FEDERAL TRADE COMMISSION Public Workshop: THE INFORMATION MARKETPLACE: March 13, 2001 Opening Remarks Session One: Merger & Exchange of Consumer Data: An Overview Session Two: Consumer Data: What is it? Where does it come from? Session Three: What are the business purposes for merging and exchanging consumer data? Session Four: How do merger and exchange affect consumers and businesses? Session Five: Emerging Technologies and Industry Initiatives: What does the future hold? P R O C E E D I N G S MR. WINSTON: Let me introduce myself, I'm Joel Winston, Acting Associate Director for Financial Practices at the FTC, and I want to welcome all of you to the Federal Trade Commission, and give a special greeting to those people who are listening in on our audiocast on the website, ftc.gov. Now, there are several members of the Commission who are going to be giving some opening remarks this morning, and I would like to introduce first Chairman Robert Pitofsky. Chairman Pitofsky has served as chairman of the FTC since April of 1995, and he will be beginning the proceedings. Mr. Chairman? CHAIRMAN PITOFSKY: Good morning, everyone, and welcome to another of the Federal Trade Commission's workshops. This one, we have entitled The Information Marketplace: Merger and Exchange of Consumer Data. I don't think I have to belabor the point with this audience that privacy, especially privacy in the commercial marketplace, is and remains a very important issue. If you take polls, you find today, just as you did three and four years ago, that somewhere between 88 and 92 percent of consumers when asked what their concerns were about doing business, buying online, will say that they have reservations, and think it's not a secure marketplace. They're not giving their credit card online without having some knowledge of how it's going to be used. As a result, you now have, I think, just since Congress reconvened, something like a dozen bills addressing various issues relating to privacy in the commercial context. But let me position this workshop. We are not looking for enforcement targets for companies that may be invading unfairly or deceptively consumer rights, and we're not looking for legislative proposals. This is another kind of workshop, and it's like many that we've conducted in the past five or six years. We're trying to find out in a new area, a fast-changing dynamic area, what's going on, so that we are informed about the kind of issues that eventually we'll be called upon to address. We did that with our earliest privacy workshops, just to find out how personally identifiable information was collected and whether or not it was being sold. We did it with profiling, more recently B2B commerce on the Internet, and wireless technologies. In this instance, we would like to be able to take the measure of the extent and the ways in which firms exchange information and data that create consumer profiles; not necessarily only the information the firm collects itself, but information that someone else collects that then becomes merged into a firm's database. How is that information used commercially? Is it used commercially? And if so, in what fashion? What is the source of the data? Is it mostly online, is it offline, is it a combination of the two? Does it come from public records, private records, a combination of the two? We know that the ability of firms to collect data has been enhanced dramatically over the last five to ten years, and what we want to find out is how it's being used so that down the road we can spot issues. It is an information-gathering enterprise. It is not designed at the end of the day, at the end of these sessions, to come up with policy proposals. We have no predisposition on this. My own view, as some of you have heard me say before, is that this kind of enterprise is what Congress had in mind in 1914 when it created a Federal Trade Commission. Not just law enforcement, but a group that would try to work with the business community, with consumers, and others, to understand new and emerging dynamic trends in the economy. That is what we've been about over the last five or six years. We've tried to restore that tradition, and I certainly feel that this workshop moves in that direction. We have a wide variety of people here today who represent the business community, the consumer community, academics, and others, and if history is any guide, we will at the end of the day have learned a good deal from each other. With that, we'll receive some words on video from my colleague, Mozelle Thompson, but while that's being set up, let me introduce my colleague and friend, Commissioner Orson Swindle. COMMISSIONER SWINDLE: Thank you very much, Chairman Pitofsky. I would like to welcome you all here, and before I forget it, the last couple of days in preparation for this, Bruce Jennings and his crew of youngsters around here have been scurrying in about 9,000 different directions making all this come together. Wires have been dragged all over the building and I think we've got a good set-up here, and this will be recorded for posterity and hopefully there won't be too much blood on the floor when it's all over, but it's a delight to see you all. I know so many of the organizations that are represented here, you have a vital interest in this, certainly from a personal perspective of your business, but we are all, as the chairman says, grasping to understand. And I would hope that we would view this process here today, as we have in previous workshops, as the Chairman mentioned, as a learning process in which we listen and offer our suggestions from time to time, but mostly we listen to you, the practitioners, and try to get a better understanding of what we're all about and what we're doing here with this very controversial -- is that a good word to describe it -- but the issue of information flow and its effects and the concerns that various and sundry people have today in the consumer population or in business population. I do want to welcome you all here today. The use of third party information from public records, information aggregators and even competitors for marketing has become a major facilitator of our retail economy. Even Chairman Greenspan suggested here some time ago that it's something on the order of the life blood, the free flow of information. This was made even more clearly by a new study released yesterday by the Privacy Leadership Initiative and the ISEC Council of the DMA. The study made it clear that consumer prices would increase if public policy significantly limited the flow of data into catalog marketing and sales. At the same time, the digital revolution, both online and offline, has given an enormous capacity to the acts of collecting and transmitting and flowing of information, unlike anything we've ever seen in our lifetimes. Obviously the debate has been furious over the appropriateness of these data flows, this passage of information from one entity to another. The perceived harm that this data flow causes and what the appropriate remedies might be. As we all know, we've had a heavy debate on privacy going on now for at least three years, I've been here three years, and it was going on even before I arrived. I believe that issues related to the real harm that might be caused are well addressed by existing laws, but now we need to explore issues related to customer or consumer and business entities or the seller and the buyer, if you will. It is also useful to note that the digital revolution has revolutionized the knowledge that the buyer has about the marketplace. Buyers today are more informed than they have ever been ever before. The information age and information technology is literally changing the way every one of us does business, the way we conduct our lives, how we pick and choose, and certainly this information flow has made the buyer far more informed. It is crystal clear that there have been quantitative and qualitative changes in the marketplace, and the manner in which information is made available and used. There are real benefits in this for both consumers and businesses, from these changes. There are also changes in the way we all interact with each other. More of the interaction is being defined by data and less by each of us based on what we reveal about ourselves. The FTC has traditionally dealt with harm that comes from bad actors and market failures. The issues being raised today don't necessarily fall easily into either of those categories. Such as the challenge that we face. Productivity gains are well documented and the new technology, as I said earlier, is changing the way we do everything. However, there is a great trust deficit in existence out there now. The public has concerns about the private sector's ability to govern information use, or manage that information that they happen to have on people. At the same time, the same observations will tell you that the public has great concern as to what the government does with the information it has. And I would contend that we might ought to be a little bit more concerned about what the government is doing than the private sector, but nevertheless, we've got a great distrust going here between the consumers who more and more today understand the value of their information, and what goes on around them. We therefore have a dilemma. The use of information drives our economy, I think that's pretty well established. That includes information to make sales, marketing and customer service more efficient, and more effective. The information flow allows businesses to build the right product, deliver it at the right time, to the right place, to the right address, and meet the demands, unique as they are, among all consumers, carefully tailored to them. That I would suggest most consumers would say not a bad deal. However, this increased use of information about people creates consumer concerns. The public is concerned about the potential misuse of the information, and individuals are concerned about being defined by the existing data on themselves. This is a huge misunderstanding deficit that parallels and matches the trust deficit. Consumer education has lagged market changes driven by new technology. Government is behind the new technology changes, too, as we've all noted. Consumers struggle to understand the technology itself, not just in the ways in which a technology is used in the marketplace, I'm still wrestling with my ISP, I was about to use a name there, but I won't. I'm having so much trouble with it, I don't want to defame the country at this point in time, but I'm having trouble with the technology itself, not to mention the information flow. Today's workshop is a great opportunity to begin to bridge this learning gap and this trust and misunderstanding or untrust and understanding deficit. We're here today to gather facts and begin to understand the flows of data that support marketing and customer service. This should increase our understanding of the benefits of the free flow of information, and to begin to understand the level of real harm, to whatever degree it might exist, related to information use. And perhaps we have an opportunity to ease the fears that are related to that emotion of fear of the unknown. I would suggest, plead with, counsel all participants to please leave your emotions at the doorway. This session today, folks, please, is not about sound bites, it's not about exposing people in public, it is about learning and sharing what we each know and how we go about doing what we are concerned with, and understanding how to balance legitimate privacy concerns and economic and social benefits. Remember, today's objective is to learn, to explore, and perhaps start to identify so we can put our hands on it, some policy approaches that are balanced in their -- they're balanced in a sense that they balance the consumer's interest in choice and economic opportunity, they balance the consumer's interest in not being harmed by security breaches and data misuse, they're balanced in the sense that they respect the consumer's interest in choosing when to not participate in a market, and also the other side of the coin, so to speak, is business interest in serving all markets in a most effective and efficient and, quite frankly, profitable way that they can. That's what you are our free enterprise system is all about. I thank you again for joining us. This is an important session. Perhaps it's the first of several important sessions on the very subject, because I think we have a lot to learn and we appreciate you coming here and being a part of our family and helping us learn more, learn faster, and hopefully, as I always say, helping us to look before we leap. Thank you very much. (Applause.) COMMISSIONER THOMPSON: Good morning. I would like to join the Chairman in welcoming you to the FTC for this important workshop on the Information Market Place. As he mentioned, today we will all be sharing what we know about the topic of Merging and Exchanging Consumer Data. It's no secret, for example, that the Federal Trade Commission has been long talking about issues dealing with personal data and privacy. I think that today we will be talking about how the issues raised with data collection converge when we're talking about an online and offline environment. At present, there are some real reasons to distinguish those two classes of information, in light of the speed and the manner in which information is collected. But I also recognize that, as a practical matter, it doesn't make sense for consumers and businesses to view separate protocols for online and offline data collection. So, I would encourage industry and consumers to work together to formulate practical solutions that foster consumer confidence. But there will also be some important other questions that you'll be dealing with today about issues like legacy data, information that was collected before there was an online environment, and, also, how information changes -- does the character really change when you have offline data, including public information that's merged with online data and made available in a mode like on the internet. I look forward to hearing your presentations and hope that you'll enjoy the day. Thank you very much for coming. MR. WINSTON: Before we get started, I have a few ground rules and announcements to make. The first one I approach a little bit gingerly, but I have been asked to ask all of you to turn off your cell phones. I'm just the bearer of bad tidings here. Apparently there's some feedback between the cell phones and our equipment, and it's messing everything up, so if you could please turn off your cell phones. Also, I would like to remind our panelists that because we have so much ground to cover today, we're going to try to hold you to the time limits that we've discussed with you previously. We're going to give you a one-minute warning before your time elapses, and then when your time is up, we're going to gently encourage you to conclude your remarks. If that doesn't work, we have someone with a hook who's going to come out and kind of pull you away, but if you could try to stay within the time limits. Also, it's our practice in our workshops to invite the audience to ask questions of the panelists, if time permits, at the end of each panel. But, again, because we have so much ground to cover, I'm going to ask the questioners to limit themselves to asking questions and not to make any statements for the record. Which brings me to my last announcement, and that is that the record of this workshop is going to remain open for 30 days, until April 13th, so that anyone who wants to file something, a comment or other materials, for the record, and for the Commission's consideration, can do so. The instructions for filing these post workshop comments are available on our website at www.ftc.org. So, I encourage you all of you to participate in that process. Dotgov, I'm sorry, somebody gave me the wrong web address here, okay. Anyway, I encourage you all to submit comments if you like. Now we're ready for our first panel, in which Professor Mary Culnan of Bentley College will lead a discussion designed to provide an overview of the flow of data through the information marketplace. Professor Culnan is the Slade Professor of Management and Information Technology at Bentley College in Waltham, Massachusetts, where she teaches and conducts research on information privacy. She is the author of the 1999 Georgetown Internet Privacy Policy Survey, and was a member of the FTC's Advisory Committee on Access and Security. And Professor Culnan will introduce the members of her panel. SESSION ONE: MERGER & EXCHANGE OF CONSUMER DATA: AN OVERVIEW MS. CULNAN: Thank you, Joel, and thank you to the FTC for inviting me to participate in this workshop. It's going to be a terrific day. One comment about our session. We were instructed we're not going to have Q&A at the end of our session, because we're just providing an overview, so I didn't want you to think that we're cutting off the flow of discussion arbitrarily. What we are going to do today is we're going to talk you through a slide, which I'm going to put up here, and which you also have in your packet. Because the other two people are going to be having their own slides. We're going to talk you through this 30,000 foot view of profiling to set up the rest of the day's sessions. And so, if we skim over a topic that you think we should have gone into in more detail, you will hear about this in more detail in the other sessions later on today. We're going to focus primarily on the compilers, the third party organizations that collect, slice and dice and then resell consumer data (but these firms do not have a direct relationship with consumers), rather than focusing on the profiling that's done by individual firms with their own customer data. And for the purpose of simplicity, we're also not going to talk about co-op databases, which fall into the category of third party organizations that collect information on customers, because there's such a small number of these systems, but for some of the things that we're going to talk about, they also fall into our slide. So, let me first introduce our two panelists. First is Johnny Anderson, who is the president and CEO of Hot Data, Incorporated. He has over 30 years of technology industry experience, holding executive and management positions at e2 Software Corporation, Saber Software Corporation, Novell, Excelan and Digital Equipment. Our second speaker is Lynn Wunderman, who is the President and CEO of I-Behavior, Incorporated. Prior to founding I-Behavior, she was the founding partner of Wunderman, Sadh & Associates, which is a consulting firm specializing in information-based marketing services for both consumers and B2B marketers in the financial services, high-tech graphic arts, non-profit and Internet industries, and President and Chief Operating Officer of Marketing Information Technologies, a company providing database services for major Internet and Fortune 100 companies. She currently serves on the Internet committee of the board of directors of the Direct Marketing Association. So, what we've done, we've divided the slides into thirds. I'm going to discuss the first part which is on the left, this is the consumer part where consumers generate information in our daily lives that ends up in a compiler's database. Johnny Anderson is going to discuss the middle part of what goes on in the compiler's black box, and Lynn is going to discuss the third part on the right, how compiled data is used to generate offers to consumers, both prospects and consumers. And then as you can see, our picture begins and ends with the consumer, which is an important point I think. After I attended my first DMA convention and went through the exhibits, I came away convinced that anything anybody does puts you on somebody's mailing list or you end up as a record in somebody's database. And the slide shows some of the main ways that this can happen. First of all, all of us generate a number of public records, depending on the kinds of activities we engage in. Some of these include personally identifiable information such as property records, which do have our name and address attached to them, or telephone directories or other directories, and then there's public records that have nonpersonally identifiable information in them such as census records. And compilers can acquire this information in two ways. First they can acquire it directly from the source, so they could buy the records from the state or local government. Or they may acquire the information from a second firm, such as Claritas, that acquires this information and does some analytics on it and then generates geographic and demographic profiles that do not include personally identifiable information but can be overlaid on top of a record that does have an address. And in fact there was an example of this information in yesterday's Washington Post, if you happened to see this, of talking about Fairfax County, Virginia that has the highest average family income in the United States. And inside the article, they talked about the different lifestyle segmentation profiles that are represented by the people who live in Fairfax County. For example, they said 22 percent of the people who live in Fairfax County are in The Winner's Circle, that's the name of the profile, or Executive Suburban Families, age 35 to 64, household income is $90,700 a year, and these people are most likely to have a passport, shop at Ann Taylor and read Epicurean Magazine. So, this will give you a flavor of how this information is used to, again, help companies understand who their customers or their prospective customers are. A second source of information is surveys, such as warranty cards or marketing surveys that could include questions about what people's product preferences are across a whole range of different kinds of products, their life styles, their hobbies, and their demographics. The third way that the information can end up in a compiler's database is that people sign up for mailing lists, and I was thinking about this as I read the Sunday paper and, you know, there are cards that fall out of the Sunday magazine where you can request information on various topics. Or people who order things by mail, or you request information, call an 800 number, sign up for something online, enter a sweepstakes or a contest, and these types of things will put you on a mailing list. Well, mailing lists may be made available directly, without going through a compiler, either by the firm itself or more likely through a list broker who is going to manage the mailing list on behalf of the firm that owns the list. And that can end up with targeted offers to prospective customers. Or some of the information may end up in the compiler's database, and go into subsequent uses that we'll hear about. And then, finally, down at the bottom, we see the customer database, and when consumers establish a customer relationship with an organization, with a business, they end up in the customer database. And I think this is not a big surprise to everybody. And then that firm can generate new targeted offers to its current customers. I think people expect this to happen, but we're also going to hear how compilers can help these firms generate new offers to their customers, better target these offers and help these firms do cross marketing of new products and services. So now Johnny will talk about what goes on in the middle of the picture. MR. ANDERSON: Good morning. My name is Johnny Anderson, I'm Chief Executive at Hot Data. How Data is an infomediary that connects customer relationship management marketing automation systems to sources of both household