The Anti-Privacy Lobby

Why big companies fight for the right to sell your personal information–and why Congress goes along for the ride.


Congressman Bob Franks thought he had a winner. The New Jersey Republican had witnessed the wild popularity of child protection legislation like Megan’s Law, and in 1996 he hoped to tap into the zeitgeist with his own less-controversial legislation. His bill required that those who compile lists of children’s addresses, such as children’s magazines, get the consent of parents before selling the lists or sharing the information with others. A sure-fire hit, right? That’s what made the hearing so strange.

In September 1996, R.P. “Toby” Tyler, a noted child-crime investigator from California, came to Washington to testify on the bill. But Tyler didn’t praise the legislation as a positive step toward protecting our nation’s children; instead, he railed against it. Frank Distefano, Franks’ legislative assistant, was shocked. “I was sitting there wondering, ‘Wow, what is going on here?’ And then it comes out that [Tyler] is a paid consultant for Metromail.” Distefano then realized what—and who—he was up against.

Metromail, a subsidiary of R.R. Donnelley and Sons Co., is one of the giants of direct marketing, a list compiler that sells information to marketers so they can stuff your mailbox with “great offers.” It is also a principal member of the Direct Marketing Association (DMA), one of the corporate giants that make up what can best be called America’s anti-privacy lobby. Together with information clearinghouses and insurance companies, DMA is making its presence felt on Capitol Hill as Congress deals with the stickiest issue of the electronic age: deciding what personal information is truly personal and what is for sale to the public.

The stakes are high. For the anti-privacy lobby the fight is about profit margins and even business survival. For consumers it can be as serious as protecting one’s health care coverage, job, or even life. Right now the fight is decidedly one-sided: With the Clinton administration and Congress largely allowing the industries to self-regulate, the number of areas where Americans can feel their privacy is secure is shrinking.

Take the health care industry. It’s a sector you don’t necessarily equate with snooping around. But the increased competition insurers have faced for the last decade has taken its toll. Forced to cut costs and reduce risks, insurers have responded by digging deeper into the records of those they insure. They want to know more about who they are covering and why they are paying out the benefits. Dr. Denise Nagel, a Boston-area psychiatrist and executive director of the National Coalition for Patient Rights, has seen it first-hand. “Your insurer used to just ask for diagnosis and bills. Now they want to see files.” Nagel says. “Insurance companies are actually asking psychiatrists for their session notes.”

How can insurers do that? Buried in the agreement you sign with your health care company whenever you renew coverage is a waiver which grants the company free reign over all your medical records. And once those notes are on a database somewhere, they are fair game for employers, your next insurance company, and anybody who claims to be a doctor.

Who makes sure your insurance company isn’t too freewheeling with your private health information? The answer is basically the company itself. Robert Gellman, a former congressional staffer who has been working on health care privacy legislation since 1980, says the nation’s health care privacy system is a patchwork quilt of state and national laws that have little or no real impact. Right now we are simply relying on the insurance companies to “do the right thing” with the information.

Relief could be on the way, in the form of proposed regulations from the Department of Health and Human Services (HHS) that lay out how the records can be used, but Nagel is not hopeful.

“The recommendations are terrible. They’d only make things worse. The administration is simply giving its blessing to big business” with the proposed regulations, Nagel says. As long as the collection of information is somehow related to health care or cost-cutting, it would have HHS’s okay. And the re-release of the data would also be allowed, Nagel says, as long as it could be shown to have a health care purpose—a boundary that could easily be stretched. Furthermore, the regulations would do nothing to stop companies from using third parties to enter sensitive medical data into computers. The practice is common—and sometimes the third parties entering the data are prison labor.

Behind this weak proposal, pushing the administration forward with promises of tight self-imposed privacy rules, are credit clearinghouses and insurance companies, who also have extensive dealings in medical records. Both industries maintain that loose rules are essential if they are to thrive. Insurers argue that “information is necessary for quality,” and for profit margins. Credit clearinghouses Equifax and Experian (formerly TRW) maintain that they are only middlemen giving the information to those who need it—for a fee, of course.

There is still hope on the regulatory front. HHS could amend the proposed rules or, better yet, Congress could throw them out entirely.

But Capitol Hill has not been friendly to privacy-rights legislation. Lawmakers have largely opted for the self-regulation route, maintaining that Americans would rather have industries take care of their own problems than have Big Brother grab control of privacy laws. And even in the private-sector areas Congress has chosen to tackle, such as credit and video rentals, it has left large loopholes. Under the Video Privacy Protection Act of 1988, third parties are blocked from getting information on the video titles you rented, but not the genres. We may no longer be able to check whether Clarence Thomas rented Debbie Does Dallas, but we can still find out if he is making his picks from that little curtained room at the back of the store.

All of this might help explain why Franks’ parental consent bill (and a companion measure from Sen. Dianne Feinstein (D-Calif.) is stalled, but it doesn’t answer the question fully. After all, some of the few questions most Americans can agree upon are those surrounding child protection. A recent Harris poll showed 97 percent of adults believe parents should have to give consent before companies gather information about their children over the Internet. And the need for a parental consent provision was on display this summer when a reporter for KCBS-TV in Los Angeles called up Metromail, used the name of a known child killer, and proceeded to purchase a list of households known to have children.

So why is Congress stalled? The $98,996 that the DMA pumped into Congressional coffers last year may have something to do with it, but there’s more. This issue is very close to Congress’s heart, says Marc Rotenberg, executive director of the Electronic Privacy Information Center. “Direct marketing has a bigger reach [in Congress]—it’s how people get elected,” he says. Democrat or Republican, House or Senate, in the end direct-marketing lists are part of congressional life.

Says one former high-level Democratic official, who spoke on condition of anonymity, “People who buy things through the mail are the best givers through the mail. Politicians, parties and PACs use all the major list brokers.”

So far Congress seems to be siding with folks like the DMA who say that the free flow of commerce is all about the free flow of information. Or, as DMA spokesman Chet Dalzell puts it, “Unsolicited mail does not mean unwanted mail.” Direct mail is how parents learn about children’s books and magazines, not to mention college and university catalogs. Besides, Dalzell says, if parents don’t want their kids’ names on the lists they can simply contact those selling the information and ask to have the names removed.

This is DMA’s traditional response. People who don’t want their information shared can simply call DMA’s members and “opt out”—ask to be taken off mail and phone lists. In October, DMA announced that by July 1999, offering consumers an “opt out” provision will be mandatory for all DMA members. The organization pursues self-regulation so strongly, Dalzell says, because it allows for the free flow of commerce and in the end it serves the consumer. “Merchants are just trying to be like 19th-century shopkeepers, but on a grand scale. They want to say ‘We know you’ and ‘We know what you want.'”

The only problem, of course, is that a lot of Americans don’t know how their information is getting out there. It can happen when you fill out a warranty card, buy anything with a credit card, or visit the doctor or the grocery store. In the past, you might have known the shopkeeper, but you probably would have been careful about what you told him—not to mention that the community knew him and so there was pressure on him to keep his mouth shut.

And that is the danger with the self-regulation bug going around Washington. We don’t know the shopkeeper, but he knows us. And the only thing preventing him from loosening his lips is himself.

 

Are you annoyed by the peddling of your information? Vent in Live Wire. To learn more about state and federal privacy laws that affect you, visit the Electronic Privacy Information Center.