Before the
Federal Trade Commission

DATA BASE STUDY--P974806

Consumer Privacy 1997--P954807

WRITTEN COMMENTS OF
THE DIRECT MARKETING ASSOCIATION, INC.

April 15, 1997


For more information, contact:

Jerry Cerasale
Senior Vice President, Government Affairs
or Patricia Faley
Vice President, Consumer Affairs
Direct Marketing Association, Inc.
1111 19th Street, N.W. Suite 1100
Washington, DC 20036
202/955-5030
Counsel:
Robert L. Sherman
Paul, Hastings, Janofsky & Walker L.L.P.
399 Park Avenue
New York, NY 10022
212/318-6000
Ronald L. Plesser
Emilio W. Cividanes
Piper & Marbury L.L.P.
1200 19th Street, N.W.
Washington, D.C. 20036
202/861-3900

INTRODUCTION & EXECUTIVE SUMMARY

The Direct Marketing Association (DMA), the largest trade association for businesses interested in direct marketing and database marketing, is pleased to participate in the Federal Trade Commission's (FTC) ongoing effort to study consumer privacy issues in the online world.

The DMA represents more than 3,000 United States corporations as well as 600 corporations from 47 other countries. DMA members use all media to reach their customers and prospects--mail, telephone, direct response TV, radio, home shopping networks, as well as cyberspace. As a long-time champion of consumer choice and a leading advocate of self-regulation and peer regulation, The DMA continues to examine how best to ensure that consumers in the online environment are afforded opportunities both to learn about products and services of interest to them and to express their preferences regarding marketers' collection, use, or dissemination of information about them.

At the FTC's June 1996 workshop, The DMA presented the Joint Statement on Online Notice and Opt-Out, Joint Statement on Children's Marketing Issues, and Principles for Unsolicited Marketing E-Mail that it developed with the Interactive Services Association.

Since the FTC's June 1996 workshop, The DMA has:

Organized 22 other direct marketing trade associations from five continents in establishing an International Federation of Direct Marketing Associations and agreeing to establish self-regulatory principles for best practices for online marketing. Recognizing the global nature of the Internet, the IFDMA establishes the framework for cooperative advancement of common self-regulatory principles around the globe. (Appendix 1)

Developed, printed, and distributed The DMA Marketing Online Privacy Principles and Guidance, which are to be enforced by The DMA's ethics peer review process. (Appendix 2)

Embarked on an aggressive campaign entitled "Privacy Action Now" to educate its members engaged in online marketing about the Marketing Online Privacy Principles and Guidance, including sending a copy of the Principles to every member of The DMA and showcasing the Principles at every major direct marketing conference. (Appendix 3)

Improved its peer-review process by beginning to release three times a year a public report that describes all matters considered by The DMA's Committee on Ethical Business Practice, the practices found (if any) to violate one of The DMA Guidelines, and the Committee's disposition of each case. (Appendix 4)

Developed a Web privacy notice building kit, accessible online, that enables marketers in a few easy steps to create accurate and effective consumer privacy policy notices for their Web sites. (Appendix 5)

Joined the World Wide Web Consortium (W3C) in an effort to develop technological support for consumer choice through a Platform for Privacy Preferences (P3). And, through the Internet Privacy Working Group (IPWG), helped develop a common vocabulary to enable seamless communications about preferences and information practices between users and content and service providers for use in P3.

Issued a Request for Proposals to develop The DMA's E-Mail Preference Service (e-MPS), which would enable consumers to reduce the amount of unsolicited marketing e-mail, and help parents reduce the amount of unsolicited marketing e-mail directed to their children. We plan for the e-MPS to be fully operational within a year. (Appendix 6)

Set aside a section of its Web site just for parents, and posted a listing of and hyperlinks to software packages it is aware of that assist parents in monitoring and controlling the activities of their children online. (Appendix 7) [Note: This material is at the end of Appendix 6, above. -- FTC Webmaster]

Started the process of adding a section on children's issues to its Guidelines for Ethical Business Practice.

In cooperation with the Children's Advertising Review Unit (CARU) of the Council of Better Business Bureaus, Inc. (CBBB) and Call for Action, developed a booklet and online information guide entitled Get CyberSavvy! The DMA's Guide to Parenting in the Digital Age: Online Basics, Behavior and Privacy. It contains interactive activities for parents that assist them in sharing their children's online experiences, learning about privacy issues, and making decisions about what information their children may transmit and have online access to.

Undertaken an analysis of research on consumer perceptions about online privacy issues.

Undertaken to learn more about its members' online practices.

1.3 What is the source of the information in the databases?

The Direct Marketing Association has long had a policy opposing the use of personal data obtained from marketing transactions for non-marketing purposes. Our Guidelines therefore limit the sources of the information used by look-up services. Companies that maintain databases of both marketing and non-marketing information ensure that information gained from marketing transactions is not used as an information source for the look-up database.

The DMA's Guidelines for Personal Information Protection indicate that personal information collected for marketing "should only be used" for marketing purposes. This was the basis for The DMA's response to a December 20, 1994 Federal Register notice in which the Internal Revenue Service suggested that agency personnel would begin accessing commercial databases as part of its Compliance 2000 program. The DMA filed comments and led a public outcry against the proposal. DMA stated: "Commercial lists used by DMA members were created for the purposes of marketing and were never intended to be used for any other purpose." The IRS backed away from its intention to use marketing data for law enforcement.

In addition, The DMA Committee on Ethical Business Practice reviews complaints it occasionally receives regarding the alleged use of marketing data for non-marketing purposes. The Ethics Committee reviews these complaints to ensure that companies' use of marketing data is in accordance with the guidelines of The DMA.

Because marketers use more than only personal data obtained from marketing transactions, marketers and look-up services often use similar sources of information. For example, they both may use public record data to create a file on an individual or to verify information about an individual already collected from other sources. Similarly, they may both use telephone directory data. Thus, public records and publicly available records may be used for both marketing and non-marketing purposes.

Credit header data fall outside of The DMA's self-regulatory proscription because the FTC, in regulating the credit reporting industry, has in a consent decree expressly approved the use of credit header data for any lawful purpose.

The DMA is aware that one of its members, which markets educational materials to children, has on occasion used its marketing list to assist the Center for Missing and Exploited Children in its efforts to locate missing and kidnapped children by running the names of such children against its database.

Otherwise, whether the prospective user is the IRS or a private sector company offering a look-up service, The DMA's policy remains that commercial lists or databases containing marketing data should not be used for non-marketing purposes.

2.4 What surveys, other research, or quantitative or empirical data exist about consumers' perceptions, knowledge and expectations regarding (1) whether their personal information is being or should be collected by Web site operators and the extent of such collection; (2) the benefits and risks associated with the collection and subsequent use of this information; (3) appropriate uses of such information; and (4) whether certain categories of information should never be collected or disclosed to others?

The DMA is analyzing research and will be in a position to present Mr. Stanley Greenberg, a nationally recognized researcher, as an expert at the June 1997 Workshop to address issues regarding consumer perceptions, knowledge, and expectations in connection with the use of information for cyber-commerce.

2.5 How many commercial Web sites collect, compile, sell or use personal information? Of these, how many give consumers notice of their practices regarding the collection and subsequent use of personal information? With respect to these Web sites, describe (1) how and when such notice is given, (2) the content of such notice, and (3) the costs and benefits, for both consumers and commercial Web sites, of providing such notice.

Marketing in cyberspace continues to be a relatively recent venue for direct marketers. A recent Price Waterhouse survey commissioned by The DMA reveals that more than half of the direct marketing companies that have commercial Web sites have had them for one year or less.

The DMA is collecting information from its members to understand the new marketing practices developing in the emerging cyber-commerce. We expect to have illustrations to respond to the specific information requested by this question available for the June 1997 Workshop.

2.9 What industry principles, recommendations or guidelines have emerged since the June 1996 Workshop? Please discuss whether they are permissive or mandatory, whether they include sanctions for non-compliance, and the extent to which they have been implemented within the industry.

The DMA and ISA presented the Joint Statement on Online Notice and Opt-Out to the FTC in June 1996 as a "discussion document."

After entertaining comments on the document for several months after the workshop, The DMA refined this Joint Statement into principles and developed guidance for its members. The DMA Board of Directors approved these principles and guidance in January 1997 as part of The DMA Marketing Online Privacy Principles and Guidance. These principles, which are to be enforced by The DMA's ethics peer review process, include self-regulatory principles on unsolicited marketing e-mail as well as on online notice and opt-out. The DMA's Committee on Ethical Business Practice began in February 1997 issuing a public report that, without identifying companies, describes all matters considered by the Committee, the practices found (if any) to violate The DMA Guidelines, and the Committee's disposition of each case. The Committee has decided to issue similar public reports about its activities three times a year.

Prior to the Board's final approval, The DMA through its newsletter and its "Privacy Action Now" kit alerted its members at its October 1996 Annual Conference to the existence and availability of the principles in draft form. Also at the October Conference, 22 national direct marketing trade associations from five continents signed an agreement that will establish an International Federation of Direct Marketing Associations. Recognizing the global nature of the Internet, participants have agreed to establish self-regulatory principles for best practices for online marketing, building on earlier agreements for recognizing and facilitating consumers' mail and telephone preferences. The signatories to the agreement also have agreed to advance and adhere to a set of professional education, public relations, and consumer education practices. The IFDMA establishes the framework for cooperative advancement of common principles around the globe.

Following the Board's final approval of the Marketing Online Privacy Principles and Guidance, The DMA embarked on an aggressive campaign to educate its members engaged in online marketing about the principles and the benefits of their implementation. For example, The DMA showcased them at its March 9-11, 1997, "net.marketing" conference, and has developed a privacy exhibit to showcase them at all of its major conferences. It has also sent a copy of the Marketing Online Privacy Principles and Guidance to every member of The DMA.

The DMA has also developed a privacy tool kit, accessible online, that enables Web site operators in a few easy steps to create accurate and effective consumer privacy policy notices for their Web sites. In responding to questions in the package's questionnaire about their site's information practices and capabilities (such as what information is collected, how it is used, and how visitors to the site can opt out from some of these uses), Web site operators are able to create their own privacy policy statements for online consumers. This "how to" package, which can be downloaded complete with html code, can be reached on the DMA Web site (http://www.the-dma.org/policy.html). The DMA is publicizing the availability of this tool among its own membership as well as the wider community of Web site operators.

2.14 Has interactive technology evolved since June 1996 in ways that could address online privacy issues? To what extent is it currently available and being used by consumers and commercial Web sites?

With a committed approach to addressing online privacy issues, The DMA has developed a privacy tool kit, accessible online, that enables marketers, in a few easy steps, to create effective consumer privacy policy notices for their Web sites. In responding to questions in an easy-to-follow questionnaire about their site's information practices and capabilities (such as what information is collected, how it is used, and how visitors to the site can opt out of some of these uses), marketers are able to create a privacy policy statement regarding their company practices for online consumers. This privacy policy "how to" package, which can be downloaded, can be reached on The DMA Web site (http://www.the-dma.org/policy.html).

DMA has long believed that technology can provide consumers with additional privacy protections on the World Wide Web. Technological efforts in recent years--such as the Platform for Internet Content Selection (PICS)--have focused on protecting against the receipt of obscene content, not on information collection. PICS enables two principal approaches, i.e., filtering and rating. Although they may be appropriate in the context of nudity, violence, or profanity, The DMA seeks a third approach to protecting consumer privacy. This alternative, described as the "negotiation" or "handshake" approach, would enable users and sites to engage in automated dialogue and negotiation about information practices.

The "negotiation" approach for protecting privacy has several characteristics. First, similar to the ratings approach, it would require Webmasters to classify the information practices of their sites, enable consumers to "set" their privacy preferences, and compare the site's classification with the consumer's preference. For example, a consumer might wish to set her preferences so that, when visiting Web sites that collect identifiable information from visitors, the site enables her to limit the purposes for which it uses the data. Software would then compare a consumer's preferences to a particular Web site's information practices before allowing the site to be viewed. If the preferences and practices matched, then there would be a "handshake" permitting the consumer automatic access to the site.

Second, the software would not automatically block access to sites that do not match a consumer's preference. Rather, consumers would be informed of the reason for the mismatch and, if they wished to proceed to the site despite the mismatch, could do so by clicking their mouse. Their access to the site would be blocked only if after this "dialogue" they declined the opportunity to override their preferences.
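
The "negotiation" flow described above, sketched as an added example; it is not part of The DMA's comments and does not use P3 or IPWG vocabulary. The practice field names, the sample sites, and the choice to treat an undeclared practice as a mismatch are assumptions made for illustration.

```javascript
// Added illustration. Field names are hypothetical, not P3/IPWG vocabulary.

// Consumer preferences: "if the site's practices fit `when`, it must declare `require`".
const consumerPreferences = [
  {
    when: { collectsIdentifiable: true },
    require: { allowsPurposeLimit: true },
    reason: "no declared way for visitors to limit how identifiable data is used",
  },
  {
    when: {},
    require: { sharesWithThirdParties: false },
    reason: "no declaration that visitor data is kept from third parties",
  },
];

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// A rule applies unless the site explicitly declares a different value for a
// `when` field, so an undeclared practice is treated as the worst case (assumption).
function ruleApplies(practices, when) {
  return Object.entries(when).every(
    ([key, value]) => !has(practices, key) || practices[key] === value
  );
}

// A requirement is met only by an explicit declaration with the exact value.
function declares(practices, required) {
  return Object.entries(required).every(
    ([key, value]) => has(practices, key) && practices[key] === value
  );
}

// Returns the list of reasons the site's practices do not match the preferences.
function comparePractices(practices, preferences) {
  const declared = practices && typeof practices === "object" ? practices : {};
  return preferences
    .filter((rule) => ruleApplies(declared, rule.when) && !declares(declared, rule.require))
    .map((rule) => rule.reason);
}

// askUser(reasons) is called only on a mismatch and returns true to override.
function negotiate(practices, preferences, askUser) {
  const mismatches = comparePractices(practices, preferences);
  if (mismatches.length === 0) {
    return { access: true, via: "handshake", mismatches };
  }
  const overridden = askUser(mismatches) === true;
  return { access: overridden, via: overridden ? "override" : "blocked", mismatches };
}

// Constructed sample declarations.
const siteWithChoice = {
  collectsIdentifiable: true,
  allowsPurposeLimit: true,
  sharesWithThirdParties: false,
};
const siteWithoutChoice = {
  collectsIdentifiable: true,
  allowsPurposeLimit: false,
  sharesWithThirdParties: false,
};
const siteAnonymous = { collectsIdentifiable: false, sharesWithThirdParties: false };
const siteUndeclared = {};

const decline = () => false;
for (const [name, site] of Object.entries({
  siteWithChoice, siteWithoutChoice, siteAnonymous, siteUndeclared,
})) {
  const result = negotiate(site, consumerPreferences, decline);
  console.log(name, result.via, result.mismatches);
}
```
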

The DMA is contributing to and participating in the initiatives that are underway to develop this technology. First, The DMA joined the World Wide Web Consortium (W3C)--which funded the PICS project and is in the process of establishing a project to develop technological support for a Platform for Privacy Preferences (P3). The DMA is the first trade association to have joined the technology consortium. Second, The DMA is a member of the Internet Privacy Working Group (IPWG). Under the coordination of the Center for Democracy and Technology, IPWG has begun working on developing a common vocabulary to enable seamless communications about preferences and information practices between users and content and service providers, which it plans to submit to the P3 Vocabulary Working Group of the W3C for consideration. Other members of IPWG include industry leaders such as America Online, AT&T, IBM, and the Interactive Services Association, as well as other nonprofits such as the Center for Media Education.

Even without P3, the market has continued to respond when it perceives there is a consumer demand for privacy-enhancing technologies. For instance, the latest versions of the browsers of the two major browser developers give consumers the option of setting their preferences so that they will be alerted when a Web site is about to deposit a "cookie" file on their hard drive.

2.15 What are the risks and benefits, to both consumers and commercial Web sites, of employing such technology? What are consumers' perceptions about the risks and benefits of using such technology to address online privacy issues?

The DMA believes that consumers and commercial Web sites only benefit by employing such technology. The proposed P3 Project discussed in our answer to Question 2.14 will address the twin goals of meeting the privacy expectations of consumers on the Web while ensuring that the medium remains available and productive for electronic commerce.

The DMA is analyzing research and expects to be in a position to address consumer perception about some of these issues at the June 1997 Workshop.

2.17 What are the risks and benefits, to both consumers and commercial entities, of unsolicited commercial e-mail? What are consumers' perceptions, knowledge, and expectations regarding the risks and benefits of unsolicited commercial e-mail?

As with other forms of direct marketing in the U.S.--which now generates nearly $1.2 trillion in sales annually--unsolicited marketing e-mail offers consumers the opportunity to learn about products and services that may be of interest to them, increases the convenience of shopping "from home," and offers businesses new ways of reaching consumers.

The DMA believes that, except in the cases of fraud, unsolicited marketing e-mail poses little or no risk to consumers, but substantial risks to direct marketers, which might alienate potential consumers if they do not take steps to gain their confidence and empower consumers to make choices. Providing consumers with a mechanism to avoid unwanted marketing solicitations is an important step in these efforts.

2.19 Are there technological developments that might serve the interests of consumers who prefer not to receive unsolicited commercial e-mail? If so, please describe.

Building upon its experience in establishing and operating name and telephone removal services--the Mail Preference Service and Telephone Preference Service--The DMA is planning to develop an E-Mail Preference Service (e-MPS) to enable consumers to reduce the amount of unsolicited marketing e-mail they receive. The DMA issued a Request for Information (RFI) on December 16, 1996 on the feasibility of developing an e-MPS. The information responses to the RFI helped The DMA determine to proceed to request proposals for the development of such a service in 1997. The Request for Proposals was issued on March 31, 1997, with proposals due by May 5, 1997.

It is contemplated that a contract will be awarded for development and implementation of the e-MPS by June 15, and that the e-MPS will be fully operational within a year. It is anticipated that there will be both a global e-MPS Web site and national e-MPS Web sites. The global e-MPS Home Page will have language options and point to the national e-MPS Home Pages where registration will take place.

3.11 What industry principles, recommendations or guidelines have emerged since the June 1996 Workshop? Please discuss whether they are permissive or mandatory, whether they include sanctions for non-compliance, and the extent to which they have been implemented within the industry.

The DMA and ISA presented their Joint Statement on Children's Marketing Issues to the FTC in June 1996 as a "discussion document."

After entertaining comments on the document for several months after the workshop, The DMA refined this Joint Statement into principles and developed guidance for its members. The DMA Board of Directors approved these principles and guidance in January 1997 as part of The DMA Marketing Online Privacy Principles and Guidance. These principles, which are to be enforced by The DMA's ethics peer review process, also include self-regulatory principles on unsolicited marketing e-mail and online notice and opt-out as well as children's marketing issues. The DMA's Committee on Ethical Business Practice began in February 1997 issuing a public report that, without identifying companies, describes all matters considered by the Committee, the practices found (if any) to violate The DMA Guidelines, and the Committee's disposition of each case. The Committee has decided to issue similar public reports about its activities three times a year. The DMA is also in the process of adding a section on children's issues to its Guidelines for Ethical Business Practice.

Prior to the Board's final approval of the Online Privacy Principles, The DMA through its newsletter and "Privacy Action Now" kit alerted its members at its October 1996 Annual Conference to the existence and availability of the principles in draft form. Also at the October Conference, 22 national direct marketing trade associations from five continents signed an agreement that will establish an International Federation of Direct Marketing Associations. Recognizing the global nature of the Internet, participants have agreed to establish self-regulatory principles for best practices for online marketing, building on earlier agreements for recognizing and facilitating consumers' mail and telephone preferences. The signatories to the agreement also have agreed to advance and adhere to a set of professional education, public relations, and consumer education practices. The IFDMA establishes the framework for cooperative advancement of common principles around the globe.

Following the Board's final approval of the Marketing Online Privacy Principles and Guidance, The DMA embarked on an aggressive campaign to educate its members engaged in online marketing about the principles and the benefits of their implementation. For example, The DMA showcased them at its March 9-11, 1997, "net.marketing" conference, and has developed a privacy exhibit to showcase them at all of its major conferences. It has also sent a copy of the Marketing Online Privacy Principles and Guidance to every member of The DMA.

The DMA also set aside a section of its Web site (http://www.the-dma.org/home_page/consumer/parents.html) just for parents. To lend its support to the major role that parents should have in monitoring their children's online experience and the success of technologies that enable parents to do so, The DMA has posted a listing of, and hyperlinks to, software packages of which it is aware that assist parents in monitoring and controlling the activities of their children online.

In cooperation with the Children's Advertising Review Unit (CARU) of the Council of Better Business Bureaus, Inc. (CBBB) and Call for Action, The DMA has also developed Get CyberSavvy! The DMA's Guide to Parenting in the Digital Age: Online Basics, Behavior and Privacy. This booklet and online information guide contains interactive activities for parents to help them share their children's online experiences while learning about privacy issues families might encounter with various online experiences. The guide helps parents make decisions about what information children may transmit and what they have online access to. The guide helps parents develop family Internet rules for online interactions. An online version of Get CyberSavvy will be available on The DMA Web site beginning approximately April 25, 1997.

3.19 Are there technological developments that might serve the interests of parents who prefer that their children not receive unsolicited commercial e-mail?

Building upon its experience in establishing and operating name and telephone removal services--the Mail Preference Service and Telephone Preference Service--The DMA is planning to develop an E-Mail Preference Service (e-MPS) to enable consumers to reduce the amount of unsolicited marketing e-mail they receive. Parents could list their children on e-MPS to reduce the amount of unsolicited marketing e-mail their children receive.

The DMA issued a Request for Information (RFI) on December 16, 1996 on the feasibility of developing an e-MPS. The information responses to the RFI helped The DMA determine to proceed to request proposals for the development of such a service in 1997. The Request for Proposals was issued on March 31, 1997, with proposals due by May 5, 1997.

It is contemplated that a contract will be awarded for development and implementation of the e-MPS by June 15, and that the e-MPS will be fully operational within a year. It is anticipated that there will be both a global e-MPS Web site and national e-MPS Web sites. The global e-MPS Home Page will have language options and point to the national e-MPS Home Pages where registration will take place.

Ultimately, however, nothing can take the place of adequate parental supervision. As with all of their children's activities, parents should monitor their children's usage of the Internet and online services. Use of passwords, software tools and parental access controls, and family rules will help parents prevent their children from disclosing their e-mail addresses and other personal information. The DMA has developed Get CyberSavvy! The DMA's Guide to Parenting in the Digital Age: Online Basics, Behavior and Privacy, discussed at 3.11, to help parents learn about privacy issues and develop family Internet rules for online interactions.