information on consumers, and business information about businesses, and provides a complete set of data quality and standardization services for both small, medium and large-sized businesses. I'm going to spend a little time and talk about the kinds of information that's collected, how it gets compiled into a database, and then gets delivered into a marketer's, end user's, database. But first I want to kind of digress. I've looked at some of the other slide shows, and a lot of the topics are going to be hit. I really want to digress and talk about why people are -- why marketers are interested in this kind of information to begin with. Building a data warehouse and collecting this kind of information is a massive undertaking, and very expensive. What's the payback, and what are businesses looking for out of taking third party information and merging that in with their in-house information? If you think about commerce, if you think back, all the way back to the middle ages when commerce really first started. The buyers and sellers knew each other. There was a one-to-one relationship. Even up into the beginning of the last century, people knew -- the storekeepers knew who their customers were. After World War II and the mobilization of America, and the move from urban centers into suburban centers, and the creation of the now shopping mall, merchants now lost track of who their customers are. They don't know who buys products anymore. So, merchants really spend a lot of time doing product level analysis to figure out who bought the stinky cheese, and what stinky cheese purchases drove what other kind of purchases. The change in the new economy, and the evolution of the Internet now has really empowered consumers with information, and has broken down a lot of the geographic boundaries in terms of, I have to travel to a mall to purchase something. This has already been broken down quite a bit with the direct marketing and catalog industries, but now with the Internet, people now have a lot of information. So, it is now dependent on -- a business' dependence on success is now leveraged by what kind of service they can deliver. And to deliver that service, they again have to know who their customers are. So, you really look at all of the kinds of information that's available so that businesses can get a complete 360-degree view of their customers to be able to understand them not only in the context of their own transaction that may have taken place, but also what the likes and dislikes of that customer are. So, when you really look at the kind of information that's available, it really falls down into three categories. There's the geographic information, or where you live, and that kind of information is really address data, quality of the address, standardized to the Post Office's standards, what's the bar code for the address, but also includes information like what MSA that address is in, what census tract that address is in, and important things like latitude, longitude and geocoding, which are really used by businesses to do things like drive time analysis, and trade area analysis. But one of the first segmentations, at least in the retail industries, and now in the telecom industries, is where do you -- where do people live and how far are they likely to travel to get to one of my retail locations. The second is really the demographic information, and the collection and the detail of this will really be talked about a lot in panel number 2, but that's things like name, address and phone number, at a very basic level, but also reported and modeled information around a person's income level, what their marital status is, whether they buy by mail, whether they're a credit card user, whether they own their own home or not, information about what you're like. And then the third piece is really the psychographic information, and that's really what you like, what your life style indicators are, and that's where a lot of the compiled information comes in from, lists and surveys, to determine what somebody's propensity to buy a specific kind of product is. And those are indicators that could be that you're an outdoors enthusiast, a gardening book reader, dot, dot, dot, there are a number of different life style indicators. So, how is that information merged into one particular database? Data compilers really look to those three sources and do a very complex job of extraction, transformation and loading of that data. And that data is bought from public sources, and that could be things like tax records, home owner information, up until recently motor vehicle information was used, and in some states, even driver's license information. But that information is reported information that's public record that's brought into the database. Self reported data really drives a lot of the demographic and psychographics, and that's information from surveys and warranty cards and registrations. And then information from mail lists, and that is I'm -- I have a wooden boat, I subscribe to Wooden Boat Magazine. If I subscribe to Wooden Boat Magazine, there is a great likelihood that I am likely to buy products for wooden boats. So, affinity modeling and propensity scoring is really driven by the self-reported data from both subscriptions and product registrations. That information is matched based on name and address, so that there's really a view of a consumer that takes into account all of those different kinds of data sources. And then there's some additional modeling that's done on top of that, based on scientific samples and surveys, different kinds of models are put into place for specific vertical industries. Not every industry is interested in the same kind of consumer information. A telecom merchant is not interested in the same kind of information that a retailer is interested in. So, modeling is done based on a set of attributes that's been collected to be able to put together things for financial services and other industries. And then the output of that information really goes to two sources. One is the data enhancement source, in that I have a customer database of people that have come to my company from a number of different sources, could be a customer that signed up for a frequent buyer program at a retail location, could be a customer that's come to me at a trade show or sent back a business reply card, or a customer that's walked into one of my retail locations. The customer that's in my database, so I'm really looking for information that's outside my organization so I can understand that customer better. And the second is the targeted lists, and that is really if I've done some analysis in terms of what my best customer looks like, give me some more prospects that I can market that look just like those folks. I don't know who they are yet, and in most cases those targeted lists are going to go to a mail house who is going to get a mail drop, and I won't know who they are, until they respond to that direct mail campaign and come back into my database. And then they'll go into the normal process of my selling process inside my customer database. So, there will be a lot of detailed talk about both the collection of data in the second panel, and then the use and kind of how the technology drives some of the business models for the use of that data in the third panel a little it later on. So, with that, let me turn it over to Lynn, and let her talk about some of the internal uses of data. MS. CULNAN: Thank you, Johnny. MS. WUNDERMAN: Bear with me just one second here. Thank you. Well, I've been asked to spend the next 15 minutes talking to you about the end user applications that have evolved really over the last two to three decades, so it might be a little tight, but we're going to do the best we can. I'm going to start where Johnny left off, which is to help you understand how this kind of compiled data really brings a name and address record to life for a marketer. Now, this is a real, live consumer record off of a compiled database. I can attest to it because it's me, it's the Wunderman household at 94 Mercer Avenue in Hartsdale, New York. I have signed a release so that my data can be made public here today. But just from that information, we can now geocode this record and find out its census block group, attach all the geographic information available for the census, as well as we can now construct a match code, which you see here on the right side of the screen. That match code is the link to the compiled database by which we overlay the demographic and the psychographic information that Johnny was just earlier describing to you. Now, what happens when we do that? This is pretty much what you get, on the Wunderman household, a fairly distinct profile of a relatively affluent middle-aged, suburban couple, dotes on their dog, is extremely mail responsive, somewhat techno savvy and lives pretty much a high-end, fairly active life style. Now, I can tell you this is a pretty accurate record. There are two things they missed here. They missed the registration on my husband's antique motorcycle, okay. They are off by one category on our income; that's okay with me if it's okay with the IRS. But why do we want this data? Why do we want this information? As Johnny said before, it's not because we're being nosy, it's because we're looking to establish and build a relationship with a consumer. Now, Webster defines a relationship as a connection, a bonding or a contract, and the way we build relationships for marketing purposes is really no different than the way we establish and nurture relationships in real life. I mean, we do it through data, whether it's by factual information or observation, we're looking to establish some common ground by which we can create a meaningful, relevant communication to gain that connection. Now, I will tell you that the way it's done by general advertisers is different from the way we do it as direct marketers. In fact, it's the exact opposite. As a general advertiser, I'm looking for large numbers of people with something in common. Maybe I'm targeting women, 25 to 49, maybe some broad-based income qualifier. I'm going to talk to them based on what it is these women have in common. Or at least I think they have in common. Now, the issue is just because these are women largely of child-bearing age doesn't necessarily mean they have kids, but when I'm spending $7 to $10 a thousand to reach them on TV or maybe $20 to $30 a thousand to reach them in print, I can afford to have a certain amount of misses there. But it's very different when you're a direct marketer. I may be spending $500 or $1,000 a thousand to reach somebody at an individual or at a household level. So, I'm going to be much more stringent and rigorous when I look at and evaluate the success of that communication. I'm not looking for soft measures like awareness or reach and frequency, I'm looking for that household to take a specific action, and I'm going to valuate the cost efficiency of that action based on return on investment. So, I've got to be much more precise in my ability to target that household and develop a meaningful, relevant communication so I can capture their attention and do it quickly. So, we've learned over the years as direct marketers a very important principle over the years, and that is that people's differences are more important than their similarities. Now, what do I mean by that concept? I mean that what it is when you're studying a group that sets them apart from everybody else is more important than what it is that the people in that group have in common with each other. So, the differences are more important than their similarities, and they respond better when those differences are recognized. Now, here's what I mean by differences. It's all the data we've been talking about. It might be geographic, could be climate, market size, it might be demographic, life stage or life stage change, you know, maybe I just got a new spouse, got a new house, got a new baby, preferably in that order. It could be psychographic information, hobbies and interests we've been talking about, or it could be your purchase history. Now, we haven't talked a lot about that, but that purchase history could be self reported that I got off of some kind of a survey, or it could be the purchase history that a marketer captures and utilizes in their own database. And normally when we talk about this, we talk about the recency, the frequency, the monetary value segments as a marketer. And I will tell you this is incredibly powerful information from a segmentation standpoint. So, I might talk to you differently if you're a new customer versus a tenured customer. I'll not only talk to you differently, but I'll invest differentially if you're a high-value versus a low-value customer, and I'll have an entirely different contact strategy, frequency of the kind of offers I'm going to send you, if I happen to know that you're a loyal customer as opposed to a competitive switcher. Now, as I said, this behavioral information is incredibly important to marketers, and it works terrificly, if you have it. But you don't always have it. I mean, it's great if I'm talking to a group of customers that have been with me a long time and I have a lot of data on those people, it's an established product, it's a proven offer, but what do I do in a situation when I'm trying to attract new prospects into the base? I don't have a lot of data about their purchase behavior, particularly about what they're buying from my competitors. What about if I'm trying to spend on my new customers based on their potential to become high-value customers every time. Not much there in my database about these people. Or if I've got some test market results that I've done with new offers, new products, I know in aggregate how people are likely to respond, but I've got to think about who do I target with those offers because I don't have that response information on everybody in my database. So, what do we do? We use surrogate data. We use surrogate data as a bridge to help us be able to apply that behavioral information to another universe. Now, the most important data that we tend to use as surrogates is this compiled information we're talking about today, because there's a very important criterion that data has to be as available on the target audience that I'm studying as the application universe that I'm applying it to. And the compiled data is virtually available on just about every household in the U.S. So, what I am going to do is I am going to use my behavioral data in my own customer database to define a target. I'm then going to use the bridge data, the compiled data to describe the target and create a profile, and then I'm going to use that profile to help me find lookalikes in some larger application base. So, let me show you schematically how this works. I'm a marketer and I have defined a target as my high-value customers, however I define it, profits, revenues, purchase frequency, et cetera. And my goal is that I'm looking to identify prospects in the population who have a high potential to become high-value customers every time, I want to track them into my base. So what do I do? I'm going to study how do these high-value buyers look different from everybody else in the U.S.? And the data I'm going to use to do that is all the demographic information, the psychographic information, and I will tell you the coverage on the psychographics does not tend to be as large as some of the other data, so it doesn't often enter these statistical analyses, but we use it and we see if it's predictive. The geographic data and the census information, all to help me understand what is it about this group that makes it look different from everybody else. I'm going to overlay statistical tools so that I can really quantify which of these differences are statistically significant in identifying this target. I'm going to look at the interaction and the relative weight or strength of those variables, and I'm going to apply it back to a broader universe, in this case, the U.S. population. Every household gets this -- every household gets a score, excuse me, and the highest scores are the most likely to generate and to exhibit that target behavior. Those at the bottom are least likely to become your high-value customer, and this is nothing more than a planning tool. Okay, I'm going to penetrate that universe of U.S. population based on my volume objectives, my budget limitations, whatever. Now, I think it's important for you to understand as we talk about these concepts, where the predictive value of that data comes from. Okay, and I promise, no formulas, you don't need to be -- have a degree in applied statistics, it's a very simplistic example. I'm just going to use marital status and I'm only going to give it two values. So, here I am studying my high value-customers, all right, and I'm looking at them and I see well, big deal, they're just as likely to be married as they are to be single, that doesn't tell me much of anything, does it? How do I target anything based on this information, how do I talk to them based on this data? Well, guess what? I compared them to the U.S. population, and they're twice as likely to be single as the rest of the population at large. Now, take this predictive value, multiply it times another half dozen to a dozen variables, you start to see where the power of these statistical tools comes from. So, how do we use these tools? Well, we use them to help drive differential contact strategies. Who do we target, when do we target them, how do we target them so that we're more efficiently reaching them with more relevant communications across the entire life cycle of the customer. From acquisition to value stimulation, all the way to eventual retention and re-activation. So, for instance, I'm going to rank my customer database based on this information, and I'm going to spend differentially based on the probability of these people being high-value customers, the repeat sales, cost sale, up sale, I'm also going to apply it as well to my customer information applications. Maybe I'm even going to develop new services for high priority customers. I can overlay this data on any vertical or apply it out from a compiled database, I can use this for direct sale or regeneration offers. Also remember, that because this tool is developed at an individual household level, I can aggregate it back up to any level of geography. So, for local support programs where there's a retail trading area or there's a sales territory, it become a very useful tool to prioritize differential media and households for these purposes. It's easy to apply them to any form of addressable media, those that are available today, such as selective binding, addressable cable and satellite, some of the Internet applications you can hear about later this afternoon, and those that, you know, we've hardly thought about in the future, wireless, interactive television and things that haven't even been invented yet today. And these tools can also be used as a planning template, we can bridge them into syndicated research bases, such as Scarborough, MRI, Simmons, Nielsen, and help us optimize the value of our mass media, of our print and our broadcast spending. So, all of this is based on our study of a high potential end user. So, what does this do for us in the end? I mean, basically it helps marketers invest their marketing dollars smarter, more efficiently reaching customers across virtually every channel, and for consumers, it means hopefully you receive more of the offers you want, and fewer of the offers that you don't. And that to us is a win-win for everybody. Thank you. MS. CULNAN: We've got a lot of time left, we've got about 25 minutes. What would you like us to do? MS. ALLISON BROWN: Do you want to take questions? MS. CULNAN: Sure, we'll take questions. We changed our minds, we'll take some questions. And there's a microphone over here, so I think Jason Catlett has a question. And then if you would address your question to one of the panelists, if that's your preference, please do so. MR. CATLETT: May I address it to you, ma'am? MS. CULNAN: You may. MR. CATLIN: Hello, this is called the bleeding edge of technology. Well, I don't think it's doing anything, but I'm going to hold it here anyway. Mary, you said that you were not going to address co-op databases on the basis that there are so few of them. And I think that's like saying we're not going to address suppliers of Windows operating systems because there are so few of them. The dominant co-op database, Abacus Direct, really has enormous influence, and I think it's a model different to but very relevant here. So, could you take a minute to describe what co-op databases do? MS. CULNAN: I may punt this to one of the panelists who have more experience. I will say one thing, for those people that are interested in co-op databases, and particularly in Abacus Direct, their data dictionary is on the DoubleClick website, so if you go to doubleclick.com and you click on Abacus, you can see exactly what kind of information they have acquired, and I think probably it's a really good example of transparency, assuming you know to go there and look for the data. So, because Lynn is actually running a co-op database, and again, it's not that we didn't want to talk about these because we didn't want to hide anything, but because we were doing the broad overview, we decided as a panel it would confuse things, thinking our talks would take longer if we went off and then couldn't fit it all into the slide. MS. WUNDERMAN: I do promise that we will spend some time this afternoon talking about the co-op database model, and specifically about my company, I-Behavior, unless there's something specific to these applications that you would like to talk about now. I mean, I could go into the concept of co-op database, it's going to be a little redundant this afternoon. MR. CATLETT: Why don't you spend 30 seconds describing a co-op database. MS. WUNDERMAN: A co-op database is formed when marketers share their customer names and related buying information in order to gain access to names of qualified prospects as well as additional data on their customers that might otherwise be unavailable for them to market and to build their business. So, if we had, I don't know, Mary, if you could put back your first slide. MS. CULNAN: Sure. MS. WUNDERMAN: I mean, basically with a co-op database, if we move the consumer aside to the right and we were to create another box, what you would see is the customer databases, the compiled data would all come into a co-op database and we would have a consolidation of many customer files from marketers, publishers, catalogers, e-tailers, et cetera, all going into one database as well as it would be overlaid with the demographic or the psychographic as well as the census data we've been talking about earlier, all to form a positive record. And that is the rich behavioral and demographic base upon which marketers would be able to do selections from that file. MR. CATLETT: Thank you. MS. CULNAN: One difference I think it's important to point out, you have to be a partner in the co-op database. MS. WUNDERMAN: Yes, you do. MS. CULNAN: You have to put data in in order to take advantage of the data that's there, as opposed to the compiled databases where basically there's no relationship between contributing data to the database and being able to acquire data from the compiler. MS. WUNDERMAN: Yes, and I will also say that generally that there's notification to the consumer about sharing data with trusted third parties as well as the online component, there are privacy protections as well. MS. CULNAN: Anybody else? There's a question toward the