little sense to treat information collected 
online differently from the same--and often far more sensitive--
information collected through other media, such as offline credit card 
transactions, mail-in warranty registration cards, point-of-sale 
purchase tracking, and magazine subscriptions.
    On one hand, such parity is necessary in fairness to online 
companies. It simply would not be equitable to saddle online retailers 
with requirements that our brick-and-mortar or mail order competitors 
do not face.
    But more importantly, it would be misleading to American consumers 
to enact a law that applies only to online entities because, for the 
foreseeable future, the putative protections of such a law would apply 
only to a tiny fraction of consumer transactions. Last year, online 
sales accounted for less than one percent of all retail business. 
Obviously, any law that addresses only online transactions could not 
benefit consumers much at all compared to one that equally addresses 
online and offline activities such as using a grocery store loyalty 
card or subscribing to a magazine.
    Moreover, to the extent it provides real consumer benefits, a law 
that addresses only online activities would have the perverse effect of 
failing to provide any benefits to those on the less fortunate side of 
the digital divide. Indeed, consumers who, because of economic 
situation, education, or other factors, are not online would receive no 
benefits from a new, online-only law.
    In sum, Mr. Chairman, Amazon.com is pro-privacy in response to 
consumer demand and competition. We believe market forces are working 
and, thus, believe there is no inherent need for legislation. We firmly 
oppose the adoption of any non-federal privacy law that addresses 
online activities. Nonetheless, Amazon.com could support limited 
federal legislation, but only if it preempts state laws, only if it 
bars private rights of action, and only if it applies to offline as 
well as online activities.
    Thank you again for inviting me to testify, I look forward to your 
questions.

    Mr. Stearns. Thank you.
    Mr. Johnson, your opening statement?

                  STATEMENT OF DAVID A. JOHNSON

    Mr. Johnson. Mr. Chairman and members of the sub-
committee----
    Mr. Stearns. You might just pull the microphone a little 
closer and just maybe straighten it--yes.
    Mr. Johnson. Okay. Mr. Chairman and members of the 
subcommittee, I am pleased to appear before you today on behalf 
of the National Retail Federation, and thank you for the 
invitation to speak on this important issue. My name is David 
Johnson, and I am Vice President of Direct Marketing for Land's 
End in Dodgeville, Wisconsin.
    Although we are now an international merchant, many of the 
things that today sets Land's End apart are those same values 
on which our founder, Gary Comer, built the business he founded 
in 1963. Indeed, one of the principles that continues to guide 
our business states: ``We believe that what is best for the 
customer is best for all of us.''
    When people are asked to define good customer service, they 
commonly say that it involves dealing with consumers honestly 
and fairly, a view that no one can seriously dispute. Many 
others also view a component of good customer service as 
treating everyone equally. Let me suggest, however, that equal 
treatment is not good customer service. Rather, great customer 
service recognizes the very unique wants and needs of each 
individual consumer, and strives to meet those needs. Great 
customer service uses all available information to assess each 
individual's particular tastes, and then delivers goods and 
services that meets those desires. In short, rather than 
treating all customers equally, great customer service is built 
on the premise of treating different customers differently.
    In testimony before Congress in July 1999, Federal Reserve 
Board Governor Edward Gramlich stated: ``Information about 
individuals' needs and preferences is the cornerstone of any 
system that allocates goods and services within an economy.'' 
The more such information is available, he continued, ``the 
more accurately and efficiently will the economy meet those 
needs and preferences.'' What Governor Gramlich was talking 
about on a macro level, Land's End is striving to do on a micro 
level.
    The information required to provide these tailored 
interactions with our customers does come from a wide variety 
of sources. We look to our customer purchase history and other 
acquired information in order to more reliably assess our 
customers' needs and wants. By assessing information on 
purchases that consumers actually make, and services that they 
actually use, consumers are offered products and services that 
respond to their demonstrated needs and desires. This greatly 
reduces the cost of developing those products and services, and 
the risk that they will be out of line with consumer demand, 
thereby reducing the price that consumers pay for them, and 
mitigating the inconvenience and delay associated with stopping 
consumers to ask about likely preferences.
    Admittedly, we often hear complaints about customers 
receiving mailings that they don't want. But Land's End--and I 
strongly suspect every other direct merchant--has no interest 
in sending catalogues or other information to customers that 
have no desire to receive it. Frankly, that is a waste of our 
time and money, and a disservice to the customer. Thus, we use 
all information available to us to assess the likelihood that 
any catalogue sent will be welcome in the customer's home. To 
the extent that cataloguers send mailings to people who are not 
interested in the offering, I suggest that the problem is not 
one of too much information sharing, but rather too little 
reliable information, forcing businesses to employ mass 
marketing techniques instead of more targeted efforts to a more 
appropriate and appreciative audience.
    Moreover, the ability to collect and assess individual 
purchasing activity gives Land's End the ability to provide 
services to customers that we might not otherwise. As an 
example, Land's End sells its products with a guarantee that is 
second to none. Under our ``Guaranteed. Period.'' policy, any 
customer can return any product, at any time, for any reason. A 
guarantee this sweeping is by its nature subject to abuse, and 
by offering it Land's End has placed unprecedented faith in its 
customers that they will not exploit the policy.
    But we comfort in offering our ``Guaranteed. Period.'' 
policy, because it is enhanced by the ability of individualized 
purchasing and return data that allow us to track and check 
abuses. In short, this information ensures that the few that 
might exploit the guarantee don't ruin it for the overwhelming 
majority of our customers that are fair and reasonable.
    And consistent with the trust and loyalty that our 
customers have shown us, Land's End is also quite responsible 
with the information we share with others. Indeed, the only 
data we currently provide to others are one-time use list 
exchanges, which include only customers' names and addresses, 
and then only with high-quality companies that share our 
commitment to product quality, customer service and value, and 
could, therefore, offer products and services attractive to 
Land's End customers. And regardless of the medium by which we 
interact with the customer--the Internet, phones, or mail--
customers may at any time request that their information not be 
shared with others, or that they be removed from our files 
altogether. And that is a request that will be honored. 
Guaranteed. Period.
    So in answer to the question posed by this hearing--``Is 
the Customer's Privacy Protected?''--the good news is that 
currently available information is used responsibly, consistent 
with the expectations of consumers, and in furtherance of 
everyone's interest, the consumer's, as well as the companies 
that serve them.
    Again, thank you for this opportunity to speak this 
morning, and I welcome your comments and questions.
    [The prepared statement of David A. Johnson follows:]
    Prepared Statement of David A. Johnson, Vice President, Direct 
Marketing, Lands' End, Inc. on Behalf of the National Retail Federation
    Mr. Chairman and Members of the Subcommittee: I am very pleased to 
appear before you today on behalf of the National Retail Federation, 
and thank you for the invitation to speak on this subject. My name is 
David Johnson, and I am Vice President of Direct Marketing for Lands' 
End, Inc., in Dodgeville, Wisconsin. Lands' End employs approximately 
7,600 people in the U.S. and abroad. We are a global direct merchant of 
classically-inspired clothing for men, women and children, soft luggage 
and products for the home, sold through regular mailings of our 
catalogs, our Web site--landsend.com--and a number of retail outlets. 
Last year, Lands' End's revenues exceeded $ 1.4 billion, and we mailed 
packages to approximately 6.7 million customers.
    The National Retail Federation (NRF) is the world's largest retail 
trade association with membership that comprises all retail formats and 
channels of distribution including department, specialty, discount, 
catalog, Internet and independent stores. NRF members represent an 
industry that encompasses more than 1.4 million U.S. retail 
establishments, employs more than 20 million people--about 1 in 5 
American workers--and registered 2000 sales of $3.1 trillion. NRF's 
international members operate stores in more than 50 nations. In its 
role as the retail industry's umbrella group, NRF also represents 32 
national and 50 state associations in the U.S. as well as 36 
international associations representing retailers abroad.
    Although we are now an international merchant, many of the things 
that today set Lands' End apart are those same values on which our 
founder, Gary Comer, built the business he founded in 1963. Indeed, one 
of the principles that continues to guide our business states: ``We 
believe that what is best for our customer is best for all of us. 
Everyone here understands that concept. Our sales and service people 
are trained to know our products, and to be friendly and helpful.''
    Through this dedication to the customer, Lands' End has been able 
to separate itself from the pack in customer service. Indeed, in the 
book Customer Service,1 author Fred Wiersema lauds Lands' 
End (along with five other companies) for its ability to service the 
customer above and beyond the call of duty.
---------------------------------------------------------------------------
    \1\ Customer Service by Fred Wiersema (Harper-Collins Publishers, 
Inc. 1998).
---------------------------------------------------------------------------
    When people are asked to define good customer service, they 
commonly say that it involves dealing with consumers honestly and 
fairly, a view that no one can seriously dispute. Many others also view 
a component of good customer service as treating everyone equally. Let 
me suggest, however, that equal treatment is not good customer service. 
Rather, great customer service recognizes the very unique wants of each 
individual consumer and strives to meet those needs. Thus, great 
customer service does not view every customer as a nameless, faceless 
person without individual preferences--someone that in the absence of 
any other information needs to be treated just like the next person. 
Instead, great customer service uses all available information to 
assess each individual's particular tastes, and then deliver goods and 
services that meet those desires. In short, rather than treating all 
customers equally, great customer service is built on the premise of 
treating different customers differently.
    Access to information is critical to our ability to deliver this 
level of service. Information is used to identify and satisfy customer 
needs. Lands' End does not automatically know which products and 
services consumers want. Information beyond a person's name and address 
allows us to tailor our interaction with the customer to make it more 
effective and more satisfying for the consumer. As Mr. Wiersema states 
in his book Customer Service, two of the most key components underlying 
the ability to provide exceptional customer service are (1) the 
employment of up-to-date information technology, and (2) the personal, 
one-to-one relationship built with every customer.
        ``Although they conduct their business in completely different 
        areas of industry, these organizations actually have many 
        things in common with regard to how they function:
                                *  *  *
        ``They employ the latest information technology at each level 
        of their business. This shouldn't be surprising: Information 
        technology lends itself to strong customer service, and early 
        on, these companies all recognized the advantages, the instant 
        gratification, that the Internet and other technological 
        advances could offer them. Rather than trying to dazzle the 
        customer with the latest bells and whistles, they use 
        technology to make their products and services easier to 
        acquire and operate--as well as more efficient.
                                *  *  *
        ``. . . [T]hey use that technology to gain a profound 
        understanding of what these customers want and need. The notion 
        of building profiles on every customer they interact with is 
        important to them. If Customer A likes something different from 
        Customer B, these companies want to know that ahead of time . . 
        .
                                *  *  *
        ``These companies build personal relationships with their 
        customers. They are not mass-production factories when it comes 
        to connecting with their constituents. Each customer who deals 
        with these organizations is given premium treatment and made to 
        feel he or she is valued as an individual, able to call a 
        service representative time and again . . .
        This degree of one-to-one attention requires a commitment to 
        training, to coaching, and to teaching associates the best 
        listening strategies and most efficient methods for giving and 
        receiving input. It takes computer technology, as well as 
        dedicated personnel willing to record each customer interaction 
        onto databases so that it can be activated later and used as a 
        learning tool for fellow workers.'' 2
---------------------------------------------------------------------------
    \2\ Customer Service at xiv-xviii.
---------------------------------------------------------------------------
    In testimony before Congress in July 1999, Federal Reserve Board 
Governor Edward Gramlich stated: ``Information about individuals' needs 
and preferences is the cornerstone of any system that allocates goods 
and services within an economy.'' The more such information is 
available, he continued, ``the more accurately and efficiently will the 
economy meet those needs and preferences.'' What Governor Gramlich was 
talking about on a macro level, I can guarantee Lands' End is striving 
to do on a micro level.While many of our customers love the technology 
and the wealth of information that is available over the Internet, many 
other customers want the direct interaction that they can get over the 
phone from one of our highly trained customer sales representatives. We 
are agnostic as to how we interact with the customer--whether it be 
through the Internet, the phone, mail or one of our outlet stores--but 
we do need to know their preferences in order to build the 
infrastructure necessary to effectively communicate with them via their 
preferred medium. We also need to know our customers' preferences with 
respect to the products and services available--either now or in the 
future--to our customers. While some would prefer to learn about the 
entire array of Lands' End product offerings, others' interests are 
more limited and they would prefer to only receive catalogs from a 
certain selection of our assortment of apparel and home goods. This 
type of information educates us not only on what we should be 
communicating to our customers today, but also provides Lands' End with 
information on every detail--including assortment, color, fit, level of 
quality, and price--that we should provide in future products and 
services.
    The information required to provide these tailored interactions 
with our customers comes from a wide variety of sources. One obvious 
source is the customer himself or herself in the form of preference 
surveys. It is possible to extensively survey customers to determine 
their individual preferences, but such data is not only expensive to 
acquire, its acquisition runs contrary to the customer service 
commitment of an organization such as Lands' End. Frankly, it is a 
bother for a customer to complete questionnaires telling businesses 
what they expect in products and services. Because of these 
limitations, such direct information is oftentimes unavailable and 
somewhat unreliable. For that reason, we look to customer purchase 
history and other acquired information in order to more reliably assess 
our customers' needs and wants. By assessing information on purchases 
that consumers actually make and services they actually use, consumers 
are offered products and services that respond to their demonstrated 
needs and desires. This greatly reduces the cost of developing those 
products and services and the risk that they will be out of line with 
consumer demand--thereby reducing the price that consumers pay for 
them--and mitigating the inconvenience and delay associated with 
stopping consumers to ask about likely preferences.
    Admittedly, we often hear complaints about customers receiving 
mailings that they don't want. But Lands' End--and I strongly suspect 
every other direct merchant--has no interest in sending catalogs or 
other information to customers who have no desire to receive it. 
Frankly, that is a waste of our time and money, and frustrating to the 
consumer as well. Thus, we use all information available to us to 
assess the likelihood that any catalog we send out will be welcome in 
the customer's home. To the extent that cataloguers send mailings to 
people who are not interested in the offering, I suggest that the 
problem is not one of too much information sharing but rather too 
little reliable information, forcing businesses to employ mass 
marketing techniques instead of more targeted efforts to a more 
appropriate and appreciative audience.
    Moreover, the ability to collect and assess individual purchasing 
activity gives Lands' End the ability and comfort to provide enhanced 
services to customers that we might not otherwise. As an example, 
Lands' End sells its products with a guarantee that is second to none. 
Under our ``Guaranteed. Period.''' policy, any customer can 
return any product at any time for any reason. A guarantee this 
sweeping is, by its nature, subject to abuse, and by offering it Lands' 
End has placed unprecedented faith in its customers that they will not 
exploit the return policy. But Lands' End's comfort in offering our 
``Guaranteed. Period.''' policy is enhanced by the 
availability of individualized purchasing and return data that allows 
us to track and check abuses. In short, this information assures that 
the few that might exploit the guarantee don't ruin it for the 
overwhelming majority of our customers that are fair and reasonable in 
their returns.
    Likewise, the availability of certain products and services by 
their nature--and particularly so of many of the services available 
over the Internet--all but require that some information be shared 
among companies. As examples, Lands' End offers online models which a 
customer can use to virtually ``try on'' clothes, and a ``personal 
shopper'' that, applying conjoint analysis techniques, offers 
purchasing recommendations to online shoppers much as a sales clerk 
would do in a retail store. For these types of services to become 
accepted and useful to the consumer, they must also become standardized 
throughout industry with the individualized models and preferences 
portable from site to site. This type of information sharing will 
ultimately enhance the breadth of products and services available to 
the consumer.
    And consistent with the trust and loyalty that our customers have 
shown us, Lands' End is also quite responsible the information we share 
with others. Indeed, the only data we currently provide to others are 
one-time-use list exchanges, which include only customers' names and 
addresses, and then only with high quality companies that share Lands' 
End's commitment to product quality, customer service and value and 
could, therefore, offer products and services attractive to Lands' End 
customers. And regardless the medium by which we interact with our 
customer--the Internet, phones or mail--customers may at any time 
request that their information not be shared with others, or that they 
be removed from our files altogether, and that request will be honored.
    So in answer to the question posed by this hearing--``Is the 
Customer's Privacy Protected?''--the good news is that currently 
available information is principally shared responsibly, consistent 
with the expectations of consumers and in furtherance of everyone's 
interests--the consumer's as well as the companies that serve them.
    Again, thank you for this opportunity to speak before this 
Subcommittee, and I welcome your questions and comments.

