EPIC logo

Federal Trade Commission
FACTA Free Reports
Post Office Box 1031
Merrifield, VA 22116-1031

Re: FTC File No. R411005

Dear Commissioners:

We applaud the Federal Trade Commission for soliciting public comment on implementation of the free annual file disclosure provisions of the newly amended Fair Credit Reporting Act.[1]

Congress included provisions for a centralized source for free credit reports in the Fair and Accurate Credit Transaction Act because the current methods for obtaining a report are inadequate. The Credit Reporting Agencies (CRAs) already operate sites with poor privacy policies, sites that offer "free" reports that are in actuality free-to-pay conversion credit monitoring products, and sites with advertising. Congress sought to change the situation in passing FACTA. Congress sought to provide individuals with a legitimate and easy to use system for obtaining credit reports. Accordingly, the Commission should strive to create a centralized source that is different and more legitimate than the mechanisms currently offered by the CRAs. The Commission should limit secondary use of personal information collected at the source, it should closely monitor the centralized source's use of authentication methods, and it should not permit advertising on the centralized source.

Below, we have responded to specific questions posed by the Proposed Rule Notice published in the Federal Register. In addition to these responses, we wish to raise two additional issues:

First, we applaud the Commission for requiring nationwide consumer reporting agencies to comply with the Standards for Safeguarding Customer Information, 16 CFR 314.3 and 314.4 (the Safeguards Rule), regarding all personally identifiable information collected through or disclosed by the centralized source.

Second, the Rule needs to address the potential that the CRAs could change the address of the centralized source without justification. We think it important that the web site address, telephone number, and physical address(es) of the centralized source not change unless there is a compelling reason to do so. There needs to be some permanence in the ways in which individuals can contact the centralized source so that consumer advocates and others can publish the web site, telephone number and physical address in books and other materials without needing to revise the information frequently

1. Are the definitions contained in section 610.1(b) of the proposed rule clear, meaningful, and appropriate?

We comment that the Commission should revisit two definitions in the Proposed Rule.

First, the definition of annual file disclosure may be confusing and may create an architecture of disclosure that will frustrate individuals' requests for the credit report. We urge the Commission to consider whether annual should be defined for purposes of the Rule as "once a calendar year." If it is not, annual can be keyed to arbitrary events, such as birth date. That is, the free disclosure could be staggered, or keyed to an event that will frustrate regular request of the credit report. We think that such staggering will be confusing, and difficult for individuals to remember.

Second, the definition of extraordinary request volume should be changed in two ways. As currently formulated, two times the normal request volume would be extraordinary. We comment that especially in the wake of well-known identity theft incidences, two times calling capacity would probably be insufficient to serve individuals who need their credit report. We comment that a volume of four or five times the normal rolling average would be extraordinary. A mere doubling in volume would not be exceptional; in fact, it would be expected when large-scale fraud or security breaches occur. We therefore comment that the Commission should revise this definition so that extraordinary request volume constitute four or five times the daily rolling 90-day average of consumer requesting file disclosures.

Also in regards to extraordinary request volume, the use of the word contact is important. As currently written, individuals merely browsing online to the centralized source may create a contact that, for purposes of the regulation, contributes to triggering an extraordinary request volume. That is, a mere "hit" on the centralized source Internet site could be counted as a contact or a request for a credit report. It is very likely that many will browse to the Internet centralized source for information or review. Mere visits to the site should not contribute to a determination of extraordinary request volume. Only actual requests for a report should contribute to the determination.

5. Section 610.2 (b)(2)(ii) allows the nationwide consumer reporting agencies to collect, through the centralized source, only as much information as is reasonably necessary to properly identify the consumer as required under the Fair Credit Reporting Act, section 610(a)(1), 15 U.S.C. 1681h(a)(1), and other applicable laws and regulations, and to process the transaction(s)requested by the consumer.

We applaud the Commission for limiting the amount of information that can be requested at the centralized source. This limit is commonly known as "collection limitation," or "minimization," a core privacy principle that protects individuals from privacy invasions.

a) Does the amount of information that is reasonably necessary depend on the request method or the method of delivery of the file disclosure or product or service? What information is reasonably necessary for each request method and delivery method?

We comment that the Commission must closely monitor the amount of information required for the file disclosure. If authentication standards are too weak, for instance, if just a name, address, and Social Security Number suffice, identity thieves will use the centralized source for fraud.[2] In designing the centralized source, the Commission should strive to avoid creating a new avenue for identity thieves to engage in fraud.

On the other hand, the Commission must be vigilant in ensuring that authentication is not designed at a level to frustrate access to free credit reports. We note that in other contexts, excessive authentication can burden opt-out or other privacy rights.[3] Because consumer authentication can act as an unjustified barrier to privacy rights, we urge the Commission to engage in regular, scheduled review of the centralized source's methods for authentication.

d) Should the rule address the use of information collected by the centralized source (i.e., by allowing, prohibiting, restricting, or limiting such use)? If so, how? If so, what information should such a rule address, i.e., personally identifiable information collected in connection with file disclosures and/or information collected in connection with products provided through the centralized source? Should any restrictions or limitations differ from those that are applicable to the same information collected currently in connection with the provision of such disclosures and products? On what basis should a distinction between information collected through the centralized source and information currently collected by nationwide consumer reporting agencies be made?

