Along with everyone else in the Western World, I have noticed over the last several years that my junk mail has gotten more and more specific to me. I now get solicitations for astronomy magazines, conservative magazines, history publications, and graduation photo services. One day last fall, while purchasing a large amount of cheap beer with my VISA card, I began to wonder whether my specific credit card transactions were being tracked and placed in some large database somewhere which counts every immoral purchase I make, and profiles, in detail, my degenerate character. Do they know how much "Peanut Butter Crunch" I eat, or how often I go to Jiffy Lube instead of changing my own oil?
 According to a recent article in the Washington Law Review by Jeff Sovern, it is now possible to buy "lists of people who have bought skimpy underwear, college students sorted by major, class, and year... people who have lost loved ones, women who have bought wigs, callers to a 900 number national dating service... people who have had their urine tested, medical malpractice plaintiffs... impotent middle aged men, epileptics, people with bladder control problems, buyers of hair removal products... high risk gamblers, people who have been rejected for bank cards..."1 There are lists of "weight conscious consumers who had purchased low calorie foods such as yogurt and reduced fat breads... lists of 'fancy food buyers' - consumers who bought refrigerated pastas or frozen yogurt..."2

 Certainly all of us are on some list or other, but what about the specific purchases that I make with my VISA card, issued by the University of Iowa Community Credit Union? Am I racking up a list of character traits with each purchase? Where does the information go? Who keeps it? Who sees it? Who are they? And... is this legal? Those are the questions I set out to answer with this paper, and the answers I found were nothing short of shocking- while acres of personal information about me is being legally swapped and exchanged on hundreds of different databases, no one, no where, at the current time, is tracking the specific purchases that I make with my VISA card.

The Law of Informational Privacy

 The laws relating to informational privacy in the United States could be likened to a labyrinth. There are hundreds of overlapping and sometimes contradictory regulations and statutes promulgated by various government agencies, such as the Federal Trade Commission, the Securities and Exchange Commission, the National Credit Union Administration, and the Federal Deposit Insurance Corporation, the Department of Commerce, and others, in response to 32 separate acts of congress.3 It has often been said that privacy law in the United States is an "uneven and inadequate patchwork."4 One law professor has called them "a patchwork of ad hoc responses to outrage over past invasions of privacy rather than a coherent set of rules based on fundamental principles and policies."5 This is particularly true in comparison to European Union law, which is much more protective of privacy and less ambiguous than U.S. law.6

 American law on consumer privacy and information over the last 30 years has been the result of constant tension between privacy activists, academics, concerned politicians, and the business interests who profit from compiling and exchanging personal information about individual consumers of goods and services. The first federal laws passed to protect computerized records of personal information were in the early 1970s in response to the growing industry of credit reporting and some of the abuses and errors of the burgeoning credit bureaus. Thousands of Americans were being erroneously billed, discredited, or otherwise victimized by credit reporting errors.
Credit Reporting companies, in addition to committing numerous errors, would dispense personal information on consumers to almost anyone except the actual subjects of the information. The movement to address the problems created by this largely secret industry was initiated with several books published by Alan Westin in the late 60s: Privacy and Freedom, Databanks in a Free Society, and The Naked Society.7

 After a series of hearings at which Alan Westin testified, the Congress passed the Fair Credit Reporting Act (FCRA) in April, 1971. This law did nothing to slow the growth of the consumer credit reporting industry, but it did provide the subjects of consumer reports with the right to view their information and correct errors. This law also established limits on the scope of disclosure of personal information.8 The information which could be gathered was limited to credit information such as the consumer's name, address, social security number, credit lines, credit balances, credit limits, payment histories, bankruptcies, liens, and public judgements against the consumer. As amended in 1996, the FCRA only allows the information to be sold to those with a "permissible purpose," such as creditors, employers, landlords, and insurers.9

Unfortunately for privacy advocates, the FCRA has a rather considerable loophole. Demographics, population statistics and purchasing habits and other information is not considered part of a person's credit history and so is not covered by the law.10 As long as the consumer has been given the opportunity to "opt out," any of this information can be (and is) distributed by credit reporting agencies to third party affiliates.11 Notice to consumers of the right to opt out of inclusion in a consumer database is almost invariably mailed to them in the form of a dense folder of tiny print legalese included with a credit card bill, or if separate, it is often in a format calculated to resemble junk mail.12