    Mr. Stearns. I thank the panel. Let me start by asking some 
of the basic questions I think all consumers are concerned 
about. And this sort of touches into what Mr. Hourigan had 
talked about--that they build a substantial data base with 
information on GM vehicle owners, and that GM uses this to 
facilitate after-market sales, repairs, next vehicle purchase, 
and to ``cross-market the broad range of GM products and 
services.'' Is this a singular data base?
    Ms. Hourigan. It is not a singular data base. We have 
separate data bases. The data base that I mentioned is 
primarily used for market segmentation, and in our product 
development phase.
    Mr. Stearns. Give me, for example, examples of the type of 
information that is contained in this data base. Other than the 
ones I mentioned, is it pretty much just the name of the owner, 
the purchase? Are there preferences and things that are in this 
data base?
    Ms. Hourigan. It actually is, if I can mention one thing, 
our divisions have operated on a tremendously autonomous basis 
for many years. And we just recently have elected to streamline 
many of our processes and practices. Data handling is one such 
practice.
    And so what we have attempted to do is, again, move toward 
a process by which all divisions will operate under the same 
policies and practices. The information that is contained in 
that data base is vehicle name and type of vehicle. We will 
augment that with information we obtain from the aggregators, 
but again, it is only for the purpose of market segmentation.
    Mr. Stearns. How do you protect that information? For 
example, within the company, and also protect it when you deal 
with subcontractors, or other organizations that you deal with?
    Ms. Hourigan. Well, we obviously use the highest standards 
of security to protect the information. We also use managerial 
security techniques, along with physical security measures.
    In terms of working with our suppliers, we obviously only 
deal with credible suppliers to process the transactions on 
behalf of our customers. We also have contractually limited how 
our suppliers can use that information for any subsequent 
purposes.
    Mr. Stearns. Mr. Misener has talked about not having 
legislation, but if we have legislation, he would say it should 
be three items: pre-emptive rights, of course, so that if 
States start to develop it, that there would be Federal 
legislation to pre-empt the States, so you wouldn't have to 
comply with 50 States; what would apply to online would also 
apply to off-line; and then he talked about private rights of 
action.
    And just for the benefit, the private rights of action, we, 
of course, on this committee would not all agree with this, but 
basically this would prevent class actions suits as I 
understand it against you individuals, based upon something 
that perhaps you compromised privacy, and then this would turn 
out to be, among thousands of people who would come together 
with a class-action suit.
    Now, he mentioned those three that he would like to see, if 
there is Federal legislation. Are there any other ones? And I 
will just go from my left to my right and ask each of you if 
there are any besides those three? And if you disagree with Mr. 
Misener, that you don't think they should be part of this, now 
is the time to tell us.
    Ms. Pearson. I would agree with those three features being 
reflected that way in possible legislation. I would just go 
back to the point of, as your committee has begun a process of 
deliberation and understanding how information flows in our 
economy, and how consumers can be affected by that information, 
is to start with a more fundamental question: where is the 
issue that needs to be addressed? Once we understand what 
companies do with information, what government does with 
information, and then go from there.
    I think if there is legislation affecting commercial 
practices, there ought to be some level of understanding of why 
commercial practices versus other kinds of uses of information. 
So there ought to be that.
    Mr. Stearns. I could give you a list of what I think the 
consumer wants. But I am just asking you now, just, because I 
don't have a lot of time, just quickly to go through and say, 
Yes, I think those three are the basic----
    Ms. Pearson. Yes, I think those three features are basic.
    Mr. Stearns. Basic for Federal legislation?
    Ms. Pearson. Yes.
    Mr. Stearns. Is there anything you would add to it?
    Ms. Pearson. I think there ought to be technology 
neutrality, so that you don't get into specific requirements 
about this technology or that technology being used, so that 
you accommodate flexible changes. The world is changing 
extremely rapidly, and we need to have that ability to 
innovate. There ought to be, I think, some basic guidelines so 
that you encourage transparency in information practices 
without requiring specific content for notices or specific 
practices. Those are two.
    Mr. Stearns. Okay.
    Ms. Hourigan. I would just second what Harriet said, 
technology-neutral, in addition to what Mr. Misener mentioned 
earlier.
    Mr. Stearns. Okay. Mr. Swift?
    Mr. Swift. The one addition that we would have is that the 
legislation would recognize the role of industry self-
regulation, and possibly the role of TrustMark programs in the 
self-regulatory process.
    Mr. Stearns. What does that last part mean?
    Mr. Swift. A BBBOnLine or Trustee, a program that validates 
and sets criteria for appropriate practices.
    Mr. Stearns. Best business practices?
    Mr. Swift. Correct.
    Mr. Stearns. Okay. Mr. Misener?
    Mr. Misener. I thought Mr. Misener's list was pretty good.
    Mr. Stearns. I thought so, yeah.
    Mr. Johnson?
    Mr. Johnson. We believe that any legislation should move 
incrementally, and allow us to really understand the impact 
that it ultimately has in helping us to serve our customers.
    Mr. Stearns. Okay, my time has expired, and we are eager to 
hear other members. But I think, just briefly in the 5 minutes 
I have had, you have outlined what, if any, Federal legislation 
should include. And I think that is the purpose, to get from 
you your heartfelt opinion of what we should do. And we have 
come up with 1, 2, 3, 4, 5, 6, 7 components of this Federal 
legislation.
    I am very pleased to welcome the ranking member, the 
gentleman from New York, Mr. Towns.
    Mr. Towns. Thank you very much, Mr. Chairman. Let me say 
that I am happy that you are having this hearing. I think it is 
so important that we listen to people before we move forward on 
legislation.
    I would like to know, I guess, Mr. Misener, what do you 
deem as an appropriate penalty for those companies who abuse 
consumer privacy, by breaking their own privacy laws? What 
would you consider an adequate penalty?
    Mr. Misener. An adequate penalty? Well, certainly it would 
depend upon a lot of factors going into the abuse. If it is 
repetitive, if it is willful, intentional, deliberate--all 
those sorts of things--then I would think that the penalty 
could be greater. But those are the sorts of issues that, for 
example, the Federal Trade Commission could take into account.
    If a privacy policy is announced by a company, and then not 
followed by that same company, the Federal Trade Commission, 
under its powers in Section 5 of the Federal Trade Commission 
Act, could go after that company and apply a variety of 
remedies, including injunction and fines.
    Mr. Towns. Let me ask you, if I buy ten books through your 
company, are those records available to data collectors? In 
other words, do you sell the products that I purchase through 
Amazon.com to data collectors?
    Mr. Misener. Yes, that is an excellent question, Mr. Towns. 
Absolutely not. Amazon.com is emphatically not in the business 
of selling customer information. We do not transfer that 
information to unaffiliated third parties at all. And for the 
few affiliated third parties, we transfer it only with opt-in 
consent from our customers.
    Mr. Towns. On that note, Mr. Chairman, I yield back.
    Mr. Stearns. Okay. I thank the gentleman. We have the 
distinguished chairman of the full committee, the gentleman 
from Louisiana, Mr. Tauzin.
    Chairman Tauzin. I thank you, Mr. Chairman. Again, thank 
you for this series of hearings, because I think they are 
better preparing this committee, and hopefully the Congress, 
for whatever privacy decisions we need to make, either 
generally or, as some of you point out, incrementally.
    Let me first say that one of the concerns I have as we 
explore all the edges of this privacy debate, is that we very 
carefully remember that we ought to avoid solutions simply 
looking for problems. It is easy to do in this area. It is easy 
to begin imagining how data could be misused and how people 
might do something with data, and then make a great deal of 
complex Federal laws and solutions designed to fit imagined 
problems. And what you are doing, Mr. Chairman, is actually 
focusing on the real world, the reality of how data is 
exchanged, and how the industry is really working for its own 
customers' sake and its own business self-interest, in building 
self-regulatory regimes and regulating itself. And that is an 
important part of this process, I think, understanding where 
the real problems are, not the imagined ones.
    In that regard, in the very short time we each have, I want 
to do just one thing with this very important panel. I would 
like each of you to answer this question in order, and I will 
be very satisfied with my 5 minutes. It is a very basic 
question, and it is a question that goes to what is probably 
the most important decision we first make on privacy. And that 
is whether to make privacy policy Internet-specific or not.
    Now, you all operate your businesses in different ways, 
online and off-line. Some of you are strictly online. But the 
question I have is that, recognizing that if we made privacy 
policy that was Internet-specific--which could, theoretically, 
prejudice commerce against online activities in favor of off-
line activities--recognizing that, is there a good reason to 
make privacy policy special and different and unique for the 
Internet world, the online world, as opposed to making it 
consistent for all activities, whether it is online or off-
line?
    If each of you will comment on that in a row, I would 
deeply appreciate it.
    Ms. Pearson. I get to start. From IBM's point of view, it 
is the same data base or set of data bases, in back of that 
curtain, that receive the information, no matter where it comes 
from. So our view has been that if we are going to be 
deliberative about this, we ought to realize that. And 
therefore, particularly since the Internet is so new as a 
mechanism for communicating, that we ought to think about all 
the media equally--that there shouldn't be a disadvantaging of 
the Internet over other media. That is a starting point for 
discussion.
    Chairman Tauzin. Okay. As you go down, I want--if any of 
you have a good reason to believe that the Internet is so 
different that it needs special rules, if you don't mind 
commenting on that. Please?
    Ms. Hourigan. Sure. I think--we actually had this exact 
debate in our company, as to whether it was appropriate to 
apply a different set of standards to the Internet. And we came 
to the conclusion that it did not.
    However, I think to the extent that there may be specific 
abuses that may occur in the online world that would not exist 
in the off-line world, then it may be appropriate to treat 
those particular instances differently. But for General Motors, 
we still collect a tremendous amount of information off-line, 
and so to apply different standards would be challenging. And, 
you know, it is complex enough as it is, I guess. So, thank 
you.
    Chairman Tauzin. Thank you.
    Mr. Smith. Let me answer by just talking about how we are 
looking at this within P&G. Our dream is that we would be able 
to bring together information that we have about a single 
consumer, regardless of how that information was collected--
through consumer relations contact, a web site, whatever. And 
the reason is that when the consumer calls the next time, or 
when we make an offer, we would like to reflect everything we 
know about that consumer. And when we recognized that, we said, 
we need to apply the same information practices to all the 
data, because it is going to end up in the same place.
    So, you know, we would obviously believe that looking at 
that information, regardless of its source, regardless of where 
it is stored, being treated in the same way.
    Mr. Misener. Mr. Tauzin, we strongly believe at Amazon.com 
that any new legislation ought to apply both to the online and 
the off-line worlds. There are a couple of reasons. One is the 
fundamental fairness that you mentioned to online companies who 
would be potentially burdened by a new regulation that would 
not apply to our off-line competitors.
    But more fundamentally, it is a consumer issue. Consumers 
spent, in the retail world, 99-plus percent of their dollars in 
the off-line world. Less than 1 percent of the retail 
transactions were made online. And so an online-only law is 
going to do very, very little for consumers more broadly.
    Moreover, the consumers that it would help, that it would 
effect, would be only those on the fortunate side of the 
digital divide. If you don't have the education or money to be 
shopping online, that privilege, you would get no benefits from 
an online-only law.
    Mr. Johnson. Mr. Tauzin, we believe that there is not a 
reason to make it Internet-specific per se. Our customers shop 
with us via the phone, via the Internet. Many of our customers 
interact with us through numerous different ways.
    One position that we do take, however, is that there is a 
need to be sure that we really understand the implications that 
it may have on companies like us that are a multi-channel 
business, and the implications in the long run that it may have 
for the consumer in ultimately providing the high level of 
customer services that our consumers expect.
    Chairman Tauzin. There you go, Mr. Chairman. I have found 
you unanimous consensus.
    My work is done. Thank you very much.
    Mr. Stearns. I thank the chairman. Mr. John? Oh, no, he is 
not here. Mr. Doyle?
    Mr. Doyle. Thank you, Mr. Chairman. Boy, I sure hate to 
rain on the parade here. And I think this has been a good 
discussion, and a helpful one. But let us all remember here, 
too, that sitting before us are representatives of Fortune 100 
companies, and I think that in an ongoing basis we also need to 
hear from consumers and from small businesses, because I think 
they face some different problems complying with and adhering 
to privacy policies than some of these companies here, who have 
vastly greater resources. And that needs to be kept in mind.
    Mr. Misener, at Amazon.com you sell videos, right?
    Mr. Misener. Yes, sir.
    Mr. Doyle. We have a Federal law that if I walk into 
Blockbuster and buy a video, they are not allowed to keep a 
record of what kind of videos I am buying. Now, obviously that 
law doesn't apply to Amazon.com online, because you keep 
records of what kind of videos your customers buy?
    Mr. Misener. We keep those records in the ordinary course 
of our business, which is a specific exclusion in that law.
    Mr. Doyle. Yes, exactly. So in that respect, your online 
service is treated somewhat differently than an off-line 
service.
    Mr. Misener. Well, if off-line services were using those 
records in the ordinary course of their business like we do, 
they also could keep those records.
    Mr. Doyle. But Blockbuster could never disclose or keep 
records of anybody's purchases, I am saying. You could share 
that information, could you not?
    Mr. Misener. Let me be clear on a couple things.
    Mr. Doyle. Sure.
    Mr. Misener. First of all, we would be delighted to be in 
the Fortune 100. We would actually be delighted to be in the 
Fortune 500.
    Tune in this time next year. But we are fully compliant 
with that video restriction law that you mentioned, because we 
do use those in the ordinary course of business. We do not 
reveal--repeat, do not reveal--that information to third 
parties at all.
    Mr. Doyle. But you do that voluntarily, is what I am 
saying. There is no law requiring you to do that. You do that 
as a matter of policy.
    Mr. Misener. I think it could be argued that that law 
applies to us. But we are responding to what our customers 
demand. If we did that, we would lose customers, and therefore, 
because our customers want it, and because we are pro-privacy, 
we do it. And so therefore, the market forces are forcing us to 
do this. Just like keeping our prices low and providing a high 
level of convenience, we are providing a level of privacy 
protection that consumers demand.
    Mr. Doyle. Yes. And I guess the point I am trying to--and 
it is certainly not an attack against Amazon.com--but we have 
all kinds of vendors and entities out there that all have 
varying degrees of privacy policies, and do things that they 
are not really required to do. You do it because it is good for 
your customers. And that is what we are hoping for, that there 
isn't going to be a need for heavy regulation because the 
industry understands that that is the way to go.
    But I can tell you that most consumers don't have a clue 
how data is being collected on them. They don't understand what 
a cookie is; they don't know, when they are surfing the web, 
what is happening to them. Trust me, they don't.
    And I guess it doesn't bother me so much in the retail end. 
I mean, I go to Giant Eagle and I have got my little Advantage 
Card, and you know, I swipe that across the deal and I get some 
discounts for doing it. But it also allows that supermarket to 
track what I am buying, and make sure that the stuff I want is 
there. I think it is helpful that we don't get junk mail, if 
people know what our preferences are. So I see tremendous 
benefits from it.
    But I also see the tremendous potential for abuse, 
especially in things like medical records and issues of 
personal behavior, where consumers have the right to expect 
that those types of information aren't being shared with 
anyone, and that when you are dealing with vendors--I know you 
say some of your vendors have the same privacy policies that 
you do. I just don't understand what the enforcement mechanisms 
are. How do you know they are not violating their own policy?
    So I guess, you know, we struggle with these things. And it 
is politically unpopular to want to do anything against the 
Internet, because it is such a sexy new thing, and you know, 
everybody wants to be seen as high-tech up here on this panel. 
But I think there are some real concerns, and we appreciate 
your input at these hearings. And I think we have a long way to 
go, Mr. Chairman, to hear from many different groups, so that 
when we do fashion legislation we do it thoughtfully.
    But I appreciate your testimony today.
    Mr. Stearns. I thank the gentleman. The gentleman from 
Illinois, Mr. Shimkus?
    Mr. Shimkus. Thank you, Mr. Chairman. And I am glad my 
colleague Diana DeGette here, because I used her phrase, since 
you mentioned it, in hearings earlier this year about 
individuals not----
    Ms. DeGette. See that you get it right.
    Mr. Shimkus. Yes, she is concerned that I am using some of 
her quotations. But how much individuals--we don't understand 
the benefit we have from some information sharing. And although 
we want to find out the benefits to you from having good, 
strict policies.
    And I was just interested here in how much you actually are 
using the information in product-specifics at P&G, personalized 
beauty care products to individuals, and the information and 
the like.
    I want to boil it down a little simpler, in the debates 
that we use here and the terminology that we use here in 
legislating in this arena, and get a few comments. And I want 
to address questions on this opt-in/opt-out aspect, because in 
some aspects, when people order from Amazon.com--which we have 
done--it is almost implied that you are opting in, because you 
are providing the information that they have to send you the 
product. And then there may be some other boxes to put. And I 
am not sure if it is a total requirement to fill in all the 
boxes before you get an order processed--versus an opt-out 
provision which would say, I want to buy your product. But I 
don't want you to get any more information on me. All I want to 
do is purchase your product, and opt out--do not use this for 
anything else.
    We also use here in Washington-speak the telephone 
directory as an opt-out system that works. We wouldn't have a 
telephone directory that worked if everyone had to call in and 
say, yes, I really want my phone number listed in a directory. 
But we do know that if you call, you will get an unlisted 
number. For a price, as I'm being corrected. But that is a 
price that some people are willing to pay.
    So I would like to have your comments on how the whole 
debate on opt-in/opt-out affects you individually as you do 
this planning, and how you are going to respond to whatever it 
is that we end up doing. And I would do it the same way--
actually, yes, let's just go the way the chairman did at the 
table. And if you don't want to add, then you can just pass.
    Ms. Pearson. Opt-in versus opt-out, from a business 
perspective it boils down to choice, and what is the right 
amount of choice to provide the consumer when you are dealing 
with a consumer? And that is really, if you are a customer-
centric business, is what is the expectation of that consumer, 
and what is going to result in a better environment, a more 
trusted relationship? Because I want to continue my 
relationship with that consumer. And so sometimes you market 
and you use opt-in.
    Particularly for us, in e-mail solicitations, we will only 
send out e-mails if somebody has opted in or we have a prior 
existing business relationship, where there is no surprise when 
you are going to get that e-mail.
    Sometimes it make a lot of sense to do opt-out, because all 
we are going to do is, if you are not going to check here, we 
are going to take advantage of your not opting out and send you 
an additional piece of literature about that IBM Aptiva. And we 
want to do that. And there is really very little harm that 
comes from doing that.
    So sometimes it is opt-in, sometimes it is opt-out. And 
then the debate becomes, should there be a national requirement 
as to one certain level? And should you impose that on every 
kind of business decisionmaking, or how you interact with the 
consumer? That is the real question.
    Ms. Hourigan. I would agree with Ms. Pearson's statements, 
and also add: it comes down to prominence, and making sure that 
you are doing it in a way that is understandable to the 
customer.
    I think--wearing my consumer hat for a minute--I have seen 
it done, opt-in and opt-out, done in very positive ways, and in 
very sort of, you know, less than satisfactory ways. So again, 
I think the important concept here is choice, and prominence, 
and presenting it in a conspicuous and understandable way.
    Mr. Smith. I would second the call for the fact that the 
prominence and the clarity of the choice is more important than 
what the default is. We use a system in Proctor & Gamble, and 
we are moving it to universality in our company. But we ask, 
you know, would you like to have other offers from this brand? 
Would you like to have other offers from other Proctor & Gamble 
brands? Would you like to have offers from other reputable 
companies who are partners? And so we get kind of a hierarchy 
of choices for our consumers.
    Mr. Misener. My wife is from the North Hills, just north of 
Pittsburgh. And we go up to the area frequently. And we have a 
Giant-Eagle card. And I can assure you, down at the bottom of 
that application form--I don't recall it exactly. But I am sure 
that there is a little check box that says that you can 
probably opt out of getting solicitations based on your 
purchases there. Small print, down at the bottom, didn't pay 
attention to at the time, probably wouldn't care much about it.
    On Amazon.com's site, when we talk about information with 
one of our affiliates--for example, ToysRUs.com for certain 
toys deliveries--we actually have a little cartoon picture 
prominently displayed on the site, which shows Geoffrey the 
Giraffe, the Toys R Us giraffe, sitting in an Amazon.com box. 
Now, that little picture makes it crystal clear to our 
customers, without having read a long privacy policy or read 
the fine print at the bottom of the page, that Amazon.com is 
going to be delivering a Toys R Us product. Real simple. That 
is meaningful choice, in our view.
    And so yes, as I mentioned before, we provide opt-in choice 
for any kind of sharing with our affiliates, and we don't share 
any information, period, with any non-affiliated third parties. 
But when there is that choice, we want to make it meaningful 
choice, so that customers and consumers actually understand 
what is going on. Frankly, Geoffrey sitting in the box makes a 
lot more sense to consumers than small type at the bottom of a 
form.
    Mr. Johnson. There is not a whole lot I can add to what has 
already been said. With respect to our business, our business 
is very different from Amazon's in that we are a well 
established direct merchant. The opt-in aspects of 
communication via the Internet is only relatively new to us in 
the history of our business.
    It would be fair to say that in transacting our business, 
to an earlier point raised, there is a certain amount of 
information that is required. But with respect to opt-in versus 
opt-out, depending on online or off-line aspects of our 
business, we comply with what we believe to be the expectations 
of our customers. So with respect to our Internet business, our 
communications via e-mail, it is very clearly opt-in. On the 
catalogue mailing side of our business, we certainly give our 
customers choice there as well, making sure that they know that 
if they want to limit that sharing of their name and address 
with like-minded companies, that that option is available to 
them.
    Mr. Shimkus. Thank you very much. I yield back.
    Mr. Stearns. The gentleman's time has expired. The 
gentlelady from California, Ms. Harman?
    Ms. Harman. Thank you, Mr. Chairman. I have an opening 
statement which I would like to submit for the record.
    Mr. Stearns. By unanimous consent, so ordered.
    Ms. Harman. And I would mention that in it, I attach an 
interesting op-ed that appeared earlier this week in the New 
York Times, authored by Peter Wallison, a friend of mine who is 
a former counsel to President Reagan, in which Wallison points 
out the difficulties of opt-in and what it would do to the 
financial community. I thought it was very interesting to read 
that author make that point.
    At any rate, I have appreciated the testimony of the 
witnesses, and would like to declare, at least for myself, that 
these are the good guys. You are all good guys. And I 
congratulate you on being sensitive to privacy concerns.
    My question, Mr. Chairman--maybe it is for you and the 
committee, more than it is for our panel--is what about the bad 
guys? What about the people who are not sitting here, who don't 
think that privacy and protecting our privacy matters?
    And interestingly, I understand that today's Industry 
Standard reports a list of sites with the greatest 
concentration--not absolute numbers, but the greatest 
concentration--of teen users. I raise this because I know we 
are all concerned with teenagers. As a mother of two of them 
myself, I certainly am. But none of those people are sitting 
here. Let me just read this list: Teen.com, TeenPeople.com, 
Katrillion.com, SparkNotes.com, BadAssBuddy--I'm sure we would 
love that one--dot-com, Blink182.com, CoolQuiz.com, TeenMag.
com, TeenChat.com, and Seventeen.com. Some of these sound 
pretty antiseptic. There is one word I read that I am sure we 
are all going to now check out.
    But at any rate, here is the Katrillionsite, just so you 
know. Katrillion is reported to be an entertainment and gossip 
portal. Here is what it says on the site: ``By using this site, 
you agree to the terms and conditions outlined below. If you do 
not agree to these terms and conditions, please do not use this 
site.''
    Okay, good.
    ``We reserve the right to change, modify, add, or remove 
portions of these terms at any time, whenever we want. If you 
continue to use the site after we have posted changes to the 
terms, it means you have accepted those terms.''
    Now, if you are 16 or 17, you won't even read this. But if 
you read this, and then you logged on to the site--at least the 
way I understand this, and I realize my mind is not as agile as 
my children's--the way I understand this, they can do whatever 
they want.
    So I would at least postulate that Katrillion would not be 
a good guy in the way that you are, because I don't think that 
is what you would do.
    I want to ask the panel, Mr. Chairman, I really have only 
one question, what do you have to say about this kind of 
information? Your kids, presumably, or your nieces and nephews, 
or your brothers and sisters, or teenagers that you know, are 
logging on to these sites much more than they are having 
anything to do with you. And what advice do you have for us 
about this kind of stuff?
    Ms. Pearson. I have a 9-year-old daughter who, when she is 
old enough to go on the web by herself--which is when she is 
going to be 18----
    Ms. Harman. Good luck.
    Ms. Pearson. I would be--yes, you're right. I am very 
concerned about that, as a mother. And there are not only 
privacy issues raised in what you said, Ms. Harman. There are 
many other issues raised. It is absolutely critical that we 
educate our children, particularly those who are old enough to 
be on their own on the web, about what to look for. There is 
absolutely no reason that a teenager should not be looking for 
some sort of privacy policy or seal, or other kind of indicator 
of what is good for them.
    But we all know that they are going to go wherever they 
shouldn't go anyway. Those sites, no matter what they say, are 
still bound by laws. And they still should be bound by industry 
practices, so that if they are not doing what they say they are 
doing, they ought to be prosecuted, and there should be 
enforcement. If they are doing something misleading, collecting 
information and abusing that information to hurt a child, they 
should be prosecuted to the fullest extent of the law. And 
there are laws that can get you there.
    If they are a bad guy and they disregard industry practices 
and they disregard existing law, then they are a bad guy, 
period. And I am afraid that a law or industry practice, 
whatever that is, is still going to lead to having some bad 
guys out there. So for us, it fundamentally becomes an issue of 
education. Educating our kids, and making sure parents are 
involved with the children.
    Ms. Harman. Other comments?
    Ms. Hourigan. I would just add, with respect to that site, 
and actually just general commercial web sites, with respect to 
privacy and consumers, education is absolutely key. Technology 
is challenging; you know, I have to read new articles on a 
daily basis to keep up. And so making education part of any 
comprehensive privacy solution is appropriate.
    I would also say, with respect to the bad guys, you lose 
customers if you don't treat them well. From a large company's 
perspective, if we lose a customer, it is hard for us to get 
them back. And so that really drives us to say, hey, this is 
incredibly important, and we need to respect our customers and 
respect their preferences.
    Mr. Smith. I think empowering consumers to make decisions 
is important. And that probably means parents need to step up 
to the responsibility of training their kids. Some interesting 
data: 82 percent of people on the web have seen privacy 
statements. That is going up. Sixty-seven percent say they 
sometimes or always read them. I suspect that that is an 
overstatement, to a degree. But you know, they are aware of 
them. Fifty-six percent of people say that privacy statements 
are important. And the great thing about the web is that you 
are always one click away from--you know, if you make the 
consumer mad, boom, hit the ``Back'' button, and you are 
absolutely out of there.
    So I think the issue is how do we enable people to 
understand privacy policies and make choices?
    Ms. Harman. Well, my time is up, Mr. Chairman. Any other 
comments?
    Mr. Stearns. Sure.
    Ms. Harman. I thank you. I just want to state for the 
record that I am quite dubious about whether Federal 
legislation will work here, with the exception of some bright 
lines around medical and financial privacy, personal privacy. I 
think the rest of it might better be handled by responsible 
actors in the industry. But having said that, there are 
irresponsible actors. And particularly when they interact with 
teenagers, whom--I would volunteer, as one parent who attempts 
to be responsible--who are difficult to fathom.
    I think we are at risk, and I don't know what the answer 
is. And it sounds good to say we should all make good choices. 
Yes. I agree. Mr. Chairman, I think you should make good 
choices, and I hope you have a better ability than I do to 
understand what is in your kids' head, and to guide them 
perfectly.
    But I think, as a society, we are at risk here. And I don't 
know whether we are yet finding the best tools to help 
overworked parents deal with kids. And I would welcome some 
enlightenment here. And I hope that all of you, in your role as 
parents, keep thinking about this, because we certainly have a 
lot of work to do.
    Thank you, Mr. Chairman.
    Mr. Stearns. I thank the gentlelady. The gentleman from New 
Hampshire, Mr. Bass?
    Mr. Bass. Thank you, Mr. Chairman. Two or three 
observations about what I have heard in the last hour or so. 
First of all, only an absolute dyed-in-the-wool retail 
salesperson could characterize an unsolicited e-mail offer or 
advertisement as a benefit. It is the computer equivalent to 
seeing somebody drive up your driveway in a car full of clothes 
or something in the back and saying, ``Oh, boy, this is just 
what I have been waiting for all morning long!'' I am not sure 
how popular that really is.
    Second, I myself, and my wife, buy products online, and 
from nothing but very reputable firms. And yet I receive on 
average 4 or 5 solicitations on my e-mail address to 