back. MR. TUROW: Would you talk just a little bit about the way databases get purged, based not just on what consumers want, but also recency and the decision that certain things become obsolete and how those criteria are determined? MS. WUNDERMAN: I want to make sure that I understand your question. You're asking, you know, I think on -- in terms of if I have information in a customer database about an individual's purchase behavior and over time that that data is no longer relevant? Is that -- MR. TUROW: Yeah, how do you decide -- how do you decide at what point you purge those particular data like your sports car. Maybe you decided to get more conservative about the car and somebody has not picked it up, do you have any kind of criteria to which to purge certain kinds of data after a certain amount of time, based on certain other criteria? MS. WUNDERMAN: Let me say something about the compiled data and its value, because they're not going to be always 100 percent accurate. I mean, you saw even my income on my own personal record was not accurate. What's of greatest value with the compiled data beyond its coverage is its consistency, and when you're looking for predictive value, consistency can be even more important than sheer accuracy. So, the procedures that are in place to replace that information, the models that are done to calculate data such as income, it's consistently done even if it's inconsistent across households. So that as that data is predictive, it may be predictive, even though it's not 100 percent accurate, but if it is predictive, it will rise to the top, and then virtually it's a numbers game. You will never be 100 percent on any particular individual or household. What you're trying to do is increase the probability of identifying a high potential consumer. So, for one or two or, you know, any number of people, that data will still not be 100 percent accurate, it ages over time, and it's the compilers that capture that information from the various and sundry public resources or surveys that gets supplied back to us, it's accurate, it's not accurate. But if it's still predictive, we will still work with that information. MR. SMITH: Richard Smith with Privacy Foundation. I have a question for Lynn. How do I get my compiled record, just like you got yours, on the screen? MS. WUNDERMAN: Call me. MR. SMITH: Can everybody call you if they want to see, every consumer if they want to see this? MS. WUNDERMAN: I'm sorry, you're asking you as a consumer, how would you get access to information? Well, I am not a data compiler, per se, I mean we get our data from Equifax, there are others, Experian, and First USA through their Donelly unit and Acxiom through their InFobase that supply this information, but if you as a consumer are interested in seeing your record on our database, you can request a copy of your profile and we'll supply it. MR. SMITH: Do these companies, compiler companies generally allow consumers to look at this kind of data? MS. WUNDERMAN: You know, I not being a compiler. I would have to say in today's marketing environment, they should, but I cannot tell you. Certainly the data that comes, for instance, from a credit bureau, and the credit bureau information gets channeled as part of Equifax and that gets channeled into the Polk Database, as a credit bureau, you need to be able to provide consumers with access to that data, but I'm not familiar with the policies of each and every compiler. MR. SMITH: Thank you. MS. CULNAN: Okay, I think we're going to take a break and you want to break for -- you're going to let the people running this set the rules. Thank you. MR. WINSTON: This is kind of a unique situation, we're actually ending a little early, but that gives us a little more time for lunch. So, if we could break until about 10:15, and I want to thank the panelists and the Magazine Publishers of America. (Applause.) MR. WINSTON: Also, thank you to the Magazine Publishers of America for supplying our repast out there. (Pause in the proceedings.) SESSION TWO: CONSUMER DATA: WHAT IS IT? WHERE DOES IT COME FROM? MS. ALLISON BROWN: Hi, I'm Allison Brown, I'm an attorney in the FTC's Bureau of Consumer Protection, and I'll be the moderator for Session 2, entitled Consumer Data: What Is It? Where Does It Come From? The overview that we just heard has provided us with a brief look at data merger and exchange. Now we will begin a series of in-depth panel discussions about these practices. This panel discussion will focus on the original sources of consumer information, and we have five very experienced and knowledgable panelists with us today for the discussion. We will also have about ten minutes at the end of the panel for the audience to ask questions. If you're sitting in an overflow room and you want to ask a question, please come up to the doorway on the main room here on the fourth floor at about 11:20 and we'll have a wireless microphone here so that you will be able to ask the panelists your questions. I will now introduce each person on the panel and ask the panelist to spend about three minutes to provide a brief introduction to the sources of consumer data that businesses use. C. Win Billingsley is the Chief Privacy Officer of Naviant, Inc. Naviant is a provider of marketing tools and integration methodology for online and offline environments. Win, please go ahead with your introductory remarks now and I'll introduce the other panelists in turn. MR. BILLINGSLEY: Okay. Naviant is a leading provider of integrated precision marketing tools, for both online and offline environments. So, we really integrate the virtual world with the physical world. This capability enables marketers to identify, reach and build relationships with online consumers. So, to probably state that in a form that is more meaningful to you, Naviant has a database of about 30 million households that are Internet-enabled. So, our niche is a database of people who have the capability to buy products and services on the Internet. This data is collected primarily through product registration data, and we'll talk a little bit more about that in the session on how this actually occurs. The data is fully permissioned. We only want people in our marketing database that permission us to do so. You know, an individual or an Internet user that does not want to participate in Naviant's database is not included in the database. And then there are other processes that we have in place to make sure that our data is accurate and as useful as possible. MS. ALLISON BROWN: Okay, Elisabeth Brown is Senior Vice President of Product Strategy for Claritas. Ms. Brown oversees the development of new data products and services, including demographic, cartographic and segmentation systems, and the management of the software and applications that are delivered to Claritas clients. Ms. Brown? MS. ELISABETH BROWN: Thank you. One comment, too, I have actually been not only am I a member of the club, but I have been a client, so I was actually a client of the Claritas marketing products and services before I joined the company. So, I do have a little bit of perspective on how it can be used and how we used it when I was at the Prudential Insurance Company. Claritas is a marketing information company that has been in business for over 30 years, which makes us one of the more mature companies in this industry -- as evidenced by a recent Wall Street Journal article that referred to Claritas as the granddaddy of demographic providers. Claritas serves companies in financial services, telecommunications, energy, automotive, retail, restaurant and real estate industries, and we have clients ranging from the top Fortune 500 companies to small, independent consultants. I'll just give you a little bit of background. Over 30 years ago, Claritas' founder, Jonathan Robbin, who was a Harvard social scientist, was analyzing U.S. Census data and settlement patterns. He hypothesized that American neighborhoods reflected the old adage that birds of a feather flock together, and therefore, the products and services that Americans consumed could be predicted simply by knowing summary level demographic information about the area, or "you are where you live." This was referred to in the first slide as geodemography. Thirty years later, our models have become more sophisticated and are able to dissect markets at a much lower level of geography, but that same old basic premise still holds true that by knowing some small amount of demographic information, you can infer or predict the likelihood that a household will be interested in the products and services that you're offering. So, we provide demographics and other consumer and business data on multiple levels of geography, delivered through our various mapping and marketing application software platforms. We are probably most well known for our consumer segmentation systems, for example, Prism, which was also identified earlier when Mary was speaking about Winner's Circle and what some of the attributes of a neighborhood would be that would be tagged as Winner's Circle across the country. Our consumer product demand estimates that our clients use to more efficiently market their targeted customers and prospects, which you could refer to as surrogate or inferred data. Claritas data and services are used for broad marketing functions such as tracking new customers, retaining current customers, determining site locations and appropriate sales and marketing distribution channels, and we help with more efficient reach strategies and media planning. So, basically, Claritas marketing information helps our clients offer the right products and services in the most appealing way to the consumers and prospects. We provide basically the benchmark information or the total universe data that our customers can use to compare their current customers and markets against so that they can make better marketing decisions. Thank you. MS. ALLISON BROWN: Next we have Paula Bruening who is Staff Counsel for the Center for Democracy and Technology. The Center for Democracy and Technology is a non-profit public interest organization that seeks practical solutions for enhanced free expression and privacy in global communications technologies. MS. BRUENING: Thank you. CDT has been asked today to discuss the issue of public records as a source of information about individuals from a factual basis, and as many of you know, CDT generally has a specific viewpoint on this issue. I will talk today about the factual basis in my opening remarks and then any other comments will be reserved for the Q&A, but I would like to encourage the FTC to go to the state level and to some other resources and some organizations that are doing work on this issue, because I think some of the really difficult work on how the information is collected and how it is being used specifically is being done at the state level. And I'm happy to give the FTC that information. Public records maintained by government agencies disclose a vast array of detail about an individual's life, activities and personal characteristics. At the federal level, most personal information is not available to the public, because of the privacy exemption in the Freedom of Information Act and the Privacy Act of 1974. However, bankruptcy records are an important exception to this rule and are maintained by the federal courts. These records are a source of detailed financial information, and the sensitivity of that information has been recognized by the Office of Management and Budget, which has produced a study on this issue called Financial Privacy in Bankruptcy: A Case Study on Privacy in Public and Judicial Records. At the state and local level, however, the types of records that are maintained are different, and the laws and policies governing records yield disparate acts and disclosure practices, but it is possible to construct a detailed profile about an individual from public records. And while I will spare all of you the exhaustive list of all the sources of information, I'll name a few: Name and address information come from voting records; land titles are a source of home ownership information; property taxes can give you assessed value of homes; birth and death records give you information about an individual's parents. The list goes on, there are occupational license records, motor vehicle records that can tell you about an individual's make and model of an automobile, voter registration gives you party political affiliation, and hunting and fishing licenses, boat and airplane licenses can give you information about how a person likes to spend their leisure time. There may be considerably more information available in public records about an individual who has interacted with the courts as a criminal defendant, as a plaintiff or defendant in a civil litigation, in a divorce proceeding, as a juror, as the beneficiary of a will. Public access to government records serves several important goals. Individuals need government information to make political decisions about government programs, legislative and regulatory options, and candidates running for office. Government records also assure the accountability of individuals as in the case of business and real estate transactions. However, it's important that public record information be used for the reasons it was collected. This information was not meant to be searchable in a database, nor was it intended to be used in marketing. And simply because there is a tradition of collection of information, important decisions need to be made on a case-by-case basis about the appropriateness of access to public records and the role of consumer choice. MS. ALLISON BROWN: Thank you. Michael Pashby is Executive Vice President and General Manager for Magazine Publishers of America where he has also served as Executive Vice President of Consumer Marketing. Before joining the MPA, Mr. Pashby was president and publisher of Art and Antiques Magazine, vice president of circulation and new product development for Gruner + Jahr USA, and Managing Director of U.S. Operations for Marshall Cavendish. Michael? MR. PASHBY: Thank you. That sounded impressive. MPA represents about 85 percent of the consumer magazine -- dollar volume of the consumer magazine industry in this country, and about 85 percent of all magazines are sold through the mails, using direct mailing techniques or direct marketing techniques of extremely varying sophistication. The use of credit cards in our industry is extremely small, but is now growing. Our members strongly agree that we must protect the privacy of our readers, and I think our industry has done a very good job over the years in balancing our legitimate business interests and our consumers' reasonable expectations of privacy. Obviously we value our readers and we wouldn't be in business without them, so our industry is constantly looking for ways to improve that service to our readers. It's important to note that when our readers ask us not to share information about them, we don't. In the information section of most magazines, the publisher discloses that the subscription list may be rented to appropriate businesses. The magazine offers an address or toll free number so that the reader can opt out. And many magazines are taking advantage of the Internet to inform consumers of their privacy policies, and give consumers an additional opportunity to opt out. We're very careful with respect to the customers, to the wishes of the customers who choose to opt out. Generally when a consumer requests that publishers not share information, that publisher will not only remove the consumer from their own internal rental lists, but will refer the consumer to the DMA so that the consumer can request to be on their nation-wide do-not-mail list. That said, magazines are very good sources for consumer data. And the reason is very simple. More than any other medium, the choice of which magazines a consumer reads can tell a lot about a person, what a person likes, and his or her interests. In enabling our readers to get information about products and services that are of interest to them, it is advantageous to everyone. Our readers are given more choices, they get information about products of their interest and life styles, and most importantly they're not inundated with advertisements for products they have no interest in. Businesses benefit because they can target their advertising to consumers who are most likely to be interested in their products, saving them time and money. And for magazines, with a cost of mailing now between 65 cents and a dollar per piece, and that's before the Post Office applies for its newest rate increase this June, the cost of acquiring a consumer, when the response rates are in the low single digits, and in a very competitive market, is extremely expensive. But sharing information only works if it's beneficial to everyone. Our magazine subscriber lists are our most important and valuable assets, our readers do not want to get advertisements for products they don't care about, so the magazine industry is selective about letting advertisers use their lists. If a business intends to mail a solicitation to a consumer, magazine staff review that promotion to ensure its use is appropriate. Most magazine publishers will not rent their list to telemarketers because they have little control over how the list is used, but if lists are rented, we expect magazine staff to review the telemarketing script. And very importantly, the list is rented, it's not sold. That means the advertiser can use it only one time. And publishers, as a general course, see their lists and track how that list is used. Thank you for inviting us again. MS. ALLISON BROWN: Thank you. Our final panelist is Ted Wham. Ted is the President of Database Marketing for the Internet, a sole proprietorship consulting practice. His career has been concentrated in the direct and database marketing industries, focusing most recently on Internet-enabled marketing applications. Ted? MR. WHAM: The benefit of having the last name of Wham is that although I am always at the end of the line, I always get to hear what everybody says before me and tailor my comments to help amplify on those areas as well. Database Marketing is an independent consultancy that consists of myself as an independent business person working out of my home, and billing my cat at very low billable rates, I have had an opportunity to work with organizations such as Viacom Division, Curriculum Corporation, Hewlett Packard, I have worked with Cisco Systems here recently, NCR and so forth, helping them formulate Internet privacy strategies and also how to use information about consumers for part of their contact strategies. In general, the information which is available about consumers in the United States starts from very gross aggregate levels, compiled information which is largely demographic information, and as Ms. Wunderman explained in the session immediately before this one, to a lesser extent psychographic information. You move from that into information which is available from a wide range of public records, such as the ones that Ms. Bruening referred to, and ones that I have personal experience with as being on the receiving side of some of the solicitations for there. That's important because those public records the consumer doesn't have much choice in terms of their participation in those lists, it's an obligatory process. If I want to vote, I have to register to vote, and if I register to vote, those public records are then going to be available for purposes unrelated to my voting, and, you know, that's kind of the way it is. There is then a second tier, and that is government supported monopolies, and those monopolies are, because they're either a natural monopoly such as the provision of your gas service or your telephone service, and for instance white pages, telephone white pages are a major source of compiled list information, but there's also government supported monopolies in the form of patent protection and copyright protection, which gives a form of a unique ability to sell a product. So, for instance, if I want to operate with a computer operating system called Windows, I have to support the patent and copyright protections available from Microsoft until those patents run out, and I have to use that information and Microsoft has that and has the opportunity to share that information, if that is their business practice to do so. There is a whole range of different products from drugs that you have to take to the type of services that you buy and so forth, where that government-mandated protection is there. For monopolistic practice it serves a public good in terms of inspiring innovation. The last area is information which is in a much more competitive area. I can go to any of a number of different retailers to buy clothing, for instance, and the retailers when I make that purchase are going to collect various amounts of information. So, if I buy at Sears, that may be a largely anonymous transaction, especially if I make it in a cash basis. If I do it through a credit card, they may have more information, and some retailers through a traditional retail environment such as Radio Shack actually will ask you for information about your name and address, and collect that information online. Other businesses who run their business model through a mail order process such as Lands End and J. Crew and so forth become much, much more adept at collecting very specific information about you because what you've bought in the past becomes most predictive about what you will buy in the future. It's dramatically better than demographic information, dramatically better than any information you're going to get from public records. If I bought something from J. Crew in the past, I will be better than any prospect that they can find to buy stuff from them in the future. But there's an opportunity for a consumer to make a choice in those purchases on whether they're going to choose retailer A versus retailer B, and so there's an opportunity for control there. So, in looking at this, I think it's important to look at the spectrum of how that information is collected in terms of the consumer's ability to control the use of that information downstream. MS. ALLISON BROWN: Now that you've heard a brief introduction to the sources of consumer data that businesses use, I'm going to ask our panelists some questions so that we can learn some more specifics. Win, what data elements does your business collect about consumers and how do you collect the information? MR. BILLINGSLEY: Most of us have done a product registration or a software application registration, and it's very important for the manufacturer of that product to get to know who their end user customers are, because all of them distribute their products and services through some intermediary. So, they're really isolated from who their end user customers are. The way they try to solve that problem, and also to provide customer support and service, is through a registration process. So, Naviant provides software that is used by companies that manufacture computer hardware and software products to facilitate that registration. So, the data that we collect for the company includes all the information that we've all seen on those product registration forms, but the only data that Naviant really uses that goes forward into a marketing database is the name and the address, and the fact that this is an Internet-enabled household. And that's really what we focus on and what we collect. The other information is analyzed statistically and then passed back to the manufacturer, and they can use it for various business purposes to know who their customers are. So, name