Options for Promoting Privacy on the National Information Infrastructure. 3. Direct Marketing

04/01/1997

The direct marketing industry has been a prime beneficiary of the technological advances in information processing. According to one industry commentator "the database revolution is the most significant recent arrival in the direct marketing industry...."230 New technologies that process, manipulate, combine, and exchange personal data both quickly and economically allow industry to target goods and services to consumers in new ways. Implementation of the NII will create even more opportunities to combine and exchange personal data as well as provide additional avenues for communication with prospective customers.

Direct marketing accounts for $350 billion dollars in sales annually.231 About half the people in the U.S. now shop by mail.232 Target marketing increases the likelihood that catalogs and other promotional material will end up in the hands of consumers who are genuinely interested in these materials. Industry and consumers gain: customer service can be improved by target marketing, shoppers are offered extended shopping hours and immediate delivery, and marketers save money by sending marketing materials only to those consumers most likely to be interested in the advertised product.

But the proliferation of databases and lists of consumers they produce also implicates personal privacy.233 By collecting information regarding consumer preferences and purchases, marketers ultimately have possession of a persons's name, address, buying habits, and other individual social and economic data. Individuals have no legally enforceable right to be notified when marketing data is collected, who has the data, who has organized it into lists, and with whom such personal data is being shared. No law prohibits the use of information gathered for one marketing purpose for any other purpose, compatible or not.

The leading consumer complaints about the direct marketing industry concern unsolicited mail and telephone calls.234 Consumers often complain about receiving flyers from stores never shopped in, catalogs from mail order companies never ordered from, and banks and card companies never communicated with.235 This problem appears to stem from the use of personal information by third parties, such as database compilers, credit reporters, or credit-card issuing banks.

The direct marketing industry has worked for years to balance consumer privacy concerns with its use of consumer data.236 The Direct Market Association (DMA)237 has, for example, established an ethical code and guidelines for self-regulatory action, and may refer members found in violation of the code to its ethics group or can suspend membership in the association.238 The DMA sponsors a Mail Preference Service (MPS) and a Telephone Preference Service (TPS) to handle, on a national level, unsolicited junk mail and telemarketing. Both are designed to help consumers decrease the amount of commercial and non-profit mail and commercial telephone calls they receive at home.239 Beyond the MPS and TPS, the DMA recommends that individual companies give consumers an opportunity to opt out of the exchange of marketing data through in-house suppression programs and disclosure notices.240

The DMA encourages its members to adopt its corporate information policies and programs to respond to consumer privacy sensitivities. Adoption of and adherence to the DMA's recommended privacy practices is currently voluntary for its members. Furthermore, not all direct mailers are members of the DMA. Nonetheless, many direct mailers have adopted individual privacy codes tailored to the DMA's recommendations, and DMA continues to update its guidelines to keep pace with digital technology.241

While acknowledging the usefulness of self-regulation, some commentators have expressed concern about whether self-regulation adequately safeguards privacy. Others wonder whether the DMA does (or can) effectively enforce its fair information codes. For example, the fact that adherence to DMA's recommended privacy practices is voluntary has led one commentator to state that "[t]he only rules which limit the use of the most personal information by direct marketers are the rules which the marketers voluntarily choose to follow."242 Concerns have also been raised about whether information brokers will adhere to DMA's recommended practices. Indeed recent news reports illustrate these concerns.243 DMA is taking steps to address these criticisms. For example, it recently began digesting the existence and outcome of investigations and compliance hearings, and had upgraded its World Wide Web site to facilitate online development of compliant privacy policies.244 In November of 1996, DMA initiated a major education effort for DMA members and for consumers.245

The Federal Trade Commission (FTC) has recently assumed a key role in the privacy arena and indeed has been identified as the most privacy active agency.246 The FTC's Bureau of Consumer Protection undertook a Consumer Privacy Initiative in 1995 to educate consumers and businesses about the use of personal information online. As part of this initiative, the Commission held several informal workshops and engaged in a series of discussions with privacy advocated and industry representatives. On January 6, 1997, the FTC issued a staff report entitled The Public Workshop on Consumer Privacy on the Global Information Infrastructure, concluding that notice, choice, security and access are recognized as necessary elements of fair information practices online.247

The FTC report highlights the potential for technological solutions, combined with self-regulation, to address online privacy concerns. The Bureau of Consumer Protection also devoted special attention to issues raised by data gathered from and about children online.248

The FTC has announced that it will hold a follow up workshop in June of 1997 to ascertain the status and effectiveness of self-regulatory and technological approaches to privacy protection. In the meanwhile, the Commission already has broad discretion to prosecute instances of misleading or unfair commercial practices. This authority extends to misleading or unfair practices involving the collection and re-use of personal data by third parties.