consolidate my loans, to travel to faraway places, to make 
money fast. All you have to do is click this button and you're 
rich. And I don't know how it ever got there, and I think that 
is part of--by illustration at least--what we are facing here 
today. I am not--these are companies like yours.
    The third observation I have is that we really are--I as a 
consumer, am presumably at least moderately knowledgeable--
really don't know what to look for. You mentioned, Ms. Pearson, 
that we need to educate our children about what to look for. 
Well, if we don't know what to look for, then it is hard to 
educate anybody else.
    My question for you folks, if you wish to answer--you can 
or not--is, you have high standards. I think, Mr. Misener, you 
mentioned that you sell your list to other people that have the 
same standards that you have.
    Mr. Misener. I did not say that.
    Mr. Bass. Oh, somebody else did.
    Mr. Misener. We absolutely do not sell our list.
    Mr. Bass. Okay, Land's End, Mr. Johnson did. To use the 
analogy of whispering in a circle, after a while the message 
may begin to get indistinct. What happens to the lists that you 
sell to them, and then they sell, and so forth and so on? I 
guess you said your clients have the same standards that you 
do. That is a requirement internally, is that correct?
    Mr. Johnson. That is correct.
    Mr. Bass. And is there any way that that information can be 
abused by your clients?
    Mr. Johnson. We take a number of measures to protect 
against that. As I stated in my testimony, it is for one-time 
usage only, and that is by a contractual agreement. We also, in 
managing that process, we plant what we call our decoys. I 
myself am a decoy on that list. So we track usage by those 
companies, and we track it very closely, so that we can ensure 
that it is a one-time usage, and that the usage of it is as was 
stated in the original agreement.
    Mr. Bass. And you are adequately protected should there be 
abuse? You could seek civil action of some sort?
    Mr. Johnson. Absolutely. Yes.
    Mr. Bass. All right. Let's see. Does your commitment to 
consumer privacy extend to sites that might link to or from 
your sites? In other words, there might be people that are 
linking. Can you control the ability for other sites to link to 
your site, or vice versa? Does that make sense, or not?
    Mr. Smith. The answer is you really can't control who can 
link to your site. On our sites, if you are moving out of a 
Proctor & Gamble site somewhere else that we have linked, there 
is a notification that you are leaving the Proctor & Gamble 
area, and that different policies may pertain.
    Mr. Bass. Okay. I have no further questions, Mr. Chairman.
    Mr. Stearns. Thank you.
    Ms. Pearson. Can I make one point on education?
    Mr. Bass. Sure.
    Ms. Pearson. Mr. Bass, you mentioned that it would be great 
to know what to look for. And I just want to come back to that 
and say that this education, this need for further education, 
is a bipartisan, it is an industry-government--we all need to 
work together on education.
    And I would commend the Federal Trade Commission for 
providing a certain level of education. I would say FTC.gov and 
the material there is what every consumer ought to take a look 
at. I think any number of our companies has been involved in 
this kind of effort. Trustee.org, BBBOnLine.org, and a few 
other organizations such as UnderstandingPrivacy.org, the web 
site for the Privacy Leadership Initiative, all have 
information about what a consumer could look for. And any kind 
of assistance you can provide in this committee to highlight 
the availability of those materials, or to suggest further 
activities, or to encourage the Federal Trade Commission to 
encourage that kind of activity, I think would be appreciated 
and welcome by the American public.
    Mr. Stearns. I thank the gentleman. The gentlelady from 
Colorado, Ms. DeGette?
    Ms. DeGette. Thank you, Mr. Chairman. I would like to add 
my thanks for having this series of hearings, and also to 
announce that at the conclusion we are going to pull my 
original comment I made at the first hearing, and whoever 
paraphrased it the most closely is going to win a prize.
    Mr. Stearns. Skiing in Aspen.
    Ms. DeGette. Skiing in Aspen? Yeah, okay, I'll work on 
that.
    I want to go back to something Ms. Harman talked about and 
others touched on. And Ms. Pearson, you were just talking about 
it briefly, which is, how do we educate consumers? Because I 
hear everybody up here talking. I hear Ms. Hourigan talk about 
what they do internally to help identify consumer preferences, 
and to help their customers, and so on. And I hear others 
talking about what happens online.
    And I guess my question--I think we all know consumers are 
really not educated at all as to what is going on with their 
personal information. Some of it, we might agree with the uses, 
some we may not. But consumers don't know--despite disclaimers, 
despite privacy policies on web sites, despite some kind of 
education effort. So my question to you is, do you think 
industry has any obligation to find some way, jointly or 
separately, to increase consumer education, and what would that 
be? Beyond what we are doing now, because what we are doing now 
is not educating consumers. Anyone?
    Mr. Smith. Well, I think industry does sense the 
responsibility to communicate and improve the education. A 
number of firms in industry and leading trade associations 
about a year ago created the Privacy Leadership Initiative. A 
key element of that work was consumer education. We have 
developed, and will soon launch, a web campaign with privacy 
tips for consumers.
    Ms. DeGette. And how is that going to be disseminated to 
consumers, so that they can actually know?
    Mr. Smith. As they visit web sites, a banner ad will pop up 
with a privacy tip, that explains a privacy practice. You know, 
how to create a good password, for example. And then have the 
URL to visit the Privacy Leadership site for additional tips.
    Ms. DeGette. And how widely is that going to be 
disseminated?
    Mr. Smith. I don't have specific impression estimates at 
the moment. But the members of the Internet Advertising Bureau 
have very generously committed to run these ads on a pro bono 
basis.
    Ms. DeGette. Anyone else with thoughts on that?
    Ms. Hourigan. I would just add a couple of comments. The 
concept that Trustee, which is one of these seal programs, 
recently announced regarding labeling, so you would basically 
develop a label for a particular practice on a web site--I 
think that will go to at least alleviating some of the burden 
on a customer to go through and read a privacy statement and 
understand. And hopefully, again, that will serve to--it will 
be a little more transparent to the customer. I think that is 
an interesting concept. I am not sure what the status of that 
initiative is, however.
    The other thing I would mention is the introduction of the 
platform for privacy preferences, or P3P, which will be built 
into Internet Explorer 6.0. What I think we hope for is this 
becomes almost a transparent issue for customers, and they 
become familiar with it, because it is built into their 
browser, they can select their preferences, and basically it 
will be an effort for the browser to look in course and 
communicate that information back to them.
    Ms. DeGette. Well, you know, I appreciate these answers. 
But as you yourself can realize, they are not very specific or 
broad. And so my suggestion to the industry--I know we have 
many representatives here today--would be you start to think 
about these things on a much broader scale, especially because 
we are all loath to have over-reaching government regulations, 
which means there is a big responsibility for companies.
    And let me follow up, because the title of this hearing is 
``How do Businesses Use Customer Information: Is the Customer's 
Privacy Protected?'' This hearing, and your testimony, is not 
just about online privacy, but privacy in general. And I am 
wondering if any of you can talk about whether you think 
standards for privacy for data that is not online should be 
different than online data. And if not, how do we deal with 
that? All of your answers were related to Internet privacy.
    Mr. Misener. Ms. DeGette, thank you. As I mentioned in my 
testimony, we strongly believe it ought to apply equally off-
line as to online, for a variety of reasons, not the least of 
which that so few transactions and so few consumers actually 
are online.
    My wife and I purchased a small $15 space heater a few 
months back, and inside was a warranty registration card. In 
the card, in filling it out in pencil, they wanted me to list 
our household income, where we took our last vacation, whether 
or not we read the Bible, and whether or not someone in the 
household has prostate problems.
    Now, I assure you this information is far, far more 
sensitive than any information Amazon.com collects. It would be 
patently unfair to consumers--to consumers--not to address that 
issue, as well as the online issue.
    Ms. DeGette. Right. And how do we address that issue 
without passing a law?
    Mr. Misener. All I am suggesting is that when we think 
through whether or not the market is taking care of it, whether 
or not there are real problems out there, they ought to be 
addressed equally on- and off-line.
    Ms. DeGette. Thank you.
    Ms. Pearson. Ms. DeGette, my answer, and I think a number 
of the other answers, were that our practices apply online, 
off-line, no matter where we're getting information, throughout 
our companies. And there is sort of, within my company there is 
an equal level of protection for information.
    I think in terms of how to handle these issues, I would 
suggest focus first on that information that is the most 
sensitive. For example, medical information. You know, we have 
strongly supported Federal-level legislation on medical, very 
sensitive information for a long time, and we are very happy 
that there has been some activity and movement in that area, to 
create Federal-level protections. Those are absolutely 
sensitive information.
    Ms. DeGette. Thank you. Thank you, Mr. Chairman.
    Mr. Stearns. I thank the gentlelady. The gentleman from 
Oregon, Mr. Walden?
    Mr. Walden. Thank you very much, Mr. Chairman. I have a 
couple of questions. I want to follow up on something Mr. Bass 
said I think is of interest to me. I get those same sort of 
junk e-mails, if you will allow me to use that term.
    And I guess I am probably not unlike a lot of other 
consumers who want to be able to respond and tell somebody no, 
stop sending that to me, get me off your list. And yet I am 
sort of fearful that if I do, I may actually end up on more 
lists. You know, because I have heard that if you open some of 
those, then you really connect, and away you go. So I think as 
you wrestle with that one, I would be interested in your 
comments.
    I would also be interested in your comments on 
international standards, because the Internet is so ubiquitous. 
We run into this issue with other Internet-related problems--we 
can establish a standard here, but what are you facing in other 
countries, in terms of privacy? You talk about State pre-
emption. What are you facing in terms of other countries?
    And then I guess another question I would have for you is 
have you analyzed these off-line laws on privacy--you talked 
about the collection of data there--to see how and if they 
should be applied to online data collection and privacy 
standards? I understand what Mr. Doyle was saying regarding the 
rental of movies, and I understand Amazon, you know, abides by 
that same sort of carve-out in the statute. But are there other 
off-line--if we are going to treat everybody equally--statutes 
regarding privacy that we need to follow?
    So I will throw it open to you for your responses.
    Ms. Pearson. Let me address the international question, Mr. 
Walden. I will let my colleagues address the question of 
unsolicited commercial e-mail.
    We operate in 160 countries, and so we have deep experience 
handling information all over the world, both on our own 
behalf, as well as on behalf of many companies and 
organizations. And I can tell you, similar to what Mr. Swift 
said in his oral remarks, that many countries have data 
protection, data privacy legislation. Most others do not. And 
it is a concept that is kind of foreign and not really 
developed in many parts of the world, particularly in Asia-
Pacific and in Latin America.
    I can tell you that we provide the same level of protection 
throughout the world, and that the requirements that are 
imposed on us in Europe, of course we comply with. But I 
cannot, as Mr. Swift said, say to you that we are providing any 
greater level of protection to the average European citizen by 
virtue of that. Sure, we have to go through some more 
administrative steps. We have to have a few more managers doing 
different things. But I have to tell you that we are probably 
more conscious of the issue and more innovative in the United 
States than we are almost at any other place.
    This is where we have developed our policies. This is where 
we have a chief privacy officer. This is where we have engaged 
in industry leadership activities, to try to move forward on 
the issue. So, that is my comment on the international side.
    Mr. Walden. Anyone else on any of those three points?
    Ms. Hourigan. I would add to the complexity of dealing with 
the international standards. And it is not just the privacy 
laws; it is what the consumer expectation is. And that varies 
dramatically by country.
    We continue to actually look at the options available to 
us, to determine what the most appropriate approach is, given 
that we are in over 200 countries. But very, very complex and 
very complicated.
    Mr. Smith. I think the international requirements--and just 
looking at the European Commission principles--I think align 
very well with principles of the OECD of 10 or 15 years ago, of 
the FTC fair information practices. When I began working in 
privacy about 2 years ago, it seemed to me that those 
principles were how I wanted to be treated, or how I would want 
my children to be treated.
    So I think it is fairly easy, on a principle standpoint, to 
get to appropriate principles. The question really is in the 
administration. And if I were to test--the question is whether 
the process benefits the consumer or not. You know, I think 
there is a fair amount of the process that benefits lawyers and 
paper manufacturers, and does darn little for the consumer.
    Mr. Walden. Mr. Misener?
    Mr. Misener. I might take up the question of unsolicited e-
mail. First of all, Amazon.com never, ever sends unsolicited e-
mail to those who are not customers. And as far as e-mails 
marketing certain products, at Amazon.com we provide a menu of 
some 150-plus different categories that you can go in and 
select, choose opt-in to receiving e-mails on specific items of 
interest.
    Mr. Walden. Right. Different deal.
    Mr. Misener. So, for example, I have mine set up to send me 
information on history books and jazz music, two interests of 
mine. This is the kind of thing that is being addressed, by 
this committee and also the Judiciary Committee in the House, 
and also in the Senate as well, in the context of spam. And we 
are trying to get at--as I understand, the industry and 
Congress are trying to get at these nasty e-mails that we 
receive from random places about all sorts of get-rich-quick 
schemes and such. And so hopefully those can be addressed. But 
I think those are outside the context of these privacy sorts of 
discussions.
    Mr. Walden. Yes, to an extent. Although it seems like if 
you respond to some of those, they are able to apparently take 
your data and go and send it elsewhere, it seems like. I don't 
know.
    Do you have a comment on the off-line laws, privacy laws 
that are out there, versus online?
    Mr. Misener. Yes, and it is a huge topic. There are several 
trade associations, the ITI in particular, who has done an 
extensive listing of the extant off-line privacy protection 
laws. And so we would be happy to provide that to you. It is 
actually quite long in different areas. And they tend to be 
targeted, as Ms. Pearson was saying earlier, to things like 
medical privacy and children's privacy--things that are the 
most sensitive kinds of issues.
    Mr. Walden. Okay, that would be helpful. Thank you.
    Mr. Johnson. Just with respect to the off-line versus 
online issue, I don't believe that our customers view 
themselves as off-line customers or online customers. They are 
Land's End customers, and they have expectations of us. And it 
is so critical for us to maintain that relationship with that 
customer, and do everything in our power to further the 
customer's interest and make sure that we are not in any way, 
shape, or form risking that wonderful relationship we have with 
our customers. So I don't see the consumer as necessarily 
differentiating between an online versus off-line.
    Just one other point with respect to off-line. As we 
consider off-line, I think we do need to be very careful about 
the implications that off-line legislation potentially has for 
very small companies, very small retailers that are not 
involved in the online arena. You know, it potentially has an 
impact on the many very small companies that do business in 
this country.
    Mr. Walden. Thank you, Mr. Chairman.
    Mr. Stearns. I thank the gentleman. Mr. Terry is going to 
pass?
    Mr. Terry. Yes, I could be redundant and repetitive, but I 
will relieve you of that.
    Mr. Stearns. Okay. Before I let you go, if any other member 
has a quick question--I had a quick one. Mr. Swift, you 
mentioned in your opening testimony about the recent European 
legislation dealing with information privacy on the Internet, 
and how you said it was ``unimaginable burdens'' for a company 
like yours, with no substantive benefits. But I understand you 
have joined the safe harbor decision, to have Proctor & Gamble 
go into safe harbors. Is that a compromise? Or are you--tell me 
your reasoning on that.
    Mr. Swift. Well, the issue is really not safe harbor. The 
issue really is not the European Data Directive. The issue is 
that the Data Directive required 15 European countries to 
create their own privacy legislation that comported with the 
Directive. Twelve of the 15 have. The three others are in the 
process.
    So as a company that operates, and has data, and has 
employees and consumers in all 15 of those countries, I need to 
obey those laws. And the issue of the Data Directive really was 
to facilitate transfer of data within European countries. So we 
observe the European laws and have no problem transferring data 
there.
    The issue is that I need to be able to move employee data 
anywhere in the world. I may choose to move employee data from 
the U.S. to Europe for processing, or from----
    Mr. Stearns. By joining the safe harbors, you are complying 
with the European Union Internet privacy.
    Mr. Swift. I am. But it is one choice. In non-U.S. 
countries, I have contracts. In other words, if it is going 
from Europe to Japan, I have to have a contract. And what I 
have chosen for the United States, for administrative 
efficiency, really what I have done is I have created 400 
contracts between my P&G entities. Which means that I don't 
have a contract when I transfer a specific type of data. I have 
freedom to transmit any type of data within our corporate 
entities.
    Mr. Stearns. So you did it for self-survival?
    Mr. Smith. Well, it is obey the law, and what seems to be 
the most efficient or effective way to obey the law.
    And honestly, what I have found as I have gotten into 
privacy, half of my time needs to be spent in making sure that 
our information practices enable our business practices, not 
impede them. You know, our lawyers, the easy answer from a 
lawyer in Europe is, ``Well, don't move the data out of 
Europe.'' But that is not the right thing for the business.
    So I have to continually look at how can we do what is 
right for the consumer, what is right for the business, and at 
the same time obey the law? And in this case, I had no choice 
by to do 400 internal contracts, and uncountable external 
contracts.
    Mr. Stearns. Now, Ms. Pearson, IBM, I understand, has not 
signed up. Why haven't you signed up?
    Ms. Pearson. Not yet. As you can tell, this stuff is mind-
numbingly complex. It can get really complex. We similarly have 
operations everywhere in Europe, and we move data globally. So 
we have come up with a fairly complex--and I will spare you the 
details--way of complying with the European law.
    The safe harbor framework is a framework of principles that 
very importantly, between the U.S. and the EU, there is a 
handshake that says, the EU says, okay, if U.S. companies 
comply with that framework and use U.S. mechanisms, including 
self-regulatory mechanisms, you are okay for Europe. That is a 
very important statement. And we believe in the safe harbor; I 
support it in principle.
    It may or may not be the right fit for our operations, 
because we are this big enterprise that is really complex. I 
think it is an ideal mechanism----
    Mr. Stearns. Proctor & Gamble is pretty big and complex.
    Ms. Pearson. And actually we are still looking at the safe 
harbor for our web operations, because that is an area where it 
makes a lot of sense, since we do use a self-regulatory trust-
mark, the Trustee program, for our web. So we actually may 
still enroll in it for that purpose. And I think it makes a lot 
of sense for companies who are doing business over the web, in 
particular small- or medium-sized.
    Mr. Stearns. And of course GM, I understand, has not signed 
up either. And you are a big company, too, and complex.
    Ms. Hourigan. That we are.
    Mr. Stearns. So why haven't you signed up?
    Ms. Hourigan. We actually are--safe harbor is one of the 
alternatives we are looking at. As of today, we comply with the 
European laws; therefore I don't have an issue with 
transferring information within the EU countries.
    Mr. Stearns. But if the data base is outside of Europe, you 
would have to comply.
    Ms. Hourigan. That is correct. And we actually, as we 
speak, are investigating all of our options available. And we 
will make a decision in the near term.
    Mr. Stearns. Just tell me why you haven't joined. What is 
there, the part about the European legislation that you don't 
like? What specifically is preventing you from joining? Last 
year, I think the Clinton administration had negotiated 30 
large companies. And you folks weren't one of them. What is 
there specifically why you didn't buy?
    Ms. Hourigan. I don't think there is any specific part that 
we dislike. I think it is the challenge of--we are looking at--
again, we operate in over 200 countries. So the EU is one 
issue, but because we are global we are trying to come up with 
a global solution. And to the extent that--we may decide to 
take advantage of safe harbor.
    Mr. Stearns. Is there anything that Congress could do to 
make this simpler for companies like yourself?
    Ms. Hourigan. I don't think so.
    Ms. Pearson. The issue is, we have a European law, and we 
are complying with a European law, in various ways. And the 
safe harbor framework is one way to do it.
    Mr. Stearns. But you have not signed up, and I just want to 
know why IBM and General Motors have not signed up. What 
specifically is the reason?
    Ms. Pearson. There are other ways of complying with the 
European law. So the safe harbor is 1 of 3 or 4 or 5 ways of 
achieving compliance with that law.
    Mr. Stearns. I am not saying you should necessarily. I am 
just curious.
    Ms. Pearson. And so, at this point, I think what help the 
government, from the U.S. side, could do is to keep actively 
engaged with Europe in oversight capacity and dialog capacity, 
to make sure that U.S. companies are treated similarly with 
European companies with respect to how this law is implemented. 
Because it is a very important issue going forward.
    Mr. Stearns. Anyone else like to mention anything else? And 
then if any other member would like to add another question, I 
would be glad to welcome that. Mr. Doyle?
    Ms. Hourigan. I will add one--I'm sorry--one very brief 
comment. And that is when safe harbor was negotiated, as you 
all know, there was a carve-out for financial services. We have 
a tremendous presence, with our GMAC operations, in Europe. And 
that is one thing that we are looking at, because that is not 
included in safe harbor.
    Mr. Stearns. Okay. Mr. Misener?
    Mr. Misener. Mr. Chairman, thank you for this question. And 
actually it gives us an opportunity to hopefully clear up some 
of the misconceptions that have been produced in the press 
recently.
    Safe harbor does not imply one way or another necessarily 
compliance with the underlying national privacy laws in 
European countries. We are fully compliant with all the 
national privacy laws there that govern the transfer of 
information in and out of the European economic area. However, 
we have not sought safe harbor protection; we have not yet been 
convinced of the value of the safe harbor in itself. Yet we are 
fully compliant with the national laws.
    And so it is not the same to say that we are not complying 
or interested in complying.
    Mr. Stearns. Well, you were just saying that if you had 
signed a legal document, then the enforcement mechanism in the 
European Union would apply to you. And right now----
    Mr. Misener. That is correct.
    Mr. Stearns. [continuing] that is what it sounds like you 
are worried about.
    Mr. Misener. Well, I am not sure we are worried, actually, 
Mr. Chairman.
    Mr. Stearns. Not worried--it's a word. But I mean, it is 
another ambiguous set of circumstances that you don't know the 
implication of, and yet you are complying.
    Mr. Misener. I think that is fair to say. We are just not 
yet convinced of the value of seeking safe harbor treatment per 
se. Although, again, I clarify that we are fully compliant with 
the national laws in Europe, and therefore don't necessarily 
need to attain that safe harbor protection.
    Mr. Stearns. Okay. Mr. Doyle?
    Mr. Doyle. Yes, thank you. Just one quick follow-up. Just 
before you leave--and if you could take off your company hats 
and just be citizens and consumers, we won't hold you 
responsible for anything you say.
    Mr. Stearns. Just forget the camera.
    Mr. Smith. Oh, sure.
    Mr. Doyle. We will never tell anyone else what you said.
    Mr. Smith. You will protect our privacy, right?
    Mr. Doyle. You have got complete privacy here.
    But just to help us with this, you know, these computers, 
they are getting faster every day. They store more information. 
It is scary to think 5 years from now how quick they will be, 
and how rapidly we will be able to collect and disseminate 
information. What scares you, or concerns you, as a private 
citizen, about the ability that many people are going to have 
to collect and disseminate information on just about 
everything? I mean, what scares you when you just think as a 
private citizen about this technology, and what is the 
potential for abuse?
    I mean, I get these things on my--maybe because we are in 
politics. But I think we get them all the time. ``You can spy 
on your neighbors and friends,'' you know, just sign up here 
and you can learn anything you want to learn about your 
political opponents. And I have always been tempted to click on 
that.
    But I haven't. But think--I mean, 5, 10 years from now, 
given what is happening in this technology, what really scares 
you about this ability to collect all this information on one 
another?
    Mr. Smith. I think to me the question is, where does harm 
occur? If someone takes a communication out of a mailbox that 
has a person's Social Security number, and from that steals a 
person's identity, that is concerning. And you know, that has 
been possible as long as there have been mailboxes and Social 
Security numbers. And if we find that there are elements that, 
you know, at some level of frequency create harm, then we have 
got to break the code. We have got to stop the pipe on that.
    Typically, that is not where companies in commerce are. I 
mean, our consumers vote for us every day, and we are trying 
the best we can to get them information. And those are the 
things where we don't want to break the code or break the bank.
    Mr. Doyle. But just as a citizen.
    Mr. Smith. I don't want my identity stolen. I don't want my 
credit cards stolen. I appreciate it when people inform me of 
practices that can help me for those things not to happen.
    I think, you know, some of the software that is being 
developed that will give us more choices about the data that we 
give up on the Internet all make good sense. You know, if you 
don't want people to have the answers to what is on the 
warranty card information, don't do it. You know, most of the 
stuff that you get on the web, it has an unsubscribe at the 
bottom. Let's help people hit the unsubscribes. And my bet is 
that most of the things that we are most concerned about would 
be something that may be facilitated to a degree by technology. 
But it is, you know, how do you stop a criminal from doing a 
criminal act?
    Ms. Hourigan. I would just add to the concept of identity 
theft, I have had two people very close to me undergo--it has 
just been an absolute nightmare for them. And it has got such a 
tremendous ripple effect, sweeping consequences. And it really 
requires a tremendous amount on a consumer to try and rectify a 
wrong that was completely outside his or her control.
    Mr. Doyle. We are getting called to vote.
    Mr. Stearns. Yes. Anyone else?
    Mr. Misener. Well, Mr. Doyle, very quickly, before I was 
brainwashed in law school I was an electrical engineer and a 
computer scientist. And I do have an appreciation for those 
huge data bases that are out there, that you mentioned. Those 
exist quite distinct from the Internet. The Internet is a 
communications medium, as we all understand. But those data 
bases are also connected to a typist who actually took that 
little warranty card asking about the prostate problems in my 
family, and typed it into those data bases.
    I think what the concern is, as a citizen, is the type of 
information that we are talking about here. I don't care if 
someone knows that I bought that pan at Amazon.com. I really 
don't care. I do care, however, about medical records, 
financial information, information about young children, those 
sorts of things. And those things deserve a higher level of 
scrutiny and protection.
    Mr. Johnson. I agree absolutely with what everyone here has 
said. As a consumer, as a citizen, the technology itself 
doesn't scare me a bit. A concern, though, as a consumer is 
with respect to, as Mr. Misener stated, financial information, 
health care information, which is dealt with separately and is 
protected. So the technology itself and the communication 
mediums and whatnot really don't frighten me.
    Mr. Doyle. Thank you all.
    Mr. Stearns. Ms. DeGette? Mr. Towns?
    Mr. Towns. Hearing all of this--and believe me, there are a 
lot of problems--you still feel that we should not do anything? 
The Congress?
    Mr. Misener. Do I feel that you should not do anything? I 
don't think legislation is inherently necessary, as I mentioned 
before, because I think companies are being forced to address 
these issues head-on, or they are not going to survive. These 
are the kinds of issues that we must do, simply to please our 
customers and to survive in the marketplace.
    So no, Mr. Towns, I don't believe that legislation is 
inherently necessary. But if there is a belief that there is a 
need to address specific areas of information--for example, 
financial or medical or children's information--I think that 
strong arguments could be made to go after those specific types 
of information, as opposed to the medium through which they are 
collected.
    Mr. Smith. And one of the things that I would urge is that 
we start from where the harm is. You know, with Graham-Leach-
Bliley, all of us have had our mailboxes full of disclaimers 
that are too long to read and incapable of being misunderstood. 
And the reason was that we didn't look at where the harm was, 
but we looked at a type of data. And I think we need to find 
where the difficulty is and then address that difficulty, 
rather than to take a blanket approach on a specific type of 
data. As important as it is.
    Ms. Pearson. I hope you will pass new privacy legislation, 
at the right time, on the right subject. I am not smart enough 
today to tell you exactly what it is, but I hope we can work 
together to find it.
    Ms. Hourigan. And I would also urge, if that were to take 
place, industry appreciates being involved. And there are a lot 
of practical complexities associated with this issue. And so we 
would appreciate having our input heard.
    Mr. Towns. Mr. Johnson?
    Mr. Johnson. I concur with Mr. Misener. I believe the vast 
majority of companies doing business today are doing everything 
in their power to protect their relationships with the 
consumer. And I would just caution that we not do something 
that inhibits our ability to ultimately serve our customers and 
provide benefits and valued services and products to them. As 
Ms. DeGette said earlier, how do we target the bad guys, the 
very few that raise these kinds of issues? I don't know that I 
have answers for that, but I am not convinced necessarily that 
legislation is going to be successful at doing it.
    Mr. Towns. Thank you very much, Mr. Chairman.
    Mr. Stearns. I thank my ranking member. We have finished 
with panel No. 1. We have been called to vote. So it is 
probably appropriate to reconvene after these--I think we have 
two votes. So we will do that, which would be--we have 10 
minutes left on this, and then 5, 15. So hopefully we will 
reconvene in about 15, 20 minutes. And so I thank panel No. 1, 
and if panel No. 2 will hold, we will be right with you.
    [Recess.]
    Mr. Stearns. The committee will reconvene, and we will have 
panel No. 2. And we thank you for waiting.
    We have Jennifer Barrett, Chief Privacy Officer of Acxiom. 
And we have Mr. John Ford, Chief Policy Officer, Equifax, 
Incorporated. And Ms. Deborah Zuccarini, Executive Vice 
President and Chief Marketing Officer of Experian. Welcome to 
you.
    And Ms. Barrett, if you don't mind, we will have your 
opening statement.