and address, and the fact that this individual is Internet-enabled is key to our -- that's where the cycle starts with Naviant. MS. ALLISON BROWN: What other data elements do businesses collect about consumers and how are they collected? Anybody? You can just either raise your hand or put your tent card on its side? Ted? MR. WHAM: Yeah, I forgot the tent card on its side, I don't live in Washington, D.C. That's a rule. Businesses often times have an insatiable demand for information. They would collect as much information as the consumer will spend time to provide for them. In fact, one of the services that I provide to my consulting clients is that I will get the question, How much can we ask on a registration process or in a survey process or through a purchasing application before the consumer is finally going to go Aye, "I don't want to do this anymore" and will bottom out of that, and they will test that very aggressively and try several different formats. If we ask this extra question, what's going to happen here? If I format this as a drop-down question instead of a radio button, what happens here and so forth. They will collect as much information as they can until they reach a point where the collection of that information degrades completion of the desired task. MS. ALLISON BROWN: Betsy? MS. ELISABETH BROWN: One of the things that I didn't go over specifically is that there are lots of sources of public information out there, including the U.S. Census data, which is pretty hot right now since it's been recently updated. Many companies are trying to get at this information because it's a very good source for benchmark information to understand sort of the lay of the land. And when we talk about benchmark information, there's a lot of other domain information, public domain information that is also collected and used by businesses. Just from my experience at Claritas and my experience with some of these customers, they really do use a variety of information for different business purposes, and from what we've seen, we -- at Claritas, we try to assist them by updating the demographic information annually so they do have these benchmarks and we use lots of different input sources, including consumer surveys that are out there, you may have heard of people like Simmons Market Research Bureau, Mediamark, Nielsen Net Ratings, Scarborough, all of these are collected with consumer consent, they're pretty much anonymized in terms of you never really know who these individual consumers are. Basically that data is used and compiled and turned into models that really say if the person is in this demographic characteristic, they have a higher likelihood than average to do these behaviors. Some of the magazine data is used that way as well. You can either use the individual registration data or pretty much the anonymized version which gives you the, quote, profile. So, there are many, many databases that Claritas and other companies produce and put out there, and the only way that information is linked back to a customer record is through an inferred modeling process, which either takes into account what we believe their demographics to be, or something as simple as the zip code or zip plus four in which they live. MS. ALLISON BROWN: And can you be a little more specific about the types of information that Claritas gets from surveys, you know, either through Simmons or through its own surveys? MS. ELISABETH BROWN: Depending on the panel, Simmons and Mediamark Research have various surveys that they put out there, some of them are books of information that ask everything from how much peanut butter do you eat a week, to what brands do you prefer, what media you like, how often do you spend in front of the television. A.C. Nielsen actually captures specific readership and views of which television programs and what day parts in terms of which actual physical programs you're watching. And a lot of that data, again, it's all consumers are signing up for these panels. That's the panel type of research. In addition, there's other types of research which is more of the research where you're calling up people on the telephone or just sending them a direct mail package and asking them something more specific about the financial services that they're using, or the types of Internet services they have and that type of nature. Once again, most of this data, what happens is that all the data is collected at a household level, but when it's modeled and analyzed, it's analyzed in terms of demographic characteristics or segmentation codes and not -- those people that participate in the panel, that data is never used for specific marketing purposes back to those individuals. MS. ALLISON BROWN: Thank you. Paula? MS. BRUENING: Yes, I just wanted to talk a little bit about business use of public record information, and clearly the kinds of information that I talked about in my opening remarks are valuable to businesses in their marketing pursuits. The problem comes with the fact that the information has been given up by the individual, is given up so that they can participate, as Ted Wham said, in some very basic functions of life. They want to drive a car, they want to buy a house. They've had a baby. Someone's been born or died in the family. Someone's received money in a will. And I think that to say that Well, that's being used for other purposes, and that's just the way it is, I think is a -- is not a really very thorough analysis. I think that if anything, what the information age, computerization, will allow us to do is give us an opportunity to re-examine those uses to decide whether those are appropriate, whether we can limit the access to that information, to the -- to something closer to what the initial collection was intended for. MS. ALLISON BROWN: Are there currently any restrictions on the use of public record data for marketing? Anybody? MR. WHAM: There's one large restriction that I am familiar with and that is recently there was legislation passed at the federal level which gives consumers an opportunity to opt out of having their information about their automobile registration used for marketing purposes. MS. BRUENING: That's opt in. MR. WHAM: Opt in, opt out, excuse me, okay. So, but it was very, very significant, because prior to that legislation 46 of 50 states made their consumer automobile registration information available to the list rental marketplace, and what type of car you own and drive is extremely predictive of your household income. It's one of the most predictive items. And so if I wanted to drive a car in the state of California, I didn't have any choice, that information was going to make it into R. L. Polk's database. That's an example where there have been some restrictions recently. MS. ALLISON BROWN: Michael, I think you've been wanting to say something? MR. PASHBY: I was just going to say the magazines themselves collect a relatively small amount of information about their consumers. The sort of information that they have is the date of purchase, the source of purchase, whether it's by the telephone or from a magazine previously bought, whether it's through direct mail. The number of times they've purchased, the value of the purchase. That's the basic information that a single magazine would have, that information can become more valuable if you're a multimagazine publisher or you have other lines of publishing so you can then create a broader profile of the person if they're also buying books or magazines in different interests. But the interesting thing about magazines, is that on a -- say a broad interest magazine, one of the seven sisters, when a publisher is trying to promote to the consumer, probably the most useful type of information that the publisher will have is cluster information. If a person is of a certain age and lives in a certain area, that their neighbors may be likely to buy the same magazine. The more specialized you get in a magazine, let's take a woodworking magazine, just because a person lives next door to someone who buys a woodworking magazine, there is absolutely no reason to suppose that the other person would want to buy one. So, the use of the use of data for the small -- the small publisher, the small business, is becoming far more important. We used to have something, until a couple of years ago, called Publishers Clearinghouse and American Family Publishers, which mailed into every household in the country, and the consumer could self select their magazines. Nowadays, those mailings are a thing of the past. And information to a publisher has become far more important, to be able to target their consumers. MS. ALLISON BROWN: Betsy? MS. ELISABETH BROWN: There are fairly significant restrictions on credit card information and data that's used to actually make specific financial offers, from the list compiler companies, like Equifax and Experian. And although I don't represent those companies, I'm not well versed in specifically what those criteria are, the financial services companies that we've worked with, they can only use certain information if they're actually making a credit offer, where they are willing to do a pre-approved credit offer, which means that they are going to say because I have pulled this information on you, I'm willing to say that I will guarantee that if I make this offer, you can have this product. And that data cannot be used by another portion of the bank to make another type of offer, whether or not extending credit. So, those protections are in place, I don't have all the details about all the specifics, but it's important to know that they're out there. MS. ALLISON BROWN: Right, and the FTC is very familiar with the Fair Credit Reporting Act and the restrictions on credit data, so that's useful to know, although we are focusing here on data that's not being used for credit decisions. Paula? MS. BRUENING: Yes, I just wanted to go back to the Driver's Privacy Protection Act. I think that that piece of legislation really reflects heightened consumer concern about the incompatible use of this public record information, and it is a response to that. And I think what it does is really offer to individuals who are participating in these basic life experiences, the same kinds of choice that we have come to expect in the commercial realm. We require notice and choice when we're doing business now with a website, or with an organization, and something -- legislation like the Driver's Privacy Protection Act offers that same kind of consumer choice, which I think is critical here. MS. ALLISON BROWN: Ted? MR. WHAM: Just a couple of concepts I would like to throw out there, and I would like to pierce a couple of notions about what's happening with data out there. There is certainly data just being collected in a permissioned basis. There is also certainly information which is being collected which is not personally identifiable and is going through a more of an aggregation, a blending type of a process. Ms. Brown talked about some of the practices of Claritas, and Claritas uses largely, if not exclusively, nonpersonally identifiable information available from census tract records from U.S. Government surveys through the census process, but there's an immense amount of data which is collected which is not permissioned in any way, so the consumer is not being asked whether it is okay for that information to be shared with third parties, and there's an immense amount of information which is available that is, you know, personally identifiable and shared with third parties quite readily. So, I would have you think, we have an especially erudite audience in terms of knowing how this process works, although we're all here in this workshop, I think a lot of us have an understanding walking in the door how this process works. But if you thought back to your five most recent purchases, I would suspect that there are very few of us in this room who would know whether the companies with whom they did that transaction have a process of sharing that information with third parties, okay? So, you know, think about what you've purchased most recently, and there are many, many companies who the difference between profit and loss for those companies is made by selling their customer information to noncompetitive businesses who are going to be targeting the same type of business. So, if I'm buying a computer peripheral and it's for an obscure, you know, system, other customers that sell computer peripherals to that same obscure system in a noncompetitive way, can almost invariably buy that information. And the best example that I can give of that is the Bible for mailing lists in the United States, the Standard Rates and Data System, SRDS. I have a friend who is a list compiler, and before this session, I called her and I said, How many pages is that book these days? And the current volume exceeds 3,500 pages. Something on the order of 100,000 distinct mailing lists are available for rental in the United States. Most of those, the majority of those, with distinct personally identifiable information in them. MS. ALLISON BROWN: Win? MR. BILLINGSLEY: I would just like to make one other point and discuss an anomaly that we face in our data collection process, in processing warranty information. Some of that data is collected via a web browser technology, fully Internet-based, and clearly when you collect data using that methodology, it comes under the fair information principles of notice, choice, access, security and enforcement, but there is also a large portion of that data that's not collected using browser-based technology. It's collected using a dial-up, a synchronous modem capability with an application that is loaded in the PC. So, some people would make the contention that since you're not on the Internet, that is offline data. Now, you know, we have struggled with how to deal with that issue, and the way we resolve it in Naviant is we treat data collected by either one of those two methods by the more rigorous online marketing data collection rules, but it is an anomaly that I think should be addressed so that there is clarity provided in how people that try to collect data in an ethical and permissioned way, how they really should operate when they face these kinds of dilemmas. MS. ALLISON BROWN: I do want to go back to some of the specifics about the data that are being collected here. Betsy, you've talked a little bit about census blocks, zip code information, and zip plus four information. Can you give us a sense of how many households are in a census block, versus a zip code block, versus a zip plus four? MS. ELISABETH BROWN: Yes, a zip plus four would probably be the lowest level of geography, not even geography, because there aren't boundaries, but the lowest level at which you can compile information that's not at household level. And generally a zip plus four can have anywhere from four to ten households in it. Most of the zip plus four data that gets compiled, they have factors in there whereas if there isn't enough information for a particular variable, that is data-filled so that you don't have any privacy issues. The next level up, a block or block group tends to have anywhere from 250 to 350 households. Zip codes can have anywhere from a few thousand to 25,000. They're not really cohesive types of geographies. And census tracks are anywhere from 1,200 and up. So, low enough levels of geography so that if you're a broad, when you're looking at some of the broad applications that we're talking about, when companies are just trying to understand the lay of the land, for example, generally zip codes, counties, census tracts are a good way for them to really understand what's going on in a marketplace, if they want to enter the marketplace or not. And what we see is that there's different levels of using some of these data. A lot of the clients that we deal with will use a lot of this information for more of their strategic marketing purposes, and when they go out to actually implement a program, they will buy a direct mail list. The attributes that they use to understand their total marketplace may be different than they actually use on the implemented direct mail list. And I think Lynn went over that a little bit, which is that what you'll find is that just because they know that a certain demographic characteristic is currently their, quote, best customer, when they actually go to pull the mailing list, there are many different market -- let's say environments that will cause them to maybe change a specific type of demographic that they're going after, or they'll look at a list and they'll find that the people that they most want to attract, let's say for private banking, are not direct marketing type of customers, that they really aren't going to reach them through a direct marketing list. They don't exist much on the list, there isn't enough data on them and they're not really responsive to the list. So, I think that sometimes people believe that these companies have an enormous amount of information, which they do, but in their practice of actually rolling out marketing programs, it's not as succinct as you might think it is, that they know exactly who their targets are and they can then implement against those targets. They have to really use a lot of strategy and analysis to just try to reach the right person. I don't know if that's a -- there's just a lot of different ways you can use that type of information. So, you can move from these geographic levels down to the household level, but you may not have an exact fit when you do that. MS. ALLISON BROWN: And we heard a little bit in the overview about how businesses append data from third party databases. Can anybody give any specific examples of what types of data businesses append to their in-house customer files? Win? MR. BILLINGSLEY: Well, just having a name and address and a flag that says you're an Internet household is not a very effective product in terms of providing marketing lists. So, that base core of information is used to do a match with various data compilers and aggregators of information, and then we ingest certain attributes that are associated with that name and address. And some of those attributes -- and there's many -- but it would be things like income range, age range, gender, hobbies, interests, things of that nature, that we use to embellish the marketing file so that we can do selects and generate lists that are targeted for specific products and services. MS. ALLISON BROWN: Does anybody want to add to that? Michael? MR. PASHBY: Generally magazines will append information slightly differently, depending on the type of magazine. A general magazine will probably append more information or have the ability to append more information. I mean, clearly, the very basic information of age, income, family size, gender, is generally available to be appended to the -- to that list, but the more general the magazine, probably the more selections that will be made available. There are a number of companies which will take a magazine list and add information to it, creating that database, and the sort of information that can be appended is everything that's being talked about today. Whether it be the types of cars that people own, when they bought a car, the type of house, the value of the house. There's a lot of information that can be appended, but in general, magazines tend to be the starting -- the starting place rather than the end, with all that information appended to it, because they start -- you're starting with the general interest area, and then it is merged and purged with other lists during the marketing process. MS. ALLISON BROWN: Thanks. Ted? MR. WHAM: A very typical use of appended information is to take a large universe file of all your customers and presume you're a cataloguing business that has, you know, for conversation's sake, a million customers that have done business with you over time. You take a statistically representative sample of that, of perhaps 10,000 individuals and you go and append absolutely everything to those 10,000 people you can possibly get our your hands on, from income, age, whether they've got children, the age of those children, whether they're grandparents, the type of interests that they have, all of the psychographic information, everything you can get to that. And then you run that against statistical processes and say, Okay, tell me of all of these different processes, which one of these are going to be predictive of the ones I care about most. And as Ms. Wunderman pointed out this morning, different businesses care about different things. Some businesses want lots of transactions, some businesses need to be very concerned about turnover, loss of the customers, some long distance carriers and cellular phone carriers, for instance, are extremely interested to make certain that they're getting customers who are going to stick with them and are not switchers and so forth. And it varies by businesses. Once they identify which of those characteristics are particularly predictive for the customers that they want, they will then go to the remaining universe, those 990,000 names that they never did anything with, and they'll go back to the original appending firm and say, Please append these two or three variables that I want. Much more cost effective than appending all 30 or 50 or 150 variables to the entire universe if only three of those are going to be productive for what you're trying to do. MS. ALLISON BROWN: Betsy? MS. ELISABETH BROWN: Yeah, that's a very good point. I think one of the reasons that Claritas has been in business for 30 years is that one of the things that we have been able to do is boil down a lot of those characteristics into segment codes, which makes it a lot easier. I mean, we have seen in the financial services arena about ten years ago, they were one of the first industries to really take customer file records that they have done, they have a very -- financial institutions tend to have a very strong relationship, we talked about what a relationship was, with their clients. There's a lot of trust there that the clients are giving a lot of very in-depth financial information to these companies. Financial services companies are fairly conservative from what we've seen with what they do with the collected information, but in addition, they didn't really have the databases and the software capability to manipulate these gigantic files with so much information that they collect, nor did they have a good way of updating them. So, even with them collecting all of this very personal information, they tended to use companies like Claritas to help them boil it down and understand from a one code type of an aspect what can we know about these people quickly and easily without having to look at 100 or 200 different variables that we've collected over time. So, that's sort of in essence what a cluster code is. The basic information we really need there is just an address that will allow you to say the likelihood is that these people live in an upscale suburban neighborhood or an upscale urban neighborhood. And a real quick example of how that would be used would be if you knew -- if you just had straight demographics on someone and you knew you had two males, 30 years old, and you figured out that they make about $50,000, do they need individual life insurance or not. Not quite enough information for you to make a decision on that, one male might be single, doesn't own a home, doesn't really have any dependents, where the other male might have a family with three kids, a house, a mortgage, so having a little bit more rich information on that would make you look at these two similar demographics and say I'm going to offer insurance