
WHY WE CAN AND SHOULD LIMIT CREDIT CARD COMPANIES' COLLECTION AND DISTRIBUTION OF CARD HOLDERS' PERSONAL TRANSACTIONAL DATA

Raymond M. Tinnian
Cyberlaw Seminar, Spring Semester, 2002
University of Iowa College of Law
Professor Nicholas Johnson
May 15, 2002


"Technology is neither good nor bad; nor is it neutral."

-- Melvin Kranzberg


Table of Contents

ABSTRACT
INTRODUCTION

I. THE SOURCES OF COMMERCIAL DATABASES
A. Credit Bureaus and Shopper's Discount Cards
B. American Express
C. Children's Web Sites
II. THE TECHNOLOGY INVOLVED IN ELECTRONIC TRANSACTIONS
A. History of VISA Corporation
B. The Mechanics of a Credit Card Purchase
C. Who is the "Acquiring Processor"?
D. Database Mining
III. THE EXISTING LAWS ON INFORMATIONAL PRIVACY
A. Sources of Law are Statutory and Regulatory
B. The Fair Credit Reporting Act of 1971
C. A Patchwork of Laws
D. The Gramm-Leach-Bliley Act
IV. WHY AN OPT-IN SYSTEM WOULD BE SUPERIOR, AND CONSTITUTIONAL, TOO
A. Opt Outs Do Not Work
B. Burying The Opt Out Notice in a Morass
C. The Opt-In Insures Informed Consent
V. THE 1999 CASE OF U.S. WEST V. F.C.C.
A. The Facts of the Case
B. The Issues
C. The Holding and Why It Is In Error
D. The Court Applied the Wrong Test
VI. THE NEED FOR REFORM
A. Does It Really Matter?
B. The Arguments For Database Profiling
C. The Potential Danger of Consumer Databases Goes Beyond Privacy
CONCLUSION

ENDNOTES


ABSTRACT

Over the last twenty years, the growth of computer technology has enabled the collection and cross-referencing of a wide variety of facts on individual consumers, including their names, addresses, personal spending habits and preferences. These are compiled into enormous lists that are commercially available to companies who wish to market products and services to likely customers. There is probably no immediate danger to Americans' personal liberty from this activity, and the companies who conduct this "consumer profiling" usually want nothing more than to market products. However, these databases are fraught with the potential for serious business and governmental abuse.

Current laws pertaining to informational privacy are an uneven and contradictory patchwork of specific reactions to isolated problems rather than a coherent set of specific regulations based on a clear and principled mandate. This problem could be solved by the adoption of a system similar to that of the European Union's Data Directive. This "opt-in" system would compel companies to seek explicit, affirmative permission from the subjects of commercial data gathering. The 10th Circuit Court of Appeals erred in U.S. West Inc. v. F.C.C., 182 F.3d 1224 (1999) when it held that a federally mandated "opt-in" system violated the First and Fifth Amendment guarantees as related to commercial speech and ownership of information. An opt-in system would permit beneficial data gathering while protecting consumers' privacy.


INTRODUCTION

Along with most other Americans, I have noticed over the last several years that my junk mail has gotten more and more specific to me. I now get solicitations for astronomy magazines, conservative magazines, history publications, and graduation photo services. One day recently, while purchasing a large amount of cheap beer with my VISA card, I began to wonder whether my specific credit card transactions were being tracked and placed in some large database somewhere which counts every immoral purchase I make, and profiles, in detail, my degenerate character. Do they know how much "Peanut Butter Crunch" I eat, or how often I go to Jiffy Lube instead of changing my own oil?

 According to a recent article in the Washington Law Review by Jeff Sovern, it is now possible to buy "lists of people who have bought skimpy underwear, college students sorted by major, class, and year... people who have lost loved ones, women who have bought wigs, callers to a 900 number national dating service... people who have had their urine tested, medical malpractice plaintiffs... impotent middle aged men, epileptics, people with bladder control problems, buyers of hair removal products... high risk gamblers, people who have been rejected for bank cards..."1 There are lists of "weight conscious consumers who had purchased low calorie foods such as yogurt and reduced fat breads... lists of 'fancy food buyers' - consumers who bought refrigerated pastas or frozen yogurt..."2

Certainly all of us are on some list or other, but what about the specific purchases that I make with my VISA card, issued by the University of Iowa Community Credit Union? Am I racking up a list of character traits with each purchase? Where does the information go? Who keeps it? Who sees it? Who are they? And... is this legal? Those are the questions I set out to answer with this paper, focusing primarily on purchases made with a VISA card, and I found the answers quite surprising. While acres of personal information about me are being legally swapped and exchanged on hundreds of different commercial database sources, no one, nowhere, at the current time, is tracking the specific purchases that I make with my VISA card.

I. THE SOURCES OF COMMERCIAL DATABASES

A. Credit Bureaus and Shopper's Discount Cards

What are these "commercial database sources" which are used to access consumer profiling information? The Fair Credit Reporting Act, which will be discussed below, does not prohibit credit-reporting agencies such as Experian, Equifax, and TransUnion from selling your personal consumer information to direct marketing companies. There are also some systems which are established for the exclusive purpose of collecting individual consumer information.

One category of these is the supermarket discount cards and the cards issued by department stores such as J.C. Penney's or Montgomery Ward. These cards are unabashedly used to find out who you are, what you buy, and when you buy it, and to use that information to refine the store's marketing techniques and to sell the information to commercial databases. This may not seem like a particularly harmful exercise, but as Simson Garfinkel puts it in his book Database Nation:
"Transactional-level information turns the art of marketing into a multivariable science experiment, with the store's customers doubling as laboratory rats."3

If this seems like rather overcharged language for a rather innocuous form of consumer research, consider the case of a Los Angeles man, Robert Rivera, who fell at a Vons market and injured his leg. When he threatened to sue the store, they looked up his purchase records and discovered that he had bought a great deal of liquor. The store informed Rivera that they would use that information against him in the lawsuit.4

Can law enforcement and other government agencies acquire this personal information without a warrant? Is there any reasonable expectation of privacy for information which you have willingly signed up to reveal, which you have been put on clear notice is being compiled, and for which you are being given store discounts and other incentives? These are as yet unresolved questions.

B. American Express

Another frequent contributor to these "commercial databases" has been the American Express Co. Since AmEx is an independent card operation they ARE the issuing bank and so it is much easier for them to assemble huge databases on consumer transactions. This is more difficult for VISA and Mastercard since they are just brand names for hundreds of different, competing bank credit cards.5

It has been well known since 1992 that AmEx compiles and sells consumer transactional information, in spite of some strange non-denial denials.6 On May 14, 1992 the Washington Post announced: "Credit Card Holders to Be Warned of Lists; American Express Collects, Sells Buying Habits Data."7 At the time, AmEx was not disclosing this information to cardholders. AmEx still creates these databases, and markets them, and has no plans to stop.

Other ways in which these commercial databases are created are when you fill out your "product registration" and return it to the company for your new VCR, or other purchase. You may be led to believe that your warranty won't be valid unless you fill out the little form. Not true, but that's how they get you.

C. Children's Web Sites

Children are also easy to prod for personal information. Many children's web sites such as "FunBrain.com" and "Bonus.com"8 are filled with games and puzzles, and the child is told that she must register if she wishes to have game scores saved and be eligible for fun prizes. Most of these sites exist for no other purpose than to collect information for marketing research. It is estimated that around 90% of web sites directed at children also collect personal information.9 In one unusually crass example, a toy manufacturer ran a television commercial featuring a clown who told the children watching to place their telephones near their television sets. Then the commercial played tones which dialed a 1-800 number, providing the toy manufacturer with the telephone numbers of phones from which the calls were placed.10 The Children's Online Privacy Protection Act has not stopped online information gathering, but there is now at least an affirmative duty for children's web sites to seek an explicit opt-in from the parents of a child under 13. It is well known that most commercial websites on the Internet collect personal information.

II. THE TECHNOLOGY INVOLVED IN ELECTRONIC TRANSACTIONS

A. History of VISA Corporation

To understand what happens when you swipe your VISA card at the checkout counter, you must first understand what VISA actually is. VISA is a payment system, with over 21,000 member financial institutions around the world. It originated in California in 1958 and was known as "BankAmericard" before 1976. It changed its name to VISA because it sounded like a "simple, memorable name with an international flavor that is pronounced the same way in almost every language."11

VISA operates the global electronic authorization system, but VISA doesn't get the money from you when you pay your bill, nor does it issue money to the vendor when you buy your cheap beer. VISA is a brand name with a trademark, and it enters into licensing agreements with banks and other financial institutions.12 The bank issues your VISA card and vouches for your conduct with that card. The bank (or "card issuer") owns the information gleaned from credit card transactions and is responsible for notifying you of your right to "opt out" of direct marketing lists. Like every financial institution, it does provide some of your information to credit reporting agencies.

VISA provides all of its card issuers with a set of "privacy principles" stating, in part, that "issuers should restrict disclosure of specific information about individual cardholder accounts... [unless] the cardholder has been informed in advance through a cardholder agreement or communication about such disclosure activities."13 VISA privacy principles make clear that some issuers may provide cardholder information to "non affiliated third parties for marketing purposes"14 so long as the cardholder is informed and given the opportunity to opt out. That means that many banks probably do sell your information to direct marketers, it just so happens that my card issuer, the University of Iowa Community Credit Union, isn't doing that.

B. The Mechanics of a Credit Card Purchase

With those card issuers who track one's transactional information, it is the "acquiring processor" who sits directly in the middle of the transaction, and is therefore in the best position to accumulate your personal information. To demonstrate the role of the "acquiring processor" in an electronic transaction, we need to understand what a credit card transaction looks like. Here is what usually happens when you buy something with your VISA card:

1. You swipe your card and the merchant's payment software sends the encrypted transaction data to an "acquiring processor" via a private dial-up or leased line.
2. The "acquiring processor" communicates the transaction information to the issuing bank, which either authorizes the transaction or denies it.
3. If your card is approved, the issuing bank authorizes a certain amount of money and issues an authorization code. There is not yet a charge on the customer's bill.
4. The acquiring processor communicates to the merchant that the purchase has been approved.
5. The acquiring processor issues credits to the merchant, and the corresponding amount of money is charged to the consumer's credit card account by the processor.
6. The transaction is "captured" by the merchant, whereupon she presents you, the consumer, with your 12-pack of cheap beer and a receipt.
7. The merchant accumulates "captures" and "credits" into a batch, and submits these to the acquiring processor.
8. When the acquiring processor receives the batch, it sends payment instructions to the card issuing banks and the merchant's bank.
9. Money transfers from the issuing bank to the merchant's bank.15

In the case of my VISA card, the acquiring processor then transfers my transactional information to "MembersGroup" in Des Moines, Iowa, who generate my statement and send me the bill. I send them my check and they credit this to my account.16
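The nine-step flow above as an added simulation (example code, not from the paper): one merchant, one acquiring processor and two card issuers exchange authorization, capture and batch-settlement messages, and each party records what it has handled, so the reader can see which of them ends up holding transaction records for every cardholder. All party names, card numbers, routing prefixes and amounts are constructed.

```python
"""Simulated card purchase: authorize -> capture -> batch settle.

Constructed example. Each party keeps every message it handled in `seen`,
which lets cards_seen() show the acquiring processor's view of the whole
system versus each issuer's view of only its own cardholders.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Party:
    name: str
    seen: list = field(default_factory=list)  # every message this party handled

    def observe(self, msg: dict) -> None:
        self.seen.append(dict(msg))


@dataclass
class Issuer(Party):
    """Card-issuing bank: approves against remaining credit and holds funds."""
    open_to_buy: dict = field(default_factory=dict)  # pan -> remaining credit
    holds: dict = field(default_factory=dict)        # auth_code -> reserved amount
    next_code: int = 1000

    def authorize(self, req: dict) -> dict:
        self.observe(req)                      # step 2: issuer sees pan, amount, merchant
        pan, amount = req["pan"], req["amount"]
        if self.open_to_buy.get(pan, 0) < amount:
            return {"pan": pan, "approved": False}
        self.open_to_buy[pan] -= amount        # step 3: reserve funds and issue an
        code = f"A{self.next_code}"            # authorization code; nothing billed yet
        self.next_code += 1
        self.holds[code] = amount
        return {"pan": pan, "approved": True, "auth_code": code}


@dataclass
class Acquirer(Party):
    """Acquiring processor: routes on a constructed 4-digit card prefix."""
    issuers: dict = field(default_factory=dict)  # prefix -> Issuer
    payments: list = field(default_factory=list)

    def authorize(self, req: dict) -> dict:
        self.observe(req)                      # step 1: acquirer sees the full request
        resp = self.issuers[req["pan"][:4]].authorize(req)
        self.observe(resp)
        return resp                            # step 4: result relayed to the merchant

    def settle_batch(self, batch: list) -> list:
        """Steps 7-9: take the merchant's batch, instruct issuer and merchant bank."""
        instructions = []
        for cap in batch:
            self.observe(cap)
            issuer = self.issuers[cap["pan"][:4]]
            amount = issuer.holds.pop(cap["auth_code"])   # hold becomes a charge
            instructions.append({"from": issuer.name, "to": cap["merchant_id"],
                                 "amount": amount})
        self.payments.extend(instructions)
        return instructions


def purchase(merchant: Party, acquirer: Acquirer, pan: str, amount: float,
             basket: list) -> Optional[dict]:
    """One checkout. The itemised basket stays with the merchant; only card
    number, amount and merchant id travel onward (steps 1, 4 and 6)."""
    merchant.observe({"pan": pan, "amount": amount, "basket": basket})
    resp = acquirer.authorize({"pan": pan, "amount": amount, "merchant_id": merchant.name})
    if not resp["approved"]:
        return None
    return {"pan": pan, "amount": amount, "merchant_id": merchant.name,
            "auth_code": resp["auth_code"]}   # the "capture" the merchant batches later


def cards_seen(*parties: Party) -> dict:
    """Distinct card numbers each party has handled, across all messages."""
    return {p.name: sorted({m["pan"] for m in p.seen if "pan" in m}) for p in parties}


def run_demo() -> dict:
    """Two cardholders from different issuers shop at one merchant (constructed)."""
    cu = Issuer("CreditUnion", open_to_buy={"4001000000000001": 50.0})
    bank = Issuer("BigBank", open_to_buy={"4002000000000002": 500.0})
    acq = Acquirer("Processor", issuers={"4001": cu, "4002": bank})
    store = Party("GROCER-01")

    batch = []
    for pan, amount, basket in [
        ("4001000000000001", 18.99, ["beer 12-pack", "peanut butter cereal"]),
        ("4002000000000002", 240.00, ["golf clubs"]),
        ("4001000000000001", 45.00, ["motor oil"]),   # exceeds remaining credit: declined
    ]:
        cap = purchase(store, acq, pan, amount, basket)
        if cap:
            batch.append(cap)
    paid = acq.settle_batch(batch)
    return {"reach": cards_seen(store, acq, cu, bank), "payments": paid,
            "declined": len(batch) == 2}


if __name__ == "__main__":
    for party, pans in run_demo()["reach"].items():
        print(f"{party:12s} handled {len(pans)} distinct card number(s)")
```

The merchant and the processor each handle both card numbers, while each issuer handles only its own; the itemised basket never leaves the merchant unless it is merged with the processor's record separately, which is what the text later describes FirstInsight offering to do.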

 C. Who is the "Acquiring Processor"?

As you can see from this abbreviated transactional outline, the people most perfectly situated to compile a list of people who drink cheap beer are the acquiring processors. In my case, this would be "First Data Corporation" (FDC) in Omaha, Nebraska. This company processes most VISA transactions nationwide, and they do indeed compile extensive consumer databases and provide the card issuers with access to this information. But the information they compile and sell is contingent on the specific policy of the card issuer and its relationship with direct marketing companies. The card issuer still owns the transactional information and they are the ones who will either sell your information to direct marketers or refrain from doing so. The acquiring processor is bound by the same confidentiality standards as the issuing bank.

Nonetheless, First Data Corporation has made extensive forays into the business of compiling your personal information. According to a First Data Corp. press release, dated Feb. 28, 2001:

 "Today, First Data Corp... announced its card issuing services and subsidiary ieWild Inc., a San Diego-based software and predictive customer analysis company, have agreed to offer card issuers technology that provides keen insight into card holder purchasing preferences... under the First Data brand FirstInsight (SM).
 "FirstInsight is a sophisticated data mining, analysis and reporting solution that merges merchant data with bankcard transactional data to give the card issuer better opportunities for one on one value offers.
 "FirstInsight allows card issuers to take merchant data and cardholder transactions and use the information to segment cardholders and understand their buying behavior."17

The contact listed for the press release was Nancy Etheridge, so I called her to ask her what was the meaning of this. Does it mean that FDC is compiling lists of transactional data and trying to sell the info back to the issuing banks?

She told me that the press release was a year old, that the deal with ieWild fell through, and that she doesn't believe that company even exists any more. She would give me no further information about their databases except to say that they are only shared with the card issuers, not third party direct marketing firms.

 D. Database Mining

So how do direct marketers get these lists of every one-eyed midget in Texas, or every college sophomore in Eastern Iowa who's on a diet and wears glasses? These types of lists are produced by a technology called "consumer database mining." According to one of the vendors of this technology, it is a set of computer software applications which allows "data selection, exploration and building models using vast data stores to uncover previously unknown patterns."18 This technology has many non-commercial, scientific applications as well. According to Nautilus Systems, another vendor, it can be used for analyzing geologic data from an earthquake to create predictive models for future events, and also for tailoring the Emergency Information Management System to better respond to various scenarios. But it is also used for "[a]nalysis of buying habits and trends of potential credit card holders..."19 At the "Very Large Database" conference in San Francisco in 1998, Nautilus presented a case study in which:

" a client had described the buying habits and buying trends desired in new subscribers. The optimal candidates were individuals likely to be repeated purchasers of 'best of class' item, demonstrating not only available disposable income but also a likelihood of continuation of desirable purchasing trends... [ie: purchase of titanium mountain bikes or expensive golf clubs which indicate a 'status conscious image'].
"Nautilus Systems used its proprietary data mining techniques to extract transactional data matching these product and service categories from commercial database sources, and by examining buying trends contained within mercantile databases of credit card purchases."20
 VISA not only contracts with services like Nautilus to pursue its own marketing of high end VISA cards, but VISA uses data mining tools to "manipulate and extrapolate knowledge on its [existing] customers."21 So while they do not necessarily sell your information to direct marketers, there is nothing in the law which prevents VISA from using it for their own marketing purposes, to seek out new card members.

III. THE EXISTING LAWS ON INFORMATIONAL PRIVACY

A. Sources of Law are Statutory and Regulatory

The laws relating to informational privacy in the United States could be likened to a labyrinth. There are hundreds of overlapping and sometimes contradictory regulations and statutes promulgated by various government agencies, such as the Federal Trade Commission, the Securities and Exchange Commission, the National Credit Union Administration, the Federal Deposit Insurance Corporation, the Department of Commerce, and others, in response to 32 separate Acts of Congress.22 It has often been said that privacy law in the United States is uneven and inadequate.23 One law professor has called it "a patchwork of ad hoc responses to outrage over past invasions of privacy rather than a coherent set of rules based on fundamental principles and policies."24 This is particularly true in comparison to European Union law, which is much more protective of privacy and less ambiguous than U.S. law.25

 B. The Fair Credit Reporting Act of 1971

 American law on consumer privacy and information over the last 30 years has been the result of constant tension between privacy activists, academics, concerned politicians, and the business interests who profit from compiling and exchanging personal information about individual consumers of goods and services. The first federal laws passed to protect computerized records of personal information were in the early 1970s in response to the growing industry of credit reporting and some of the abuses and errors of the burgeoning credit bureaus. Thousands of Americans were being erroneously billed, discredited, or otherwise victimized by credit reporting errors.

Credit reporting companies, in addition to committing numerous errors, would dispense personal information on consumers to almost anyone except the actual subjects of the information. The movement to address the problems created by this largely secret industry was initiated with several books published by Alan Westin in the late 60s: Privacy and Freedom, Databanks in a Free Society, and The Naked Society.26

After a series of hearings at which Alan Westin testified, Congress passed the Fair Credit Reporting Act (FCRA) in April, 1971. This law did nothing to slow the growth of the consumer credit reporting industry, but it did provide the subjects of consumer reports with the right to view their information and correct errors. This law also established limits on the scope of disclosure of personal information.27 The information which could be gathered was limited to credit information. This included the consumer's name, address, social security number, credit lines, credit balances, credit limits, payment histories, bankruptcies, liens, and public judgments against the consumer. As amended in 1996, the FCRA only allows the information to be sold to those with a "permissible purpose," such as creditors, employers, landlords, and insurers.28 Unfortunately for privacy advocates, the FCRA has a rather considerable loophole. Demographics, population statistics, purchasing habits and other information are not considered part of a person's credit history and so are not covered by the law.29

There are only three major credit reporting agencies which dominate the industry: Equifax, Experian, and TransUnion. These three companies energetically assemble marketing lists which they sell to companies looking to market their products directly to persons whom they feel would be likely to be interested in them.30 While the FCRA is effective at preventing the worst abuses of a person's credit information, it allows the propagation and the marketing of consumer databases to proceed virtually unimpeded.

C. A Patchwork of Laws

As mentioned earlier, many of our current privacy laws were enacted to address some specific outrage, rather than being based on a consistent set of universal principles. The Video Privacy Protection Act of 1988 (18 U.S.C. § 2710) effectively opens video rental stores to civil suit if they disclose which movies you rent. This was passed in response to the Bork confirmation hearings, in which the judge's movie rentals were released to the Senate Judiciary Committee. This became a national issue in 1987 when Bork was defeated for a seat on the U.S. Supreme Court.31

The Driver's Privacy Protection Act of 1994 (18 U.S.C. § 2721) was passed in response to the murder of a television actress, Rebecca Schaeffer, in 1989, by an obsessed fan who acquired her address and other personal information through her California motor vehicle records.32 This act prohibits the public dissemination of certain types of information held by departments of motor vehicles.33

The Children's Online Privacy Protection Act of 1998 (Rule 16 CFR Part 312) regulates the collection over the Internet of personal information from children under the age of 13.34 This act was passed in response to a growing national concern in the mid-1990s about children meeting unsavory characters on the Internet, and the sale and resale of information about children to various marketing agencies.35

All of these Congressional Acts have implications requiring complex cross referencing to other federal regulations promulgated by the DOT, the FDIC, the FTC, the FCC, the SEC, and others. Each one of these acts serves a narrow purpose that could be better addressed by a single, national opt-in system for most transactional information.

D. The Gramm-Leach-Bliley Act

The latest attempt at a single, national standard for informational privacy is inadequate from the start. The Gramm-Leach-Bliley Act of November 1999 (PL 106-102) is the latest round in the ongoing privacy law saga. This act deals primarily with modernization of the requirements for financial disclosures in banking and securities transactions, and removing legal barriers that have separated banks, insurers, and securities firms, but it also contains substantive privacy provisions dealing with the informational privacy of consumers. This law was strongly opposed by the "financial services industry."36

The Gramm-Leach-Bliley Act (GLB) set a deadline (November 2000) for various federal agencies such as the SEC, the FDIC, and others, to promulgate new rules about privacy. One of the primary purposes of the GLB was to reduce the multiplicity of privacy regulations, to get all the various federal agencies to work together to produce "consistent and comparable" privacy regulations between the agencies, so that some uniformity of regulation can be achieved.37

The preamble to the GLB mandates "that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information."38 The act requires "clear and conspicuous" notice to consumers by any financial institution before it may disclose personal information to third parties, and the chance for consumers to opt out before any of their information is disseminated.39 The act further reserves authority to various states to enact more restrictive legislation increasing the privacy protections and required disclosures, and a great deal of legislation is pending in this area.40 Nonetheless, the Gramm-Leach-Bliley Act, while insuring consumers the opportunity to opt out of the consumer database business, insures that an opt-in system is far over the horizon. There is no reason to think that the "clear and conspicuous" standard which GLB mandates will result in any more informed consent on the part of consumers than the FCRA's "clear and conspicuous" standard has in the past.

IV. WHY AN OPT-IN SYSTEM WOULD BE SUPERIOR, AND CONSTITUTIONAL, TOO

A. Opt Outs Do Not Work

If the goal of requiring an opt-out provision is to give consumers an informed opportunity to be left off the mailing lists, then it does not work. The near universal practice of banks, credit bureaus, and others is to bury the opt-out notice deep inside a small print folder of other mandatory disclosures. Notice to consumers of the right to opt out of inclusion in a consumer database is almost invariably mailed to them in the form of a dense folder of tiny print legalese included with a credit card bill, or if separate, it is often in a format calculated to resemble junk mail.41

Research has shown that "...the majority of the general public is still unaware of the exact nature of marketing uses and the availability of opt-out choices. The industry itself recommends the use of only vague notices that do not offer meaningful disclosure of practices." 42 Another study shows that "Many consumers are unaware of personal collection and marketing practices. They are misinformed about the scope of existing privacy law, and generally believe that there are more safeguards than actually exist."43

B. Burying The Opt Out Notice in a Morass

The 1996 amendments to the FCRA state that the "opt out" notice must be "clearly and conspicuously disclosed to the consumer..."44 but this law is routinely disregarded by financial institutions, most of whom continue to include the privacy notice toward the middle of a small print document filled with other required disclosures. If the consumer does happen to find the opt out procedures and chooses to avail herself of them, she must often write a letter to an address different from the one shown on her mailing.45

American Express provides some of the most inscrutable privacy notices. For example, the latest privacy policy notice from American Express Travel Related Services Company Inc. (April, 2002) lists the privacy information in paragraph seventeen, in a folder stuffed with other mandatory disclosures in fine print. The word "privacy" does not even appear anywhere in the paragraph, which is entitled "Information Provided to Affiliates." The notice states that:

"You may direct us not to share with our affiliates and subsidiaries certain information (other than transaction or experience information) about you or your Corporate Card account by writing to us at: American Express, P.O. Box 7852, Ft. Lauderdale Florida."

This doesn't tell us what "certain information" they are talking about, nor does it say who or what is an "affiliate" or a "subsidiary." Section eighteen informs the reader that "routine uses" of charge information by "[a]gencies are published periodically in the Federal Register." How many people are going to go look in the Federal Register to find out what "routine uses" of their information are? Is this really a meaningful opt out for an average consumer? Is this clear and conspicuous?

Here, in part, is the U of I Community Credit Union's privacy policy, carefully crafted to comply minimally with the Gramm-Leach-Bliley Act:

"We may disclose nonpublic personal information about you to the following types of third parties: ...consumer reporting agencies, data processors... direct marketers and government agencies....
"To protect our member's privacy, we only work with companies that agree to maintain strong confidentiality protections and limit the use of the information we provide. We do not permit these companies to sell the information we provide to other third parties" [emphasis added].

This raises the obvious question: if my information may already be disclosed to direct marketers, what difference does it make if they sell it to some other third party? The guys that want it have already got it. The Credit Union's privacy policy seems to say two separate things, which are not reconcilable. The notice might not be considered "clear and conspicuous" and might even be considered to violate 15 U.S.C. § 6802(b)(1)(A) if the institution actually chose to release consumer information to non-affiliated third parties. However, they assure me that they do not.

I was informed unequivocally by Richard Noble, senior vice president of operations at the U of I Community Credit Union, that they do not, have not, and never will sell any of my account or transactional information to third parties.46 Doug Sanders, Internal Auditor at the UICCU, says that there is information exchange with MemberConnect, a direct affiliate of the CUNA (Credit Union National Association), who market auto loans and insurance to members based on specific criteria provided by the UICCU such as age group, car loans, etc. But absolutely no account information, much less credit card transactional data, is given to "direct marketers" or other third parties by my card issuer. If they did so, they would be required to offer a "clear and conspicuous" opt out, which they do not. Then why does the policy inform me that my data may be released to "non-financial direct marketers"? The UICCU privacy policy is a canned document provided to them by the CUNA, and as such is slightly inaccurate.47

 C. The Opt-In Insures Informed Consent

 Most of the problems of ambiguous or deceptive privacy policies are solved with the opt-in system. The European Union Data Protection Directive simply mandates that a consumer must "opt in," that is, to consciously assert that they are willing to allow themselves to be profiled in order for this activity to be legal.48 This has been and will continue to be a source of great friction between American and European trading partners. American business interests live in a state of virtual terror that the U.S. will also move to such a system.

 If the question were put to consumers directly, it is likely that the overwhelming majority would favor the opt-in system. In 1991, a survey conducted by Time Magazine and CNN found that "ninety three percent of respondents agreed that the law should require companies to obtain permission from consumers before selling their personal information."49 Further, it seems likely that companies would make it far easier to opt-in than they currently make it to opt out. There would be offers, incentives, and the consent obtained by marketers would be genuinely informed, unlike with the current opt out system of which few consumers are even aware.

 V. THE 1999 CASE OF U.S. WEST V. F.C.C.

 A. The Facts of the Case

The opt-in system with regard to consumers' proprietary information has been briefly attempted in the United States, as shown by the recent case from the 10th Circuit, U.S. West, Inc. v. F.C.C. For years, the U.S. West Telecommunications Company has been keeping track of telephone subscribers' personal information. The company tracks telephone subscribers' calls and compiles lists of who they are, who they call, where they call, when they call, how often, and for how long. This information is called Customer Proprietary Network Information (CPNI). This CPNI is used, in part, to insure that when a customer calls the company for service, the operator can access the person's relevant account information. However, U.S. West has also been making this information available to third parties for marketing purposes.50

In § 702(c)(1), 47 U.S.C. § 222(c)(2) of the 1996 Telecommunications Act, Congress "chose to require carriers to obtain customer approval prior to using, disclosing, or allowing access to individually identifiable CPNI."51 The specific words of the Act say that CPNI cannot be used without "the approval" of the customer.52 The Act contains an exception permitting the use of such information for customer service or billing without prior consent.53

 What the Act does not make clear is what is meant by the word "customer approval." Is it enough to send the customer a vaguely worded notice of her right to opt out, and, if she doesn't, may you then presume that you have her "approval"? Or must the "approval" of the customer be explicit and informed, as with an "opt-in" system? The FCC reviewed the language of the Act with great care54 and concluded that the best way to insure the actual approval of customers for the dissemination of their CPNI was to create regulations that establish an opt-in system.55

 B. The Issues

 U.S. West, Inc. challenged the F.C.C.'s CPNI Order interpreting § 222's requirements for what constitutes "customer approval," and this was the fighting issue in the case of U.S. West, Inc. v. F.C.C.: did Congress mandate that an "opt-in" system was required? U.S. West argued that the F.C.C.'s approval requirement violated the First and Fifth Amendments of the U.S. Constitution because it impinged upon their rights of commercial speech and constituted a taking of their property. They further argued that the opt-in requirement was a "gratuitously severe construction" of the Telecommunications Act.56 The F.C.C. argued that they were enacting the intent of § 222 as it was clearly written, that no commercial or other free speech rights were implicated in the decision, and that the consumers' proprietary information was not the property of U.S. West, Inc. By a narrow margin, the 10th Circuit vacated the F.C.C.'s CPNI Order requiring "affirmative approval."

 C. The Holding and Why It Is In Error

 Relying on the "four part framework" for commercial free speech outlined in Central Hudson Gas and Electric Corp. v. Public Service Commission, 447 U.S. 557 (1980), the 10th Circuit found that the implicated speech was "non-misleading."57 The Court found that there were serious reservations about the government's "substantial interest" in protecting consumer privacy but it would be assumed "for the sake of this appeal that the government has asserted a substantial state interest in protecting people from the disclosure of sensitive and potentially embarrassing personal information."

 The Court found that the government had failed entirely on the third prong of the Central Hudson test: "Does the regulation directly and materially advance the state's interests?" The 10th Circuit found that:

"The government presents no evidence showing the harm to either privacy or competition is real. Instead, the government relies on speculation that harm to privacy and competition for new services will result if carriers use CPNI."

 In this reasoning, the Court begs the question: what amount or type of personal information being swapped and sold by corporations would constitute a "harm to privacy"? Putting the burden on the government to prove actual harm to privacy is to slothfully shift the interpretive burden on "what is privacy." If, for example, hundreds of strangers are informed that you frequently call 1-900 "hotsex" phone numbers, how is your privacy harmed? Your privacy is harmed in this case by strangers having easy access to information about you that is potentially embarrassing. The court should not force the F.C.C. to demonstrate "harm" but should simply see that certain avenues of disclosure without informed consent constitute a per se harm to privacy.

 The fourth prong of the Central Hudson test is "are the proposed regulations narrowly tailored to serve the government's interest?" The Court found that the F.C.C. CPNI Order was not "narrowly tailored" because there was a less restrictive means of protecting the government's interest:

 "...the FCC's failure to adequately consider an obvious and substantially less restrictive alternative, an opt-out strategy, indicates that it did not narrowly tailor the CPNI regulations regarding customer approval."58

 Here is where the reasoning of the 10th Circuit seems to fall apart. As we have already seen, the opt out strategy does not protect consumer privacy; therefore it does not fulfill the obligations that the Telecommunications Act imposes upon the Federal Communications Commission. The opt-out strategy may be less restrictive, but it does not serve the government's admittedly substantial interest in protecting consumer privacy. The F.C.C. did indeed consider, in great detail, the opt out strategy,59 and the 10th Circuit majority is simply wrong in saying that it didn't.

 Further, as pointed out in an EPIC/ACLU Amicus Curiae brief, the court erred in choosing to employ a "least restrictive means test" in a case of commercial speech. In 1989 the U.S. Supreme Court distinguished its holding in Central Hudson concerning the standard of review in commercial speech cases. In the case of Board of Trustees v. Fox, 492 U.S. 469 (1989), the high court held that the "least restrictive means test" should not be used in cases of commercial speech.

 D. The Court Applied the Wrong Test

There is a world of difference between the "narrowly tailored" and "least restrictive" tests. "Narrowly tailored" means that the government may not take a "scattershot" approach, but there must be a reasonable relation between the commercial speech restriction and the harm sought to be avoided. The "narrowly tailored" test ought to resemble a variation of "intermediate scrutiny," or, as the Supreme Court said in a case subsequent to Central Hudson, all that is required of the government in commercial speech cases is that the means of accomplishing the government's legitimate objective be "tailored in a reasonable manner" to fit the ends.60

The "least restrictive" analysis is distinct, and far harsher. It often amounts to "fatal scrutiny." The "least restrictive means" test has usually been reserved only for our most sacred rights, and commercial speech does not fall into that category. The Supreme Court has made abundantly clear that the means/ends test for commercial speech restrictions is considerably looser than for ordinary First Amendment rights. If the 10th Circuit had applied the correct test, clarified by the Supreme Court in the cases of Edenfield v. Fane, 507 U.S. 761 (1993) and Board of Trustees v. Fox (1989), both decided after Central Hudson, the FCC's CPNI Order should have been permitted to stand.

 For the 10th Circuit to say that the requirements of "approval" are met by a mushy, nebulous "notice" in the mail, that almost no one reads and even fewer people respond to, the implications of which are understood by a scant minority, is to put a burden upon consumers to think and behave like lawyers. U.S. West, Inc. is a case where Congress and the F.C.C. have tried their level best to protect consumer privacy in one specific area, and the 10th Circuit has, with dubious reasoning, quashed that attempt.

VI. THE NEED FOR REFORM

A. Does It Really Matter?

Privacy law is largely contingent on how people feel about their privacy. Many people don't mind having incidental information about some of their grocery store purchases passed around, but would not like sensitive personal information available to strangers. A 1996 study commissioned by Equifax found that 11% of consumers find profiling "very acceptable" and there is another core group of "privacy fundamentalists" (24%) who favor strong privacy laws. Most people understand and expect that their credit history being compiled and accessed is a necessary evil, which cannot be eliminated.61

B. The Arguments For Database Profiling

Business groups who favor commercial databases make several arguments. One is that consumers need their junk mail and telemarketing calls, for example:

"Because opting in would call for added time, attention and effort, many consumers would miss opportunities they would like to have, opportunities that would improve their condition."62

To that, one might respond "let's just put it to a vote."

Another argument emphasizes how the poor would suffer without their junk mail and telemarketing:

"...the poor do not have ready access to information about products and services...Under this analysis it is thought that lower income persons therefore benefit the most from targeted marketing that information sharing facilitates, and, thus, those who would impede information sharing are advocating a course of action that would harm the less fortunate."63

This argument always brings a smile to my face as I contemplate the uplift that the bitterly poor must feel each time they get another credit card offer in the mail, or a dinnertime phone call from Sprint PCS. There is a more compelling argument made by database business advocates, and it goes like this:

The Government is the real danger, and it is fomenting an exaggerated concern for commercial privacy to distract our attention from some downright Orwellian intrusions that the federal government has made into financial privacy in the last 20 years, largely in pursuit of the drug war. The "Financial Crimes Enforcement Network" (FinCEN) has the machinery and the authority to scan almost any financial transaction in the country to look for the illicit financial fruits of drug dealing or other crime.

FinCEN demands "currency transaction reports" for any use of currency over $10,000 (77 million of these were filed from 1987 to 1995, with the net result of just 580 criminal convictions). A report must be filed every time more than $750 is wire transferred. The Bank Secrecy Act requires a "suspicious activity report" to be filed by any bank whenever the banker has 'reason to suspect' that a transaction is unusual for that customer. An even more intrusive regime was narrowly averted when the proposed "Know Your Customer" rules were withdrawn under public pressure in 1999.64

These laws are said, with some justification, to make the activities of the direct marketing industries look tame indeed. It is also pointed out that the overall amount of junk mail circulating is being reduced by more direct, more targeted marketing, resulting in a net savings of trees and money. I can find no persuasive refutation of this argument, although one legal scholar has said that the actual amount of junk mail reduction is negligible.65 All of the arguments in favor of the compilation of vast consumer databases still raise the essential question: if direct marketing is such a wonderful thing, it shouldn't be that hard to persuade consumers to participate voluntarily.

C. The Potential Danger of Consumer Databases Goes Beyond Privacy

Gramm-Leach-Bliley is likely to be the last congressional action on consumers' informational privacy for the foreseeable future, unless some new outrage should begin to circulate in the news. Only time will tell whether the GLB will effectively restore some degree of personal privacy to the American consumer, but there is no reason to believe that very much will change as a result of this Act. The European system has a great deal of appeal, because it insures that persons are only on lists that they want to be on. The European system puts an affirmative duty on direct marketers to actively solicit customer permission instead of the current system of burying opt out provisions deep in a morass of legal goo.

Historically, the compilation of databases has been put to barbarous use, and could be similarly employed in the future. Computer technology designed to keep track of individual citizens has been used in the past to assist in genocide. In the 1930s IBM provided its punch card technology to its German subsidiary with the acronym "Dehomag." This company played a central role in the 1939 German census which helped the Nazis to identify "racial Jews" and track the bloodlines of German citizens. The punch card machines were used by the "Race and Settlement Office" of the SS, and also in concentration camps. IBM's punch card technology "helped to automate the mass production of death."66

It would be absurd to suggest, as one author has,67 that the owners of IBM bear some responsibility for the horrific use to which their technology was put by the Nazis. However, the point remains that huge government databases do present very real dangers to free citizens in times of war and upheaval.

 It could be said that we are living in a warlike time, or soon will be. For the last several years a group of database marketing companies have formed into what they call the "Consumer Profile Exchange (CPEX) Working Group." Their stated goal is to create "an XML based standard [which] incorporates online and offline data to enable singular, simultaneous customer view within multiple enterprise applications."68 In plain English, what they want to do is form a central clearinghouse in which 90 separate companies can pool all of the customer information, "incomes, home addresses, and shopping habits," which currently resides in various computer systems, into one enormous database. One "enthusiast," Bradley Husick, vice president of software maker Vignette, said:

"Wouldn't it be great... if when you call the customer relations department about a problem with a new laptop you bought, that they know exactly what kind of machine you bought and when you bought it? That's what this standard does. It helps with customer service."69

 Great for that particular exchange, and even greater for the purposes of government surveillance of every man, woman and child in the United States. The FTC is still wary of approving this application of XML, but some companies are taking advantage of Sept. 11 fears to make a second push. On April 3, 2002, CNN reported:

"Top financial companies are working to figure out how to use public and private consumer databases to catch possible terrorists..." Marty Abrams, of the Center for Information Policy Leadership, says: "We have to think about how to use information to create profiles about what a bad guy might look like."70 Ergo, government surveillance of your credit card purchases may be closer than you think.

CONCLUSION

When the issue of consumer informational privacy was first being debated back in the early 70s, a report by President Nixon's secretary of Health, Education and Welfare, Elliot Richardson, proposed a set of five aspirational principles about computers and privacy (paraphrased):

1. No personal data record-keeping systems whose very existence is secret.
2. There must be a way for a person to find out what information about them is being kept.
3. A person must be able to prevent information gathered for one purpose from being used for another purpose without one's consent.
4. There must be a way for a person to correct erroneous information.
5. Organizations who keep this data must insure its reliability and prevent its misuse.71

With the dizzying acceleration of data gathering technology and the strong incentives for companies to quietly keep and use this information, we are farther from realizing them today than when they were first proposed in 1973.


ENDNOTES

1 Jeff Sovern, "Opting In, Opting Out, or No Options at All: The Fight for Control of Personal Information," 74 Wash. L. Rev. 1033, 1034 (1999).

2 Ibid., 1038-1039.

3 Simson Garfinkel, (1999) p. 158.

4 Privacy Journal, March, 1999, p. 5 (cited in "Database Nation," Garfinkel, p. 159).

5 Bruce Horovitz, "AmEx to Sell Information About Consumers," USA Today, May 13, 1998, p. 1A.

6 Ft. Lauderdale Sun Sentinel, May 14, 1998, "Amex Stirs up Privacy Debate; Denies Selling Consumer Data:"
"Gail Wasserman... [spokesperson for AmEx, said] 'American Express does not sell or provide individual transaction information to any third party for marketing purposes'... On Tuesday, American Express and KnowledgeBase announced a partnership to develop services to help merchants scout prospects. "
It would be intriguing to try to figure out just which word in Wasserman's statement makes it not quite a lie, but one must recall that this was in 1998, during the height of the Clinton Administration, when millions of Americans were taking their cue from the president.

7 Albert B. Crenshaw, "Credit Card Holders to Be Warned..." The Washington Post, Financial, May 14, 1992, p. D11 (from http://www.lexis.com/resea...).

8 Learning Network, Fun Brain.com, http://www.funbrain.com/mission.html and http://www.bonus.com.

9 Sovern, (1999) 74 Wash. L. Rev. 1033, 1041.

10 Ibid., p. 1040.

11 VISA homepage, "About VISA, Who We Are" p. 2 of 5. http://usa.visa.com/personal/about_visa/who/who_we_are_history.html

12 Russell Schrader, Letter to the Securities and Exchange Commission Concerning the Proposed Privacy Regulations, March 15, 2000, p. 2. This 47 page letter was written to the SEC in response to a request for comment from the Federal Reserve Board, the Office of the Comptroller of Currency, and other government agencies.  http://www.sec.gov/rules/proposed/s70600/schrade1.htm

13 The Privacy Exchange- "an online global resource for consumer privacy and data protection."
"Visa Issues Privacy Principles" April 14, 1998. http://www.privacyexchange.org/buscodes/iap/creditcard/visa.html

14 Ibid.

15 First Data Corporation, Omaha, Nebraska, online. "Internet Commerce: Credit Card Processing 101."
http://www.firstdata.com/Pages/Doing_Biz/2121.jsp

16 "MembersGroup," P.O. Box 10409, Des Moines, Iowa, 50306-0409, 1-800-243-5354. Sandy Dupei, consumer representative, personal communication, March 15, 2002.

17 First Data Corporation, Omaha, Nebraska, online, Financials: "First Data & ieWild introduce FirstInsight (SM)"  http://www.firstdata.com/P...2-28-2001/0001437369&EDATE.

18 SAS, Intelligence Architecture, Analytic Intelligence- "Turn Raw Data into Business Gold with Data Mining"  http://www.sas.com/technologies/data_mining.

19 Nautilus Systems, Inc. "Case Studies" http://www.nautilus-systems.com/casest.html.

20 Nautilus Systems, Inc. "Case Study: Identification of High Potential VISA cardholders" http://www.nautilus-systems.com/cscp.html

21 "Xerox Case Study," Visa Card Services, Belgium. http://www.xerox-emea.com/iso/finance/pdfs.VISA.pdf

22 Robert Belair and Kevin Coy "United States Privacy Law and Policy," printed in "The Future of Financial Privacy: Private Choices Versus Political Rules," The Competitive Enterprise Institute, Washington, D.C., 2000, pp. 31-35.

23 Ibid., p. 19.

24 Jeff Sovern, (1999), 74 Wash. L. Rev. 1033, 1042.

25 For a good description of the European Data Protection Directive see: Priscilla M. Regan, "American Business and the European Data Protection Directive: Lobbying Strategies and Tactics," printed in "Visions of Privacy: Policy Choices for a Digital Age," Colin M. Bennet and Rebecca Grant, eds, University of Toronto Press, Inc. 1999, p. 199.

26 Simson Garfinkel, "Database Nation: The Death of Privacy in the 21st Century," O'Reilly and Associates, Inc., Sebastopol CA, 2000, pp. 22-23.

27 Belair and Coy, (2000), p. 32.

28 Daniel Klein, "Credit Information Reporting, Social Accountability, and Consumer Opportunity," printed in "The Future of Financial Privacy," (2000) p. 152.

29 Simson Garfinkel, (1999), p. 25.

30 Daniel Klein, (2000), p. 151.

31 Privacilla.org, "Your Source For Privacy Policy From a Free-market, Pro-technology Perspective."
http://www.privacilla.org/business/videoprivacyact.html. updated Aug. 29, 2000.

32 Ibid., at http://www.privacilla.org/government/dppahistory.html.

33 Belair and Coy, (2000), p. 34.

34 Ibid.

35 Office For Information Technology Policy, COPPA, the Children's Online Privacy Protection Act.
http://www.ala.org/oitp/history.html

36 Ibid., p. 37.

37 Russell Schrader, Letter to the Securities and Exchange Commission Concerning the Proposed Privacy Regulations, March 15, 2000, p. 3. This 47 page letter was written to the SEC in response to a request for comment from the Federal Reserve Board, the Office of the Comptroller of Currency, the SEC, and other government agencies.  http://www.sec.gov/rules/proposed/s70600/schrade1.htm

38 15 U.S.C. 6801(a) (United States Code Service, Matthew Bender and Company).
http://www.lexis.com/rese...z&_md5=67df9375eeb052bc60718f336768ceae

39 15 U.S.C. 6802(b)(1) (outlines the opt out provisions)

40 Julius Loeser, (2000), p. 147

41 Jeff Sovern, (1999), 74 Wash. L. Rev. 1033, 1085-1086.

42 Paul M. Schwartz and Joel Reidenberg, Data Privacy Law: A Study of United States Data Protection, 329-330 (1996). Cited in- Amici Curiae Brief of the Electronic Privacy Information Center, American Civil Liberties Union, Consumer Federation of America, et al. on the Respondents' Petition for Rehearing by the Panel and Suggestion for a Rehearing En Banc, in the Matter of U.S. West, Inc. v. F.C.C., (10th Cir., 1999) on line at Freedom Network, American Civil Liberties, In the Courts: http://www.aclu.org/court/uswest_brief.html

43 Jerry Kang, Information Privacy in Cyberspace Transactions, 50 Stan. L. Rev. 1193, 1253 n.255 (1998).
Cited in- Amici Curiae Brief of the Electronic Privacy Information Center, et al,

44 15 U.S.C.A. § 1681a(d)(2)(A)(iii) (West Supp. 1999).

45 Jeff Sovern, (1999), 74 Wash. L. Rev. 1033, 1088.

46 Richard Noble, personal communication, March 14, 2002.

47 Doug Sanders, personal communication, April 2, 2002.

48 Daniel Klein, (2000) p. 159.

49 Sovern, 74 Wash. L. Rev. 1033, 1064.

50 H.R. Rep. No. 104-204, pt. 1, at 90 (1995).

51 U.S. West, Inc. v. Federal Communications Commission, 182 F.3d 1224, 1240 (10th Cir. 1999).

52 47 U.S.C. § 222(c)(1). The central provision of § 222 dealing with CPNI is § 222(c)(1), which states:

"Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of
(A) the telecommunication service from which such information is derived, or
(B) services necessary to, or used in, the provision of such telecommunications service, including the
publishing of directories" [emphasis added].

53 47 U.S.C. § 222(d)(1) & (3).

54 Amici Curiae Brief of the Electronic Privacy Information Center, American Civil Liberties Union, Consumer Federation of America, et al. on the Respondents' Petition for Rehearing by the Panel and Suggestion for a Rehearing En Banc, in the Matter of U.S. West, Inc. v. F.C.C., (10th Cir., 1999):

"Section 222(c)(1)'s requirement that a carrier seek a customer's 'approval' before disclosing her CPNI demonstrates that the FCC's adoption of an opt-in approach is in line with congressional intent. When the FCC contemplated its order, it primarily considered two options: opt-in and opt-out. Under an opt-in approach, consumers must give the carrier express approval before the company can divulge their CPNI, which, as the FCC explained, 'will minimize any unwanted or unknowing disclosure' of the information. CPNI Order at 20,329. With an opt-out approach, by contrast, customers would receive a notice to sign and return to prevent the carrier from disclosing their CPNI. As the FCC explained, the danger of the opt-out approach is that 'because customers may not read their CPNI notices, there is no assurance that any implied consent would be truly informed.'"
On line at Freedom Network, American Civil Liberties, In the Courts:
http://www.aclu.org/court/uswest_brief.html

UPDATE: On June 5, 2000 the Supreme Court denied the petition for a writ of certiorari, so U.S. West v. F.C.C. remains the law of the land, unless individual states enact more restrictive privacy requirements. http://www.epic.org/privacy/litigation/uswest/.

55 In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunication Carriers' Use of Customer Proprietary Network Information and Other Customer Information, Notice of Proposed Rulemaking, 61 Fed. Reg. 26,483 (1996) ("CPNI NPRM").

56 U.S. West, Inc. v. Federal Communications Commission, 182 F.3d 1224, 1241 (10th Cir. 1999).

57 182 F.3d 1224, at 1233 (10th Cir. 1999).

58 182 F.3d 1224, at 1238-1239 (10th Cir. 1999).

59 See FN 52, above, from the "Amici Curiae Brief of the Electronic Privacy Information Center" and others.

60 Edenfield v. Fane, 507 U.S. 761 (1993).

61 Ibid., 1059-1060.

62 Ibid., 160.

63 Julius Loeser, (2000), p. 144.

64 Lawrence B. Lindsey, "The Money Laundering Conundrum: Mugging Privacy in the Assault on Crime?" printed in "The Future of Financial Privacy: Private Choices Versus Political Rules," The Competitive Enterprise Institute, Washington, D.C., 2000, pp. 164-172.

65 Sovern, 74 Wash. L. Rev. 1033, 1046.

66 Frederick E. Allen, "Behind the Cutting Edge: Hitler and IBM," American Heritage, July/August, 2001, Vol. 52, No. 5.

67 Edwin Black, (2001) IBM and the Holocaust, cited in American Heritage, Vol. 52, No. 5.

68 Robin Cover, "The XML Cover Pages: Consumer Profile Exchange Working Group," February 26, 2001. http://xml.coverpages.org/cpex.html

69 Patricia Jacobus, "Privacy Advocates Wary of Data Sharing Standard," C/Net News.Com
http://news.com.com/2100-1023-249570.html?legacy=cnet

70 CNN.com, "Can Consumer Data Profile Terrorists?" April 3, 2002, Posted 7:58AM EST.
http://www.cnn.com/2002/TE...04/03/terrorism.profiling.ap/index.html.

71 Simson Garfinkel, "Database Nation," p. 7.


[20020723 1530]