   STATEMENTS OF JENNIFER T. BARRETT, CHIEF PRIVACY OFFICER, 
ACXIOM; JOHN A. FORD, CHIEF PRIVACY OFFICER, EQUIFAX, INC.; AND 
DEBORAH ZUCCARINI, EXECUTIVE VICE PRESIDENT AND CHIEF MARKETING 
             OFFICER, EXPERIAN MARKETING SOLUTIONS

    Ms. Barrett. Thank you, Chairman Stearns, Ranking Member 
Towns. For more than 30 years, Acxiom has been a leaders in 
responsibly providing innovative data management services to a 
who's who of America's leading companies. And we do it in a way 
that goes beyond what is required by law or self-regulation, in 
order to respect consumer privacy.
    Acxiom believes that any use of information to defraud or 
discriminate must be illegal. At the same time, we strongly 
believe in a balanced approach to the collection and use of 
information. The free flow of information we enjoy today has 
greatly contributed to our Nation's economic growth and 
stability. Consumers have greater choice and variety. Goods and 
services cost less. And transactions are completed faster and 
more easily.
    It takes much more than just instinct to recognize what 
consumers want. One hundred years ago, the local shopkeeper 
knew just what his customers bought, but knew them also 
personally, knew how they spent their time, and he knew their 
family.
    Today's consumers are as likely to shop through a catalogue 
or over the Internet as they are in a store. The business-to-
consumer relationship requires new information tools. Acxiom 
helps businesses recognize and engage consumers who likely have 
the greatest need for what they are selling. Our operations 
include two distinct components: data base management services, 
and information products.
    Specialized computer services represent 90 percent of our 
revenue, and help companies manage their customer information. 
This includes keeping up-to-date customer records in order to 
ensure opt-in or opt-out requests are properly honored, and 
saving companies millions of dollars when unwanted duplicate 
promotions are eliminated.
    The other 10 percent of our business comes from a separate 
line of information products. These allow businesses to improve 
their relationship with consumers, irrespective of whether they 
live in a city or in a rural area, whether they are a parent or 
an elderly shopper. For example, a major kitchen and bath store 
used our product to reach households with elderly patrons 
likely interested in learning more about their new senior 
product line, including shower grips, bath stools, and large-
print clocks.
    The real winner in the use of information to engage in the 
consumer is the consumer. To fit all the pieces of the 
marketplace together that we have learned and heard about 
today, I have provided a chart on page six of my testimony, and 
as well on the easel you see over here to your right. Point A 
on the chart represents the consumer, who expects to complete 
transactions quickly, obtain the best prices, and choose from 
the widest variety of products and services. At point B, we 
find the business, who responds to these expectations by 
understanding their customers and their market. To do this, 
they need information beyond that collected during a sale. For 
example, the characteristics of a household, such as are there 
elderly consumers in the home?
    This information is available from two points, or from two 
sources: point C, which is directly from another merchant; or 
point D, from information compilers such as Acxiom.
    For example, our customer enhancement products give 
businesses the demographic, lifestyle and interest information 
they need to understand their customers and the market. And our 
compiled list products provide access to likely new consumers 
who would like to be customers.
    We compile or acquire the relevant information from a 
variety of sources, points E and F on the chart, and aggregate 
this data by household. We compile public records and we 
acquire self-reported and other general information directly 
from companies that sell products and services to consumers, 
and who offer a third-party opt-out.
    We only receive general summary information, indicating 
probable interest or lifestyle data. We do not have detailed 
data about individual transactions. Acxiom only sells data to 
qualified businesses, under contract for specific use. We do 
not sell data on one individual or a household, and we do not 
sell data to the general public. Our information products help 
businesses and consumers fill in some of the missing pieces in 
today's relationship gap.
    We are also very proud of our ingrained culture of respect 
for privacy. Since we do not have a relationship with the 
consumer, we ask our customers to refer any consumer to us who 
inquires about our data. We have posted a privacy policy on our 
web site since 1997, and we maintain a consumer care department 
to handle inquiries. We also provide an opt-out to all 
marketing products through our web site and via a toll-free hot 
line.
    We have consistently not only met but exceeded all 
requirements placed on us by law and industry self-regulation, 
by establishing our own even more restrictive policies.
    In closing, there are a few things that I would like to add 
that we do not do. Acxiom does not have one big data base 
containing data on every individual. Instead, we have many 
different information products designed to meet the various 
business needs of our customers. The information we provide 
cannot be used for decisions of credit, insurance, or 
employment. And we do not sell Social Security numbers, credit 
or other detailed personal financial information that could be 
used to steal someone's identity.
    In short, we are committed as business leaders and 
consumers ourselves to protecting consumer privacy.
    Mr. Chairman, on behalf of our more than 5,000 associates, 
I wish to thank you for the thoughtful approach which your 
subcommittee continues to use in studying this very important 
issue. And we appreciate the opportunity to be here.
    [The prepared statement of Jenniffer T. Barrett follows:]
 Prepared Statement of Jennifer Barrett, Chief Privacy Officer, Acxiom 
                              Corporation
                              introduction
    Chairman Stearns, Ranking Member Towns, and members of the 
Subcommittee, thank you for the opportunity to participate in this 
timely hearing and to share Acxiom Corporation's perspective on how the 
current flow of information powerfully underpins the vibrancy of the 
new American economy.
    As your Subcommittee continues to explore the issue of privacy in 
the responsible manner that this series of hearings evidences, we 
strongly support the concept that a balanced approach to the use of 
information must be achieved. We believe that inappropriate use of 
information to defraud or discriminate against consumers should be 
illegal, as it is already in most situations. Furthermore, the 
relatively free flow of information we find today in the U.S. has 
significantly contributed to our nation's economic growth and stability 
by enhancing variety in consumer goods and services, by facilitating 
lower domestic prices as compared to foreign markets, and by 
accelerating the speed and ease with which transactions can be 
completed. We believe that it is imperative that consumers be protected 
from fraud and discrimination while the benefits to both consumers and 
businesses are preserved.
    When privacy laws and implementing regulations overreach, the 
results can be devastating: legitimate businesses suffer irreversible 
damage, and consumers unintentionally lose many advantages. It is our 
hope that by sharing our story with you--as well as by separating 
information myths from reality--we will aid you in evaluating an 
appropriate legislative direction.
                        about acxiom corporation
    Founded in 1969, Acxiom Corporation has more than thirty years 
experience in customer data management services, technology leadership, 
and awareness of and sensitivity to consumer and business privacy 
concerns. We are based in Little Rock, Arkansas, with operations 
throughout the United States, Europe, and Asia. Our annual revenues 
approach $1 billion. Our company has over 5,000 employees worldwide: 
with over 2,800 of them working in Arkansas, almost 1,000 in Illinois, 
more than 200 in California, and 170 in Arizona.
    Acxiom's business includes two distinct components: database 
managment services and information products.
Database Management Services
    Acxiom's database management services, which represent ninety 
percent of the company's revenue, include a wide array of leading 
technologies and specialized computer services. These services help 
large companies improve and boost customer loyalty, retention, and 
market share by making accurate ``customer recognition'' possible 
across multiple lines of business and across multiple points of sale, 
including the Internet, call centers, and retail outlets.
    Customer recognition is critical to delivering an exceptional 
initial customer experience, retaining that customer, honoring consumer 
preferences about how personal information is used, and improving 
business profitability. Although e-commerce has increased consumer 
product availability, it also has made customer recognition more 
difficult.
    Acxiom's database management services assist companies in better 
managing their customer information to address this need. For example, 
it is not uncommon for a company's databases to contain several 
different names and address variations for the same person. We provide 
services that will accurately recognize a particular individual. Our 
services can save a company millions of dollars when, for example, 
unwanted duplicate catalogs or other mailings are eliminated. Moreover, 
we assist companies maintain up-to-date records to ensure that their 
customers' opt-in or opt-out requests are properly honored.
Informational Products
    Acxiom also offers a complementary line of information products 
that represent the remaining ten percent of our gross revenues. Our 
InfoBase information products allow businesses to make smarter and 
faster strategic decisions, streamline customer communication at every 
point of contact (Website, telephone, store, wireless, and more), 
personalize and target various communications, and strengthen 
relationships with their customers. The majority of our testimony today 
further explains these products.
          the economic need for acxiom's information products
    Acxiom's information products help fill an important gap in today's 
business to consumer relationship. Think back to 1901. The local shop 
owner knew his customers and his market well. The shop owner was 
familiar with what they bought, what they liked to do, how they spent 
their time and something about their family. Today, large and small 
businesses are trying to achieve the same level of knowledge about 
their customers' interests and needs as the small shop owner enjoyed a 
hundred years ago. This need for knowledge is not new. In the current 
environment, however, with customers shopping remotely via the 
Internet, on the phone and through catalogs, securing information about 
customers that allows companies to better serve them is more difficult 
to accomplish.
    In our information-based economy, companies grow by exceeding 
consumer expectations with unparalleled products and services of the 
highest quality. Despite technological advances, businesses do not 
instinctively know what their customers want and need. Acxiom's 
information products provide the additional knowledge necessary for 
businesses across diverse industry sectors to stay in touch with and to 
satisfy their customers in order to achieve profitability and market 
growth.
    Our role is to help businesses systematically recognize and engage 
consumers who, with the aid of our information products, are believed 
to be those with a likely interest or need for their products, or 
services. While changing technology, such as the Internet, has largely 
reshaped the mechanics of how commerce is conducted, the basic strategy 
of marketing remains constant--the operational need to focus a 
company's marketing efforts on those most likely to have an interest or 
need in their products or services.
    With Acxiom's information products, companies have been able to 
accomplish goals such as:

 A kitchen and bath store used age to recognize their elderly 
        customers in order to offer them a new senior-lifestyle product 
        line of kitchen and bath enhancements--shower grips, bath 
        stools, large print stove dials, large print clocks, and better 
        grip door-knob covers.
 A bookstore used age to recognize the right audience to 
        promote a new line of large-type books, including large-print 
        Bibles.
 A major publisher used the knowledge of which subscribers had 
        younger children in the household to promote a new publication 
        for kids, which was co-branded with Crayola.
 A computer software company used the knowledge that certain 
        households owned a computer to promote in-home access to 
        educational software.
 A computer manufacturer employed information on households 
        that did not have computers to offer a special purchase price 
        in order to encourage the use of educational and in-home 
        financial management software.
 A retailer used the knowledge about which customers in their 
        area had swimming pools to offer special products and prices 
        for pool toys and supplies, as well as an inventory management 
        resource to determine how much merchandise of this type to 
        stock in each local store.
 A local bass fishing supply store launched a catalog to reach 
        customers outside their store trading area by knowing which 
        households had a passion for their specialty--fishing.
 A small tool company expanded their customer base by mailing 
        catalogs to professionals interested in power tools at a 
        discounted price.
 A local day care program promoted a special offer to single 
        moms in their local community.
 A literacy program in English was focused on reaching non-
        English speaking families in rural areas.
    Without the use of our information products, each of the businesses 
in the preceding examples would have been less effective in 
communicating with their existing and potential customers. 
Consequently, the real winner in the use of information to engage 
consumers is the consumer.
    The following chart has been provided to assist the Subcommittee in 
understanding the information marketplace from a more macro 
perspective, as well as the key role that Acxiom plays in this 
interchange.
[GRAPHIC] [TIFF OMITTED] T4846.001

    Consumers expect to complete transactions quickly, obtain the best 
price possible, and be able to choose from a wide variety of products 
and services--as reflected in point A on the chart. Businesses--point B 
on the chart--respond to the expectations by working hard to understand 
their customers and their market. To do this effectively, they need 
information beyond that collected during the sale. If the information 
cannot be collected directly from the consumer, then it is available 
from two sources--either directly from other merchants--point C--or 
from information compilers, including Acxiom--point D. Information 
compilers use public information, primarily obtained from the 
government, or in some cases collected from other businesses--point E--
that obtain the information through their relationship with the 
consumer--point F.
Information Product Development
    Acxiom begins its information product development with the 
identification of a marketplace need. For example, in order to achieve 
growth and product objectives, businesses may need to know something 
about the characteristics of a household. Is it a single adult 
household, or is it a married couple? Do they have children, and if so, 
are they small children, teenagers, or college aged? Other relevant 
characteristics might include whether the household has an interest in 
certain hobbies, such as cooking or gardening, or participates in 
certain activities--do they play tennis, golf, or both? Such 
characteristics are extremely relevant in determining whether a 
consumer in that household may want to learn more about a product or 
service.
    Once a particular information need by business has been identified, 
Acxiom compiles or acquires the relevant information from a variety of 
sources and aggregates it by household. This is a complex process which 
varies on a case-by-case basis. However, it is important to emphasize 
that in all such efforts, any data collected is general in nature and 
not specific to transactions or events. It does not include details on 
specific actions that an individual has taken, confidential medical 
information, or specific information regarding children. Once the data 
is collected, Acxiom must clean, integrate, and package the information 
into a product that meets the marketing needs and information demands 
of businesses. We invest significant time and resources in developing 
these products. Finally, a successful information product provides 
Acxiom's customers with enough of the right information to solve their 
specific business problem or need.
    Acxiom does not sell data on one individual or one household at a 
time. We do not sell information to the general public. Information is 
sold by the thousands of elements or records to qualified businesses. 
We perform a credit check on all pro-
spective customers. Once we are satisfied about our customer's 
qualifications, we require them to sign a contract that binds their use 
of the information acquired from us for specifically articulated 
purposes. Acxiom and our customers typically enter into long-term 
contracts--one, three, or five years--for use of a particular 
information product.
Categories of Acxiom's Information Products
    Our information product offerings provide needed intelligence for 
three primary functions: (1) our directory products provide telephone 
information necessary to locate, verify or contact consumers by phone; 
(2) our enhancement products provide the information businesses need to 
better understand their customers and their market; and (3) our list 
products provide access to consumers who are potential future 
customers. As mentioned earlier, these products comprise about ten 
percent of Acxiom's gross revenues.
    Directory Products: Containing name, address, and telephone number, 
Acxiom's line of directory products are compiled primarily from the 
white and yellow pages of published U.S. and Canadian telephone 
directories--5,900 different directories in the U.S. alone.
    For example, we license some of our directory products to companies 
as an inexpensive form of directory assistance and to Websites that 
provide free nationwide directory assistance. These Web-based 
directories benefit consumers in many ways, such as providing help in 
finding friends or family members with whom individuals may have lost 
touch.
    In all our directory products, Acxiom respects a consumer's choice 
regarding unpublished numbers. The names and numbers we include in 
these widely-used directories are derived only from those consumers who 
have elected to have their number made publicly available by their 
local telephone carrier. Moreover, for consumers who contact us in 
writing, through our Website, or by calling our toll-free Consumer 
Hotline, Acxiom offers the option to opt-out of this service if, for 
instance, the consumer wants to keep a published number in the local 
printed telephone book, but not have it available on a Web-based 
directory.
    Enhancement Products: Acxiom also offers businesses lifestyle, 
demographic, and interest data on their customers to enhance the 
company's knowledge about their customers and provide a better 
understanding of their customer's desires, needs, and changing 
characteristics. Demographic data includes such information as the 
makeup of the household--single, married, with or without children. 
Lifestyle data might include information such as home ownership, 
retirement status, or average income strata of the neighborhood. 
Interest information would identify a passion for cooking or golfing.
    This demographic, lifestyle and interest information is added to a 
company's already-existing customer files, known as ``response lists.'' 
The information is general in nature. We do not provide detailed 
transactional information. We license enhancement information to 
qualified businesses through a menu-oriented approach. Businesses 
license only the data needed for a particular business decision or 
process. In many cases, we have pre-packaged information groups to meet 
common or recurring business needs for specific industries.
    How might a business use enhancement information? First, it is used 
to better understand the interests and needs of current customers. 
Second, enhancement data is employed to identify the best market 
segments for up-selling or cross-selling particular products. Finally, 
demographic, lifestyle, or interest data can help identify 
characteristics common in a business' best customers in order to target 
similarly-situated prospective customers who may be more likely to have 
an interest or need for the company's products or services.
    List Products: Acxiom offers prospect lists as a third type of 
information product. These lists are built from a variety of 
information sources, and represent broad coverage of the population. 
Prospect lists, which contain much of the same information contained in 
our enhancement products (including demographic, lifestyle, and 
interest information), differ from a particular company's response 
lists in so far as they contain information about consumers with whom 
the company has had no prior relationship.
    Prospect lists allow businesses to take the information about their 
best customers and apply that knowledge to selecting likely households 
of potential new customers. Acxiom sells prospect lists to businesses, 
not-for-profit organizations, and political parties and candidates.
Data Sources for Acxiom's Information Products
    The information we acquire to build our information products is 
obtained from three general types of sources--public information, self-
reported information, and summary customer information from companies 
who have consumers as customers. Acxiom compiles or acquires this 
information from several hundred carefully chosen sources with whom we 
have cultivated and maintained long-term contractual relationships.
          Public Information: Public records and publicly-available 
        information are the foundation of Acxiom's information 
        products. The types of data that Acxiom acquires or compiles 
        include: telephone directories and other types of publicly-
        available directories, property records, and other state and 
        county public records. This information provides the basic 
        names, addresses, and general demographic information, such as 
        home ownership, profession, and the age of members of a 
        household.
          Self-Reported Information: Surveys and questionnaires are an 
        additional source for demographic information and provide much 
        of the lifestyle and interest information we acquire. Consumers 
        are asked to voluntarily complete surveys, such as those 
        contained on warranty cards, from a variety of companies asking 
        for specific information. In these cases, the consumer is 
        customarily provided the opportunity to opt-out of further use 
        of the information beyond that of the company conducting the 
        survey.
          Information from Merchants: Acxiom acquires some information 
        directly from companies who sell products and services to 
        consumers. In these instances, we ensure that consumers have 
        received an opportunity to opt-out of their information being 
        shared with a third party, such as Acxiom. Also, we only 
        receive very general summary information that indicates 
        possible lifestyle or interest data. We never receive detailed 
        transaction information. Rather, general information that we 
        acquire is used to extrapolate lifestyle or interest 
        characteristics. For example, knowing that certain households 
        subscribe to a magazine on golf would indicate that those 
        households have an interest in golf, just as the fact that 
        those households ordered that subscription from a Website would 
        indicate that they are Web-enabled.
    In some cases, Acxiom compiles information directly from the 
source, such as the telephone directory and the property records. In 
other cases, Acxiom acquires this information from other reputable 
information providers, who perform the original compilation, or we 
acquire the information directly from the business holding the 
relationship with the consumer. Acxiom carefully screens all 
information providers and businesses from which we receive information 
to assure that the information has been legally obtained and is 
appropriate for the intended use.
    The information Acxiom collects on an individual or a household is 
always incomplete. Acxiom does not have information on every 
individual, and we do not have the same kind of information on all 
individuals. For example, we may or may not have the telephone number 
of a household. We may or may not have property information. We may or 
may not have lifestyle or interest information. Our goal as an 
information provider is to provide sufficient coverage of various data 
elements to meet the market needs for that particular piece of 
information.
    The following chart summarizes the process Acxiom uses to take 
information from a variety of sources and to develop specific 
information products designed to meet the business needs of various 
markets.
[GRAPHIC] [TIFF OMITTED] T4846.002

                      respecting consumer privacy
    Acxiom has a long-standing tradition and engrained culture of 
respecting consumer privacy in the development and marketing of our 
information products. I have been employed by Acxiom for 27 years, and 
I have been responsible for privacy oversight since 1990. Privacy has 
been my full-time job over the past three years.
    Since Acxiom does not have a customer relationship with individual 
consumers, we do not routinely have direct contact with the individuals 
whose data we hold. Therefore, we ask our customers to refer any 
individual consumer to Acxiom who may inquire about the sources of data 
they have obtained from us. Since 1997, we have posted our privacy 
policy on our Website, before it was an established and common 
practice. Acxiom maintains a Consumer Care Department to handle 
consumer inquiries. We also provide consumers who contact us in 
writing, through our Website, or by calling our toll-free Consumer 
Hotline the option to opt-out of all of our marketing products.
    Our privacy policy is designed to adhere to all Federal, State, and 
local laws and regulations on the use of personal information. In 
addition, Acxiom follows the industry self-regulatory guidelines of a 
number of trade associations in which we are active members, including 
the Direct Marketing Association, the Online Privacy Alliance, and the 
Individual Reference Services Group. These guidelines include posting a 
notice that describes what data we collect, how we use it, to whom we 
sell it, as well as what choices consumers have about the use of that 
data. We recently certified under the European Union Safe Harbor and 
have applied for and are in the final stages of being certified for the 
BBBOnline Seal.
    Acxiom is also an active member of the Privacy Leadership 
Initiative and the Coalition for Sensible Public Record Access. We 
believe that consumers should be educated about how businesses use 
information. To that end, we publish a booklet, entitled ``What Every 
Consumer Should Know About the Use of Their Individual Information,'' 
which is available both on our Website and upon written or telephone 
request.
    Acxiom takes its responsibility toward protecting consumer 
information seriously. Beyond the industry accepted guidelines which we 
follow, we have also established our own guidelines which are more 
restrictive than industry standards. For example, we do not provide 
Social Security numbers or other personally identifiable information 
about children in any of our products. Moreover, we only capture the 
specific information required to meet our customers' information needs, 
discarding the remaining data, when we compile information from public 
records. These voluntary information practices are internally and 
externally audited on a regular basis.
                   myths about information providers
    With the full picture of Acxiom's business operations now outlined 
to better explain what we do, I believe it is important to close by 
reiterating for you what Acxiom does not do. Over the years, a number 
of myths have developed about the information industry that require 
clarification. Please allow me to set the record straight:

 Acxiom does not have one big database that contains detailed 
        information about all individuals. Instead, we have many 
        databases developed and tailored to meet the specific needs of 
        our business customers--entities that are carefully screened 
        and with whom we have legally-enforceable contractual 
        commitments.
 Acxiom does not provide information on a particular individual 
        to the public. The information we sell is provided only to 
        qualified businesses for specific legitimate business purposes. 
        I cannot call up from our databases a detailed dossier on any 
        of you, let alone me.
 The information we provide cannot be used, according to 
        existing law, for decisions of credit, insurance or employment. 
        These activities are regulated by the Fair Credit Reporting Act 
        and such uses are prohibited under our contracts.
 Acxiom does not contribute to the nation's identity theft 
        problem. We do not sell Social Security numbers or credit card 
        numbers to anyone, nor do we sell credit or other detailed 
        personal financial information that could be used to steal 
        someone's identity.
 Acxiom does not develop any information products containing 
        sensitive information. We define sensitive information as 
        personal information about children, medical information, and 
        detailed financial information. The only exception to this 
        would be a situation where the consumer has opted-in to 
        volunteer such information for distribution or where the 
        information may be a part of the public record.
 Acxiom does not sell detailed or specific transaction-related 
        information on individuals or households, such as what 
        purchases an individual made on the Web or what Web sites they 
        visited. The information we provide is general in nature and 
        not specific to an individual purchase or transaction. For 
        marketing purposes, businesses need information about the 
        household, not the specific individuals comprising the 
        household.
    Mr. Chairman, on behalf of our over 5,000 associates, Acxiom 
appreciates the opportunity to appear today to share with the 
Subcommittee a detailed overview of our core business operations. We 
also wish to thank you, Mr. Chairman, for the deliberative and thorough 
approach with which this committee has studied the appropriate and 
inappropriate uses of information in our economy. Acxiom is available 
to provide any additional information the Subcommittee may request.