The Commission should limit the uses for which individuals' information can be employed. Individuals who request their report often are attempting to protect their personal privacy. If the CRAs are permitted to use their personal information in affiliate sharing relationships, for joint marketing, or for other reasons, individuals' trust and expectations will be violated. The Commission should craft a rule that only allows information submitted to the centralized source to be employed for fulfilling the request for a credit report.

The Commission should not present those who wish to protect their privacy with a Hobson's Choice­-one where those who are trying to protect their privacy by viewing their credit report are subjected to additional information exploitation. Individuals should be able to take advantage of the free disclosure without exposing their personal information to increased commercialization.

There are compelling reasons for protecting the personal information submitted from secondary use.

First, nothing in the record suggests that Congress intended the centralized source to become a new information exploitation opportunity for CRAs. Rather, Congress intended that the Commission implement a user-friendly method for individuals to obtain their credit reports. Congress' intent should not be twisted into new opportunities for CRAs to use individuals' personal information for purposes inconsistent with its provision.

Second, if the Commission itself were implementing the centralized source, information submitted would be subject to the Privacy Act.[4] As such, the information could not be used for list brokerage or for other purposes incompatible with providing the credit report. Furthermore, in passing the Privacy Act, Congress included section m, which requires private-sector compliance with the Act where a company administers a system of records for the government. In a way, Congress has created a new system where personal information will be collected. Although it is being collected by the private sector, the information flow should be subjected to the same standards applicable to government collections of personal data.

8. Section 610.2(g) of the proposed rule governs the possible use of the centralized source for other communications, including marketing or advertising.

a) Are the provisions of this section, along with the prohibitions of the FTC Act, adequate to ensure that consumers are protected against communications that may interfere with the purpose of the centralized source?

The provisions are inadequate. The centralized source is to be created to provide free credit reports, not new electronic billboards. The CRAs should not be able to convert the centralized source into a new medium for advertising for the following reasons:

First, there is no evidence that Congress intended to create a new advertising medium for the CRAs. The centralized source is a government-mandated system for the protection of individual’s privacy and not for the purpose of product marketing. There is no evidence that Congress intended the centralized source for any purpose other than simplifying the process for consumers to request their personal credit reports.

Second, advertising will detract from the "official" nature of the centralized source. The appearance of advertising on the site will lead many to believe that the centralized source is just another of the many sites that claim to provide free credit reports that really offer a free-to-pay conversion credit monitoring service.[5] Furthermore, advertising is designed to distract individuals, and will contribute to confusion about the purpose of the centralized source.

Generally, marketing of credit monitoring undermines the free annual disclosure. Instead of paying for credit monitoring that can cost $80 a year, consumers could save money by simply requesting their credit report periodically throughout the year. Since the FACTA provides for a free annual disclosure from all three CRAs, individuals can "self-monitor" their credit by ordering one of the reports every four months. Accordingly, marketing of credit monitoring can undermine free self-monitoring that individuals can engage in by requesting their credit reports periodically.

Third, in effect, if the Commission allows the CRAs to advertise on the central source, the Commission will appear to endorse the advertising messages. The Commission will inevitably be drawn into a situation where it has to approve of some advertisements and disapprove of others.

Fourth, the CRAs have a track record of providing confusing or even deceptive messaging to individuals in the past. For instance, the CRAs already have a statutory duty to operate a joint opt-out center for FCRA pre-screening. The CRAs have used their control over the opt-out center to pose confusing and irrelevant messages to consumers­currently, callers hear a message regarding "the recent e-mail that appeared over the Internet regarding a July 1st law affecting personal financial data…"[6] It is likely that they will use their control of the centralized source to present confusing, misleading, or deceptive advertising to individuals seeking their reports.

Last, the CRAs already operate sites with advertising. Congress included the creation of a new, free source of credit reports because the current methods of obtaining a report are confusing and not trusted by consumers for the reasons expressed above. The Commission is charged with creating a new source for credit reports; it should take this burden seriously, and distinguish the centralized source from the sites already operated by the CRAs. The Commission should create a site that is trusted and official looking; one that has legitimacy. The Commission's first goal in creating the centralized source should be fostering consumer trust; the advertising that the CRAs have engaged in previously, if applied to the centralized source, would undermine that trust.

If advertising is permitted by the Commission, there nevertheless should be a complete ban on the use of pop-ups, pop-unders, and "animated" advertising. Furthermore, if advertising is permitted, the Commission should be responsible for monitoring the content of the advertisements to ensure that they do no detract from Congress' intended purpose for the website.

Respectfully Submitted,

Chris Jay Hoofnagle
Associate Director
Electronic Privacy Information Center
1718 Connecticut Ave. NW 200
Washington, DC 20009
202.483.1140 x108

Daniel J. Solove*
Associate Professor of Law
Seton Hall Law School
Associate Professor Elect
The George Washington School of Law
One Newark Center
Newark, NJ 07102-5210

*Title and affiliation listed for identification purposes only.

