May 12, 1997 Office of the Secretary COMMENTS OF AMERICAN COLLECTORS ASSOCIATION, INC. CONCERNING CONSUMER PRIVACY 1997 - P954807 PRELIMINARY STATEMENT The following comments are submitted on behalf of the American Collectors Association, Inc. (ACA). The principal focus of these comments is the unauthorized distribution of personal information about a business or its employees which is made available through the Internet, commercial or non-commercial World Wide Web sites (the "Web"), home pages, and other online formats. As such, these comments touch upon issues which the Federal Trade Commission ("Commission") intends to address in Session Two of the June 1997 Public Workshop on Consumer Information Privacy. According to the notice published in the March 6, 1997 edition of the Federal Register (62 Fed. Reg. 10271), Session Two will discuss "Consumer Online Privacy". As an adjunct to the 1996 Public Workshop on Consumer Privacy on the Global Information Infrastructure, Session Two will undoubtedly revisit many of the complex privacy issues that are presented by the burgeoning growth of the online marketplace. As daunting as the task may be, the Commission is well-advised to continue to confront these issues. Given the exponential growth of the computer and online industries in recent years, any delay in addressing the many issues of first impression presented by advances in technology will only augment the damage done to online information privacy. The Commission has already recognized that the content and wide-availability of the Internet and Web sites present potentially "thorny legal problems". See Report of the Federal Trade Commission, "Anticipating the 21st Century: Consumer Protection Policy in the New High-Tech, Global Marketplace", Vol. II, at 5 (May 1996). See also Anne M. Fulton, "Cyberspace and the Internet: Who Will be the Privacy Police", 3 CommLaw Conspectus 63, 64 (1995) (noting that the immensity and rapid growth of cyberspace already may have outstripped the ability of the law to keep pace). BACKGROUND As a trade association of professional debt collectors, ACA represents some 3,700 professional debt collectors in the United States and 53 other countries. ACA members handle the collection of past-due consumer and commercial accounts receivable for approximately one million credit grantors. ACA's main concern with respect to online information privacy stems from the recent experiences of some of its members. Certain businesses that are members of ACA have been subjected to the unauthorized disclosure of personal information which has been made available by consumers-debtors through Web sites or home pages.(1) In most instances, the information is posted by a debtor from whom the ACA member is attempting to collect a past-due account. The information which is disclosed by the consumer-debtor is publicly available and posted in a defamatory manner. For example, certain ACA members have had the following information posted on one or more Web sites: (1) name of the collection agency; (2) name of employees of the agency; (3) physical description and/or photographs of employees; (4) employees' home addresses with a map-link for directions; (5) employees' residential telephone numbers; and (6) photographs of employees' vehicles, along with the identification of the license plate numbers and any lien holders. AREAS OF COMMENT As mentioned, these comments are submitted at the request of the Commission to document the existing practices of Web sites' with respect to the unauthorized use and/or dissemination of personal information of businesses or their employees. ACA recognizes that this aspect of online information privacy is not directly confronted by the Commission's Federal Register notice and existing plans for the Public Workshop on Consumer Information Privacy. Indeed, the Commission has heretofore focused on the privacy concerns of consumers who have personal information collected and used online by businesses. While, in some instances, consumers may be more vulnerable to privacy infringements, ACA submits that businesses and their employees are equally subjected to invasions of legitimate privacy interests through consumer's posting personal information about the business or their employees. Specifically, ACA comments on the following questions posed by the Commission with respect to Session Two: 2.1 What kinds of personal information are collected by commercial Web sites from users who visit those sites and how is such information subsequently used? 2.3 What are the risks, costs, and benefits of collection, compilation, sale, and use of personal consumer information in this context? 2.6 Of the commercial Web sites that collect, compile, sell or use personal information, how many provide consumers choice with respect to whether and how their personal information is to be collected and subsequently used by those sites? With respect to such Web sites, describe (1) what choices are provided to consumers and how such choices are exercised; and (2) the costs and benefits, for both consumers and commercial Web sites, of providing such choices. As requested in the Federal Register notice, ACA's response to these questions will be set forth using a new page for each question answered. 2.1 What kinds of personal information are collected by commercial Web sites from users who visit those sites and how is such information subsequently used? RESPONSE It is ACA's experience that the personal information collected and disseminated is not obtained through visits to Web sites. In most cases, the personal information is publicly available through federal or state government records and, once obtained, the information is posted on a consumer Web site. The type of information which has been posted on Web sites in the past includes: (1) name of the collection agency; (2) name of employees of the agency; (3) physical description and/or photographs of employees; (4) employees' home addresses with a map-link for directions; (5) employees' residential telephone numbers; and (6) photographs of employees' vehicles, along with the identification of the license plate numbers and any lien holders. The Web site may ask that persons visiting the site who have any other information on identified businesses or its employees to forward the information to the Web site facilitator. The use of the information is calculated to harass debt collectors, even though they are in full compliance with the Fair Debt Collection Practices Act (15 U.S.C. ยง 1692 et seq. (1988)) and other regulations governing the collection of past due consumer debts. 