to the one because they are going to need it and not the other. Or another quick use is if they're only using their internal data and they know that they have got a thousand people who have $5,000 in their checking account and always have had $5,000 in their checking account, by overlaying some of these segment codes, you can get a quick idea that five of those people, that's all they're really ever going to have in demand deposits at a bank, that's really all they're qualified to have, and this segment code would be something like a number, 27, that would represent a string of demographics that would predict that that person is probably in that demographic. And you might find out that half of these people have a very high likelihood for using a loan product. So, if you wanted to offer them another service, you would be better off offering them a loan product than the other half who you would be better off offering an investment product. So, without having to know a ton of personal information, you can at least make some good guesses as to what the next most likely product is to offer those people. MS. ALLISON BROWN: And can you give us a couple of more examples of the segments, I think that Mary in the overview gave us a couple from a newspaper article, I think people might be interested to hear what some of the other ones are and how many there are as well. MS. ELISABETH BROWN: Well, we have -- there are several different segmentation systems, and a segmentation system really starts off as just a predictive model. So, as Ms. Wunderman was saying earlier in the session, different industries care about different data. So, a very generic model would be something like our Prism segmentation system that's based on the demographics of where you've settled, where you live, there are several more like that out there in the public domain, and they have -- some of them have nicknames, they tend to be sort of upscale suburban, like Blueblood Estates, Urban Singles, Upscale Urban Singles, Midscale, you know, Urban Dense Areas. So, there's lots of different ways that you can just get a quick snapshot of what the settlement patterns are in that neighborhood. And one of the things that we've -- because these things, as everyone said, as I think Paula was saying earlier, there's different uses for that. It's important to know that you're in a suburban market area if you're trying to sell lawn mowers. You certainly don't want to be offering that to urban upscale singles in high rises. So, some of the data is critically important to some of the things you're trying to sell. It may not be very important at all to somebody who is selling a very targeted niche magazine that could appeal to many different people and has no relationship in terms of a geographic reference. So, there are 62 Prism clusters, which means that we have predicted 62 different neighborhood settlement patterns. Another segmentation system is based more on predicting financial services behavior, or telecommunications behavior. In those segments, there are about 42 of the financial patterns, and they are anything from upscale suburban families with children, upscale suburban singles, upscale urbanites, those type of cluster types or segment types, and that's more based on a specific range of income, asset prediction, age and presence of children. So, those -- they're slightly different, but, you know, basically you can start with anything. In our audit of the convergence data, which is the telecommunications, I think we have about 57 different segments and they're based on patterns of usage that we have seen in terms of product usage, and then on the back end, we infer the demographic segment for that. MS. ALLISON BROWN: Ted? MR. WHAM: There's a distinction which might be valuable for the FTC in doing this, there's two major categories of lists that you can consider. One would be compiled list information, the other being response list information. Compiled list information tends to be very broad coverage, it's information about who you are, whereas response list is more information about what you've done, what type of products you've done. So, if I want to buy something that has a very broad geographic coverage because I'm offering a service that has something which is primarily defined upon where people live and the types of birds of a feather flock together type of analogy that is the basis for Claritas' business, then I am going to want that type of a compiled list. If I'm trying to find people who have interest in doing very specific types of activities and so forth, I am going to want to buy lists from similar businesses or businesses that point to similar types of people. Response lists tend to be very narrow. I can't typically take a response list and very effectively use that as an overlay tool against my universe of customers, and say tell me additional things about this, because if I took my, you know, 300,000 customers and matched them against somebody else's 300,000 customers, I might find, you know, 700 that match between those two of them. I would have a rich data set for those, but I wouldn't have enough to make it economically worthwhile to do that. Right now it's very easy to go from the hub out to the spokes. Go to a company that sells a specific product and tell me all of the customers for that product or set of products that they sell. It's extremely difficult to say that I want to start at a spoke and tell me all of the hubs that they're attached to, so go to a specific customer and tell me all of the products that they have bought within a category, or perhaps even all the products they have bought. I will say that although you can't do that today, there's an enormous economic potential there, and I am certain that many, many very bright people have spent a lot of time trying to figure out how I can come up with a master universe of all of the computing products that somebody has bought, or all of the clothing purchases that somebody has bought, because if I can do that, and if I'm a marketer selling, you know, an upgrade to a particular type of computer, that's the golden list, and I will spend a lot of money to rent names from that list. MS. ALLISON BROWN: Michael? MR. PASHBY: Yeah. I think in the magazine industry, one of the most important sets of data that can be added to a magazine list is catalog information, and the merging of catalog information, because it does add the recency, frequency and value component to the magazine list. If you go back to the woodworking magazine, a person may buy a woodworking magazine noting that they're interested, but if you can match that with catalog information about the purchase of tools or the purchase of other supplies, and they're showing some frequency there, that separates out one group of people who are peripherally involved to high-volume purchases within that area, and I suppose it also gives a greater degree of value to the broader lists, like a news magazine or a seven sisters magazine, those people may be then segmented into very specific interest areas. So, you have a -- one of the seven sisters, but you can match that with kitchen and food catalogs to show a high interest in cooking. So, it then becomes much more interesting for other marketers, and much more targeted to the consumer. MS. ALLISON BROWN: And what do businesses do to ensure that the data that you collect are as accurate as possible? Win? MR. BILLINGSLEY: Well, we do several things. Marketing data does not have to be 100 percent accurate to be effective, but you want to make it as accurate as you possibly can, within the economic constraints that you have to deal with. But an example of some of the things that we do to make sure our data are accurate, even if you permissioned us to use your data in a product registration effort, you say yes, I would like to receive offers from third party -- from third party marketers regarding products and services that would be of interest to me. You don't automatically go into Naviant's database just because you have permissioned us. To make sure that we're doing that accurately, we match your name and address against a public data source to make sure that you really are who you say you are. That helps us get out the Donald Ducks and the Roy Rogers and some people who like to play games, but we find the utilization of the public compiled data, a very meaningful tool to ensure that our file is as accurate as it possibly can be. MS. ALLISON BROWN: And can you just clarify what you mean when you say public sources of data and compiled sources of data? Can you be more specific? MR. BILLINGSLEY: Well, I probably misspoke, I probably should have said compiled sources of data which originated from public sources of data. But it's a very effective way to make sure that data is accurate. The other advantage that it holds for us is that we're very sensitive in not collecting data on children, and so by matching the name and a registration with an aggregator's data or a compiler's data, kids don't buy real estate property and cars and things of that nature. MR. WHAM: You haven't met my brother. MR. BILLINGSLEY: So, it gives us a reasonable check to make sure that we're not collecting data on children. The other thing that we do to make sure data is accurate is we use the DMA suppression file, and we find that a very effective way to make sure that we don't include data in marketing lists to the people who have gone to the trouble to go to DMA and sign up for either their direct mail suppression file or telemarketing suppression file, and a new product they started just a few months ago which is an email suppression file. So, that's another way to make sure that the data we provide a marketer is accurate. And the third way is the good old U.S. Post Office. All marketers use the NCOA process, or should use the NCOA process. MS. ALLISON BROWN: And what does NCOA stand for? MR. BILLINGSLEY: National Change of Address. And the way that basically works is if you move and you fill out a card at the Post Office so your mail will be forwarded to your new location, that information is collected by the Post Office, and the Post Office has this very large file of people who have relocated that's utilized to redirect their mail. And the Post Office authorizes some 20-something companies to take this data and do a match to make sure that if you have an old address in your file, and you match the old address, then you can substitute the new address. And that's something that's been in existence for a long time, it's been used in the direct marketing world for a number of years. It's a very effective tool to make sure that if you're doing a direct mailing of a marketing list, that the marketing collateral that you're spending hard dollars for to be delivered by the Post Office is truly deliverable. MS. ALLISON BROWN: Thanks. Michael? MR. PASHBY: Some information really has to be accurate. Some years ago I marketed a magazine, which I won't name, but, well, let's say a parents' magazine, and our primary source of readers were parents of newborn children. We were extremely sensitive to the problems inherent in that. Somebody's buying lists of potential new births, and some births obviously are not live births, and you are mailing to people saying congratulations, and that can be extremely sensitive, obviously. So, correcting data is very, very important. We spent an awful lot of time and energy making sure that the sources we were compiling that data from were accurate. If we found that there was an incidence of inaccuracy, we would cut off from that source. And we would not buy information from that source ever again. Because of the responsibility to the consumers that we had. MS. ALLISON BROWN: And can you be a little more specific about what the sources of that type of data are? MR. PASHBY: The sources of that data were from -- no, I can't, they were from compilers. It would come from doctors' office visits, from insurance companies, from a lot of different sources, I believe. MS. ALLISON BROWN: And what did you do to make sure it was accurate? How did you gauge that? MR. PASHBY: We would -- we would do it from the complaint level. That was the difficulty. You were doing it after the event, but if one found that there was a degree of inaccuracy there, then we would cut off from that source. MS. ALLISON BROWN: Ted? MR. WHAM: You talk about data quality issues, it's useful to look at it in two different ways. There's the quality of the data at the time that it's collected, and there can be errors introduced through typographical errors, or to purposeful, you know, fraudulence, Mickey Mouse and so forth, but there's also a more significant issue of data decay. Like if I, you know, show up in a database that I'm 25 to 34 years old, how old am I tomorrow? Okay? So, date range information is very inaccurate. Births, deaths, marital status and so forth, and people moving all the time, but we have a very mobile society. So, the statistic that I heard, I can't vouch, say, for this, but the average data in a data base decayed at a rate of about one and a half percent per month, that was the inaccuracy that built up over time. The marketer has an absolute vested economic interest in making sure that that information is as accurate as possible. If it's inaccurate, they can't use it for the goal that they have. So the alignment of the market interest, the consumer's interest of having accurate information is absolutely, I mean, perfectly together. MS. ALLISON BROWN: We have time for one more comment and then we will go to questions from the audience. Betsy? MS. ELISABETH BROWN: One of the things that I wanted to talk about data accuracy is that from the Claritas standpoint, we've seen a lot of different types of data. We not only use Census data and other public domain data, consumer surveys, which is really self-reported demographic information, but in order to -- as I was talking about implementing, in order to actually implement an actual marketing program, we will take our segmentation codes and place them on list files, such as Acxiom, InfoUSA, Experian and Equifax, and many other compiled lists. What we have found many times, especially when we're using the types of models that I discussed earlier that go down to a more specific household level, in terms of the demographic variables that we say are predictive of the behavior that we're trying to help our customers use, what we find sometimes is that these list sources have, I guess, decay, some other information, missing information, fill-in models, and we will show them that the data that we have proves out that their list is not really distributing the way the U.S. population distributes down to a low level of geography, a zip code, a census tract, a block group. So that we can take a look at a list of data out there and say you're reporting that only two percent are in the income category, 50,000 plus, and we expect to see more like 27 percent. So, we have actually created models that help some of these list sources to improve their models, their income models or whatever that might be, to base them more on sort of a benchmark of data. So, there's a lot of -- it's sort of a symbiotic relationship, back and forth with Claritas and the list providers, sometimes they actually do change some of their model information on their file based on our information, and other times we just use it to assign what we think is a more appropriate segment code, then they don't necessarily change that source of data, it depends on how they prioritize their models, and they prioritize their input sources. MS. ALLISON BROWN: And I believe that Claritas also updates Census data, how do you do that? MS. ELISABETH BROWN: On an annual basis. We update census data, again, from a list of a lot of sources, some of the postal information, some of the moving information, NCOA. There's a lot of intercensal data that is produced that's not produced on 100 percent factor. In other words, there are many, many counties, communities and states that do many updates of data and information, and we take really whatever we can get that's available and utilize that data. There are also many models that we have perfected over time, and we've been doing this, this is our third census that we've been actually updating information where we just do projections and straight line information based on other data. So, there are many sources that we can use, both census-type sources that we think we can have a high degree, feel that we have a high degree of accuracy in terms -- and relevance, and some of the consumer survey research that's out there just allows you to take a look at shifting data in terms of how people are self reporting where their incomes are. And in addition, we do use a lot of the list data just to try to get a handle on which areas are growing. Postal drop rates, I think ADVO counts, which is another list source where they constantly are updating where the postal drops are going. MS. ALLISON BROWN: One thing that becomes clear pretty quickly is how integrated the aggregators are with the sources and how the data sort of rotate in and out of the different databases. I know when I open up the discussion for questions from the audience, if you have a question you would like to ask, please raise your hand and I will recognize you after one of our staffers comes over with the wireless microphone. Please speak into the microphone while asking your question and state your name and organization before you begin your question so the court reporters can get an accurate transcript of today's proceedings. MR. CATLETT: Thank you, I'm Jason Catlett from Junkbusters. I have a question for Mr. Billingsley. I have an advertisement in a trade magazine from Naviant, it's quite amusing, it shows a biker with tattoos and a beard, and it makes light of the fact that he likes roses, and when you're going online, you might want to -- I infer from this advertisement -- you might want to pitch a banner advertisement for roses. Could you please tell us the process by which when this biker goes online and visits a website the website would know that he likes roses? MR. BILLINGSLEY: Well, I'll talk a little bit more about that this afternoon, if you would like, because we'll talk about how the data is used to administer marketing programs, but basically, we would have business relationships with some of the ad serving companies that collect data anonymously. We would pass data attributes to those ad serving companies anonymously, so that they could then target a banner ad that was appropriate for that particular person, without ever knowing the person's name. MR. CATLETT: Thank you. MS. ALLISON BROWN: Don't forget to say your name and affiliation for the record. MR. HENDRICKS: Thank you, Evan Hendricks, Privacy Times. I had one question, but first I wanted to follow up on what you said about the babies, because we always wondered about that, a lot of us. So, is it the doctor's offices would sell that information, or the insurance companies were some of the sources for people who are about to have babies? MR. PASHBY: I am not absolutely certain, I believe that was, and this was some time ago. MR. HENDRICKS: But I also wanted to comment, hospitals and birthing classes, and do they sell it to a compiler, is that how it would work? MR. PASHBY: It's my belief that that's how the information was compiled. MR. HENDRICKS: Okay. The other thing is you said that the magazines, I think correctly, are at the front end of this process, much more so than some of the others who are at the back end, and in the UK, on a subscription form, the little cards that you get in your magazine, you have a check-off box, it says if you don't want your name shared, check here, and send it in with your subscription, and one of the big problems in the U.S. is that at the point of the collection of data from individuals, people are not notified what could happen or given the chance to even opt out. And so, do you think that makes sense from a data practices point of view, and do you think that your association is ready to sort of endorse that and recommend it, you know, considering the growing strong feelings about privacy? MR. PASHBY: I think from the standpoint of having to fill in, check a box on a card, what we found in any promotional activity, having the consumer take actions in a promotional activity reduces the response. Therefore, we have cards which are prechecked, and yes I want this magazine, and then all they have to do is tear the card out and put it in the mail. But as I mentioned, we also do publish in the magazine the privacy policies and the ability to -- and the ability to call an 800 number or send to the magazine fulfillment house to be taken off the list. MR. HENDRICKS: And of course what I'm describing wouldn't even, I mean someone could still take the card and just throw it in the mail. It's only those people that took the time to look and see that there was a check-off box, and could check off they didn't want their name sold. So, what I'm saying is would it interfere with, you know, with what you're saying? I mean, it wouldn't require the individual to check the box to say I don't want my name sold, it would only be for those individuals that cared enough. And if this is practice -- am I confusing you? You look like you're not following me. MR. PASHBY: I'm saying that any time there is -- you give people the option in a promotion, the response declines. And as we mentioned before, the whole use of information has been more effective and more efficient when we are spending or when businesses are spending 65 cents to a dollar to put a piece of promotion into the mail and you're getting single digit responses, you're trying to be as efficient as possible. MS. ALLISON BROWN: Ted, do you want to comment on that? MR. WHAM: Yeah, I absolutely would. The basic fundamental question is if I -- if consumer X chooses to do business with Business Y, should consumer X have the opportunity to say Business Y, don't contact me. That's question A. And question B is, Business Y, don't share my information with company Z and Z sub one and Z sub two and so forth. I fundamentally reject the notion that a consumer should be able to say I want to do business with a particular company Y, but that company can't follow on and make money out of that relationship. I think that that has terribly negative consequences for the efficiency of economic transactions in this country. The reason we don't have mom and pop stores in the United States very successfully anymore and the reason we have Wal-Marts in this country is because they provided a very economically efficient way of delivering low-priced goods in the United States, for better or for worse, but the wheels of that continue to turn by having the businesses be able to use that information in the most effective way possible. MS. ALLISON BROWN: We are trying to stay on a factual level here and stay away from policy discussions. MR. WHAM: I couldn't help myself. MS. ALLISON BROWN: Does anybody else have a question? MR. DIXON: Tim Dixon from Baker McKenzie. A question, just to pick up on that point to take it a little bit further. When we talked, particularly when you mentioned the 30 million permissioned people or households in the database that you've got, what proportion do you know is that people who have done the sort of check box as opposed to the kind of I guess you could call it permission by inertia where they would need to read a privacy policy and then go through an active process of say opting out if they wished to opt out? MR. BILLINGSLEY: I don't know the percentage. We use in collecting the data, and this is primarily a decision that's made between us and the client that we're providing