The 1996 amendments to the FCRA state that the "opt out" notice must be "clearly and conspicuously disclosed to the consumer..."13 but this law is routinely disregarded by financial institutions, most of whom continue to include the privacy notice toward the middle of a small print document filled with other required disclosures. If the consumer does happen to find the opt out procedures and chooses to avail herself of them, she must often write a letter to an address different from the one shown her mailing.14

There are only three major credit reporting agencies which dominate the industry- Equifax, Experian, and TransUnion, and these three companies energetically assemble marketing lists which they sell to companies looking to market their products directly to persons who they feel would be likely to be interested in them.15 While the FCRA is effective at preventing the worst abuses of a person's information, it allows the propagation and the marketing of consumer databases to proceed virtually unimpeded.

Some other laws relevant to informational privacy include:

The Privacy Act of 1974 (PL 93-380)
This act extends the principles of the FCRA to the federal sphere, giving citizens the right of access to federal records databases which pertain to them, to correct errors, and it limits the scope of federal disclosure of this information.

The Cable Communications Privacy Act of 1984 (PL 98-549)
This act requires cable companies to provide subscribers with notice concerning their collection, use, and disclosure of information about them.

The Electronic Communications Privacy Act of 1986 (PL 99-508)
This act extends the protection to citizens from unlawful surveillance to digital voice data, video communications, cell phones, e-mail, and computer transmissions.

The Video Privacy Protection Act of 1988 (PL 100-618)
This act effectively prohibits video rental stores from disclosing which movies you rent. This was passed in response to the Bork confirmation hearings, in which the judge's movie rentals became an issue.

The Driver's Privacy Protection Act of 1994 (PL 103-322)
This act prohibits the public dissemination, for marketing purposes, of certain types of information held by departments of motor vehicles.

The Children's Online Privacy Protection Act of 1998 (PL 105-208)
This act regulates the collection of over the internet of personal information from children under the age of 13.16

And finally, the Gramm-Leach-Bliley Act of November, 1999 (PL 106-102) is the latest round in the ongoing privacy law saga. This act deals primarily with modernization of the requirements for financial disclosures in banking and securities transactions, and removing legal barriers that have separated banks, insurers, and securities firms, but it also contains substantive privacy provisions dealing with the informational privacy of consumers. This law was strongly opposed by the "financial services industry."17

 This Act may have been the death knell for many of the more stealthy forms of data gathering, and I believe it is the reason that my local Credit Union (also my VISA issuer) does not allow any third party use of my transactional data. Or do they?

 Here, in part, is the U of I Community Credit Union's privacy policy, carefully crafted to comply minimally with GLB:

 "We may disclose nonpublic personal information about you to the following types of third parties: ...consumer reporting agencies, data processors... direct marketers and government agencies.... (emphasis added).
 "To protect our member's privacy, we only work with companies that agree to maintain strong confidentiality protections and limit the use of the information we provide. We do not permit these companies to sell the information we provide to other third parties."

 I was informed unequivocally Richard Noble, senior vice president of operations at the U of I Community Credit Union, that they do not, have not, and never will sell any of my account or transactional information to third parties.22 Doug Sanders, Internal Auditor at the UICCU says that there is information exchange with MemberConnect, a direct affiliate of the CUNA (Credit Union National Association) who market auto loans and insurance to members based on specific criteria provided by the UICCU such as age group, car loans, etc. But absolutely no account information, much less credit card transactional data is given to "direct marketers" or other third parties by my card issuer. If they did so, they would be required to offer a "clear and conspicuous" opt out, which they do not. In short, the UICCU printed privacy policy is a canned document provided to them by the CUNA, and as such is slightly inaccurate.23

What's In a Transaction?