In a related development, by letter dated October 8, 1996, Senators Bryan, Hollings, and Pressler asked the FTC to investigate and report on the non-consensual compilation, sale, and usage of electronically transmitted data bases.


230. See Gary Levin, Database Draws Fevered Interest, Advertising Age, June 8, 1992, at 31.

231. Rosenstiel, supra note 29 (reporting comments of Direct Marketing Association spokeswoman Lorna Christi).

232. See Judith Waldrop, The Business of Privacy, Am. Demographics, Oct. 1994, at 47.

233. Upwards of five billion records exist in the United States containing personal information about individuals. This information about each person is moved from one computer to another on the average of five times per day. See Rothfeder, supra note 139, at 17, 90.

234. Privacy Rights Clearing House, Second Annual Report, Jan. 1995, at 23.

235. See Henry Hoke, editorial, Direct Marketing, Oct. 1994, at 82.

236. See Tim Little, Privacy vs. Data Use: A Matter of Survival, Catalog Age, May 1992, at 103.

237. The Direct Marketing Association (DMA), with a membership of some 3,500 manufacturers, wholesalers, and retailers, is the largest national trade association serving this industry. For information on DMA, see generally, Direct Marketing Association, Privacy Action Now! (1996); Privacy, The Key Issue of the 90's: A Direct Marketer's Guide to Effective Self Regulatory Action in the Use of Information (1993); and see the Direct Marketing Association Home Page at <http://www.the-dma.org> (visited Mar. 24, 1997).

238. See Rosenstiel, supra note 29.

239. See Direct Marketing Association, Fair Information Practices Manual 7-11 (1994).

240. Id.

241. See Federal Trade Commission, supra note 32, at 27 n.152.

242. See Rosenstiel, supra note 29 (reporting statement of Professor Mary J. Culnan, Georgetown U. ); see also Wilson, supra note 23 ( "It costs pennies to draw a list of names from a computer data base and start assembling a marketable profile that can be sold for as much as $200 per thousand names. There is only one other industry that operates on that kind of markup, and that's illicit drugs. So long as the list business is that profitable, it is going to spawn greed, and privacy invasion and corruption, just as illicit drugs do." Reporting comments of Denison Hatch). See also, Shelly Reese, Future Shop Customers Draw Line on Privacy Issue, Cincinnati Enquirer, May 24, 1994 (reporting on the fact that there are currently about 10,000 lists which get sold and rented to other retailers usually at a rate of about $50 or $55 per 1,000 names).

243. Metromail, a subsidiary of R.H. Donnelley and Sons Company, maintains mail-order and telephone information on 92 million households, broken down by consumer tastes and demographics. Metromail has recently been involved in a number of privacy related controversies; for example, the release of information concerning 5000 Los Angeles households, including the addresses and ages of children, to a television reporter using the name "Richard Allen Davis" (Davis was recently convicted in San Jose for the kidnap and murder of 12 year old Polly Klaas). See Kathryn Dore Perkins, Huge Market in Data on Kids, Sacto. Bee (Calif.), June 24, 1996, at A1. Metromail was also sued by an Ohio woman who received sexually offensive mail from a Texas prison inmate who was provided access to a consumer questionnaire she had filled out. The questionnaire had originally been sent to Metromail who in turn passed it on to a contractor for further processing. The contractor, in turn, passed this information on to the Wynne prison unit in Huntsville, Texas for prisoners to process the questionnaires. The woman asserts that this use of her personal information was done without either her knowledge or consent. Id.

244. See DMA, supra note 237.

245. See Dan Harrison, DMA Initiates Major Privacy Push; Self-Policing Seen Essential to Blunt Government, DM News at 1 (Nov. 4, 1996).

246. See 2 Priv. & Am. Bus. Vol. 2, Aug., 1995, at 4-5. See also, Jay Greene, Eluding Their Gaze//The Way to Protect Personal Info is to Leave No Trace but Remember - The Rules Aren't In Your Favor, Orange County Reg. (Calif.), Apr. 25, 1996, at C01, available in 1996 WL 7024132 (reporting that in privacy matters "[t]he FTC, which regulates unfair and deceptive trade practices, has been perhaps the most aggressive federal agency in reining in credit bureaus, medical-records gatherers and others").

247. Federal Trade Commission, supra note 32.

248. See Federal Trade Commission, supra note 32 at 41-50. See also, Gary Chapman, Protecting Children Online is Society's Herculean Mission, L. A. Times, June 24, 1996, at D14.