    Mr. Stearns. Thank you.
    Mr. Ford, your opening statement?

                    STATEMENT OF JOHN A. FORD

    Mr. Ford. Mr. Chairman, Mr. Towns, counsel. I am John 
Ford--that's Chief Privacy Officer, sir--for Equifax. I thank 
you for this opportunity to summarize the written statement 
that Equifax submitted for the record.
    I am going to talk a bit fast so that I can stay within the 
time limit, so let me get straight to the point. Equifax's view 
is that personal information for marketing purposes provides 
important benefits to consumers, to businesses, and to our 
economy, and that the potential privacy risks or harm arising 
from these uses are small, are already subject to effective 
privacy safeguards, and need not be subject to further privacy 
regulation.
    Founded in 1899, Equifax is the oldest and the largest of 
the credit reporting companies in the United States. Our 
activities here are regulated under the Fair Credit Reporting 
Act and related State statutes. As a separate company, Equifax 
Direct Marketing Solutions maintains one of the largest 
marketing data bases in the world.
    I want to emphasize that our consumer reporting data base 
is entirely separate and distinct from our direct marketing 
data bases--physically, managerially, operationally. As a 
responsible steward of information, Equifax is committed to the 
fair and ethical use of data, the free flow of information, 
self-regulatory initiatives, and to forging effective 
information privacy solutions.
    When assessing privacy risks and harms, at least four key 
topics, I think, are relevant. First is source: is the source 
of the information reputable and reliable? Second, content: is 
the data base information aggregated, anonymous, or is it 
personally identifiable, is it sensitive?
    Use: will the information be used to benefit the 
individual, or does its use put the individual at risk for 
adverse action? And finally, privacy protections: are there 
adequate privacy protections already in place?
    The answers to all of these questions, I believe, support 
the conclusion that the privacy risk or harm from direct 
marketing is minimal, the benefits are substantial, and little 
basis exists for more governmental regulation.
    Regarding sources, at Equifax much of the personally 
identifiable information provided for marketing purposes is 
consumer self-reported data. Third-party data sources include 
public record repositories, other government agencies that 
provide, for example, hunting or fishing license information, 
and other types of reputable sources using publicly available 
data, such as telephone white pages or other directories and 
exchanges, and census data.
    Regarding content, our marketing data bases contain 
primarily information that is predictive: that is, information 
that describes the characteristics that people who live in a 
particular geographic area are likely to have. Even when the 
information is more granular, it typically describes buying 
characteristics of a household, not necessarily of a specific 
individual.
    We do collect sensitive, personally identifiable 
information, but only when the consumer has voluntarily 
provided it. The personal information we obtain for marketing 
purposes is not used for risk assessment; rather, the 
information is used to efficiently shape and deliver the kinds 
of offers an individual is most likely to want. As a result of 
direct marketing, consumers become aware of new products and 
services, businesses sell more products more cost-effectively, 
and the economy grows.
    Some have suggested that such target marketing provides 
some consumers advantages over others who do not receive the 
direct mail offer. The fact is, businesses have a limited 
number of dollars to support marketing campaigns. It only makes 
sense that businesses would seek to achieve the best return 
possible by focusing on those most likely to respond. 
Similarly, Members of Congress do not mail campaign 
solicitations to every constituent, but usually only to those 
who have given before or who are more likely to respond.
    As I said at the outset, Equifax has adopted privacy 
protections for marketing data that are appropriate to the use 
and any potential harm. For example, we have always 
contractually prohibited our customers from using our data base 
for individual lookup, and our system has no delivery mechanism 
for a customer to query the data base based on a name. Data 
collection or exchange, rather, is done in batch mode, usually 
computer to computer or via mag tape, making review by an 
individual virtually impossible.
    In sum, direct marketing is a societal and economic good. 
Overall, the process is profitable, efficient, and benign. The 
concept is consumer-oriented and privacy-sensitive.
    In closing, I want to congratulate you, Mr. Chairman and 
the subcommittee, for your leadership in this privacy arena. We 
look forward to working with you so that the marketplace might 
achieve the further synergies that can arise from a better 
understanding, and a greater appreciation, of the important 
benefits of direct marketing.
    [The prepared statement of John A. Ford follows:]
Prepared Statement of John A. Ford, Chief Privacy Officer, Equifax Inc.
                            i. introduction
    Mr. Chairman and members of the Subcommittee, I am John Ford, Chief 
Privacy Officer for Equifax. I want to congratulate you, Mr. Chairman, 
and the members of your subcommittee and its excellent staff for the 
thoughtful and thorough manner in which your subcommittee is reviewing 
the information privacy issue.
    In this statement, I briefly describe Equifax; our commitment to 
protecting consumer privacy; and, from the Equifax perspective, the 
sources, content, and uses of marketing data and the associated 
protections.
    I recognize that the primary purpose of this hearing is to better 
understand the flow of data in the marketing process. Beyond that, it 
is my intent to discuss this process in a way that supports Equifax's 
view that personal information, when collected and used for marketing 
purposes, provides important benefits to consumers, to businesses, and 
to our economy. Further, the potential privacy risks and harm arising 
from the use of personal information for marketing purposes are small, 
are already subject to effective privacy safeguards, and need not be 
subject to further privacy regulation at this time.
                              ii. equifax
A. Background
    Founded in 1899, Equifax is the oldest and largest of the companies 
that provide consumer information for credit and other risk assessment 
decisions. These activities are regulated under the Fair Credit 
Reporting Act and dozens of related state statutes. In addition, 
Equifax Direct Marketing Solutions, formerly part of Polk, maintains 
the largest marketing database of lifestyle and compiled data in the 
world. At the outset, I want to emphasize that the personally 
identifiable information in our consumer-reporting database is entirely 
separate and distinct from information contained in our marketing 
databases. In fact, the databases are managed by totally separate 
Equifax companies.
B. Equifax's Longstanding Commitment to Privacy
    More than a decade ago, Equifax was one of the first U.S. companies 
to develop and adopt a meaningful privacy policy. At the risk of 
sounding flippant, we were privacy before privacy was cool. As a 
responsible steward of information, our commitment to consumer privacy 
has remained steadfast. We remain committed to three Core Values, 
described in greater detail in Section III.D. below, in order to foster 
the fair and ethical use of data. We support self-regulatory and 
marketplace initiatives to balance the substantial benefits of the free 
flow of information and the legitimate concerns about the privacy of 
personally identifiable data, and we seek opportunities to work with 
governments, consumers, and businesses to forge effective solutions to 
the complex information-use issues worldwide.
C. Equifax Products
    Equifax believes that the marketplace can offer solutions that 
enlighten, enable and empower our customers and consumers to address 
effectively some of the information-use issues today. So, increasingly, 
Equifax is providing products directly to consumers to assist them in 
understanding their credit profiles and to empower them to fight 
identity theft and manage their fiscal health. For example--

 Equifax's Score Power gives consumers access to their actual 
        BEACON credit score, along with an explanation of how that 
        score is used by credit grantors and recommendations about how 
        consumers may ``improve'' their score.
 Equifax's Credit Profile gives consumers online access to the 
        information in their Equifax credit file.
 Equifax's Credit Watch provides consumers with online 
        notification of changes to their credit file within twenty-four 
        hours, thereby providing early detection of potential identity 
        theft.
 Equifax's eIDverifier patent-pending product permits consumers 
        to use information from their consumer credit report to 
        establish their identity virtually instantaneously in a 
        reliable and secure manner so that they can obtain products and 
        services online. This service deters identity theft and fosters 
        trust in e-commerce by facilitating an electronic handshake 
        between a known consumer and the online vendor. Subsequent 
        online transactions are encrypted, further enhancing trust and 
        protection.
                       iii. marketing and privacy
    When assessing privacy risks and harm, at least four key topics are 
relevant:

1. Source. Is the source of the information reputable and does it put 
        the record subject on notice that information is being 
        collected?
2. Content. What is the content of the information--is the information 
        aggregated or anonymous or is it personally identifiable and is 
        it sensitive?
3. Use. Will the information be used to benefit the individual or does 
        its use put the individual at risk for adverse, substantive 
        action?
4. Privacy Protections. Are there privacy protections already in place 
        to eliminate or minimize privacy risks?
    When it comes to marketing, the answers to all of these questions, 
I believe, support the reasonable conclusion that the privacy risk or 
harm is minimal; the benefits to consumers, to business and to the 
economy are substantial; and little basis for more governmental 
regulation exists.
A. Sources
    Equifax provides information to its customers for marketing 
purposes from the following categories of data sources, in conjunction 
with an array of analytical services.
    At Equifax, most of the personally identifiable information 
provided for marketing purposes comes from consumer self-reported data. 
For example, Equifax's Survey of America and our online survey, 
RightOffers (www.rightoffers.com), give millions of consumers an 
opportunity to voluntarily provide information about themselves and the 
members of their households and to exercise choice in what kind of 
marketing offers they receive. Another source of self-reported data 
included in the Equifax marketing databases is product registration 
cards. On a voluntary basis, consumers may provide information about 
themselves by responding to lifestyle or buying preference questions 
included on paper product registration cards, electronic product 
registrations, or Internet registrations.
    Other data sources include third-party data sources such as public 
record repositories and other government agency data sources (e.g., 
land records, certain license information such as hunting and fishing 
licenses, and census data), and other types of reputable third-party 
sources including those using publicly-available data such as telephone 
white pages or other directories and exchanges.
    In essence, our databases contain personal or aggregated data about 
individuals or households that is self-reported, inferred through 
sophisticated modeling procedures, or obtained from reputable third-
party sources, including public record or publicly-available sources.
B. Content
    The vast majority of information held by Equifax for marketing 
purposes is not personally identifiable information. Information does 
not have to be personally identifiable in order to be useful to 
marketers. Marketers can successfully market their products and 
services on the basis of predictive, aggregated information. Whether 
aggregated data is appended to a client's list of names and addresses, 
offered with our analytical services, or used to develop a predictive 
model, the key purpose is to help companies market products and 
services to consumers who are likely to be interested. This information 
is very valuable to marketers for predicting consumer spending 
patterns. Consumers benefit because they receive only those offers in 
which they are likely to have an interest. What's the result: Consumers 
become aware of new products and services, businesses sell more 
products more cost-effectively and the economy grows.
    While the vast majority of information held by Equifax in its 
marketing databases is not personally identifiable, as indicated above, 
Equifax's marketing databases do contain some name and address 
information. Naturally, marketers must have name and address 
information in order to communicate their offers directly to consumers. 
It is important to note, however, that the information included within 
the Equifax marketing databases is not organized so as to be readily 
and easily retrievable by personal identifiers (i.e., name and 
address).
    Our marketing databases contain primarily information that is 
predictive, psycho-demographic information, such as ``Zip+4'' 
information--that is, information that describes the characteristics 
that people who live in a particular geographic area are likely to 
have, including lifestyle information.
    Even when the information is more granular than geographic 
``Zip+4'' type information, the information describes some of the 
buying characteristics of a household, not necessarily of a specific 
individual. For example, both the Survey of America and the online 
RightOffers survey provide information that is used as a primary source 
for our marketing databases. Both surveys ask participating consumers 
to provide certain lifestyle information, including information about 
their leisure activities and hobbies and those of the other members of 
their household, as well their preferences regarding product categories 
and/or brands. In addition, consumers are asked to provide certain 
demographic information such as marital status, month and year of 
birth, and occupation for household members. The information collected 
from surveys is used in the aggregate to better understand consumer 
preferences, past buying behavior, and responsiveness to direct 
marketing.
    Finally, in no instance is the marketing information we collect 
sensitive personally identifiable information, unless the consumer has 
voluntarily provided it. Even then, the data pertain to the household, 
not an individual.
C. Uses
    It is very important to emphasize that personal information 
obtained for marketing purposes is not used for risk assessment 
purposes. Marketing data is not used to make decisions about whether an 
individual obtains or retains a job, insurance, or a government license 
or benefit. Instead, the information is used merely for the purpose of 
efficiently shaping the kinds of offers an individual receives.
    Some have suggested that such target marketing provides some 
consumers with an advantage over others who do not receive the direct 
mail offer. It only makes sense that businesses would seek to cost-
effectively align their marketing with their markets, achieving the 
best return possible by focusing on those most likely to respond. The 
simple truth is that businesses have a limited number of dollars to 
support marketing campaigns. Similarly, Members of Congress do not mail 
campaign solicitations to every constituent but only to those in their 
party and then only to those who have given before or who are more 
likely to respond. In order to accomplish this goal, marketers must 
direct their offers based upon their understanding of consumers' buying 
preferences and willingness to respond to direct marketing offers. 
Individual consumers are not excluded from receiving marketing offers.
    In addition, marketers constantly refine their marketing campaigns 
based upon changes in consumer spending patterns and other predictive 
information. As a result, the audience to which a marketer directs its 
offers may change. Furthermore, consumers who express an interest in a 
particular product or service directly to a marketer are likely to be 
included in marketing campaigns.
D. Privacy Protections
    As I said at the outset, Equifax has adopted privacy protections 
for marketing data that are appropriate to the use and any potential 
harm. For example, we provide consumers with notice and opportunities 
to opt-out (sometimes opt-in) of Equifax's use of marketing 
information. We provide consumers who participate in our Survey of 
America with the opportunity to specify on the Survey how their 
information may be used. Survey of America participants may opt-out of 
receiving future survey questionnaires, product samples and coupons in 
the mail, or coupons and special offers from companies via email by 
simply checking the appropriate boxes on the Survey form. Consumers who 
complete product registration cards have similar opt-out opportunities.
    In addition, in some situations, we provide opt-in opportunities. 
At our ``RightOffers'' website, not only do we provide consumers with 
the ability to opt-in to marketing uses by selecting only those 
categories of offers that they want to receive, but we have implemented 
a double opt-in system. Under that system, once we receive a completed 
RightOffers survey, we send the consumer an email asking the consumer 
to confirm his/her desire to receive offers. Furthermore, RightOffer 
participants may update their information by revisiting the site and 
are free to unsubscribe at any time.
    We also employ state-of-the-art technology to help ensure data 
integrity and security. In addition, our customers are prohibited from 
using our marketing databases for individual look-up purposes. We have 
always contractually prohibited our customers from using our database 
for this purpose. Furthermore, we have designed our system so that we 
have no delivery mechanism for a customer to query the database based 
on a name; therefore, no individual look up is offered or feasible.
    Further, Equifax provides consumers with meaningful and practicable 
privacy protections through our compliance with a variety of self-
regulatory programs providing consumer rights and redress. We adhere to 
the self-regulatory principles of organizations such as the BBBOnline 
Privacy Seal program, the Online Privacy Alliance, and the Direct 
Marketing Association.
    Finally, in consultation with renowned privacy expert, Dr. Alan 
Westin, Equifax conducts privacy audits of our procedures as well as 
our products and services to ensure high standards of privacy 
protection and, in fact, to provide a value-added quality.
    All of these protections are consistent with Equifax's three Core 
Values to which we adhere in order to protect the fair and ethical use 
of data--

Core Value I: Equifax is committed to the ethical use of data and to 
        maintaining the highest standards of consumer information 
        privacy. We adhere, therefore, to a meaningful set of self-
        regulatory privacy principles enterprise wide.
 Responding to and anticipating evolving technology and 
            changing societal demands, we have managed sensitive 
            consumer data in an ethical manner for more than 100 years, 
            earning a reputation as a responsible steward of 
            information.
 We provide consumers with notice--the ability to know what and 
            for what purpose personally identifiable information about 
            them is collected and used.
 We provide consumers with choice--the ability to opt-out of 
            our use of marketing information about themselves; and 
            where feasible, the ability to opt-in to certain marketing 
            uses.
 When feasible, we provide consumers with access to and a 
            correction procedure for personally identifiable 
            information about themselves used for non-credit-marketing 
            purposes.
 To ensure data integrity and security, we employ state-of-the-
            art technology and tested procedures to collect, store and 
            transmit personally identifiable information. Because 
            commerce and our reputation are on the line, we have a 
            vested interest in the quality of the information in our 
            databases. Thus, we employ stringent practices and 
            procedures to maintain the highest standards of data 
            accuracy, reliability and completeness that humans and 
            technology can achieve.
 Equifax provides individuals with meaningful and practicable 
            remedies and redress in the event individuals are harmed by 
            the misuse of personally identifiable information about 
            them. These remedies arise from several sources: Equifax 
            adherence to our own privacy principles and to other 
            industry self-regulatory principles governing the use of 
            personally identifiable consumer and commercial 
            information; adherence to the requirements of the BBB 
            Online Privacy Seal; from the Federal Trade Commission's 
            enforcement of the unfair and deceptive practices 
            provisions of its charter, and from compliance with US and 
            international laws, including the European Union Data 
            Protection Directive.
Core Value II: Equifax supports and has launched business self-
        regulatory and marketplace initiatives designed to balance the 
        substantial societal benefits of the free flow of information 
        and the legitimate concerns about the privacy of personally 
        identifiable data.
 Equifax adheres to the privacy principles and requirements of 
            the BBBOnline Privacy Seal, the Online Privacy Association, 
            and the Direct Marketing Association, as well as to the 
            information-use initiatives of the Coalition for Sensible 
            Public Record Access (CSPRA) and the Associated Credit 
            Bureaus, Inc.
 Equifax will only do business with entities that adhere to 
            meaningful fair information practices that effectively 
            address the concepts of notice, choice, access, security, 
            and redress.
 Equifax enlightens, enables and empowers consumers to monitor 
            their financial health using product solutions to address 
            consumer privacy issues such as identity theft and credit 
            score disclosure.
 Equifax employs and provides our customers with patent-pending 
            identity authentication technology and a wide range of 
            other products and services that enable our business 
            customers to make sound risk assessment decisions and 
            relevant marketing offers to consumers through the 
            appropriate and ethical use of personally identifiable 
            information.
 Consumers and business both expect to conduct business 
            transactions instantaneously and securely. The free flow of 
            relevant information to legitimate businesses makes this 
            possible.
 Legitimate business access to relevant consumer information is 
            critical to achieving a number of societal benefits: 
            thwarting identity theft, locating estate heirs, witnesses, 
            child support delinquents, debtors, missing children, organ 
            donors, etc.
Core Value III: Equifax seeks opportunities to work harmoniously with 
        governments, consumers and businesses to forge effective 
        solutions to the complex privacy and ethical information-use 
        issues worldwide.
 Governments first must enforce existing laws concerning use of 
            personally identifiable information and should consider 
            enacting applicable laws only after industry self-
            regulatory measures fail.
 If industry self-regulatory initiatives fail after being given 
            a fair chance, Equifax then supports government regulation 
            that is relevant, not unduly restrictive, and that clearly 
            resolves the perceived imbalance.
 In an e-commerce, online environment, national governments 
            must adopt preemptive measures to ensure that the 
            transmission of information and online transactions are 
            seamless across geographical boundaries.
 In considering privacy law and policy, governments should 
            recognize the differences between the impact of and the 
            potential harm arising from the use of personally 
            identifiable information for financial decisions and that 
            used for marketing or other less serious purposes. Privacy 
            laws should pivot not on the source, but on the content and 
            the use of the individual information.
 Consumers must take some responsibility for educating 
            themselves about privacy policies, procedures, products, 
            and technologies that enhance consumer information 
            protection and increase trust in transactions.
 Under the privacy bargain, consumers should expect the level 
            of information privacy protection commensurate with their 
            demands on business, the benefits sought and the 
            sensitivity of the information exchanged.
 Businesses that collect, maintain and use personally 
            identifiable data have a responsibility to develop and 
            implement an effective privacy program and to employ 
            ethical information practices.
 The business community has a responsibility to develop 
            products and services that allow consumers to participate 
            safely in the information marketplace and to protect their 
            own privacy.
 Equifax has taken the lead by providing online solutions that 
            enlighten, enable and empower consumers to manage their 
            financial health. These easily accessible products allow 
            consumers to examine their credit file, monitor changes in 
            it to thwart identity theft, and to obtain and understand 
            their current credit score.
 Equifax will continue to develop products and services and, in 
            concert with other industry members and associations, 
            develop programs designed to empower and enable consumers 
            and customers to better manage privacy and risk issues.
                             iv. conclusion
    In sum, direct marketing is a societal and economic good. The 
process is profitable, efficient and benign. The concept is consumer 
oriented and privacy sensitive.
    In closing, I want to thank you again for the opportunity to 
testify and to congratulate the Chairman and the Subcommittee for their 
leadership in the privacy arena. We look forward to working with you so 
that the marketplace might achieve the synergies that can arise from a 
greater understanding and appreciation of the important societal 
benefits of direct marketing--that is, efficient direct marketing 
conducted in a self-regulatory environment that embraces effective 
privacy protections.

    Mr. Stearns. Thank you, Mr. Ford. And we have corrected 
our--we have you as Chief Privacy Officer, instead of Policy 
Officer, and we are sorry.
    Mr. Ford. Thank you.
    Mr. Stearns. Opening statement?