 To understand what happens when you swipe your VISA card at the checkout counter, you must first understand what the VISA actually is. VISA is a payment system, with over 21,000 member financial institutions around the world. They originated in California in 1958 and were known as "BankAmericard" before 1976. They changed their name to VISA because it sounded like a "simple, memorable name with an international flavor that is pronounced the same way in almost every language." 24

VISA operates the global electronic authorization system but VISA doesn't get the money from you when you pay your bill, nor does it issue money to the vendor when you buy your cheap beer. VISA is a brand name with a trademark and they enter into licensing agreements with banks and other financial institutions.25 The bank issues your VISA card and vouches for your conduct with that card. The bank (or "card issuer") owns the information gleaned from credit card transactions and is responsible to notify you of your right to "opt out" of direct marketing lists. Like every financial institution, they do provide some of your information to credit reporting agencies.

VISA provides all of its card issuers with a set of "privacy principles" stating, in part, that "issuers should restrict disclosure of specific information about individual cardholder accounts... [unless] the cardholder has been informed in advance through a cardholder agreement or communication about such disclosure activities."26 VISA privacy principles make clear that some issuers may provide cardholder information to "non affiliated third parties for marketing purposes"27 so long as the cardholder is informed and given the opportunity to opt out. That means that many banks probably do sell your information to direct marketers, it just so happens that my card issuer isn't doing that.

Here is what happens when you buy something with your VISA card-

1. You swipe your card and the merchant's payment software sends the encrypted transaction data to an "acquiring processor" via private dial or a leased line.
2. The "acquiring processor" communicates the transaction information to the issuing bank, which either authorizes the transaction or denies it.
3. If your card is approved, the issuing bank authorizes a certain amount of money and issues an authorization code. There is not yet a charge on the customer's bill.
4. The acquiring processor communicates to the merchant that the purchase has been approved.
5. The acquiring processor issues credits to the merchant, and the corresponding amount of money is charged to the consumer's credit card account by the processor.
6. The transaction is "captured" by the merchant whereupon she presents you, the consumer, with your 12 pack of cheap beer and a receipt.
 7. The merchant accumulates "captures" and "credits" into a batch, and submits these to the acquiring processor.
 8. When the acquiring processor receives the batch, it sends payment instructions to the card issuing banks and the merchant's bank.
 9. Money transfers from the issuing bank to the merchant's bank.28

 As you can see from this abbreviated transactional outline, the people most perfectly situated to compile a list of people who drink cheap beer and sell such information to marriage counselors for direct marketing purposes are the acquiring processors. In my case, this would be "First Data Corporation" in Omaha, Nebraska. This company processes most VISA transactions nationwide, and they do indeed compile extensive consumer databases and provide access to this information. But the information they compile and sell is offered back to the card issuers, not the direct marketing companies. The card issuer still owns the transactional information and they are the ones who will either sell your information to direct marketers or not. The acquiring processor is bound by the same confidentiality standards as the issuing bank.

 Nonetheless, First Data Corporation has made extensive forays into the business of compiling your personal information. According to a First Data Corp. press release, dated Feb. 28, 2001:

 "Today, First Data Corp... announced its card issuing services and subsidiary ieWild Inc., a San Diego-based software and predictive customer analysis company, have agreed to offer card issuers technology that provides keen insight into card holder purchasing preferences... under the First Data brand FirstInsight (SM).
 "FirstInsight is a sophisticated data mining, analysis and reporting solution that merges merchant data with bankcard transactional data to give the card issuer better opportunities for one on one value offers.
 "FirstInsight allows card issuers to take merchant data and cardholder transactions and use the information to segment cardholders and understand their buying behavior."30

 She told me that the press release was a year old, that the deal with ieWild fell through, and that she doesn't believe that company even exists any more. She would give me no further information about their databases except to say that they are only be shared with the card issuers, not third party direct marketing firms.

Database Mining

 So where do direct marketers get these lists of every college sophomore in Eastern Iowa who's on a diet and wears glasses? This is the wonder of "consumer database mining." According to one of the vendors of this technology, it is a set of computer software applications which allows "data selection, exploration and building models using vast data stores to uncover previously unknown patterns."31 This technology has many non-commercial, scientific applications as well. According to Nautilus Systems, another vendor, it can be used for analyzing geologic data from an earthquake to create predictive models for future events, and also for tailoring the Emergency Information Management System to better respond to various scenarios. But it is also used for "[a]nalysis of buying habits and trends of potential credit card holders..."32 At the "Very Large Database" conference in San Francisco in 1998, Nautilus presented a case study in which:

" a client had described the buying habits and buying trends desired in new subscribers. The optimal candidates were individuals likely to be repeated purchasers of 'best of class' item, demonstrating not only available disposable income but also a likelihood of continuation of desirable purchasing trends... [ie: purchase of titanium mountain bikes or expensive golf clubs which indicate a 'status conscious image'].
"Nautilus Systems used its proprietary data mining techniques to extract transactional data matching these product and service categories from commercial database sources, and by examining buying trends contained within mercantile databases of credit card purchases."33

What are these "commercial database sources" which Nautilus Systems uses to formulate these lists? We have already seen that the Fair Credit Reporting Act does not prohibit credit reporting agencies such as Experian, Equifax, and TransUnion from selling your personal consumer information to direct marketing companies. There are some systems which are established for the exclusive purpose of collecting individual consumer information.
One of these would be the supermarket discount cards and cards issued by department stores such as J.C. Penny's, or Montgomery Ward. These cards are unabashedly used to find out who you are, what you buy, when you buy it, and to use that that information to refine the store's marketing techniques, and sell the information to commercial databases. This may not seem like a particularly harmful exercise, but as Simson Garfinkle puts it, in his book Database Nation:
"Transactional-level information turns the art of marketing into a multivariable science experiment, with the store's customers doubling as laboratory rats."35

If this seems like rather overcharged language for a rather innocuous form of consumer research, consider the case of a Los Angeles man, Robert Rivera, who fell at a Vons market and injured his leg. When he threatened to sue the store, they looked up his purchase records and discovered that he had bought a great deal of liquor. The store informed Rivera that they would use that information to defend themselves in the lawsuit.36
How long will it be before law enforcement and other government agencies can acquire this personal information without a warrant? Is there any reasonable expectation of privacy for information which you have willingly signed up to reveal, which you have been put on clear notice is being compiled, and you are being given store discounts and other incentives for doing so?

Another frequent contributor to these "commercial databases" has been the American Express Co. Since AmEx is an independent card operation they ARE the issuing bank and so it is much easier for them to assemble huge databases on consumer transactions. This is more difficult for VISA and Mastercard since they are just brand names for hundreds of different, competing bank credit cards.37

It has been well known that AmEx is compiling and selling consumer transactional information since 1992, in spite of some strange non-denial denials.38 On May 14, 1992 the Washington Post announced: "Credit Card Holders to Be Warned of Lists; American Express Collects, Sells Buying Habits Data."39 At the time, AmEx was not disclosing this information to cardholders. AmEx still creates these databases, and markets them, and has no plans to stop.
Other ways in which these commercial databases are created are when you fill out your "product registration" and return it to the company for your new VCR, or other purchase. You may be led to believe that your warranty won't be valid unless you fill out the little form. Not true, but that's how they get you.

Children are also easy to prod for personal information. Many children's web sites such as "FunBrain.com" and "Bonus.com" 40 are filled with games and puzzles, and the child is told that he/she must register if she wishes to have game scores saved and be eligible for fun prizes. These sites exist for no other purpose than to collect information for marketing research. It is estimated that around 90% of web sites directed at children also collect personal information.41 The Children's Online Privacy Protection Act has not stopped this type of information gathering, but there is now an affirmative duty for these web sites to seek an explicit opt-in from the parents of a child under 13. It is well known that most commercial websites on the internet collect personal information.

What To Do?

Privacy law is largely contingent on how people feel about their privacy. Many people don't mind having incidental information about some of their grocery store purchases parleyed about, but would not like sensitive personal information available to strangers. A 1996 study commissioned by Equifax found that 11% of consumers find profiling "very acceptable" and there is another core group of "privacy fundamentalists" (24%) who favor strong laws privacy laws. Most people understand and expect that their credit history being compiled and accessed is a necessary evil which cannot be eliminated.42

As far as consumer transaction databases are concerned, the European Union Data Protection Directive simply mandates that a consumer must "opt in," that is, to consciously assert that they are willing to allow themselves to be profiled in order for this activity to be legal.43 This has been and will continue to be a source of great friction between American and European trading partners. American business interests live in a state of virtual terror that the U.S. will also move to such a system. They make an argument that consumers need their junk mail and telemarketing calls, for example:

"Because opting in would call for added time, attention and effort, many consumers would miss opportunities they would like to have, opportunities that would improve their condition."44 To that, one might respond "let's just put it to a vote."