registration services for, we use three different kinds of permissioning processes. I'll try to get through this without confusing myself and the audience, but we use the opt-in process, which we define as a permissioning question with either yes or no, not preselected. We also use the opt-out permissioning process, which is a permission question with yes preselected, and in certain situations, not a lot, we use the explicit process, which basically is a bold statement that says, Do not provide us your marketing information unless you're willing to receive, you know, marketing offers. So, we utilize all three of those, depending upon the circumstance. We do flag how the permissioning process worked for that particular consumer, and we are sensitive based on the permissioning process, how that information is used when it is -- when a marketing program is generated based on that permissioning. But the percentage, I don't know the number to be very specific about your question. MS. WOODWARD: My name is Gwendolyn Woodard with Worldwide Educational Consultants. I'm consumer A, and I decide that I'm going to attend a conference, so I go online and complete the form. The site that I'm going to complete the form on has a third party advertising network associated with it, okay? As I complete the form, I notice in the URL the information that I put in the form is reflected up there. So, as a consumer, how would I know how that information is going to be used, what databases will it be going to, especially if this third party advertising network uses a push and pull technology to disseminate that information to different databases? MS. ALLISON BROWN: Does anybody want to take that on? MR. WHAM: It's very useful if you're omniscient. MR. BILLINGSLEY: I'll respond a little more. The -- MR. WHAM: Comprehensively, perhaps. MR. BILLINGSLEY: Yeah. The way it should work, in my opinion, is if you're in that kind of situation where a redirect is occurring, without your knowledge, then the privacy policy should be very explicit in saying -- in discussing the redirect to another website, why that is occurring, what your choices are to either participate in that or not participate in that. And disclosure, in my opinion, is the key for the consumer in understanding what is or is not happening to their data, particularly when you see it in the URL. MS. ALLISON BROWN: And let me just say that that's really a question that should be directed to network advertisers, and none of the panelists up here represent any network advertisers, and it's really a separate issue that we're not addressing today. But, you know, that's a question for other people. We are running out of time. Paula, did you want to comment on that issue? MS. BRUENING: No, thanks. MS. ALLISON BROWN: So, I think we are going to break for lunch now, and we would like to see everybody back at 1:00, and I want to thank the panelists for a very informative discussion.We really learned a lot. (Applause.) (Whereupon, at 11:30 a.m., a lunch recess was taken.) AFTERNOON SESSION SESSION THREE: WHAT ARE THE BUSINESS PURPOSES FOR MERGING AND EXCHANGING CONSUMER DATA? MS. LANDESBERG: If everyone would please take a seat, we would like to get started. We have a very full afternoon. Good afternoon. My name is Martha Landesberg. I'm an attorney in the Division of Financial Practices here at the Federal Trade Commission. Let me just state, before we get going, we have a couple of announcements to make. I want to reiterate for everyone our ground rules. We request that you turn off your cell phones, please. Once again we are going to very gently but firmly hold our speakers to the time limits we've discussed with them. My colleague, Allison Brown, will be your timer. She's right here, so just look for a sign from her that you're coming toward the end of your time, if you would. We will as time permits again have a question and answer session. I'll ask again that you please identify yourself for the court reporters before asking your question. And finally, the record of the workshop will be open until April 13 for submission of any comments or materials you want the Commission to consider, and we invite you to participate in that process. And also a fond welcome for those of you listening on the audiocast. We apologize and understand there was some trouble this morning. We hope things are up and running, and we're happy to have you with us. One last comment, Michael Pashby in our prior panel has submitted a written statement regarding his comments on the use of medical records to identify new prospects, and that statement, as others, will be posted in the workshop record for everyone to have a look at and comment upon. Now, it's my pleasure to begin session 3 of our workshop, and this is where we really get to the meat and potatoes of what it is that businesses do with all the information we've been hearing about all morning, and what we're going to do here is have presentations from each of our panelists one by one. I'll introduce them one at a time, and we'll take it from there, and as time permits have some questions too. We'll begin with Marty Abrams. Marty is the Executive Director of the Center for Information Policy and leadership at Hunton & Williams. Before joining Hunton & Williams Mr. Abrams, or Marty, spent 12 years as Experian leading their information policy and privacy efforts. Marty? MR. ABRAMS: Thank you very much. As we go through this technical process of keying up my presentation, I would first like to thank the FTC staff for inviting me here this afternoon, and I would also like to thank them for the excellent program this morning. I found it incredibly worthwhile and very informative, and hopefully we, this afternoon, can be just as informative. And we are talking about the uses and purposes for third-party data, and I think that the best place to start with understanding third-party data is understanding that it matches with in-house data, and it begins with the in-house data because that's what marketers begin with, their own customer base, understanding their own customer base. And that data comes from multiple sources. The most important of those sources is directly from their customer, and the second is their relationship with their customer, and this is the majority of the data that the organizations, marketers, have in their databases and their files. And to understand that data, to make the best use of that data, they have to match that up with third-party data, and I'm going to be talking about purposes and not processes. I have colleagues on this panel who I think are going to get more into the processes, but I would like to really put the emphasis on why the data is used. And there's a paper that really goes in to how this works that was released yesterday by the Privacy Leadership Initiative and ISEC Council of the DMA, and that paper is available on the DMA web site I believe. The first process, the first purpose, the first reason for using third-party data is just to make sure that your file is clean. 20 percent of the American population moves each year. People use variations of their names. They use variations of spellings of their name. I'm Marty Abrams. I'm Martin Abrams. I'm Martin E. Abrams. I've lived in California. I've lived in Ohio. I've lived in Texas. I sometimes buy from my office. So one of the purposes is to merge all of those Marty Abrams that are sitting on a company's file into one Marty Abrams so that I can market that to me in a unified fashion. The second is to have a deliverable address. We often have multiple addresses, multiple variations of our addresses. We abbreviate our address. We move, and one of the purposes of using third-party data is to put that data together to have an address that is deliverable. And having a deliverable address means that you can deliver up to 15 percent more of the mail that you mail on a regular basis, and that has really cost implications for an organization. The second purpose is to truly understand your own customers, and I think Lynn Wunderman did a great job of describing that this morning. You're trying to understand what is similar about your customers and what is different, and one of the ways you do that is overlay your file with demographic information from a third-party. Examples of the type of data that you might overlay is age because age is very predictive of where you are in your life-style, what you might buy and also inferred or modeled income, and again we have no exact income on any files other than the IRS's files, and those, of course, are not available, so we model income to be able to try to figure out how individuals are similar or different. And that information helps us understand who to market to, how to market to them, what type of products we should offer them in the future. We begin to understand what is predictive of who's a buyer and what is just really a red herring, not very predictive. And then based on what we understand about our own customers, we can go out in to the marketplace and find individuals who are very similar to our own customers, folks who have very similar demographics, very similar psychographics, so we can begin to build our customer base with new customers who are similar to the folks that we are marketing to at the moment. And those sources include competitors, because organizations do exchange lists, noncompetitive marketers, and lastly aggregators or compilers, organizations that put together files of individuals for other organizations to use who create mailing lists, and the results are more effective communication with existing customers. We can put together the right message for the right consumer at the right time to maximize that relationship with the customer. We also find prospects who we have the greatest probability of reaching, folks who are most similar to our existing customers, and more important, in this modern age, is we begin to understand how our customers are changing so we can begin to develop the products and services that are responsive to where our customers are going over time. Martha asked me to talk a little about the differences between marketers and aggregators in terms of the type of data they have and the type of processes. When you think about marketers, the folks who actually market to you and I, first their data primarily comes from their own customers. Even if I overlay with data from third parties, if I'm a marketer, most of the data I have is from my own customers. Most of that data is either self reported, I give you my name and address, I volunteer information with you, or comes from my own experiences with you as a customer. And lastly, I as a marketer typically have regular contact with my customer and can communicate with you as my customer about both what I'm selling and my processes and the choices that you have. Aggregators have data on a broader population. Some aggregators have most of the U.S. population. The data comes from many, many sources. As we discussed, some of them are public record sources. Some of them are surveys. Some of them are purchase data, but the data comes from many sources, not a single source. Typically the data that is held by an aggregator is not experiential data. It tends to be demographic or psychographic data, and, last, typically the aggregator does not have regular contact with the customer, the consumer, but rather relies on the party that collected the data to have had that contact with the consumer, and most aggregators build systems to make sure they only get data from reliable sources. Thank you very much. (Applause.) MS. LANDESBERG: Thank you, Marty. Next we'll hear from Win Billingsley, the Chief Privacy Officer of Naviant. Win? MR. BILLINGSLEY: As we talked this morning, Naviant's key value that they bring to the marketplace is that we provide a database of consumers that are Internet enabled, and we sort of phrase our mission statement as Naviant is a leading provider of integrated, precision marketing tools for online and offline environments, so we can send marketing messages or marketing campaigns to consumers either through direct mail or through Email or through banner ads, so we work in both of those worlds and actually try to integrate those two worlds together. So we enable marketers to reach and build relationships with online consumers, and that's really Naviant's key sole business purpose. It's always tough to get a business model on one slide, so I tried to simplify this as much as I possibly can but still make it meaningful for you, and for Naviant the world begins with electronic registrations. We work with manufacturers that build computer hardware, computer software, and we facilitate the registering of their products and services via the Internet. Most of that data, once it's captured, is passed back to the original manufacturer. We keep the name and address and designate a flag that this individual, since they registered their product or service via the Internet, is an Internet enabled household. So the data point for us begins with the name and address and an Internet household. That begins the database processing, and there's data hygiene work that's applied to that database. I talked about it a little bit this morning. We use the compiler's information to make sure the names that we have are accurate in our database. We also append to that from the compilers various data attributes that enrich the data and make it meaningful and store and maintain the data. We also use the DMA's file suppression list to make sure that no one is in our database that has expressed an interest not to be. And I should have mentioned back in the registration process that there is a permissioning process that we go through before you ever really enter into this diagram. So once the data is there with an enrichment of data attributes, then we have the ability to deliver this data for marketing purposes in a variety of channels in a variety of ways, so the data can be used to administer direct mail or Email campaigns. It be used to deliver direct mail campaigns, telemarketing and targeted banner ads. And we analyze the data to determine counts based on criteria. A client will come to Naviant and say, I'm looking for these kind of people, tell me how many you have in your database so we can analyze the data and determine how many people we have that fulfills that particular requirement, so that in essence is Naviant's business model. Now, why do we do all this? What purpose does it serve the business community? There are many. I've just noted three here that I thought might be meaningful to you. One is we provide the data back to the registration client with the enhancement of the data attributes that we've associated so the registration client has some view of who is buying their products and services. That's very important to the manufacturer to know that because they -- since they distribute through some intermediary, they are not in direct contact with their customers. So we would provide that back to the registration client, and the registration client would say, Gee, we have this kind of person buying this model of computer, how can we find more of those kinds of customers and launch marketing campaigns to increase and enhance our business. So that's the way a registration client would tend to use this data is to find more like customers. Another way they would use the data is say, This particular product is being bought by individuals that have these demographic characteristics, so how can we fine tune our advertising so that we are visible, more visible to individuals with these kind of characteristics, so it's used for a variety of purposes by a registration client in order to improve the efficiency of their marketing effort. Another example would be a bank. Banks love to promote their Internet banking packages and capability because they can provide enhanced service to their customers at a reduced cost for those of us who sign up for Internet banking. So a bank will come to Naviant and say, We really would like to promote our Internet banking capability, but we have a problem, we have no idea in our customer base who is on the Internet and who is not on the Internet, and really rather than do a mass mailing to all of our customers, we would like to do some selection. So they would come to Naviant and say, If we give you a list of our customers, can you match those names against the names in your database and tell us which ones of those are Internet enabled, and we provide that service. And then the bank can then target or deliver a marketing campaign only to those customers who are Internet enabled, and they might even refine that further. They might refine it by an age group or income level, but the primary key for the bank, if they're promoting their Internet banking package, is to only target to those that can actually use that product or service. A third example would be a retail dot com. A retail dot com wants to drive traffic to their web site, and you know you can always buy a billboard on Highway 1 or you can by an ad for the Super Bowl, but what they would want to do is to work with Naviant looking for a particular type of customer or individual that meets the selection criteria and then do a direct mail campaign to those customers with some kind of marketing offer that would drive them to their web site so they could offer a product or service. Thank you. MS. LANDESBERG: Thanks very much, Win. Our next speaker is Peter Corrao. Peter is the CEO of Cogit Corporation. Before joining Cogit.com, he was Division President of National Accounts Marketing for ADVO and the owner and operator of Sports USA. Peter? MR. CORRAO: Well, thank you very much for inviting me here today. Even though I come from one of the largest direct marketing firms in the country in ADVO, my comments today will mostly be related to online marketing and its applications. So I would like to talk to you today about the developing science of visitor relationship management and how it's applied on the web. Before I do that, though, let me tell you a little bit about the dilemma in commerce today on the Internet. My company, like many other dot coms, is a highly capitalized, venture capitalized company. We've taken around $50 million in investment to date and have yet to turn a profit with our company. We look similar to others that are out there. The Internet commerce dilemma can be summarized pretty much on the slide that I've shown you here. There's two ways in a B-to-C environment that companies are making money or trying to make money on businesses on the Internet today. One is content sites, and they're heavily required or exclusively required, excuse me, to bring advertising in, so their model is all about advertising. They deliver free content to consumers. They put advertising up for sale. They sell that advertising, and their business model is developed around that. The other side of that is the commerce sites, who are the E-tailers or retailers that are trying to sell their goods and services online, and theirs is a simpler model in that they're trying to gather customers, turn those customers into repeatable revenue. Here's the dilemma. The Internet today isn't very efficient, even with the tools that are being applied to it. Imagine that you bought 133,000 banner ads, and you paid around $15 a thousand for it, which would be the current going rate if you had a media buying firm dealing with either direct companies or with providers of those services. Of those ads that you bought out there, around $15 a thousand, you would have earned probably in the range of 300 visitors or so, so ads saying 300 visitors clicked through from those ads and came to your site to look. Of those only five took action, so you're getting started with the 133. Now you're left with five that took action, and if they did take action, only 20 percent of those, or one, would return within the next year to buy anything from your site again. So just think of it from its most simplest format -- and you're only dealing with the advertising and attention components of being an Internet company, your acquisition cost for a loyal customer in this model is $2,000. So the imperative here is that the Internet has got to learn to be better and more focused on how it brings -- on how it brings its clients in. Let me show you a little bit about visitor relationship management and why it's important. Merchants want to increase desired action and get consumers to buy things and services from their site. Consumers want meaningful things to be shown to them. Merchants again want to display relevant content to their customers. Consumers are demanding instantaneous and ever faster access to relevant content. Doing that is expensive. Merchants want to optimize customer visits and generate sustainable profits. Consumers expect free Internet, other than access, or inexpensive services at significantly discounted prices often. We think that visitor conversion is critical to making this model sustainable on the Internet. What Cogit does is capture registration information, I'm giving an example of what we do here, with and amongst our customers. We match that registration information then to available data in the offline. We have two data sources primarily. One is Equifax Corporation, which we use their own bulk data, and the other as of March 31 will be Claritas data, which will be entered in our file at the end of this month. When that information is matched, we irreversibly discard any personally identifiable information that we found on the consumer, so if you registered by name, we get rid of the name, replace that with a random ID, and that random ID, we can't go backwards and reengineer to find out who that consumer is. We generate then an anonymous profile on that particular consumer, and then we allow our customers to, one, know who's visiting their site if they're not a customer yet, and, two, target them with relevant content that will then incent them to want to buy. We think privacy is a big piece of doing this. Consequently our profiles are 100 percent anonymous. We think consumer PII shouldn't be stored and used for further personalization. We don't -- our visitors in the Cogit model are never tracked across sites, so we only know what you're doing on a specific site that you're dealing with. Information from one client is never shared with another. Behavior information is never appended to our profiles, so the fact that you bought something on one of our customers' sites isn't appended to further your profile. Clients aren't allowed to store Cogit's returned data, and we semiannually have our web site audited to validate that everything that we've got in our web site is, in fact -- in our policy is, in fact, what we do. Ernst & Young does that audit. We were the first cyber audit that they did and first audit attestation that they did. So the notion is from a visitor relationship management standpoint or knowing who comes to your site so you can do something about it, we think that that's critical to being able to sustain the Internet commerce that's having trouble sustaining itself today. We think that convenient and relevant information for consumers is what they demand and what they want. Most of that information is given to the consumer free today, although it's given free against a model that is not panning out from a general business model standpoint, and we think that there's an optimum balance between personalization and privacy. We think we've come up with a method of doing that and one that doesn't offend the consumer and their ability to do it but yet does give the tools needed to the sites so that they can continue to make money in their commerce sites and/or money in their content sites. So thank