FRAMINGHAM (07/03/2000) - Do you think you should have the right to see the data that companies keep about you? If you answer yes, you're among the overwhelming majority of Americans, according to surveys.
But under current law, you don't have the right to access that data. In 1974, the Fair Credit Reporting Act gave you the right to see your credit report, but the companies selling these reports actually have a lot more marketing information about you - such as demographic, psychographic, transactional and inferred data - that is being sold without your consent to unknown parties for unknown purposes. You have no legal right to see this data, and if you ask for it, most companies will ignore you.
Do you think you should have the legal right to require these companies to stop selling this information?
Some personal data vendors accept "opt-out" requests, but others refuse or ignore them, and in either case you have little legal recourse if they accidentally or deliberately continue to sell profiles about you. In most developed countries, people have a "private right of action" to sue the company for a nominal amount (typically US$100 to $500) in such cases, giving these companies an incentive to comply.
Another question: Suppose that when you buy something online, the company's form says, "Please tell us your phone number so we can call you in case there's a problem with your order," and the company later sells your number to telemarketers. Would you be happy? Or would you be happier if the law required the company to obtain your consent before using your personal information for a purpose other than the one for which it was collected?
These three questions are essentially asking whether you support laws requiring companies to abide by "fair information practices."
The key principles of fair information practices include the following:
-- Obtaining consent, where appropriate, prior to collecting data.
-- Allowing people to have access to the data collected about them.
-- Complying with requests to delete the data.
-- Specifying the purpose of the data and respecting that purpose.
-- Keeping the data secure.
Most Americans support such privacy laws, but the laws we actually have are extremely limited and patchy when they concern companies.
Lobbyists for organizations such as the Direct Marketing Association have managed to stop Congress and state legislatures from responding to constituents' wishes for privacy and control over their information.
But the Internet has put these questions in front of people's faces with spam, online profiling by Web advertisers and the retailing of vast databases of personal information. A consensus has been reached in Washington that the American people need a lot more privacy rights than they have now.
Should that translate into new laws, it will mean a lot of work for IT professionals, just as environmental protection means a lot of work for chemical companies.
Data security has never been easy, and the incentives to get it right will increase when individuals whose data is accidentally spilled can sue for $500.
For example, retrofitting large legacy systems to provide access to data will be a major project for big companies.
Of course, these laws won't kick in for years, but the time to start work is now.
Jason Catlett is president of Junkbusters Corp., a privacy advocacy firm in Green Brook, New Jersey.