"...the poor do not have ready access to information about products and services...Under this analysis it is thought that lower income persons therefore benefit the most from targeted marketing that information sharing facilitates, and, thus, those who would impede information sharing are advocating a course of action that would harm the less fortunate."45

There is a more compelling argument made by database business advocates and it goes like this:

The Government is the real danger, and they are fomenting an exaggerated concern for commercial privacy to distract our attention from some downright Orwellian intrusions that the federal government has made into financial privacy in the last 20 years, largely in pursuit of the drug war. The "Financial Crimes Enforcement Network" (FinCEN) has the machinery and the authority to scan almost any financial transaction in the country to look for the illicit financial fruits of drug dealing or other crime.

Only time will tell whether the Gramm-Leach-Bliley act will effectively restore some degree of personal privacy to the American consumer. The European system has a great deal of appeal, because it insure persons are only on lists that they want to be on, and it would put an affirmative duty on direct marketers to actively solicit customer permission instead of the current system of burying opt out provisions deep in a morass of legal goo. There is no reason at the present time to think that the "clear and conspicuous" notice standard of Gramm-Leach-Bliley will be any more effective than the "clear and conspicuous" standard of the Fair Credit Reporting Act was.

When the issue of consumer informational privacy was first being debated back in the early 70s, a report by President Nixon's secretary of Health, Education and Welfare, Elliot Richardson, proposed a set of five aspiration principles about computers and privacy (paraphrased):

1. no personal data record-keeping systems whose very existence is secret
2. There must be a way for a person to find out what information about them is being kept.
3. A person must be able to prevent information gathered for one purpose from being used for another purpose without one's consent
4. There must be a way for a person to correct erroneous information.
5. Organizations who keep this data must insure its reliability and prevent its misuse. 48

1 Jeff Sovern, "Opting In, Opting Out, or No Options at All: The Fight for Control of Personal Information," 74 Wash. L. Rev. 1033, 1034 (1999).

2 Ibid, 1038-1039.

3 Robert Belair and Kevin Coy "United States Privacy Law and Policy," printed in "The Future of Financial Privacy: Private Choices Versus Political Rules," The Competitive Enterprise Institute, Washington, D.C., 2000, pp. 31-35.

4 Ibid, p.19.

5 Jeff Sovern, (1999), 74 Wash. L. Rev. 1033, 1042.

6 For a good description of the European Data Protection Directive see:
Priscilla M. Regan, "American Business and the European Data Protection Directive: Lobbying Strategies and Tactics," printed in "Visions of Privacy: Policy Choices for a Digital Age," Colin M. Bennet and Rebecca Grant, eds, University of Toronto Press, Inc. 1999, p. 199.

7 Simson Garfinkle, "Database Nation: The Death of Privacy in the 21st Century," O'Reilly and Associates, Inc., Sebastopol CA, 2000, p. 22-23.

8 Belair and Coy, (2000), p. 32.

9 Daniel Klein, "Credit Information Reporting, Social Accountability, and Consumer Opportunity," printed in "The Future of Financial Privacy," (2000) p. 152.

10 Simpson Garfinkle, (1999), p. 25.

11 Julius Loeser, "Some Practical and Theoretical Thoughts About Privacy and Banking," printed in "The Future of Financial Privacy," (2000), p. 147.

12 Jeff Sovern, (1999), 74 Wash. L. Rev. 1033, 1085-1086.

13 15 U.S.C.A. § 1681a(d)(2)(A)(iii) (West Supp. 1999).