2.3 What are the risks, costs, and benefits of collection, compilation, sale, and use of personal consumer information in this context? RESPONSE The costs associated with the unregulated use and dissemination of personal information online clearly outweigh any perceptible benefits. One of the defining stories of the 1990s has been the dramatic escalation of computer-based communications and the development of the "information superhighway." However, the evolution of the computer communication revolution has increasingly begun to affect broad areas of law which seem ill-prepared to accommodate this new medium. To name just a few examples, existing laws simply do not adequately address questions such as jurisdiction via e-mail addresses or Web sites; tortious conduct such as defamatory statements posted on Web sites, the Internet or interactive computer networks;(2) and infringements upon privacy through unsolicited e-mail and the use and dissemination of personal information. The inability of existing federal law to dispel these problems has come at a very high cost. In the case of ACA members who have been harassed by the unauthorized posting of personal information online, the costs include the knowledge that personal information such as their names, addresses, phone numbers, occupation, vehicle make and model, and vehicle license plate number have been released on the World Wide Web without their consent and with no notice. In fact, many state laws actually facilitate privacy infringements when they expressly forbid the use of an alias or "desk name" by collectors. Consequently, collectors in states which preclude the use of an alias--New Hampshire, North Carolina, and North Dakota--are especially vulnerable to unfounded personal attacks. While other states allow collectors to use aliases, they often require that desk names be used not only consistently but also registered with the state authorities along with their home address, in order to allow identification of any collector who is accused of violations of law. In Minnesota, for example, where individual collector names and aliases must be registered with the Department of Commerce, Department officials have take the position that the Minnesota Government Data Privacy Act does not allow them to withhold release of such personal identification and home address data if requested. Under the Act, a person requesting the information does not have to give a reason for the request. Clearly, release of personal names and address information renders useless the use of an alias, and places collectors in a position of severe jeopardy. We are aware of several instances where collectors have been threatened, their personal safety was directly at stake, and there was fear for the safety of their family members. 2.6 Of the commercial Web sites that collect, compile, sell or use personal information, how many provide consumers choice with respect to whether and how their personal information is to be collected and subsequently used by those sites? With respect to such Web sites, describe (1) what choices are provided to consumers and how such choices are exercised; and (2) the costs and benefits, for both consumers and commercial Web sites, of providing such choices. RESPONSE Typically, the non-commercial Web sites do not offer a choice to ACA members and their employees before posting the personal information online. In one case, the Web site posted a variety of personal information about the employees of an ACA member (including their names, addresses, home telephone numbers, photographs of their vehicles, and directions to their residence) and informed the employees that "[i]f you don't like what you see on this site, you can e-mail me to request that your information be removed. This does not assure that the information will be removed upon the request." Consequently, there is no notice before the dissemination of personal online information and, in some cases, no legal mechanism to require that the posted information be removed once disseminated. CONCLUSION In the debate over the secondary uses of personal consumer information, the Commission should recognize that the same concerns over privacy protections are applicable to businesses and their employees. In the absence of federal law, the Commission has already taken steps to outline several options designed to uphold the privacy protections of consumers. See Report of the Federal Trade Commission, "Anticipating the 21st Century: Consumer Protection Policy in the New High-Tech, Global Marketplace", Vol. II, at 36-37 (May 1996). These options include: (1) pre-use notice to consumers of the intended use of non-sensitive information; (2) application of contract principles to define permissible uses; and (3) the development of electronic privacy policy screens. ACA seeks to add a new wrinkle to the Commission's plan of action. That is, the Commission also needs to address invasions upon the privacy of businesses and their employees. In doing so, the Commission must take into consideration the unauthorized posting of personal data on a Web site, home page or the Internet where there is no pre-posting notice, no opportunity to correct the information, and no choice as to how the personal information is used or disseminated. Indeed, with the active guidance and oversight of the Commission, "a market in privacy protections might develop, with the best schemes emerging as the standards." See Report of the Federal Trade Commission, "Anticipating the 21st Century: Consumer Protection Policy in the New High-Tech, Global Marketplace", Vol. II, at 37 (May 1996). Respectfully submitted, ______________________ CONSUMER PRIVACY 1997 -
COMMENT, P954807 1. One example can be found at http://www.billsheenan.com (no period). 2. At least one court has attempted to graft principles of defamation on the operation of a computer network. In Stratton Oakmont Inc. v. Prodigy Services Co., 23 Media L. Rep. (BNA) 1794 (N.Y. Sup. Ct. 1995), a New York court held that a one of the most popular commercial online services was liable for the content of potentially defamatory electronic messages sent by a user of its service. The online service operator, Prodigy Services Co., was liable based upon its failure to intercept a defamatory statement. The case, however, has little precedent because it was ultimately settled. In fact, Congress sought to limit the rationale set forth in Stratton through the 1996 Communications Decency Act, Pub. L. 104-104, 1996 U.S.C.C.A.N. (110 Stat.) 133-139 (to be codified at 47 U.S.C. 223 (a)-(h), 230) (section 230, subsection c states that "no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.") |