you. MS. LANDESBERG: Thank you, Peter. Our next speaker is Johnny Anderson, President and CEO of Hot Data doing double duty for us today. MR. ANDERSON: Thanks, Martha. I wanted to take a second and kind of look at a higher level on how companies interact with customers and what are the analytic and customer relationship management applications that are driving a lot of the demand for third-party information. This really depicts a pretty typical architecture of a CRM application that any marketer would use one or more components of. At the bottom what you see is customer touch points. That's how businesses will either get information from their customers and prospects or communicate with them. So on the left-hand side you see kind of the outbound communications media that a business will use to communicate directly with the customer. This is not TV and radio ads and so forth, but they'll really use kind of Email, direct mail and maybe some telemarketing either from an in-house organization where they have their own telesales organization or a contracted organization. And on the right, what you will see is really the way that people get information and then sometimes communicate with their customers, and that would be kiosks, which is kind of a new emerging way to communicate with customers. You're starting to see kiosks in, of all places, baseball parks where the San Diego Padres have a customer loyalty program. And a customer puts in their preferences when they sign up for the customer loyalty program. When they visit the ball park they'll get the 10 percent off coupon for a specific restaurant that happens to be in the area. In-house or in-store communications, and we're now starting to see companies even like food chains implement customer loyalty programs where transactions are tracked so that customized offers and customized coupons can now be delivered to a specific consumer. Call center being somebody is calling an 800 number and talking to a customer service representative, either a sales rep or a support representative, and then obviously the web as one of the major ways that customers are getting information about products and services that a company may offer. It is a web visit where they may fill out a form that says, "Send me more information," and so that companies are getting some explicit personalization type information that says, If I'm going to a dot com or another sports kind of web site, I'm going to check that I'm interested in golf, so send me some golf information. That's really stored in an operational data store that's used for day-to-day kind of activity. That's the data store that a CRM system may use so that sales reps and a call center get access to a customer record when an inbound call comes in. They may have some transaction information, maybe used for actually back-end processing where order fulfillment takes place, but it's the data store that's being used on a day-to-day basis. Some companies actually will have a separate data store that is used for data warehousing and the analytics, and that information is transferred back and forth with some synchronization, extraction, transformating and loading where a lot of information is both rationalized, and that is, Bill Smith is also William Smith and Bill Smith came in through the Web and William Smith called in on a call, and that information is rationalized. And then the analytical tools at the top are the things that are really driving a lot of the marketing automation pieces, and that's things like campaign management. If I understand who my target audience is and who my best customers are, let me generate a campaign and plan that campaign and implement that campaign and then manage the results from that campaign. RFM analysis has been talked about already. That's really understanding recency, frequency and monetary transactions on a per customer basis, really to understand who my best customer is, and then to clone that customer and find more that just look like them or be able to recognize them when one of those comes into one of my touch points. Category management's driven from that, and that's really driving product synergies so if somebody buys a particular product, they know, through doing some category management analysis, retail analytics, that a customer is likely to purchase an additional product. And then that starts to drive a lot of the tools that marketing managers use to understand their business, and those are things like data visualization, being able to look at customer maps for drive time analysis and trade area analysis; reporting, so aggregate reporting on a per product or per customer segment or per campaign performance, and then other kinds of data mining, being able to mine data that's transactional and maybe inventory management type applications and merging that kind of piece together. Where Hot Data fits is really on the left side of the equation, and that is we provide a set of services that offer data quality and enhancement of those databases, whether that's an operational database or a data warehouse database. The business models that are really in that kind of space, and not just Hot Data related but kind of industry wide, are really geared around four sets of services. Marty mentioned address data quality, and that's a big part, not only in the real world, but also on the electronic commerce side of being able to verify that an address is a deliverable address, that it is standardized to Post Office standards so I get a better postal rate, that I can manage the consumer's change of address, i.e., the 20 percent of consumers that move every year, that that can be tracked in a database, and then geo-coding addresses so that addresses can be looked at in terms of where people live. Data rationalization and standardizing, that's understanding Bill Smith is William Smith. Consumer data enhancement is enhancement of demographic, psychographic, and business data enhancement. The flipside for us is that we also deal with business to business marketers. In a broad sense this is the architecture that we use. We house consumer household information. We house carrier route information. We have services that house standardization, area code update changes and U.S. national change of address. We provide customer data integration technology to our customer, to our customers who are contractually bound to the privacy use restrictions and viewing restrictions that we pass along to them, and that really from one click of a button they can profile a subset or their entire database and do things like address standardization and profiling. This is kind of a bright real world example of what one of our customers uses, and they're really a wireless broadband provider that was really looking for -- to really target market. I'm sure a lot of DSL, everybody has probably got DSL things in the mail, and when I did, I went to try to sign up for it, and I was out of range, and I couldn't sign up. So they got me to respond, but they got me to be hostile because I was outside the range, so our customer really wanted to target people outside 10,000 foot radius from a central office, and after having done some ideal customer profiling for them, identified who their target should be and who their ideal target should be in that particular environment. I am out of time, and the band's about to start playing, so I'm going to turn it back to Martha. MS. LANDESBERG: Thank you, Johnny. Our next speaker is Lynn Wunderman, CEO of I-Behavior, also serving two roles for us today. MS. WUNDERMAN: Actually, I don't know if it's true, but I heard a rumor here today that the real reason we've been asked to be here is that we're being auditioned for participants on a new TV game show. It's called "Database Marketing Survivor," you know the one where they put a bunch of database marketers in a room in Washington to talk about their business models. Last one standing wins a million dollars. Anybody else hear this? I think I probably better keep my day job. Anyway, I'm here to talk to you today about a company called I-Behavior, and I founded this company with my father-in-law, Lester Wunderman, yes, there is a family relationship for those who have asked, and we created this company largely with the vision to bring a lot of the art and science of traditional direct marketing to the web and to new media. Now, our formula is really very straightforward. Everything that we do, the way we manage data, the way we structure it, the way we analyze it, all the products that we create from data has its roots in a very simple but proven principle we've known for decades as traditional direct marketers. You've heard this theme a lot today. Past behavior is the single, strongest predictor of future behavior. It's no coincidence that our name is I-Behavior. Now, we take for granted gaining access to behavioral information in direct mail. We can pick up the phone. We can call a list broker, and we can rent names from one of any 30,000 plus odd lists based on what people bought, when they bought it, how much they spent. Can't do that today on the Internet. That type of behavioral information doesn't exist. We have interest categories. We have product registration data, but not that level of behavioral, experiential information. Beyond that, what's been largely unexplored is the opportunity to target and understand consumers based on their multi-channel buying behavior. Even though we know that a merchant's multi-channel shoppers, the buyers, tend to be their best customers, in fact statistics show that they're worth an average of over 30 percent more than their single-channel counterparts, and we know that those customers that can master these tools will be the multi-channel winners of tomorrow. So to fill this gap in the marketplace, we've created one of the first, if not some say the first, cooperative database that truly combines highly detailed, transactional information on and offline on known direct channel buyers. Now, before anybody starts slinging arrows up here, I will tell you that there are significant privacy safeguards built into this product, but before I get to them, I want to make sure that everyone has an understanding of the business model so they have the context in which to evaluate them. First of all, I mentioned earlier for those of you who are not familiar with the concept of a co-op database, it's created when marketers pool all their customer names and related buying behavior in order to gain access to names of qualified prospects as well as additional data on their current customers that would otherwise be unavailable in the marketplace by which to build their business. Now, this is a proven business model in the offline catalog industry. I'm sure you're probably familiar with names of companies such as Abacus. Experian has a similar offline product catalog called Z-24. The reason that these products are so successful is really two basic things; number 1, the superior performance of a list. The fact that all this rich behavioral information goes in to fuel the selections, they have significantly higher response rates than the average mailing list, outside mailing list, by which one would normally have the opportunity to do prospecting in the world today. Secondly, in terms of their pricing, they are offered to members, and by the way only members have access to these names. You have to contribute in order to get data out. Members get access to these names at a preferred rate, virtually half the price of a standard vertical list today. So what we're doing at I-Behavior is we're expanding this context so that beyond catalogers we're including publishers, E-tailers, club and continuity marketers, virtually anyone who does direct-channel marketing, and we're creating it in a way that's a true multi-channel vehicle so that you can target more efficiently the Email and postal mail today. Tomorrow it will incorporate wireless, interactive television and virtually all forms of addressable media. Now, there are two reasons why marketers want to gain access to the data. The first and most obvious is prospecting, and certainly you can see by the way that we consolidate information across marketers, across channels, we have a much more complete portrait of these shoppers, their buying patterns and their value. This thing is bigger, smarter than any single marketer could ever create on their own. That's because when we take data in from a merchant, we get it down to each transaction, the entire shopping basket of a person's purchases so that we can collect all the rich recency, frequency, monetary value information we've been talking about earlier today as well as we also get one component that's generally not been available in co-op databases previously. Instead of just giving to each marketer who participates, to all their transactions, some high level general category associated with the affinity for that particular property, we actually get item level data so that we know exact products down to the SKU level that an individual is buying, and I can tell you that that is incredibly powerful information from a predictive standpoint when you're looking for those subtle predictive patterns in the data for those kinds of tools that we were talking about earlier today. Now, we have proprietary technology that allows us to create a common language across marketers that we can really leverage the value of this product level information. We also have proprietary technology that helps us link multiple Email addresses back to a single individual and optimize the match between the on-and the offline data, but I'm not here to talk to you about some of our competitive strengths. I really want to focus on the business model itself. There are two key features that I think are inherent in the kinds of co-op you should be aware of. First of all, this is the only place on the Internet today where you are assured of not talking to your own customers as prospects. That's because, unlike in the traditional direct mail community where mailers are really familiar and comfortable with the process of sending their files to a compiler -- I'm sorry, to a reputable service bureau, I see I'm getting short on time here, whereby they can exchange their names, they can unduplicate them, you can suppress out your current customers, we already know who your customers are because we already have them in the database. Secondly, it's a closed loop process so when we send an Email to someone about this product, they may read the Email. They may not respond to that particular communication, but if they remember the marketer and two or three weeks later they have a particular need, they go to the Web site and they buy, we would know about that, not because we're tracking anything in terms of cookies. I don't want to get anywhere near that, in terms of your surfing of the Web, but we know because the merchant sends us back their data. We match that back to our contact history. We get smarter about targeting you the next time around in the future, even if we don't get credit for that response, because we maintain a professional history on the file. Now, the fact that we maintain a promotion history is really of true benefit to both the consumer and to the merchant. First of all, it allows us to identify habitual non responders. That's very important. Don't want to keep mailing to people who don't want to purchase from you. Secondly, we keep tabs on any correlating between the volume of mail so we can look at your individual saturation rate and any negative correlation against response. Now, the second way that mailers want to gain access to this database is to be able to target their own and mine the value of their own customers. Now, we can do that to help them expand it into new categories, to reactivate lapsed buyers, to turn their offline buyers to more efficient online buyers. So, for example, if an apparel merchant comes and says, "We're expanding into swimwear," and they may say, "I want to target everybody in own our file that has bought from us in the last 12 months, who has bought swimwear from any other merchant in your database. We'll create a one time file, do a one time mailing. Anybody who responds to that mailing, they own the rights to that data. But we will not append any information permanently to that marketer's files, not an Email address, not a transaction because we don't have marketing rights, and there are privacy issues attached to that. What we will append on an ongoing basis are model scores. Remember from our discussion earlier, it's nothing more than a mathematical probability. I have a .8, you have a .4. I'm twice as likely to buy swimwear as you are. Even if we have the same score, you don't really know what it is in terms of personally identifiable information that got us there because it's a formula, and it's made up like a Chinese menu. I got there because of age and income. You're there because you just bought shoes over the Web and you have kids. We don't necessarily have the same profile. I will also say that there's some other creative ways to use these tools. In fact you can use them to serve up dynamic content right on the Web site to register users. Now, I promised you that we would talk about privacy, and I just want to say that in terms of the offline data, we follow the industry standard which is opt-out for direct mail solicitations. We're not looking to reinvent the wheel in direct marketing from that standpoint. All of our member companies actively notify the people who buy from them that they share data with trusted third-parties. If they choose not to do that, they send a request to the merchant. That data comes back to us in one of their updates, and that information is removed in the course of our database build. However, online is a different animal, and we know that people have different expectations from a privacy perspective online. We respect that. We've been extremely proactive on the privacy front going what we believe is really above and beyond today's best practices in industry standard. First of all, this is a double opt-in database, so in other words, no consumer will be targeted for an Email communication unless they raised their hand, self selected, and said they actively agreed to participate. When they do, we allow them to tell us the maximum number of Emails that they're willing to receive in any time period. We will not exceed that. We give them access and control to the aggregated level of information that we utilize for selections, so they can come in, request a copy of their profile. They can say, "Don't use this Email address, use that one. I know I bought sports equipment in the past; but you know what, that was just a gift, please don't send me any more sports offers." Obviously, they can opt-out at any point in time. I will also tell you that we do not allow marketers to cherry-pick this file. They can not come in and say, We want people of this age and this income who bought these products in this time frame." Not online, because as far as we're concerned, anyone who would respond to that kind of an offer, you could attach that purchase history and that profile of the individual and you would be releasing personally identifiable information, and we don't think you should do that. So we work with the marketer to understand, What's the product you're selling, what's your price point, what's the promotional nature of your offer. We construct targeting tools, create a composite score, rank them on the database. All you know is these people had a score of .75 and above. That's nothing in terms of personally identifiable information. Finally, we do not release any of the data on this file to -- no addresses -- to anyone for any purpose beyond a reputable service bureau offline. They go seemlessly through our own service bureau online. They never get access to the data. I will also tell you that we took this concept into consumer research. We told them what kind of data we have, how it benefits them, what we do with it, what we don't do with it, and they were not only very positive about the concept, they actually embraced our privacy policies. So, in summary, I just want to say that we have a proven business model in terms of the behavior-based co-op, which has been expanded to meet the unique needs of multi-channel marketers. We have superior technology and a level of data that helps us generate superior behavior predictions at a good value to our clients, and we're doing it in a way that we believe respects consumer privacy and is looking to set new standards in that area. Thank you. MS. LANDESBERG: Thank you, Lynn. The last speaker on our panel today is Jerry Cerasale, Senior Vice President for Government Affairs at the Direct Marketing Association. Jerry joined the DMA in January 1995 and is in charge of the DMA's contact with Congress, all federal agencies and state and local governments, a very busy man. Thanks for being with us. MR. CERASALE: Thank you, Martha. Lynn, just so you know, for this panel, I'm the last one standing, so send the check. Before I get to my slides, I wanted to just, first of all, thank the FTC for having me here and for having this workshop. I wanted to make three quick points. The first is that the information that we're talking about today is marketing information, information that's used to send you a solicitation, an offer for something. It's not being used to give you employment or refuse employment or anything of that sort or for insurance, whether or not you're eligible for insurance and things like that. In particular as well, just to get on a topic that was raised, DMA guidelines would also say that information that comes from a doctor- patient or medical provider-patient relationship should be only on a consent basis, and that's pretty well standard within the industry as far as we know. Second, the information that you gather is basically to send a solicitation about a particular product, so it only goes once. It's a one-time use that people use to try and find new, prospective clients. And third is that, generally speaking, the information doesn't go to the marketer. What you receive is, the information goes to a service bureau that is either sending out -- making phone calls or sending out the mail pieces and then returned back to the -- it's not used again, so it's that kind of information that we're talking about. Martha asked me to talk specifically about prospecting and why we do it and how is it used, so I wanted to use because of my -- to make it simple so I could understand it, use some hypotheticals, and if Allison gives me time, I'll go to some more specifics after the hypotheticals, depending how nice she is to me. The first is the idea of a new company. I just started something, I have a brand new idea. Think about Marty's view when he had the list of what marketers have and what compilers have. He said marketers have information on their customers. Well, I'm brand new. I haven't got anything. I have no customers, nothing. I have a new idea for a new golf club, so what am I going to do? And the other thing is I'm going to sell it over the Internet. That's what I want to try and do. So what do I do? Well, I'm going to go to a golfing magazine likely and try and see if I can rent the list, because those are people I would assume would be interested in golf, and I'm going to use this list to mail it because I'm starting to find -- and we're starting to find that mail, snail mail is being used successfully to drive customers to Web sites to make sales. We find that from our catalogers and so forth, that it is a very important piece tool in E-commerce or multi-channel marketing. So, this is what I want to do so. So I go and get the golfing magazine list, and it's one million names, and that is outrageously expensive to send, so I can't do it, so I want to go -- I go to an information compiler, and I say, Look, I would like to have some more information from an information provider, I want to try and narrow this list down. I think that maybe this piece would likely be best suitable for women. I think that it may be for women probably over 40 because it helps give distance, and if you really swing hard it messes up the way the ball goes, so I think that that's what I want, and I know that likely I think that it's expensive, higher income, let's see if I can get that from Census data. I'm selling it over the net so I want to use Win's stuff to make sure they're Internet- enabled, and I think maybe five miles from a golf course. Let's just pick these out of the air. Maybe we can get these things, and it finally comes down to 500,000 pieces, people that I can send this to, and that's within my budget, and that's what I'm going to use, and that's how a marketer can try and prospect a new start-up business. Without the information from third parties, I can't start. I cannot start a catalog. I cannot start driving people. I can try, put it up on a Web site, see if search engines get me some people, but that's not going to be a viable economic model. Another idea for prospecting is a current marketer looking for new customers. The idea I'm trying to use here, I'm selling books and probably I'm selling books online, I'm trying to use online and offline because this is supposed to be online and offline information so these are my examples. And I know because I sell books that they're upper income, they're Internet-enabled and these people that purchase from me happen to be people who live more than 20 miles from a book store and more than a hundred miles from a discount book store, so that's my marketplace of my current set of customers. 