14 Jeff Sovern, (1999), 74 Wash. L. Rev. 1033, 1088.

15 Daniel Klein, (2000), p. 151.

16 Belair and Coy, (2000), pp. 31-35.

17 Ibid, p. 37.

18 Russell Schrader, Letter to the Securities and Exchange Commission Concerning the Proposed Privacy Regulations, March 15, 2000, p. 3. This 47 page letter was written to the SEC in response to a request for comment from the Federal Reserve Board, the Office of the Comptroller of Currency, the SEC, and other government agencies.  http://www.sec.gov/rules/proposed/s70600/schrade1.htm

19 15 U.S.C. 6801(a) (United States Code Service, Mathew Bender and Company).
http://www.lexis.com/rese...z&_md5=67df9375eeb052bc60718f336768ceae

20 15 U.S.C. 6802(b)(1) (outlines the opt out provisions)

21 Julius Loeser, (2000), p. 147

22 Richard Noble, personal communication, March 14, 2002.

23 Doug Sanders, personal communication, April 2, 2002.

24 VISA homepage, "About VISA, Who We Are" p. 2 of 5.
http://usa.visa.com/personal/about_visa/who/who_we_are_history.html

25 Russell Schrader, Letter to the Securities and Exchange Commission Concerning the Proposed Privacy Regulations, March 15, 2000, p. 2. This 47 page letter was written to the SEC in response to a request for comment from the Federal Reserve Board, the Office of the Comptroller of Currency, and other government agencies.  http://www.sec.gov/rules/proposed/s70600/schrade1.htm

26 The Privacy Exchange- "an online global resource for consumer privacy and data protection."
"Visa Issues Privacy Principles" April 14, 1998.
http://www.privacyexchange.org/buscodes/iap/creditcard/visa.html

27 Ibid

28 First Data Corporation, Omaha, Nebraska, online. "Internet Commerce: Credit Card Processing 101."
http://www.firstdata.com/Pages/Doing_Biz/2121.jsp

29, "MembersGroup" P.O. Box 10409, Des Moines, Iowa, 50306-0409.
1-800-243-5354 Sandy Dupei, consumer representative, personal communication, March 15, 2002.

30 First Data Corporation, Omaha, Nebraska, online, Financials: "First Data & ieWild introduce FirstInsight (SM)"  http://www.firstdata.com/P...2-28-2001/0001437369&EDATE.

31 SAS, Intelligence Architecture, Analytic Intelligence- "Turn Raw Data into Business Gold with Data Mining"  http://www.sas.com/technologies/data_mining.

32 Nautilus Systems, Inc. "Case Studies" http://www.nautilus-systems.com/casest.html.

33 Nautilus Systems, Inc. "Case Study: Identification of High Potential VISA cardholders" http://www.nautilus-systems.com/cscp.html

34 "Xerox Case Study," Visa Card Services, Belgium.
http://www.xerox-emea.com/iso/finance/pdfs.VISA.pdf

35 Simpson Garfinkle, (1999) p. 158.

36 Privacy Journal, March, 1999, p.5, (cited in "Database Nation," Garfinkle, p. 159).

37 Bruce Horovitz, U.S.A Today, May 13, 1998. p.1A "AmEx to Sell Information About Consumers."

38 Ft. Lauderdale Sun Sentinel, May 14, 1998, "Amex Stirs up Privacy Debate; Denies Selling Consumer Data:"
"Gail Wasserman... [spokesperson for AmEx, said] 'American Express does not sell or provide individual transaction information to any third party for marketing purposes'... On Tuesday, American Express and KnowledgeBase announced a partnership to develop services to help merchants scout prospects. "
It would be intriguing to try to figure out just which word in Wasserman's statement makes it not quite a lie, but one must recall that this was in 1998, during the height of the Clinton Administration, when millions of Americans were taking their cue from the president.

39 Albert B. Crenshaw, "Credit Card Holders to Be Warned..." The Washington Post, Financial, May 14, 1992, p. D11 (from http://www.lexis.com/resea...).

40 Learning Network, Fun Brain.com, http://www.funbrain.com/mission.html and http://www.bonus.com.

41 Sovern, (1999) 74 Wash. L. Rev. 1033, 1041.

42 Ibid, 1059-1060.

43 Daniel Klein, (2000) p. 159.

44 Ibid, 160.

45 Julius Loeser, (2000), p.144.

46 Lawrence B. Lindsey, "The Money Laundering Conundrum: Mugging Privacy in the Assault on Crime?" printed in "The Future of Financial Privacy: Private Choices Versus Political Rules," The Competitive Enterprise Institute, Washington, D.C., 2000, pp. 164-172.

47 Me, two minutes ago.

48 Simson Garfinkle, "Database Nation" p. 7.