                 STATEMENT OF DEBORAH ZUCCARINI

    Ms. Zuccarini. Good morning, Mr. Chairman and subcommittee 
member Towns. Thank you for the opportunity to address the 
subcommittee as it studies information use, particularly as it 
relates to marketing.
    My name is Deborah Zuccarini. I am Executive Vice President 
and Chief Marketing Officer for Experian Marketing Solutions. 
My comments today summarize key issues addressed in a much more 
detailed statement I have submitted for the record.
    Experian is one of the world's leading information services 
providers, with more than 30,000 North American customers. Our 
information solutions help businesses in over 50 countries 
expand their markets, make sound lending decisions, and provide 
the products and services their customers need and desire.
    We have been responsible stewards of the information we 
collect, maintain, and utilize for decades. Experian takes 
information security and consumer privacy very seriously. Our 
business practices and culture reflect our resolve to ensure 
information is used to bring benefit to both businesses and 
consumers, while ensuring consumer privacy is protected. A 
thorough discussion of our approach to privacy is included in 
my written statement, including consumers' choice to opt out.
    There is a great deal of misunderstanding about marketing 
information use, which has led to a number of popular myths 
about direct marketing. During the next few minutes, I would 
like to try to dispel a few of the most pervasive myths.
    I suspect the myth most responsible for this meeting is 
that marketing information is used to create detailed 
individual consumer profiles. That simply is not true. Mr. 
Chairman, subcommittee member Towns, with all due respect, data 
compilers don't care who you are as an individual. From our 
information, marketers want to know about the general 
characteristics of their overall market or key market segments. 
Specific characteristics about a single individual do not 
provide useful marketing insight. For that reason, marketing 
data bases typically are not designed to provide a list of one.
    Our marketing information consists of estimated or modeled 
data, summarized U.S. Census data, other publicly available 
information, or self-reported consumer survey data. It is 
typically used to reach lists of thousands of consumers with an 
offer of interest to them, not to review a single record about 
an individual.
    In the end, direct marketing using our compiled data is 
just advertising. Just as television advertising brings you the 
Super Bowl, direct marketing advertising brings you the 
products, services, and other benefits that businesses have to 
offer. Direct marketing allows many small businesses and new 
market entrants to advertise and compete, even without a Super 
Bowl budget.
    The second common myth is that marketing information is 
used for individual look-up. Experian marketing information 
services are not utilized to locate, identify, or verify the 
identity of individuals. In fact, our contracts prohibit the 
use of marketing information for such applications. In the 
information industry, we refer to such information use as 
individual reference services. We separately offer these 
services to law enforcement and other qualified users such as 
government agencies, who use the services for child support 
enforcement, locating witnesses and victims, and preventing 
fraud. However, such services are not derived from information 
compiled for marketing purposes.
    The third myth I would like to address today is that 
marketing information is used for credit, insurance, or 
employment underwriting. This is not the case. This myth arises 
from confusion between marketing information and credit 
reporting. The Fair Credit Reporting Act governs third-party 
information used for credit, employment, or insurance 
underwriting. Use of a marketing data base for FCRA-permissible 
purposes could subject that data base to all of the 
requirements of the FCRA, making it unusable for marketing. 
Therefore, Experian prohibits such use. And that is why the 
urban legend about grocery store purchases being shared for 
insurance underwriting is just that--a legend.
    These and other misunderstandings contribute to heightened 
privacy concerns. We understand and respect these concerns, and 
we work diligently to ensure consumer privacy is protected. 
Experian believes that marketing information use is not a 
privacy threat, but it is vital to our economy.
    In the privacy debate, there seems to be an assumption that 
such information use somehow causes harm, yet no evidence of 
real harm has been shown. Hard questions must be asked to 
determine if any real or perceived harm truly outweighs the 
demonstrated economic benefits of information use for 
marketing. A recent study by the Information Services Executive 
Council estimated consumers save over $1 billion annually as a 
result of information sharing in the catalogue apparel industry 
alone. A WEFA Group study estimated that in the year 2000, 
total consumer sales attributable to direct marketing would be 
nearly $940 billion, and that more than 14.7 million people 
would be employed throughout the U.S. economy as a result of 
direct marketing activities.
    We believe that responsible information use for marketing 
is in the best interests of both businesses and consumers. The 
quality of offers today has improved significantly over the 
years, resulting in greater efficiency for businesses, lower 
costs for consumers, less mail, and more opportunity.
    Mr. Chairman, this concludes my remarks. Thank you for 
inviting Experian to present our view on these important 
issues. We would be happy to answer any questions you or other 
subcommittee members may have.
    [The prepared statement of Deborah Zuccarini follows:]
 Prepared Statement of Deborah Zuccarini, Executive Vice President and 
         Chief Marketing Officer, Experian Marketing Solutions
                                summary
    For more than 50 years Experian has been a leader in the 
information industry. In fact, the company's roots date back more than 
100 years to the pioneers of credit reporting. Its success is based on 
sound information values that guide the development of practices and 
policies that protect consumer privacy, ensure security and provide 
benefit to consumers and our business clients alike.
    Responsible information use today affords consumers greater choice, 
convenience, and lower prices than ever before. In past decades, our 
economy was local. Consumers lived where businesses were located. 
Product and service choices were limited to what was available in a 
consumer's neighborhood, the local main street, or perhaps a nearby 
city. Consumers learned about businesses by walking down the street, or 
reading ads in the local newspaper.
    Today, our economy is national. Businesses in Los Angeles and New 
York compete daily for sales to consumers in Kansas. Where once there 
was only a single provider of a product or service, or maybe two or 
three to choose from, there now are hundreds. Because of responsible 
information sharing, those businesses can reach consumers who are most 
likely to need their products and services. That greatly increases 
consumer choice and promotes competition, which drives down prices.
    Unfortunately, a number of myths and misunderstandings have arisen 
about information use for marketing purposes. Those myths and 
misperceptions are the basis for many of the privacy concerns that have 
brought us here today. This testimony attempts to dispel three of those 
myths:

 MYTH: Marketers want to know specific information about 
        individual consumers. In fact, marketers don't focus on 
        individual consumers. Instead, they are interested in overall 
        market characteristics.
 MYTH: Marketing databases are used for individual ``look-up.'' 
        In reality, marketing information is used for overall market 
        analysis. It is not used to identify, locate, or verify the 
        identity of individuals.
 MYTH: Marketing information is used for credit, insurance or 
        employment underwriting. The Fair Credit Reporting Act governs 
        information use for these purposes. Therefore, marketing 
        information is not utilized for these purposes.
    Unintended and unforeseeable consequences of new legislative 
mandates based on such myths may jeopardize today's robust, 
information-based economy.
    Dozens of federal and state laws govern information use for 
marketing purposes, along with multiple industry self-regulatory 
regimes. We are concerned that current legislation may already have 
gone too far, and has failed to balance economic vitality with 
legitimate consumer interests.
    Legislation already strictly controls the use of sensitive 
information, including credit, financial, medical and children's data. 
Additional government-mandated restrictions on marketing information 
use may result in unexpected and unintended consequences. Small 
businesses, relying on cost-effective direct marketing as an 
advertising channel, could be forced out of the marketplace, 
diminishing consumer choice and opportunity. Yet, consumers would 
likely not benefit from any substantive privacy protections.
    Experian applies stringent information values to all of its 
information uses through a strict assessment process that ensures 
privacy concerns are addressed and that the information use benefits 
both businesses and consumers.
    We consider ourselves to be stewards of the information we collect, 
maintain and utilize. Our responsibility is to ensure the security of 
the information in our care is protected and that the privacy of 
consumers is maintained through appropriate, responsible use.
    Through its Consumer Advisory Council, Experian receives valuable 
insight and guidance from consumer advocates, legislators, scholars and 
business leaders regarding our information services. In addition, our 
Corporate Privacy Council, a group of company leaders, meets regularly 
to ensure Experian information services provide consumer and business 
benefit while upholding the Experian Information Values and ensuring 
privacy expectations are met.
    Although the pervasive myths discussed above inaccurately suggest 
otherwise, Experian and others in the direct marketing industry work 
diligently to understand and address consumer privacy concerns. We 
encourage you to continue to study the importance of information flows 
to our economy. We believe the current legal and self-regulatory 
framework best serves consumers and businesses. The greatest consumer 
and business benefit is achieved through consumer notice and the 
opportunity to opt-out.
                             about experian
    Experian is one of the world's leading information solutions 
companies. Primarily involved in credit reporting and direct marketing 
services, we also provide references services, analytic services, and 
consulting solutions, helping businesses make better, faster decisions, 
and efficiently reach consumers with new product and service offerings. 
Our annual sales are in excess of $1.5 billion. The chart in Appendix A 
outlines Experian's history.
    Experian employs more than 6,500 people in North America. Our 
corporate headquarters are in Orange, CA, where we have 1,364 
employees. Other major U.S. employment centers include:

 Colorado--209 employees (Denver)
 Georgia--157 employees (Atlanta)
 Iowa--585 employees (Mt. Pleasant)
 Illinois--1,398 employees (Lombard, Schaumburg)
 Nebraska--1,218 employees (Lincoln, Seward)
 New Jersey--79 employees (Parsippany)
 New York--220 employees (Albany, New York, Rye)
 Texas--802 employees (Allen, McKinney)
 Vermont--263 employees (Rutland)
                   experian's primary business areas
    Experian has six key business areas: direct marketing services, 
credit reporting, automotive information services, customer 
relationship management, electronic commerce services and individual 
reference services.
Direct marketing services
    Experian direct marketing services help bring businesses and their 
customers together. The company touches nearly one in four pieces of 
mail delivered by the U.S. Postal Service. But Experian direct 
marketing services extend beyond targeted mailing. Businesses rely on 
Experian to help them better understand their markets and the 
characteristics of the people who do business with them. Understanding 
the marketplace makes possible faster, more efficient product 
development and delivery, better retail outlet and service center 
locations, improved customer service, more cost-effective advertising 
and lower costs for consumers.
    Each year, Experian ships 1.7 billion pieces of mail from its 
processing centers and provides address information for more than 20 
billion promotional mail pieces delivered to more than 100 million 
households. Those offers present consumers with products and services 
from companies about which they may otherwise never have known. By 
identifying the characteristics of consumers likely to be interested in 
certain kinds of products and services, Experian helps marketers more 
efficiently reach consumers who are most likely to be interested in a 
business' products or services.
Credit reporting
    Experian and the companies from which it was formed have provided 
credit reporting services for more than 100 years. J.E.R. Chilton began 
credit reporting in Dallas, TX in 1897 by taking notes from local 
merchants in a little red book. Decades later, the TRW Corporation 
pioneered computerization of the credit reporting process, leading to a 
national credit reporting system. In 1996, TRW sold its credit 
reporting unit, which became Experian.
    Today, hundreds of millions of credit reports are provided to 
lenders annually. The ability of creditors to check a person's credit 
references in an instant enables them to make rapid, sound, and 
objective lending decisions. That ability helps consumers get the 
credit they need and deserve faster and cheaper than anywhere else in 
the world. Enabling lenders to make objective, safe, secure loans and 
minimize other credit-related losses, while providing consumers instant 
access to credit, has contributed greatly to the robust U.S. economy.
Customer relationship management
    Business success is built upon positive relationships with 
customers. Relationships are built on information. Experian helps 
businesses establish and develop long-lasting customer relationships 
through responsible information use. We help businesses get a clearer 
picture of their customers across multiple business units and market 
segments. We help companies understand why certain kinds of people shop 
with them and what the customer needs. With that clearer understanding, 
Experian then is able to provide information services that help 
businesses initiate relationships with new customers, assist the 
businesses in developing new, desirable products and services and aid 
in providing pleasant shopping and effective customer service. The 
result is a better shopping experience for consumers and more 
profitable operation for businesses.
Automotive Information Services
    Experian Automotive Information Services specialize in the 
collection and dissemination of vehicular data from each of the 51 
United States jurisdictions. The information is utilized to provide 
valuable services to auto dealers, manufacturers, consumers and 
advocacy organizations, advertising agencies and internet information 
sites, law enforcement and tollway authorities. Detailed vehicle 
history reports enable consumers to make informed used-auto purchasing 
decisions. Manufacturers rely on our services to manage recalls and 
conduct market analysis to manage product supply and improve service.
Electronic commerce services
    Experian's electronic commerce division helps businesses establish 
a presence in the electronic marketplace, develop relationships with 
online consumers and ensure consumers and businesses enjoy positive, 
safe transactions. Our e-commerce division focuses on both consumers 
and the businesses that reach them with patented delivery systems and 
best-in-the-industry security processes and systems.
    For our business partners, we verify, authenticate and enhance 
identity information about consumers and businesses. With enhanced 
authentication, clients reduce fraud by making confident transaction 
decisions in real time.
    For consumers, we offer a range of personal information solutions 
ranging from our online credit report with real-time dispute 
registration, to our vehicle history report--a must for used car 
purchases. We offer a subscription service for unlimited access to 
credit report and credit score information along with the tools 
required to better understand them. We also offer a property report--to 
better understand the value of your home--or prospective home.
Individual reference services
    Our reference services help people, businesses, non-profit 
organizations, government agencies, law enforcement, and other 
organizations identify, locate, and verify the identity of individuals. 
The most recognized individual reference services are the telephone 
book and directory assistance--services you use every day. They usually 
include only names, addresses and telephone numbers.
    More sophisticated reference services may include information about 
whether you own a home or rent an apartment, how long you have lived in 
the same location, and if there are additional household members.
    Sensitive identifying information such as your Social Security 
number, driver's license number, and date of birth is included in some 
reference services. These services, however, are limited to use by law 
enforcement, government agencies, and other organizations with a 
legitimate and appropriate need for such information.
                    the benefits of information use
    Because of the information services provided by Experian and its 
counterparts, the United States has the most robust economy in the 
world, and its consumers have greater choice and receive greater value 
than consumers anywhere else in the world.
Consumer benefits of information use
    Direct marketing: Direct marketing services increase choice and 
opportunity and reduce costs. Each year, Experian ships 1.7 billion 
pieces of mail from its processing centers and provides address 
information for more than 20 billion promotional mail pieces delivered 
to more than 100 million households. Those offers present consumers 
with products and services from companies about which they may 
otherwise never have known. By identifying the characteristics of 
consumers likely to be interested in certain kinds of products and 
services, Experian helps marketers reduce unwanted mail and send only 
offers that consumers are likely to want or need. But targeted mail 
processing is only one of many direct marketing services provided by 
Experian and its industry associates.
    Market analysis services help businesses identify the common 
characteristics of their customers. A richer understanding of their 
customer base helps businesses better plan media campaigns, determine 
retail site location, develop new product offerings, better position 
their brands, have a clearer understanding of their customers' service 
needs, and reach new customers. For consumers, the result is lower 
product cost, better customer service, more convenient shopping, faster 
delivery, reduced unwanted mail and exposure to useful new products and 
services.
    An April 2001 study by the Information Services Executive Council 
found restrictions on marketing information use would cost catalog and 
Internet apparel shoppers $1 billion annually.\1\ According to the 
study, that cost would be shared disproportionately by inner city and 
rural catalog shoppers. Inner city neighborhoods generally are under-
served by traditional retail stores, and rural consumers often live 
long distances from the nearest mall or retail center. As a result, 
these two groups are more reliant on catalog or Internet shopping 
alternatives.
    Similarly, a December 2000 study by Ernst & Young found members of 
the Financial Services Roundtable (FSR)--a group of 90 of the nation's 
top banking, insurance and securities firms--save approximately $1 
billion a year by using targeted marketing. Much of that savings is 
passed directly on to consumers.\2\
    ``FSR members report that they would send out about three to six 
times more direct marketing if they could not use information sharing 
for targeted marketing. Targeted marketing results in real savings for 
financial institutions, some or all of which will be passed forward to 
customers in price reductions,'' the study said.
    According to the study, FSR customer households annually save $17 
billion and 320 million hours as the result of information sharing 
among affiliates and third parties.
    Credit reporting: The United States' unique credit reporting system 
dramatically increases American consumers' choices and opportunities 
for financial services. Because of the U.S. automated credit reporting 
system, American consumers can obtain credit and secure other financial 
services at lower costs from a larger number of providers than anywhere 
else in the world.
    By comparison, economist Walter Kitchenman said of nations without 
an open credit reporting system, ``As a result, financial services are 
provided by far fewer institutions--one-tenth the number serving U.S. 
customers, despite the fact that the pan-European market has almost one 
and one-half times as many households.'' \3\ He added, ``consumer 
lending is not common, and where it exists, it is concentrated among a 
few major banks in each country, each of which has its own large 
databases. ``In fact, European consumers, although they outnumber their 
U.S. counterparts, have access to one-third less credit as a percentage 
of gross domestic product.''
    The open U.S. credit reporting system provides a foundation for 
lender confidence, increasing the availability of loans, reducing the 
cost of credit and increasing competition for customers, all of which 
benefit the U.S. consumer.
    Individual reference services: Often the benefits of individual 
reference services, and the services themselves are taken for granted. 
Yet they are used everyday. People, businesses, law enforcement and 
other organizations utilize individual reference services routinely to 
locate, identify and contact people for a variety of very positive 
reasons. Basic reference services, such as a telephone book, are 
available to almost anyone. Experian separately provides more 
sophisticated services only to law enforcement or other qualified 
users. A few of the users of individual reference services and how such 
services are utilized are listed below.

 You: through the telephone book or directory assistance to 
        find a telephone number or an address to send a thank you note 
        or holiday greeting.
 Lenders, retailers, e-tailers: to verify the identities of 
        potential customers and protect you from fraud.
 Law enforcement agencies: to locate crime witnesses and 
        apprehend criminal suspects.
 Child support agencies: to locate parents who are behind in 
        their child support payments.
 Government agencies: to find missing pension fund 
        beneficiaries and heirs.
 Alumni Associations: to contact recent graduates and send 
        event notices to current members.
 Businesses: for product recalls and product notices.
    The information included in individual reference services can range 
from just names, addresses and telephone numbers, to more sensitive 
identifying information including dates of birth, Social Security 
numbers and drivers license numbers. Access to certain types of 
reference information is carefully monitored and controlled. For 
instance, an individual only is allowed access to published telephone 
book information. Law enforcement agencies, however, can access more 
sensitive data for use in criminal investigations.
    During 1998, the FBI made 53,000 inquiries into commercial 
individual reference services. According to then FBI Director Louis 
Freeh, utilization of these services aided in the arrest of 393 
fugitives, identification of more than $37 million in seizable assets, 
locating 1,966 wanted individuals and location of 3,209 witnesses 
wanted for questioning.\4\
Overall economic benefits of information use
    Experian information services promote competition in the 
marketplace. Information sharing for target marketing and credit 
reporting opens the door for small, emerging businesses to compete with 
larger, established companies. It levels the playing field by making 
the cost of entry affordable to everyone.
    Information sharing ``allows new market entrants, which cannot 
afford mass market advertising and lack the customer lists of their 
well-established competitors, the ability to reach those people most 
likely to be interested,'' said Fred H. Cate and Michael E. Staten in 
their paper, Putting People First: Consumer Benefits of Information-
Sharing.\5\
    According to the Ernst & Young study, ``FSR members save about $1 
billion per year through targeted marketing based on shared 
information--savings that can then be passed forward to customers. 
Almost all of the survey respondents said that if they could not use 
targeted marketing, they would resort to mass marketing instead, while 
a few said that they may eliminate direct marketing completely.''\6\
    The implication is that large companies could bear the cost of mass 
marketing--ostensibly unfettered distribution to every U.S. consumer. 
For small businesses, it means being forced out of the marketplace. 
With reduced competition, consumers would be faced with higher prices 
and less choice. The French financial banking industry provides a good 
example.
    In a 1999 study, Walter Kitchenman said:
          In France, for example, the EU country with the strictest 
        financial privacy laws, seven banks control more than 96 
        percent of banking assets. The seven dominant French banks, 
        each with assets of over $100 billion, already own extensive 
        databases--and don't need to share customer information with 
        anyone. The fact that this system restrains innovation, hurts 
        customer choice, and increases price is not a great concern to 
        those banks because the same system also restrains competition 
        and makes it easier to hold customers and capital captive.\7\
    As he points out, while solicitations may sometimes seem annoying 
to consumers, the solicitations in fact represent a free flow of 
information that promotes competition among businesses of all sizes, 
giving U.S. consumers far more choice and opportunity at significantly 
lower costs.
    The direct marketing industry also is an important source of 
employment and a significant part of the overall consumer market. A 
recent WEFA Group study estimated that in the year 2000, total consumer 
sales attributable to direct marketing would be nearly $940 billion. 
The same study estimated more than 14.7 million people would be 
employed throughout the U.S. economy as a result of direct marketing 
activities.\8\
Building relationships between businesses and consumers
    It has been said that credit reporting is a secret ingredient of 
the U.S. economy's resilience. The availability of automated, 
nationwide credit histories enable lenders to make objective, sound 
lending decisions, reducing risk, attracting investment and 
strengthening the economy.\9\ As a result, U.S. consumers benefit from 
widely available credit at lower costs than anywhere else in the world. 
Some estimate that because of the U.S. credit reporting system, 
consumers in this country save as much as $80 billion a year on 
mortgage loans alone.\10\ But the robust nature of the U.S. economy 
does not rest only with information use for credit reporting purposes.
    Direct, or target, marketing results in significant savings for 
businesses each year. Those savings are passed on to consumers. An 
Ernst & Young study indicated members of The Financial Services 
Roundtable (FSR) would have to send out three to six times more 
marketing offers if they could not use information sharing for targeted 
marketing purposes. The result would be far greater costs, which would 
be passed on to consumers, not to mention increased volumes of mail in 
their mailboxes.\11\
    Restricting information use also threatens the backbone of the U.S. 
economy: small businesses. Today, small businesses rely on the 
availability of information to establish and expand their markets. They 
could not compete with corporate giants if they were unable to utilize 
target marketing to reach consumers who otherwise would not even know 
the business existed. Experian provides marketing solutions to almost 
4,000 small businesses across the country.
    In a July 2000 paper, Fred Cate and Michael Staten presented very 
clearly the danger to our economy of interfering with information 
sharing:
          Interfering with the availability of that information hurts 
        both consumers, who miss out on opportunities, and businesses, 
        who face higher costs to reach consumers, but such interference 
        imposes an especially heavy burden on small companies, which 
        cannot afford mass market advertising and lack the customer 
        lists of their well-established competitors. Open access to 
        third-party information and the responsible use of that 
        information for target marketing is essential to leveling the 
        playing field for new market entrants.\12\
    The ISEC study reached the same conclusion when looking at an opt-
in approach to marketing information as opposed to the current opt-out 
standard. Implementation of data use restrictions would drive up total 
costs to consumers from 3.5 to 11 percent. The result would be 
devastating to small firms and new market entrants.
    According to the study, ``Since marketing costs will likely 
increase if external opt-in restrictions are put in place, some 
retailers will be forced to exit the market and other, new companies 
will be deterred form entry. With a smaller marketplace, competition 
suffers, giving consumers less choice and higher costs when distance 
shopping.'' \13\
    It is easy to overlook the impact of information use on our local, 
small businesses. We too often take for granted the local food store, 
pharmacy or men's clothing store. In today's economy, they are 
competing not only with giant supermarkets, drug outlet stores and 
shopping malls, but also with online services that may deliver to your 
door. In such an environment, information sharing is critical for small 
businesses just to maintain a storefront in the community.
Detecting and preventing fraud
    Experian's information services are a key resource in providing 
assistance to businesses, consumers and law enforcement to detect, stop 
and recover from fraud--both online and offline. Consumer information 
maintained under Experian's stewardship is fueling new, state-of-the-
art online verification and authentication systems, including digital 
signatures. The new technology, used responsibly, is critical to the 
continuing growth of e-commerce.
    Individual reference services provided by Experian help law 
enforcement identify and locate suspects and perpetrators of fraud, 
speeding arrest and prosecution.
    Recently, Experian launched the National Fraud Database, the 
nation's first repository of known fraudulent activity. Participants 
include representatives from a variety of industries, such as financial 
services, insurance, retailing and telecommunications. Members 
contribute known fraud data to Experian, which then enters it into the 
database. A National Fraud Database Report will be provided to a 
participating lender, for example, when a loan application is 
submitted. Information in the report matching a previously verified 
fraud case will help lenders prevent fraud from occurring at the point 
of origin.
    Participation in this ground breaking initiative has been offered 
to Experian's competitors--Trans Union and Equifax--as a way of 
solidifying the industry's resolve to fight fraud and identity theft.
            helping businesses build customer relationships
Why marketing information is important to businesses
    Businesses rely on Experian to provide accurate, reliable 
information services that help them better understand their markets and 
identify, contact and build profitable relationships with new 
customers. Experian's information solutions help businesses better 
understand their markets and more efficiently reach consumers likely to 
be interested in the products and services the businesses offer. That 
reduces marketing costs and increases new customer satisfaction. 
Customer analysis and resultant market segmentation also enables 
business to tailor their advertising outlets to reach interested 
consumers, better position their brands, improve customer service, and 
better locate retail outlets and delivery centers. The result is 
greater efficiency, lower costs passed on to consumers, greater 
customer satisfaction and increased customer loyalty, all of which make 
a business more successful.
Some myths about marketing information use
    There are a number of myths and misperceptions about direct 
marketing and the information in direct marketing databases. Many of 
these myths appear to drive the debate about increasing restrictions on 
marketing information to protect consumer privacy. Here are a few of 
those myths and the facts that will help dispel them.
    1. MYTH: Marketers want to know specific information about 
individual consumers. Direct marketing is simply another form of 
advertising, not unlike television ads aired during the Super Bowl. 
Like Super Bowl advertisers, direct marketing advertising are 
attempting to reach a large group of individuals who have certain 
demographic characteristics that indicate they may be interested in 
purchasing their products or services. Unlike Super Bowl advertisers 
that have millions of dollars to spend on promotions, direct marketers 
often are small businesses, or new market entrants without large 
budgets. Therefore, they need more efficient ways to advertise to their 
marketplace.
    Marketing databases are not designed to provide a ``list-of-one.'' 
Instead, businesses want to know about the characteristics of their 
overall market. The consumer characteristics of a single individual do 
not provide useful market insight. Once a market is better understood, 
a business may want to send an offer (whether offline or online) to 
hundreds, thousands, or even tens-of-thousands of consumers. For that 
they may receive a mailing list of names and addresses, but again, the 
business is not interested in the specific information about a single 
individual.
    Further, information in most marketing databases is summarized at 
the household, not individual level. Rather than analyzing information 
about specific individuals, businesses typically consider household-
level information. Much of that information is estimated or modeled 
using U.S. Census data or consumer survey data. Estimated age and 
income ranges and general interests are examples. For more information 
about the types of information utilized for direct marketing and 
information sources, see Appendix B.
    2. MYTH: Marketing databases are used for individual ``look-up.'' 
Experian marketing information services are not utilized to locate, 
identify or verify the identity of individuals. Our contracts prohibit 
the use of marketing information for such applications.
    In the information industry, we refer to such information use as 
individual reference services. Appropriate use of these services is 
ensured through a strict self-regulatory code and related industry 
practices.
    Although you don't realize it, you probably use reference services 
every day. The most common is the telephone book.
    Experian separately offers more sophisticated services to law 
enforcement and other qualified users, such as government agencies, who 
use the services for child support enforcement, locating witnesses and 
victims, and preventing fraud.
    However, such services are not derived from information compiled 
for marketing purposes.
    Marketing databases are used for overall market analysis and 
identifying households with consumers who are most likely interested in 
purchasing a product or service. The information in marketing databases 
generally are not intended to be used to locate, identify or verify the 
identity of individuals and is not used in that manner. Again, 
marketing databases are not designed to return a ``list-of-one.''
    3. MYTH: Marketing information is used for credit, insurance or 
employment underwriting. The Fair Credit Reporting Act governs third-
party information used for credit, employment or insurance 
underwriting. Use of a marketing database for FCRA permissible purposes 
would subject the database to all of the requirements of the FCRA. The 
database then could be used only for FCRA permissible purposes. It 
could no longer be used for marketing.
    For that reason, Experian's marketing database and credit reporting 
database structures are entirely different and distinct.
    And it's why the legend about grocery store purchases being shared 
for insurance underwriting is just that--a legend.
       compiling and utilizing information for marketing purposes
    Experian is a data aggregator. Our company collects and maintains 
information for marketing purposes and provides information solutions 
enabling marketers to efficiently reach consumers who are interested in 
purchasing their products and services. We are committed to providing 
information solutions that benefit both our business clients and 
consumers. We also recognize and take very seriously our responsibility 
to protect consumer privacy.
    We must ensure the security of the information we collect and 
maintain, and ensure that it is used appropriately. Experian takes a 
``values approach'' to privacy, which is described in greater detail 
below.
    We provide consumers with notice regarding our information 
collection and use and choice regarding that information collection and 
use including an opportunity to opt-out of information collection and 
use by Experian.
    To opt-out of Experian marketing information use, consumers need 
only call 1 800 407 1088.
    Experian also is a member of the Direct Marketing Association 
(DMA). We honor the DMA mailing and telephone preference lists.
    The following sections describe Experian's role as a data compiler 
and our approach to addressing privacy issues.
Experian's role as a data compiler
    Experian marketing databases contain information about more than 98 
percent of U.S. households. The information is utilized to help 
businesses analyze their overall markets and market segments and to 
contact consumers who will most likely be interested in the products 
and services they offer.
    Experian maintains databases for two distinct purposes: credit 
reporting and direct marketing. The data for those uses is kept 
separate, both physically and electronically. Experian's credit 
reporting database is physically located near Dallas, TX. Its marketing 
databases are in Schaumburg, IL. The information is maintained and 
utilized for appropriate purposes and is not combined or commingled 
except as allowed by law.
The information Experian collects
    The information Experian collects for direct marketing purposes 
comes from a number of sources, first and foremost directly from 
consumers. Warranty cards, surveys, magazine subscriptions and 
sweepstakes entries all are provided by consumers and are utilized for 
direct marketing services. Other sources include non-personally 
identifiable United States Census information, public records and 
telephone directory information. Experian direct marketing information 
includes:

 Census information (median or percentage values based on 
        census track)
 Lifestyle information (reported by consumers)
 Interests, hobbies, activities
 Public records/telephone directory information
    For more information about the types of information utilized for 
direct marketing and information sources, see Appendix B.
Ensuring appropriate information use
    Experian found that rigid rules directing information use are 
quickly outdated by today's rapidly evolving technology and constantly 
changing consumer and business needs and expectations. For more than a 
decade Experian has taken a values approach to information use. Our 
five global information values ensure Experian information services 
provide value and benefit to both businesses and consumers while still 
enabling adaptation to cultural and regulatory changes and 
technological advances.
    The Experian global information values are:
Balance
    Experian strives to balance the interests of consumers with the 
business needs of customers to ensure both receive benefit from 
information use.
Accuracy
    Experian strives to ensure the information it collects and 
maintains is as accurate and up-to-date as possible and that the 
information is appropriate for its intended use.
Security
    Experian protects the information it maintains from unauthorized 
access or alteration.
Integrity
    Experian complies with all laws and applicable industry codes and 
operates its businesses in accordance with these information values.
Communication
    Experian communicates openly about the information it maintains, 
how it is used and seeks to inform consumers of their rights regarding 
the use of information.
    Every Experian information service undergoes a formal Information 
Values Assessment before it is approved. The assessment ensures the 
service not only meets all legal and self-regulatory requirements, but 
that it also meets security standards, addresses consumer privacy 
concerns and provides value and benefit to both businesses and 
consumers.
    Teams within each Experian business unit is tasked with ensuring 
new information services undergo values assessments. These individuals 
and their teams work integrally with Experian sales staff and marketing 
units to ensure the Information Values are built into all of Experian's 
products and services.
    In addition, Experian seeks input from consumer groups, consumer 
advocates and its business partners regarding information use to 
further ensure the services it provides incorporate appropriate 
security and privacy provisions and provide benefit to both consumers 
and its business clients.
    Our Consumer Advisory Council was among the first organizations of 
its kind. Composed of consumer advocates, legislators, scholars and 
business leaders, the Council provides valuable insight and guidance 
regarding Experian information services. Consumer Advisory Council 
opinions and suggestions help us provide information services that 
provide value and benefit to both businesses and consumers while 
effectively addressing privacy issues.
    The Experian Corporate Privacy Council is comprised of senior-level 
managers. Its members meet regularly to discuss and address privacy 
issues and to ensure Experian information services uphold the Experian 
information values and exceed privacy expectations.
    Experian is committed to providing consumers with notice and choice 
regarding its information services. Whenever Experian direct marketing 
services are utilized, consumers must be given notice of the 
information use and provided with an opportunity to opt-out of that 
information use. To opt-out of Experian marketing information use, 
consumers need only call 1 800 407 1088. We comply strictly with the 
Direct Marketing Association (DMA) Privacy Promise and honor the DMA 
opt-out lists.
Consumer education
    We produce a number of education materials that describe how 
information is collected and utilized, our Information Values and 
information use policies and consumer choices regarding information 
collection and use. All of the materials are provided free to consumers 
through many partnerships, among them:

 State attorneys general
 State and federal legislators' offices
 State and federal government agencies
 The United States Army
 The United States Navy
 Offices of consumer affairs
 Consumer organizations
 High school and university educators
 Student organizations
 Divorce attorneys
 Marriage counselors
 Realtors
 Lenders
 The media
    There are many others. Experian is committed to reaching consumers 
with the information they need to understand how they can be actively 
involved in our information economy.
    We have delivered to consumers more than 1 million copies of our 
various Reports on series. Our four-part Reports on Direct Marketing 
describe how the direct marketing process works, what information 
Experian collects and how it is used, and provides details on the 
choices consumers have and what they need to do if they choose to opt-
out.
    Hundreds-of-thousands of Experian's booklet 12 Common Questions 
about Credit Reporting and Direct Marketing have been distributed 
directly to consumers and through our many partnerships. The booklet is 
printed in both English and Spanish versions.
    Much of the consumer education material is available online. 
Experian also offered the first online advice column about information 
use, called Ask Max. During the past four years, more than 50,000 
questions have been received from consumers, and more than 100 columns 
have been published. Most column responses address credit reporting 
issues because few consumers have submitted questions about direct 
marketing.
Access
    Marketing databases often are erroneously compared to credit 
reporting databases. However, the data, data uses and structures of 
marketing databases and those of credit reporting databases are 
entirely different. Comparison is, to use a cliche, apples and oranges. 
To suggest an access and dispute process for marketing databases like 
that for credit reporting is unrealistic.
    The information in a credit reporting database is used to make 
critical lending, insurance, housing and employment decisions about 
specific individuals. Therefore, the data must be as precise as 
possible. Because the information is specific to the individual and of 
such a crucial nature, consumers need to know and have the ability to 
play a role in ensuring the accuracy of the information. Information 
service providers store data and manage its use. The source of the 
information generally must correct any inaccuracies and update that 
information with the credit reporting agency, which essentially serves 
as a library.
    Marketing databases also serve, in a sense, as a library. But the 
nature of marketing databases makes such a disclosure and dispute 
process very impractical, if not impossible.
    Unlike lenders, who need to know precise details about an 
individual's repayment history, marketers need only to understand the 
general characteristics of their overall markets. By identifying those 
characteristics, businesses are better able to reach consumers who will 
most likely be interested in purchasing the products and services they 
offer. Because marketers need only to contact a broad group of 
consumers who may be interested in a product or service, the 
information in marketing databases is not precise. In fact much of the 
information in marketing databases is derived from computer models, is 
estimated or is presented in ranges.
    Consumers would expect a level of precision and accuracy that 
simply is not present, which would make a dispute process impractical, 
if not impossible. Because most information in a marketing database is 
of this nature, such a disclosure would be of little, if any benefit to 
the consumer.
    While providing a disclosure would be of little benefit, it likely 
would pose a greater threat to privacy than currently exists. The 
nature of marketing databases would limit identification authentication 
largely to name and address, which is widely available in public 
sources, such as telephone directories. Access requirements, therefore, 
should be constructed by balancing the benefits to consumers against 
the risks to them and the costs to companies that hold the data.
    Requiring access would require information aggregators like 
Experian to create the very kind of database you are most concerned 
about. In order to provide access, a marketing database would have to 
include detailed, personal information that could be compiled and 
provided easily and quickly in highly detailed individual dossiers. 
This is the very thing we want to avoid.
    Allowing access to marketing databases would be enormously 
expensive. In fact, it would require retooling of an entire industry. 
Existing database architecture would have to be redesigned and 
disparate databases linked together to form name-driven profiles. Large 
customer service staffs would have to be hired and stringent security 
safeguards put in place. While that expense is justified and necessary 
with regard to information governed by the Fair Credit Reporting Act, 
it is of questionable value for data collected only for marketing 
purposes.
    A consumer's current ability to opt-out of having their name shared 
for direct marketing purposes satisfies the underlying concern about 
privacy without imposing undue and unnecessary costs to businesses and 
risks to consumers that would result from access requirements.
The current regulatory environment
    A significant body of legislation and self-regulatory regimes 
already govern the use of consumer information. All information 
collected and utilized by Experian is governed either by specific 
legislation or industry self-regulatory guidelines. The following lists 
describe the statutory and self-regulatory regimes currently governing 
information use for marketing and credit reporting purposes, for both 
online and offline applications.
    Regulatory requirements governing marketing information:

 Drivers Privacy Protection Act (DPPA)
 Fair Credit Reporting Act (FCRA; for pre-approved credit 
        offers)
 Children's Online Privacy Protection Act (COPPA)
 Telephone Consumer Protection Act and Telemarketing Sales Rule
 State do-not-call requirements
 Census Confidentiality Act
 State Voter Records Acts
 Gramm-Leach-Bliley Act
    Self-regulatory standards for marketing information:

 Direct Marketing Association (DMA) Privacy Promise
 DMA Telephone Preference Service
 DMA Mail Preference Service
 DMA Electronic Mail Preference Service
 DMA Ethical Guidelines
 Experian Information Values and associated practices
    Regulatory requirements for credit information:
 FCRA
 Equal Credit Opportunity Act (ECOA; relates to risk score 
        development)
 Fair Debt Collection Practices Act (FDCPA)
 Gramm-Leach-Bliley Act
    Experian supports the House Commerce Subcommittee's efforts to 
thoroughly investigate the issue of consumer privacy before concluding 
that more legislation is necessary. The Subcommittee is wise to focus 
on what gaps exist, if any, and whether there is a need for new 
regulatory mandates or enforcement regimes.
    The combination of existing statutory requirements and self-
regulatory guidelines of marketing information already is substantial. 
Experian is constantly working with its trade groups to strengthen and 
improve existing self-regulatory standards. For these reasons, Experian 
opposes further federal regulation of marketing and reference service 
information at this time.
    The debate about privacy is incomplete and evolving. We do not yet 
fully understand the importance of information flows to our robust 
economy. Enacting legislation based on incomplete knowledge could 
result in additional, negative, unintended consequences to our economy 
and greater consumer inconvenience with no meaningful privacy 
protection.
    The above listed regulations and self-regulatory regimes must be 
allowed time to work and the impact of their restrictions on 
information use studied. The affects of the safeguards implemented by 
these laws and of the recently enacted Gramm-Leach-Bliley Act are as 
yet unknown. It is essential that we allow some time for these new laws 
to bear out any unforeseen or unintended consequences.
    To reiterate, Experian strongly believes existing law, industry 
self-regulation and market responses are providing more than adequate 
consumer protection.
    In fact, we are concerned that current legislation may already have 
gone too far, and has failed to balance economic vitality against 
legitimate consumer interests.
    The scale is often tilted by the assumption that direct marketing 
somehow causes harm. A number of studies, including a report by the 
Federal Trade Commission,\14\ have found no evidence of real harm 
resulting from marketing information use.
    Hard questions should be asked of those who claim consumers have 
suffered real harm. How do they define harm? Where are the examples of 
real harm? Is there truly harm, or are they erroneously equating harm 
with annoyance?
    New legislation should be considered only if specific consumer harm 
can be demonstrated and must be implemented only in a manner that 
carefully balances intended consumer privacy protection against the 
economic benefit of accessible marketing information.
                               conclusion
    Thank you for the opportunity to submit these remarks on behalf of 
Experian. I hope this document helps dispel a few of the myths about 
marketing information use, addresses important privacy concerns and 
clarifies the importance of information use to our robust economy. I 
look forward to future opportunities to work with the subcommittee as 
it studies privacy and information use.

                      Appendix A--Experian History
------------------------------------------------------------------------
                   Year                                 Event
------------------------------------------------------------------------
1932......................................  Michigan Merchants Co.,
                                             later known as Credit Data
                                             Corp., is formed to provide
                                             credit-reporting services.
1966......................................  Metromedia acquires
                                             lettershop capabilities and
                                             begins operation of its
                                             direct marketing division
                                             called Metromail.
1969......................................  Conglomerate TRW buys Credit
                                             Data Corp.
1979......................................  Metromedia buys Marketing
                                             Electronic Corp. to provide
                                             list enhancement services
                                             within Metromail.
1981......................................  Direct Marketing Technology,
                                             Inc. is founded in the
                                             Chicago area.
1987......................................  TRW buys Executive Service
                                             Co. to expand into the
                                             direct marketing industry.
                                            Metromail is acquired by
                                             R.R. Donnelly & Sons Co.,
                                             the world's largest
                                             printer.
1989......................................  TRW buys Chilton Corp., a
                                             credit-reporting company
                                             founded in 1897.
1996......................................  TRW sells Information
                                             Systems & Services unit to
                                             a group of investors.
                                            Experian name and logo are
                                             introduced.
                                            Group of investors sells
                                             Experian to The Great
                                             Universal Stores P.L.C., a
                                             British conglomerate.
1997......................................  CCN/MDS is integrated with
                                             Experian North America.
                                            Experian buys Direct Tech, a
                                             leading provider of list
                                             processing, database
                                             marketing, and consulting,
                                             analytical and information
                                             services.
                                            Direct Tech buys Brigar
                                             Computer Services.
                                            Metromail buys Saxe Inc.,
                                             Marketing Information
                                             Technologies, and Atlantes
                                             Corp.
1998......................................  Experian buys Metromail, a
                                             leading provider of
                                             database marketing, direct
                                             marketing, mail processing
                                             and distribution, and
                                             reference products and
                                             services.
2001......................................  Experian buys Exactis, the
                                             global leader in multi-
                                             platform interactive
                                             marketing.
------------------------------------------------------------------------

                                             [GRAPHIC] [TIFF OMITTED] T4846.003
                                             
                                             [GRAPHIC] [TIFF OMITTED] T4846.004
                                             
                                             [GRAPHIC] [TIFF OMITTED] T4846.005
                                             
                                 Notes

    \1\ Michael A. Turner, Executive Director, Information Services 
Executive Council, The Impact of Data Restrictions On Consumer Distance 
Shopping, 2001.
    \2\ Ernst & Young LLP, Customer Benefits from Current Information 
Sharing by Financial Services Companies, conducted for The Financial 
Services Roundtable, December 2000.
    \3\ Walter F. Kitchenman, Senior Analyst, Commercial Banking, The 
Tower Group, Summary of Tower Group Studies Related to European System 
of Opt-In, 1999
    \4\ Fred H. Cate, Professor of Law and Director of the Information 
Law and Commerce Institute, Indiana University School of Law, Michael 
E. Staten, distinguished Professor and Director of the Credit Research 
Center, The Robert Emmett McDonough School of Business, Georgetown 
University, Putting People First: Consumer Benefits of Information-
Sharing: Summary, December 2000
    \5\ Fred H. Cate, Professor of Law and Director of the Information 
Law and Commerce Institute, Indiana University School of Law, Michael 
E. Staten, distinguished Professor and Director of the Credit Research 
Center, The Robert Emmett McDonough School of Business, Georgetown 
University, Putting People First: Consumer Benefits of Information-
Sharing, December 2000
    \6\ Ernst & Young LLP, Customer Benefits from Current Information 
Sharing by Financial Services Companies, conducted for The Financial 
Services Roundtable, December 2000.
    \7\ Walter F. Kitchenman, Senior Analyst, Commercial Banking, The 
Tower Group, Summary of Tower Group Studies Related to European System 
of Opt-In, 1999.
    \8\ WEFA Group, 2000 Economic Impact: U.S. Executive Marketing 
Today Executive Summary, http://www.the-dma.org/library/publications/
libres-ecoimp1b1a.shtml
    \9\ Fred H. Cate, Professor of Law and Director of the Information 
Law and Commerce Institute, Indiana University School of Law, Michael 
E. Staten, distinguished Professor and Director of the Credit Research 
Center, The Robert Emmett McDonough School of Business, Georgetown 
University, The Value of Information-Sharing, July 2000.
    \10\ Walter F. Kitchenman, Senior Analyst, Commercial Banking, The 
Tower Group, US Credit Reporting: Perceived Benefits Outweigh Privacy 
Concerns, January 1999
    \11\ Ernst & Young LLP, Customer Benefits from Current Information 
Sharing by Financial Services Companies, conducted for The Financial 
Services Roundtable, December 2000.
    \12\ Fred H. Cate, Professor of Law and Director of the Information 
Law and Commerce Institute, Indiana University School of Law, Michael 
E. Staten, distinguished Professor and Director of the Credit Research 
Center, The Robert Emmett McDonough School of Business, Georgetown 
University, The Value of Information-Sharing, July 2000.
    \13\ Michael A. Turner, Executive Director, Information Services 
Executive Council, The Impact of Data Restrictions On Consumer Distance 
Shopping, 2001.
    \14\ Paul H. Rubin and Thomas M Lenard, The Progress & Freedom 
Foundation, Privacy and the Commercial use of Personal Information, 
July 2001.

