BY FAX AND MAIL
May 8, 2002
We write as a nonpartisan coalition of organizations from across the country to urge you to support a framework of privacy protection for personal information that incorporates Fair Information Practices (FIPs). FIPs clearly define the responsibilities that entities assume when collecting individuals' personal information. We recommend that legislation considered by the Committee be evaluated by the statement of FIPs included in this letter.
Public opinion polls show clear support for the meaningful protections that FIPs provide. A number of recent polls show that Americans are "highly concerned" about their privacy and that legislation is preferred over self-regulatory "trust" programs.
Privacy legislation based on FIPs would include the following elements:
- Minimization: governments and commercial entities should collect the minimum amount of information necessary in order to perform a given function or transaction. The Privacy Act of 1974 incorporates this important protection by requiring agencies to maintain only "information about an individual as is relevant and necessary to accomplish a purpose of the agency."
- Use limitations and purpose specifications: data should only be used consistently with the purpose stated at the time of collection and not in other ways without the affirmative consent of the data subject.
- Access and data quality: data collectors must give individuals access to their personal information, allow individuals to correct inaccurate information, and maintain data accurately and only to the extent necessary for the purposes for which the data is to be used. Strong rights of access and data quality are afforded in the Fair Credit Reporting Act of 1970, which allows individuals to see all of the information in their file for a reasonable fee, and allows correction of the file. If information in the file leads to an adverse action, the individual is entitled to a free report.
- Accountability: individuals recognize that rights should have remedies. In public opinion polls, Americans report that there should be redress against privacy violators. Effective accountability would require a private right of action, liquidated damages, and a grant of subject matter jurisdiction to small claims court. The Telephone Consumer Protection Act of 1991 affords individuals all of these rights.
- Security: personal information should be protected by reasonable security measures. This includes a requirement to purge customer information that is no longer needed. The Cable Communications Policy Act, for instance, requires data collectors to purge personal information after one year.
- Consent: before data is collected, opt-in consent should be obtained from the individual. Public opinion polls show that over 85% of Americans support opt-in systems instead of negative-option "choice" frameworks. Several American statutes contain opt-in protections, including the Cable Communications Policy Act, the Video Privacy Protection Act, and the Driver's Privacy Protection Act.
- Notice: meaningful privacy legislation affords individuals the right to be informed of how their personal information will be collected, used, and stored. This right is well established in existing federal privacy laws. The Cable Communications Policy Act of 1984 contains an excellent example of effective notice, one that requires yearly disclosures to the consumer of what data is collected, how it is shared, how it is maintained, how its uses are limited by statute, and how an individual can gain access to the data.
In addition to FIPs, privacy legislation should incorporate independent enforcement and oversight by the Federal Trade Commission and by State Attorneys General. Privacy legislation can stimulate commerce through the promotion of genuine Privacy Enhancing Technologies: systems that help individuals remain anonymous or limit the collection of personal information. There is also a role for restrictions on surveillance technologies in privacy legislation.
Additionally, the ability of states to develop supplementary protections to federal law is of great importance in privacy legislation and consumer law generally. Most privacy laws do not preempt the right of states to craft extra protections for individuals. States have supplemented federal law with protections that afford individuals more time to bring actions in court for violations, and protections that are tailored to the sensitivities of smaller constituencies. In supplementing federal law, states can experiment with different approaches, and serve as laboratories of democracy.
Finally, in the interests of both personal privacy and international commerce, American law should not hinder international enforcement of privacy law.
A failure to establish strong safeguards in law has resulted in economic harm to commerce and growing public concern on privacy. We urge you to use the FIPs outlined in this letter to evaluate privacy legislation that comes before the committee.
Electronic Privacy Information Center
Computer Professionals for Social Responsibility
Vice President for Public Policy
National Consumers League
Privacy Rights Clearinghouse
Consumer Program Director
U.S. Public Interest Research Group (PIRG)
Consumer Project on Technology
Consumer Privacy and Health Data Protection Consultant