[1] Free Annual File Disclosures; Proposed Rule, 69 Fed. Reg 13191, Mar. 19, 2004, available at http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2004/04-6268.htm.
[2] We note that with the low authentication standards associated with instant credit granting, identity thieves have been able to easily obtain credit in others' names, often using incomplete or inaccurate information. The Commission should avoid the low standards commonly employed in the credit granting context in order to avoid facilitating identity theft. See e.g. TRW Inc. v. Andrews, 534 U.S. 19 (2001) (on four occasions, Trans Union released victim's credit report on partial information match); Nelski v. Pelland, 2004 U.S. App. LEXIS 663 (6th Cir. 2004) (phone company issued credit to impostor using victim's name but slightly different Social Security Number); United States v. Peyton, 353 F.3d 1080 (9th Cir. 2003) (impostors obtained six American Express cards using correct name and Social Security Number but directed all six to be sent to the impostors' home); Aylward v. Fleet Bank, 122 F.3d 616 (8th Cir. 1997) (bank issued two credit cards based on matching name and Social Security Number but incorrect address); Vazquez-Garcia v. Trans Union De P.R., Inc., 222 F. Supp. 2d 150 (D.P.R. 2002) (impostor successfully obtained credit with matching Social Security Number but incorrect date of birth and address); Dimezza v. First USA Bank, Inc., 103 F. Supp. 2d 1296 (D.N.M. 2000) (impostor obtained credit with Social Security Number match but incorrect address); Erin Shoudt, Comment. Identity theft: victims "cry out" for reform, 52 Am. U. L. Rev. 339, 346-7 (2002).
[3] For instance, Verizon implemented an opt-out system for CPNI data in 2002 that was confusing and probably resulted in individuals not opting out. EPIC wrote to Verizon's president in 2002 describing the system: "Individuals must provide their phone number, their account number, the name on the account, their address, and speak the name of the "authorized" person to make decisions on the account. This process places an unreasonable burden on consumers who simply wish to protect their privacy. Further, the script used by Verizon to guide consumers through the opt-out process employs language that discourages individuals from exercising their rights. For instance, when a consumer chooses to opt-out, the script responds, "You are requesting to establish a restriction on your account"­­a characterization that misleads customers about the ramifications of their decision." Letter from Marc Rotenberg, Executive Director, EPIC to Ivan Seidenberg, President, Verizon, Feb. 7, 2002, available at http://www.epic.org/privacy/cpni/verizonletter.html.
[4] 5 U.S.C. § 552a.
[5] See e.g. EPIC's complaint in In re Experian, available online at http://www.epic.org/privacy/experian/. EPIC receives more complaints regarding Experian's Consumerinfo.com than any other issue. ConsumerInfo.com engaged in television advertising that suggested to viewers that their credit reports may be inaccurate or insecure. Playing to consumer fear, the television advertisement directs viewers to the ConsumerInfo.com website to order a "free" credit report. A reasonable consumer would likely believe that the offer came with no additional terms given that the commercial omitted any reference to the subscription services. Experian is following a "Tony Soprano" style business model in marketing "free" credit reports. The company plays on consumer fears regarding privacy and insecurity, urging members of the public to accept the company's services. But, those problems of privacy and insecurity are actually being caused by the CRAs themselves. It is not unlike the mob demanding businesses to pay for protection from crime. The mob profits and enables both the protection and the crime.
[6] The big three CRAs have used the pre-screening opt-out system established under the FCRA number to distract individuals' attention from their privacy rights. When one calls this number, which is supposed to be operated only for opting out under the FCRA, the caller is presented with an unrelated message regarding a "recent e-mail that appeared over the Internet regarding a July 1st law affecting personal financial data."

The first option on the telephone tree diverts callers to learn about this e-mail circulated on the Internet. This is a purpose unrelated to the opt-out function for which the system was intended.

The automated message on the pre-screening line is as follows:

"Thank you for calling the credit reporting industry pre-screening opt-out number. If you are calling as a result of the recent e-mail that appeared over the Internet regarding a July 1st law affecting personal financial data, please press "1" now. If you are not calling about this e-mail, please press '2'."

The "1" option delivers this message:

"The e-mail stating that credit reporting companies are now allowed to share your personal credit information with anyone who asks is incorrect. Credit reporting companies can only release your credit information to those legitimate businesses that have a permissible purpose for obtaining it under the provisions of the Fair Credit Reporting Act. The opt-out privileges granted by the July 1st law applied to financial institutions sharing their personal information with third parties. If you are calling about this you should contact each financial institution where you do business and ask them not to share your personal financial information with other companies. You cannot obtain the opt-out privileges granted by the new law at this number. Your rights under the Fair Credit Reporting Act to have your name removed from marketing lists remains unchanged. If you are calling to exercise your rights to opt-out of pre-approved offers of credit and other benefits, please press '1'."

EPIC Privacy Page | EPIC Home Page

Last Updated: April 16, 2004
Page URL: http://www.epic.org/privacy/fcra/freereport.html