    Mr. Stearns. Thank you. Ms. Zuccarini, I have a question. 
You talk about these myths that you mentioned. You have a 
national fraud data base, though, right?
    Ms. Zuccarini. Yes, we do.
    Mr. Stearns. And why was it established? And isn't it 
oriented toward individuals?
    Ms. Zuccarini. It is, but that is not a marketing use. It 
is not for marketing purposes.
    Mr. Stearns. Why was it established?
    Ms. Zuccarini. To help prevent identity fraud, and detect 
fraud.
    Mr. Stearns. And who gets access to that?
    Ms. Zuccarini. That would be businesses that have a need 
for that. That is not a marketing purpose, and covered under 
the----
    Mr. Stearns. So a business could subscribe to this? Any 
business could subscribe to this fraud data base?
    Ms. Zuccarini. I am not positive of the answer to that. I 
would have to get back to you. It is in a different division.
    Mr. Stearns. Okay. When you go on the Internet, you see 
these web sites that say, we go and get credit information. We 
go to public courthouses, and we go across the board, and find 
all this information, and we compile it. Does your company do 
that?
    Ms. Zuccarini. We do that in a separate division.
    Mr. Stearns. Okay. And then you provide this information 
for law enforcement, government agencies, and you say ``other 
organizations with legitimate and appropriate need for such 
information,'' I think you are indicating.
    Ms. Zuccarini. Other qualified users, such as----
    Mr. Stearns. Yes. What other organizations would have 
access besides law enforcement, government agencies, and how 
would they get it?
    Ms. Zuccarini. It would have to be a purpose that would be 
covered under the Fair Credit, or the exemptions to the Fair 
Credit Reporting Act. In terms of examples of users, I believe 
I gave some in my written testimony: child support enforcement, 
witness look-up and protection, those types of things.
    Mr. Stearns. In your testimony, you indicated that Experian 
has found that ``rigid rules directing information use are 
quickly outdated by today's rapidly evolving technology and 
constantly changing consumer and business needs and 
expectations.'' You might just help us with what you mean by 
that, how it has changed, and you know, what impact that would 
have, from our standpoint as a legislator.
    Ms. Zuccarini. Experian has five core information values 
that we live by and we practice within our business: balance, 
accuracy, security, integrity, and communication. We have 
privacy compliance teams within each business unit that are 
responsible for enforcing these values and the written policies 
that support them.
    By ensuring that our entire organization is aware of these 
five values--in addition to written policies and the officers 
that are responsible for making sure that they are employed--
that gives us flexibility in making sure that we are 
recognizing whether technologies are advancing, or there are 
different needs to protect certain types of sensitive data, for 
example.
    Mr. Stearns. Okay. Ms. Barrett, you make the point that 
``e-commerce has increased consumer product availability. It 
has also made consumer recognition more difficult.'' What do 
you mean by that?
    Ms. Barrett. Well, I will go back to the example I used 
earlier of the store owner of 100 years ago, where he knew his 
customer because he walked in. Today, many customers buy from 
the Internet, they buy over the telephone, or they order 
through a catalogue, and the merchant has no opportunity to 
interact with that customer beyond the purchase.
    That makes it much more difficult for a company to really 
understand, beyond what a customer bought, who that customer 
is, what they are interested in, what other products and 
services might be of likely interest.
    Mr. Stearns. Going back to this web site, where you can pay 
$35 and find this information that Mr. Doyle talked about--you 
know, if a corporation came to you and said, we want to buy 
this information, or--you would give him this information, he 
might put it on the web site. How do you protect the consumer 
whose information you have?
    Ms. Barrett. We have a variety of products that are 
designed and developed for very specific business purposes. We 
do not sell data in bulk to anyone for any purpose. Our 
contracts limit what the data can be used for by the purchaser, 
and we monitor that to assure that those contractual 
restrictions are enforced.
    Mr. Stearns. Mr. Ford, you highlight that ``the harm of 
using personal information practices for marketing is 
minimal.'' Can you describe the harm that such information, I 
guess--how can it be misused, or how do you go to protect so 
that the marketing information would be misused? Did that make 
sense?
    Mr. Ford. Let me make sure I understand your question, Mr. 
Stearns. Are you asking me to define some ways in which 
marketing data might be misused?
    Mr. Stearns. You are saying it is minimal. Give me examples 
of how it would be misused, and what you are doing to protect 
it, so that you don't have that case.
    Mr. Ford. I think one example comes in the use of the 
information that we have. For example, what restrictions do we 
place on who is able to receive that information? We, for 
example, have a policy that we do not provide certain data to 
insurance companies. We make sure that when a subscriber, or 
someone who uses our data, we have policies and procedures in 
place that allow us to check and make sure that the information 
we have provided is only being used in accordance with the 
contract.
    We have review authority for any of the copy or the direct 
marketing materials that go out. So we are in a position to 
take a look at what our customers are doing with the data that 
we provide.
    Mr. Stearns. You mentioned that you have undergone privacy 
audits conducted by Dr. Westin?
    Mr. Ford. Correct.
    Mr. Stearns. And can you explain how, how comprehensive are 
these audits? And what standards do they meet? Is there a seal 
of approval or best business practices-type of thing? And what 
is the cost of such an audit?
    Mr. Ford. Okay, that is a great question, I appreciate your 
asking it. Without sounding too flippant, we like to say at 
Equifax that we were for privacy before privacy was cool. We 
engaged Dr. Alan Westin in 1988 as a privacy consultant for us.
    Since that time, he has helped us develop our privacy 
policies and our procedures. And he has developed, with our 
input, too, a template that we use, that we overlay for each 
product or service before it goes out the door. And in fact, 
the template has evolved to where it covers issues like notice, 
and choice, and access, and security, and the standard fair 
information practices that I think we are all accustomed to.
    So we have an internal process in our company that forces 
our products and services to go through this review before it 
goes to the marketplace.
    Mr. Stearns. And what does it cost, such an audit?
    Mr. Ford. Alan Westin is on retainer, annual retainer to 
us. This is part of his consulting assignment for us.
    If I might add, too, sir, we also were one of the first 
companies to qualify for and earn the Better Business Bureau 
Online Privacy seal. So in terms of audit, in terms of 
consumers going to our web site--I think the previous panel 
mentioned a visible way of generating trust and confidence at 
the site; having that seal up there is one way to do that.
    Mr. Stearns. Okay. My time has expired. Mr. Towns?
    Mr. Towns. Thank you very much, Mr. Chairman. I think all 
of you, I think I hear you saying that self-regulation is the 
key to your business growth and development. And I trust and do 
believe that all of you are good actors and so on, in terms of 
you doing things right.
    Would your organizations support a bill which would create 
financial penalties for companies who commit online fraud and 
abuse? Go right down the line, starting with Ms. Barrett.
    Ms. Barrett. Okay. We believe that online fraud and abuse 
is already illegal, and certainly would support any legislation 
that strengthens those penalties.
    Mr. Towns. Mr. Ford? I know you say that harm is minimal, 
but----
    Mr. Ford. Well, I agree with Ms. Barrett that the fraud and 
deterrence act that was passed a couple of years ago was a bill 
that Equifax supported. I think your larger question might be 
would we support further legislation, and I don't mean to put 
the question in my words. But it is not a perfect world, and I 
don't think there is such a thing as perfect legislation. So 
our view, Equifax's view, is that we would like to see self-
regulation be given a chance to run its course. If it doesn't 
work, and there is an actual, demonstrated, real harm, then 
let's focus on legislation that would address that particular 
harm.
    Mr. Towns. Yes, I was thinking that the bad actors that 
would be punished, while still being held to some kind of 
minimum standards. I am a little concerned about not having 
one.
    Mr. Ford. Again, sir, I would say that if responsible 
companies do business with responsible companies, then those 
bad actors ultimately are going to be weeded out of the 
marketplace.
    Mr. Towns. Ms. Zuccarini?
    Ms. Zuccarini. I would agree with Jennifer and John, that 
online fraud, we believe, is already illegal, and prosecuting 
that should definitely be encouraged.
    With regard to additional legislation, we too believe that 
the record is not yet clear whether there are unintended 
consequences that might come from restricting further use of 
marketing information, and what the impact might be, both on 
businesses and on consumers, in terms of choice.
    Mr. Towns. Well, you know, you are right, I mean, it is 
illegal. But you know, but it is being done. And I am not sure 
how much--you said ``minimal,'' but I am not sure in terms of 
how much is going on.
    But let me ask this: how secure are your data bases? How 
certain are you that you can prevent unauthorized access?
    Ms. Zuccarini. Question for me?
    Mr. Towns. I am going down the line.
    Ms. Zuccarini. Sure, I can take that. We have been 
responsible stewards of consumer information for over 50 years. 
Making sure consumer information is secure is mission-critical 
for Experian.
    We have a variety of different security techniques that 
range from our general security environment of being password-
protected with encrypted data transfer, to requiring IDs with 
security cameras. We have automated system monitoring that 
indicates what type of data is being accessed and when and by 
whom. We have automated and manual systems that flag when 
sensitive data is being accessed, and bring transactions to a 
halt until we can actually manually inspect that and approve 
it.
    In addition to that, we have contractual requirements in 
our contracts that state that the data must be used for 
marketing purposes; that we have the right to inspect any 
communication associated with it. We have the right to audit, 
and we do business with legitimate businesses.
    Mr. Ford. I don't know that there is much I could add to 
that. That covers the gamut for Equifax as well, in terms of 
the physical security, in terms of the technological security, 
in terms of--maybe one thing I could add is let's remember that 
most of this data, even if someone were to be able to get 
access to it, most of this data is probability data. It is 
characteristics about a particular zip code or geographic area, 
for example.
    The data is not organized by name. So it is not as if there 
is an Equifax direct marketing file for John Ford, and there is 
this little pigeonhole, and all this data about me is in there. 
The file is not organized that way.
    Ms. Barrett. I would concur with the comments from Mr. Ford 
and Ms. Zuccarini. I might add that Acxiom also employs 
external auditors, security auditors, to come in on a regular 
basis to test our processes and our systems to make sure they 
are current with technology and the latest security updates.
    Mr. Towns. Right. Is any opportunity provided for a person 
to make a request, that I would like to come in and review, you 
know, my files with you? Is it possible for that to happen?
    Ms. Barrett. We do not provide access to our marketing 
information. Our systems are not designed in a way that you can 
go in and look up information on one individual. If a consumer 
contacts us and is interested about what information we have on 
them, we tell them what types of information we might have in 
the data base, and if they are uncomfortable with that, we 
offer them the opportunity to opt out of that data base.
    Mr. Ford. Again, Mr. Towns, the data base is not organized 
by name and address. So it would take a programmer to go in and 
obtain the personally identifiable data, name and address, and 
then associate the characteristics that we ascribe to that 
person in some kind of file. So yes, it can be done, but it is 
not a feasible process at the moment.
    Ms. Zuccarini. I would echo their comments. First of all, 
our data is not in any single giant data base. It is in 
multiple places. We have no mechanism as well to provide 
access. If a consumer comes to us with questions about 
information we may have about them, we also describe the type 
of information that we have and offer them the opportunity to 
opt out.
    Mr. Towns. Well, let me make sure I understand this. I 
mean, this is a complicated issue.
    Ms. Zuccarini. Yeah.
    Mr. Towns. Okay. I'm happy that I'm not alone.
    If you don't have it by individual, how can a person opt 
out?
    Ms. Barrett. The data is actually stored in large files 
that are not accessible by individual record.
    Mr. Towns. Then how can I opt out?
    Ms. Barrett. The files are updated and maintained on a 
batch basis. And the ability to opt out occurs when maintenance 
transactions are applied to those files. It is not a look-up 
type of service that allows you to go retrieve the data on an 
individual.
    Mr. Ford. If I can interject, I think maybe another way to 
look at it is the outcome of the process by which a customer of 
ours obtains data is a list of name and addresses. Before that 
list goes anywhere, we run it up against any opt-out list--our 
own, or whether it is the Direct Marketing Association's list--
to take those names out at the back end of the process. That is 
how people can opt out.
    Mr. Towns. I guess by now you know that there is a 
tremendous amount of pressure from a lot of us, from our 
consumers, you know, to really take a very serious look at this 
and do something. And there are complaints; every time I have a 
town hall meeting, you know, I always get one person--and the 
funny thing about this is that one person can tell a story and 
there comes a situation where everybody wants to top it. And 
this goes on, and it gets bigger and bigger.
    So it is at the point where I really feel that Congress has 
to take some kind of action. And I am happy that the chairman 
is moving very slowly, because I wouldn't want to just jump and 
do something. We are hearing from a lot of folks; I think that 
is important.
    But eventually, I really feel that we will have to take 
some kind of action. And I don't want to do anything that is 
going to jeopardize any company's ability to continue to grow 
and to expand. But at the same time, we need to reassure our 
consumers, the clients out there, and our constituents, that 
there is this kind of protection in terms of privacy.
    Every now and then things happen. I will give you an 
example. I played at a golf course not too long ago. I mean, I 
don't even play a lot of golf; I just signed up, went out there 
and banged away. And now I am getting all this material. Now, I 
realize that it is from playing at that golf course.
    I don't want this material. I don't want anything. I don't 
want to know anything about it, because I don't ever plan to go 
back there again. So, you know, these are the kinds of things 
that when you hear this, you know that these things are going 
on.
    And I don't question for a moment the fact that you are 
doing the right thing. But my problem is, is with those that 
are not doing the right thing, and that I am not sure the 
penalties are great enough, or strong enough, to really give 
the kind of protection that we need to give.
    And that is where I am coming from. I don't question 
anything you have said today in reference to your companies. I 
do believe you are doing the right thing. But you must know, 
too, there are some folks out there that are not doing the 
right thing, and that is our problem. That is our problem. And 
they make it bad for you as well.
    Mr. Chairman, on that note I yield.
    Mr. Stearns. Okay. We can go a second round. I just have 
some illustrative points along where my colleague from New York 
brought this discussion. Experian has, in Appendix B to their 
testimony--and I just want to list some of the things that they 
seek, in terms of marketing data.
    They go to public records, and they go to white page 
telephone listings, to get information. And then they go to 
real estate information--your home ownership, the type of home 
you have, the characteristics. They go to voter records--name, 
address, date of birth. They go to occupational licenses, State 
professional licenses, whether it be medical, attorney, 
cosmetology. Then they will go to recreational license, to see 
if you have a fishing license or a hunting license.
    Then, if they have back from you a card that you have 
filled out--perhaps you filled this card out because you want 
to get a new car, or you want to get a free gift--they would 
have lifestyle information. They would have, you know, things 
that you enjoy--whether it is sports, music, investing, 
hobbies, great outdoors, world environment. And then it gets to 
your age, your marital status, gender, home ownership, number 
of children. And they ask for an estimated home income.
    Now, you take all that information and you try and 
correlate it with the census information, which doesn't have 
the name, but does have a lot of information that you filled 
out. You can get a pretty good picture of a person. Am I wrong? 
Is that true, that with this kind of data base, that the 
Americans who are, I think, unaware of the kind of information 
that you would have--and you say it is not for individual, but 
it is provided with a name with it.
    Ms. Zuccarini. That is correct, it is. It is demographic, 
lifestyle, and interest information. And the lifestyle and 
interest information is either self-reported or public record 
data.
    Mr. Stearns. Now, let's say I want to get a copy of 
everything you have on me. How would I do it?
    Ms. Zuccarini. We wouldn't provide that to you, because we 
have a policy of not providing data to individuals.
    Mr. Stearns. Okay. Yet you could sell that information--and 
I am not being critical; I am just exploring this for whoever 
is interested. A non-profit organization could come to you and 
say, you know, I want to buy this from you. You would sell it 
to a not-for-profit organization, wouldn't you?
    Ms. Zuccarini. We would sell a list.
    Mr. Stearns. A list?
    Ms. Zuccarini. Of no less than 50. Our systems don't even 
return a list of under 50.
    Mr. Stearns. Okay. And so I would have to specify all these 
lifestyle characteristics and the information in here to get 
the list? But you would not provide individual names correlated 
with all this information?
    Ms. Zuccarini. We would provide a list back to you that had 
a list of people that satisfied your request for different 
lifestyle interests.
    Let's say, if you were interested in selecting people that 
enjoy cooking, because you have a cooking catalogue, you would 
get back a list of individuals that enjoy cooking.
    Mr. Stearns. So I could come to you and say, okay, I want 
somebody who is making between $50,000 and $100,000 who is 
interested in rhythm and blues music, who enjoys skiing, who 
has a fishing license, and attends church, and also interested 
in gardening, and is married with three children. You could 
come back with a list?
    Ms. Zuccarini. We could come back with a list, yes.
    Mr. Stearns. And you would give me names?
    Ms. Zuccarini. We would. So you could send an advertising 
offer to them. For marketing purposes.
    Mr. Stearns. Now, let's say a person is in your data base 
and he or she wants to get out of that data base. How do they 
get out?
    Ms. Zuccarini. A variety of different ways. We honor the 
Direct Marketing Association mail preference service and 
telephone preference services and e-mail preference services, 
which are widely publicized, which allow people to go directly 
to the DMA--they don't even have to contact us.
    We publicize, on our web site and with a toll-free phone 
number, that you can call, if you would like to remove yourself 
from our mailing list. In addition, we provide consumer 
advocate groups, legislators, States' attorney general's 
offices, a variety of different groups, with an extensive 
consumer outreach program, where we outline the steps that you 
can take to remove yourself from our marketing information 
list.
    Mr. Stearns. Okay. What would be your worst nightmare? For 
example, Ms. Barrett, your company makes most of its money 
dealing with the management of these data bases. And I assume, 
certainly Experian is, you're owned by Europe, by a European 
company.
    Ms. Zuccarini. We are owned by Great Universal Stores.
    Mr. Stearns. Yes, so you are over in Europe. Does that mean 
you are complying with the European Internet privacy----
    Ms. Zuccarini. Our international operations are largely 
autonomous. We are compliant with the country laws in Europe. 
We have not subscribed to safe harbor.
    Mr. Stearns. You have not subscribed?
    Ms. Zuccarini. No, we have not.
    Mr. Stearns. But since you are a European Union company, I 
would think you would have to comply.
    Ms. Zuccarini. Our U.K. operations, our international 
operations. I am talking about Experian Marketing Solutions, 
the organization that I am representing today here in the U.S.
    Mr. Stearns. Oh, okay. Okay, I see that. So the worst 
nightmare would be, Ms. Barrett, for your company, is if the 
Federal Government came up with this Internet privacy 
legislation like the European Union's, so that your data bases 
would be affected, don't you think?
    Ms. Barrett. Well, in that we operate in five countries in 
Europe as well as here in the United States, we appreciate the 
differences between the European law and the U.S. law.
    Mr. Stearns. Right. I am just trying to help you out. You 
are trying to tell us as legislators, please, Mr. Legislator, 
don't do this, because this would harm us because we get most 
of our income from the management of these data bases. So I am 
just trying to understand from your point of view, as I try to 
understand for consumer groups--when they come in here, I ask 
them the same question: what is the thing that concerns you 
most? What should I do as a legislator, and Mr. Towns, and so 
on?
    And so I am asking you, what would be your concern if we 
developed an Internet privacy bill that would, you know, do 
something with the data bases that you manage?
    Ms. Barrett. If it restricted the flow of information for 
legitimate businesses to use for marketing purposes, then not 
only Acxiom but our customers, and ultimately the consumers, 
are going to have serious economic impacts. A number of studies 
show the variety of economic benefits and savings that our 
customers, through the use of our data, get. An apparel study 
showed that somewhere between 3 and 11 percent, if you 
restricted in the way that the Europeans have, some of the 
data, the costs in the apparel industry would go up between 3 
and 6 percent. We view that really as a means of taxing the 
consumer to pay for the lack of economic benefit that we enjoy 
today.
    Mr. Stearns. Mr. Ford? Either one of the other panelists 
would like to comment, what would be your worst nightmare?
    Mr. Ford. I haven't given it a great deal of thought. But 
in the past minute, I would have to say that probably mandated 
opt-in--and I am speaking about off-line and online.
    Mr. Stearns. Now, there are a lot of people that want to do 
a mandated opt-in. Particularly with financial and medical 
records.
    Mr. Ford. Well, that is a different story, because in the 
direct marketing business that we are talking about, we don't 
have financial records or medical records. We are only talking 
about the kind of direct marketing information that we have. I 
think what you are about ready to refer to is ailment data that 
is self-reported by the consumer.
    Mr. Stearns. The problem is that people say, well, just 
financial or medical information is sensitive. But if you take 
all this information that I mentioned here, in terms of the 
lifestyle, and then you combine that with public records and 
telephone directory information, and then the census 
information that I can glean from your neighborhood and where 
you live, you come up with some pretty sensitive information 
about individuals. And maybe people want to be able to opt in.
    Mr. Ford. Well, I would ask that you remember, sir, that 
the kind of information that is sensitive there is self-
reported information. It is not information that my company 
goes out and gleans from someplace.
    Mr. Stearns. No, I understand.
    Mr. Ford. So there is a built-in--there is a built-in opt-
in, if I am filling out----
    Mr. Stearns. Because they volunteered?
    Mr. Ford. Because they volunteered the information. And we 
make it possible for them to opt out of what they have opted 
into. They can come back later on and say, no, I want to take 
that back.
    In fact, on our web site, which conducts this same kind of 
survey, there is a double opt-in. They fill out the survey, 
they are asked if they are comfortable with it, if they really 
want to send it. They hit the button, yes, they do, we come 
back at them and say, ``Are you sure?'' And then, each time we 
ask them to fill out the survey again, they have the ability to 
unsubscribe.
    So I submit that the sensitive information, such as it is, 
is voluntarily provided.
    Mr. Stearns. Anything you would like to add to that? What 
your worst nightmare is?
    Ms. Zuccarini. My worst nightmare? I have many nightmares, 
but my worst one is mandated opt-in, because I think what we 
are doing then is setting the default standard for the majority 
of the population, whether we are looking at opt-in or opt-out. 
And if we are looking at opt-in, then we believe that that 
default standard will be not so much a sincere concern about 
protection of privacy, but may be as a result of consumer 
inertia, people not wanting to respond back affirmatively. And 
we are concerned about the potential unintended consequences, 
again, both economically and to consumers in terms of less 
choice, higher prices, and less competition.
    What you would start to look at in that case is an extreme 
challenge for a new market entrant or a small business to 
actually be able to compete and advertise effectively.
    Mr. Stearns. Yes, Mr. Ford?
    Mr. Ford. May I make one more comment about that, sir?
    Mr. Stearns. Sure.
    Mr. Ford. I think that we are all in agreement that we want 
consumers to have informed choice. And we do both; at Equifax, 
we provide the ability for consumers to opt out of this data 
off-line, and we provide online the ability to opt in.
    But I think there are a number of national surveys who have 
kind of segmented the American population into a group that is 
called privacy fundamentalists, a group that is probably 20 
percent or so, maybe more, 20, 25 percent, at one end that are 
privacy fundamentalists. At the other end, you have the privacy 
unconcerned, maybe 15 percent.
    Mr. Stearns. Libertarians.
    Mr. Ford. And then in the middle, you have got this 55 
percent that are the pragmatic middle. So we need a system that 
satisfies the needs of that full range of people who want to 
have different choices.
    By making opt-in the default mechanism, we satisfy probably 
the privacy fundamentalists, and we disenfranchise the other 
two-thirds who may want to see those offers. They may want to 
become informed citizens by receiving these offers. So my 
argument is, let's go with an opt-out mechanism. It still 
protects the fundamentalists who want to not receive any more, 
and it offers the choice to the other two-thirds.
    Mr. Stearns. Well, I think--Mr. Towns?
    Mr. Towns. Yes. Well, you know, I want to go back to the 
bad actors. You know, they are out there. What should we do 
about them? Because what is going on now is really not working. 
It is not that effective. So what do we do to sort of address 
that issue? Other than pray?
    Mr. Ford. That, too.
    Ms. Barrett. Mr. Towns, I think we have--if there is any 
area for criticism, both of the government and of industry, is 
that we have not done a good job of educating the consumer 
about not only what their choices are, but how to watch out for 
bad actors.
    There are many things that industry is working on in that 
regard. I think individual companies need to take the 
initiative as well. We have produced a booklet called ``What 
Every Consumer Should Know About the Use of Personal 
Information.'' It is available on our web site. We would love 
to have it distributed by anyone who wants to distribute it.
    I think that we have an obligation and a responsibility to 
consumers to tell them about not only the valuable uses of 
information, but the tools and choices that they have at their 
hands, so that those that do want to exercise them can.
    Mr. Towns. The accuracy in your data base, do you feel 
comfortable with that? In terms of the accuracy, do you think 
it is very accurate?
    Ms. Barrett. We strive very hard to make the data in our 
data bases accurate. And in our interactions with consumers, we 
actually have consumers that contact us and have learned that 
it is inaccurate, and give us corrected information. So we are 
always striving to keep the data accurate and current.
    Mr. Ford. Perhaps a better word for us is, is the data base 
reliable? Is it predictive? Can our customers use it reliably 
to make sure that they are sending the kind of offers to the 
kind of people who are interested in receiving those offers? 
And I think our data bases are highly reliable.
    Ms. Zuccarini. We would concur with that as well. We put an 
enormous amount of resources and effort against making sure 
that the information is as accurate as we can make it, and 
making sure as well that it is reliable, so that businesses, 
again, can try to determine whether consumers are interested in 
receiving marketing offers.
    Mr. Towns. Mr. Ford and Ms. Zuccarini, I still want to get 
your views and feelings on what we should do about these bad 
actors.
    Ms. Zuccarini. Can I comment on that?
    Mr. Ford. Go ahead.
    Ms. Zuccarini. Yes, again, our first recommendation would 
be, make sure that we are strictly enforcing the existing laws. 
There are, I believe, eight laws at least that currently govern 
the type of marketing information that we are discussing today. 
In addition to that, we have very strict self-regulatory 
guidelines through our trade organizations, and our clients are 
members of those. And to make sure that we are doing that, and 
really step up the enforcement.
    The second thing would be to echo what Ms. Barrett said 
with regard to consumer education. We need to do a better job 
of making sure consumers understand how to recognize bad 
actors, and how they can contribute to making sure that they 
are no longer in business.
    Mr. Ford. I look at it as a three-pronged initiative, or 
three sets of responsibilities. Business has a responsibility 
to educate consumers about the products and the services, and 
the technologies that are out there that they can use to help 
them protect their privacy.
    Government has a responsibility in two ways. No. 1, to 
enforce the laws that have already been enacted. And No. 2, I 
think that on the political side, that peeling this onion, 
which this series of hearings is really trying to do, to 
understand the complexities of this issue, is very, very 
important to making good public policy. And that is what you 
are doing, and I very much appreciate that.
    On the consumer side, though, they have an obligation and a 
responsibility, I think, as well, to make themselves informed 
consumers; to take advantage of the information that is out 
there, the products, the technologies.
    And there is also something known as the teachable moment: 
to send out some educational material to a consumer who is not 
at a teachable moment is not very effective. So finding those 
opportunities when consumers are, if not eager, at least 
willing to learn more, is a task that business must set itself, 
too.
    Mr. Towns. Thank you very much. Thank you, Mr. Chairman.
    Mr. Stearns. I thank my colleague. We will complete the 
second panel. We want to thank you, again, for waiting for us. 
We had a very good hearing, and I think, as you pointed out, 
that we are moving incrementally to try to understand this very 
broad and significant and comprehensive area. And we thank you 
again for testifying.
    And the subcommittee is adjourned.
    [Whereupon, at 12:55 p.m., the subcommittee was adjourned.]