40 percent of Americans never purchase remotely. 60 percent of Americans do, so I want to try and reach some new customers, so I'm going to go and try to find information that matches that market because it works for me today, and I'm going to send a mail piece to them. I may in fact ask for a split on this test, people who have purchased, those that were in the 60 percent piece of the pie, and those in the 40 percent that have never purchased, to try and see if I can reach new customers differently through this mail piece, and so I send it. This is what I want. This is the information I asked for. The information provider supplies a list to the letter shop I'm going to use. They send it out. They make sure the current customers are deleted. They use hopefully the DMA mail preference list, and they prepare the pieces, and they send them out. I never see the list. I only know someone was on the list if in fact they come back and purchase from me. Then I would know that they responded, so that's the only way it happens, and that's generally how you use prospecting data. That's to try and find someone new. You know from past behavior or you have a guess, if you're brand new. You don't have any past behavior in your -- on your product. You make a guess: We think this is what the market is for. That's how we use the prospecting. Now, let me give you a couple of quick examples of real life things that have been testified, to the process has been in Congress, in testimony before Congress. One company is Grolier. It's no longer in existence. It's been bought out, but Grolier is a bookseller selling things remotely out of Danbury, Connecticut, and it basically sells to children, basically sold discounted Dr. Seuss books. The market for this company was rural Americans who lived more than 50 miles from a book store, families that had young children and were low income. The only way for Grolier to find these people to give them books that their children can read or books that they could read to their children was to have information to find them, so it was necessary to have a free flow of information. And marketers -- the other is stylists, an after-market automobile company that sells after- products for minivans, seat belts that can be adjusted better for children, back-up warnings on minivans, so their market, families that own minivans that have children that are outside of car seats, to try to give them an offer of some safety to add to their cars, and that's the market, and they needed the information to try and find it. One of the things that I want to make sure that you also know, my time is now up, I did get through the two examples, thank you, I didn't get my million dollar check yet though, but the one thing that the DMA says, you have to tell people that you share information with third-parties and give them an opportunity to say "no." And that's really the basis, that people who take the information and share with third-parties have to tell you that they do that, and to be a member of DMA you must do that. Thank you for the time. (Applause.) MS. LANDESBERG: Well, we have just a very few minutes for questions from the audience. If you would raise your hand, and if do you have a question, we'll bring the mike to you. MR. HENDRICKS: Two quick questions. Evan Hendricks, Privacy Times. In the offline world, a lot of times people want to know when they receive a mailing, "Where did you get my name?" Aren't there a lot of instances where there's contractual language that prevents organizations from disclosing that? That's the first question. And the second question is I assume that the 20 licensees of the NCOA sell new movers' lists which they're able to produce because of the data they get from NCOA, but do other companies also sell new movers' lists? MR. ANDERSON: I'll answer the NCOA question, and one of the restrictions that we have from the USPS is that we specifically cannot generate new movers' list, so this is specifically -- our NCOA services are specifically for people that are in a database, but we will not, cannot contractually generate a new movers' list that can then be sent out to marketers that are interested in people that have just moved. MR. HENDRICKS: How are they generated, where they're moving? MR. ANDERSON: A lot of other different sources, but none of which come from the USPS. MR. ABRAMS: In terms of the question about, "Where did you get my name?" Increasingly during the 12 years that I was with an information aggregator, the contractual arrangements that limited the ability of the marketer to say where the name came from began to disappear from the marketplace. And increasingly organizations are acquiring data from organizations that have given notice, and organizations that even if they say, "No, you can't tell them where the data came from" they say "Pass on the name to us and we will call the individual and let them know that we were the source." So while that was the norm ten years ago, that norm has been changing over time. MS. LANDESBERG: Jerry, did you have a comment? MR. CERASALE: I was going to just comment specifically on the NCOA because actually there is a contract, but no one can use that for marketing purposes. It's just to correct mailing lists, to increase the efficiency of the Postal Service, so I don't have a lot of those letters. MS. LANDESBERG: Other questions? All right, then. Seeing no more questions, I would like to thank our panelists for a wonderfully informative session. Thank you. If I could ask you just to bear with us for a moment, we'll go straight into the next session -- so don't go anywhere. (Discussion off the record.) SESSION FOUR HOW DO MERGER AND EXCHANGE AFFECT CONSUMERS AND BUSINESSES? MS. RICH: Hello. If everyone can take your seats again, please. We're going to start this next panel. I'm Jessica Rich. I'm an Assistant Director in the Division of Financial Practices here at the FTC, and I'll be moderating this fourth panel, which will focus on the effects of merging and exchanging consumer data on both businesses and consumers. In other words, how do consumers and businesses benefit from these practices and what concerns, if any, do these practices raise. I think we've heard some references to the various ways in which people benefit or some of the concerns that people have, but we're trying to drill down and talk more specifically about this particular topic. We have a great group of panelists for this session. We're going to start with brief statements from each of them, three minutes each, and we're going to hold everyone to that, but I don't want to be too -- everyone has been great about keeping to their time, so I probably don't have to lecture them too much. Then we'll have a discussion among the panelists so we can examine the issues in greater detail, and we'll hopefully have time for questions. I think for this panel questions are fairly important, so at about 3:15, if you're in -- get ready to ask some questions if you're in this room, and if you're in one of the overflow rooms, please come up to the door here so we can give you a microphone to ask your question. I want to emphasize that this is a long panel, and it's easy to focus on a lot of different topics, but we really want to focus on the effects of the particular practices we're talking about today, which is the merger and exchange of consumer data, the effects on consumers and businesses, that specific topic. We're going to let our speakers go alphabetically. I think they may be seated alphabetically, and we're going to start with Fred Cate, and I'll introduce him. He's a professor of law and Harry T. Ice Faculty Fellow and Director of the Information Law and Commerce Institute at the Indiana University School of Law in Bloomington. He also serves as senior counsel for information law with Ice Miller Legal and Business Advisors and is a visiting scholar at the American Enterprise Institute. He specializes in privacy and information law and appears regularly before various legislative committees and professional groups on these matters. Fred? MR. CATE: Great. Thank you very much, and thank you also for the opportunity to be here. I've tried all morning long to condense this to three minutes, and I think I've got it now, so let me just make two points. I'm just going to take up one of the questions that was asked, and that is the impact on consumers, and let me talk about just briefly two points. One of them is the use of information to overcome the obstacles of market size and distance to make it possible to deliver customer service, customized service and personalized service to customers, and there are many examples of this, such as better targeting of what is stocked in stores. We've already heard about better targeting of the type of mail or commercial offers that are sent into homes, more accurate decision-making about customers, about consumers who come seeking service, greater convenience for consumers in many ways all the way from having forms pre-filled in, one call service center being able to change your or address in multiple accounts with a single call, loyalty programs. I think frequent traveler programs are something we almost all share in common at least in this room, or returning goods without a receipt. These are exactly the types of examples of, if you will, sort of overcoming the type of problem that large, diverse and particularly online markets pose. The second, I think, set of examples of the real impact on consumers is where we see dramatically new and different types of benefits, and maybe the best example is lower cost, and this is one area in which there's been a fair amount of studies completed recently showing, for example, Mike Turner's study, a billion dollars in the retail apparel industry in cost reduction by the ability to use personalized information, Walter Kitchenman's study showing $85 to 100 billion in annual savings in the mortgage credit market because of access to personalized information, the Staten and Barron Study showing $150 billion annually in non mortgage credit, the Ernst & Young study, Ernst & Young will be speaking later, $17 billion a year focusing just on 30 percent of financial services companies. The point is this consistent evidence from these studies about the way in which the use of personalized information saves consumers money, but there are other good examples, either dramatically new and different services, for example, the wider availability of products and goods and services. I don't mean simply expanded access to credit, although we have studies clearly demonstrating that, but even the points made on the earlier panel about the way in which a business operates, the way in which AOL got started by sending out floppy disks to people who had computers (and identifying people who had computers of course was key to that strategy), and finally the more apt, rapid and efficient, more accurate fraud detection and prevention. I think one thing that almost anyone who works in that field will say is that personalized information is the key to detecting and preventing fraud. If you don't have access to it, you'll lose one of those key tools. Thank you. MS. RICH: Next we have Jason Catlett. He's President and Founder of Junkbusters Corporation, a computer scientist with a Ph.D. in data mining. Dr. Catlett has worked on issues relating to the interplay between technology, marketing and privacy at such places as AT&T, Bell Laboratories, the University of Sydney and various other academic settings. In addition to academic publications, Dr. Catlett has contributed articles to such publications as the Privacy Journal and Direct Marketing News. DR. CATLETT: Thanks very much, Jessica, and thanks again to the Commission for inviting me today. First let me put a concern to rest of Jerry and anyone who feels like they're on a survivor program, or Commissioner Swindle, that I'm not going to be posting any profiles of people. I did go through an exercise that you can read in the handout out there of asking people if they would be willing to have their profiles posted and then going to companies to actually see the profiles that the consenting data subjects have. Unfortunately, though I have a number of volunteers, I have no company yet willing to place on the table before us a real profile, which I think is regrettable. However, what I'm going to talk about today is not that. It's three points. First, let me state that Fred is absolutely right that the benefits of information processing are enormous. Let's remember, however, that the overwhelming majority of those benefits come without personally identifying information. Wal-Mart is an extremely good example. It's all about inventory and forecasting, and most of the benefits come without PII. Where you do use personally identifying information, as Marty Abrams pointed out, the vast majority of that is about personal information that the business already has and not that it gets from third parties. Now, turning to the question of whether direct mail actually reduces -- sorry, targeting that information reduces the amount of junk mail that people get, in fact it actually increases it. If you look at the historical trend from say 70 billion direct mail pieces per year in the United States, it's been trending up as the technology has made targeting better and better. We do see more offers that people respond to. This is true, but the typical response rate being in the low percentage figures as Michael said, that results in a lot more junk, and Jerry's example of the golf course magazine is a good one here because without the information, a lot of offers are uneconomical and would not be mailed. So the additional information causes more offers to be responded to, also causes more unwanted solicitations because the information isn't perfect. Now, let me turn to some of the negative aspects of personal information. One that we haven't discussed yet, I think is important, goes under the name of dynamic pricing or price discrimination. The American public loathes the idea that the person sitting next to them is getting a lower price on the same goods that they're getting. They loathe the idea that I'm getting a lower price than Fred is for example, and I think Amazon learned this to their distress when it came out that they were randomly, they said, pricing, and Amazon very quickly stated that they would never base price points on demographic information. They said they didn't really have click stream data. I would like to see a clarification on that. I'll wrap up with my last point, which is the effect on non-participation. I would dearly love to see some figures that talked about the impact on participation of profiling, but we don't have those figures. We just have figures that Forester put out last year of $12 billion lost in online commerce due to privacy concerns. But those privacy concerns were not specified to the level of particular profiles where the people were concerned about SPAM, or about the actual nature of the profiles. We simply do not know. I'll leave it at that. MS. RICH: Great. Jerry Cerasale is next. He was just on the previous panel, but I'll remind you that he's Senior Vice President of Government Affairs at the Direct Marketing Association. MR. CERASALE: On this panel, still looking for my million dollars, but whatever, I wanted to just take a look at that study of restriction of data that was released yesterday and just raise to you that it's a billion dollars in just the apparel area, but there's an additional study that's an overlay on it that says that the individuals -- the groups that purchase apparel remotely to a greater extent, a greater proportion than their density in the population, are rural Americans and economically disadvantaged intercity, the people who are not adequately served by brick and mortar retailers, the people who don't have other choices, who end up paying a disproportionate share of any restrictions, cost of restrictions on privacy. Those who have the fewest choices are the ones who pay the most based on that study. I want to add to what Fred had said. What we know is that the sharing of information helps reduce fraud. We've seen studies where fraud, credit card fraud over the net in Europe is twice as great as that in the United States. We can attribute that in part I guess because we're more honest than Europeans, but I'm not certain that that is the full case. The real reason is that part of the restriction in Europe is you can't use information collected for purposes other than the specific reason that information was collected, so a billing address on a credit card cannot be used for anything other than billing. So that in the United States, if you're on the Internet or even on the phone, if you call or want to purchase a good and here's the credit card saying, I'm Jerry Cerasale, give them a credit card number, and it's being delivered to the billing address, that's fine. In Europe they can't check that. In the U.S. they can. If it's not going to the billing address, I'm sending it to my mother or ostensibly I'm sending it to my mother, they ask for the billing address. If I can't give them the billing address, then they figure it's probably not Jerry Cerasale, so it's an added thing for fraud prevention. So information flow is important from that score as well, giving benefits to people. There are an awful lot of jobs, low income jobs. It's interesting when you go on visits with senators and representatives that they want direct marketers to come with them to set up call centers, to set up warehouses and so forth in areas where there are economic downturn areas because they want to try to build them up. These are jobs that can be part time. People can be trained fairly readily, so those are advantages as well as choices to consumers. You also have employees and the efforts there in trying to do that. It also allows for easy entry, easier entry for new businesses so that you can get greater competition. I do not have to build the store. I can be L.L. Bean in my basement getting a list of Maine hunters, Maine hunting licenses, out of state people, sell 15 shoes, have to repair 14 of them, but that's how I start a billion dollar business. Those are the things that can happen and happen readily with the sharing of information. Thanks. MS. RICH: Next we have Mary Culnan. As we noted earlier, Mary is the Slade professor of Management and Information Technology at Bentley College in Waltham, Massachusetts, where she teaches and conducts research on information privacy. MS. CULNAN: Thanks, Jessica. My point I would like to make in my three minutes is that fair information practices should apply to the merger and exchange of consumer data, that is to profiling, and it's not clear that it really does today. One way I think to close the trust gap and the misunderstanding that Commissioner Swindle talked about this morning is through much greater transparency about how compilers and co-op databases acquire personal information and what they do with it. There's some parallels here to the network advertising model where in fact consumers do not have a direct relationship with the compilers and the co-op databases, and they frequently don't know who these firms are, so if they wanted to contact them, they would not know how to start. So what are some of the things that we need? We need much more notice where data are collected directly from consumers. I've never seen a notice that says, "We share your name with carefully selected companies or carefully selected third parties and one of America's largest data compilers." And I think to the consumer in fact the idea of a carefully selected company, while in fact the information is being shared for marketing purposes, that is not the same thing to the consumer as you buy from L.L. Bean and you get a mailing from Eddie Bauer or something like that. So I think that all the compilers should provide an easy way for people to opt-out, and there needs to be a better way for people to be pointed to the Web site or however the opt-out is handled, and I think the companies that enhance their customer databases should include this fact in their privacy notices just out of fairness. There are a couple questions that need to be answered. What does opt-out mean for compiled databases? Does my personal information stay in the database? Is it still used for enhancement purposes, or does it just mean that my name is removed from the mailing list when people come to get a prospecting list and it is just gone? Should consumers be able to have their personal information removed from a compiled database? And then, second, the always popular "What kind of access is appropriate?" In conclusion, I think really there's a need to bring consumers into the loop. What I hear -- it strikes me a lot of it is "We know what's good for you" is kind of part paternalistic because most consumers are smart, and they make good choices in their own interest when they have information. And I think access to personal information is not an entitlement just because people don't know about the compilers, and basically then they don't know about it. Consumers do benefit a lot from compiling, and I think the marketing profession needs to develop some effective strategies to educate and communicate with consumers the benefits of profiling and that these benefits outweigh the risks, which also means that the people that hold these databases have to make sure that they have very good privacy policies in place and that they enforce them. MS. RICH: Next we have Evan Hendricks. Evan is the Editor and Publisher of Privacy Times, a biweekly newsletter that reports on privacy and freedom of information law. He's also the author of several other publications on consumer privacy, including his book "Your Right to Privacy" and he's Chairman of the U.S. Privacy Council. He regularly lectures on information policy issues in the U.S., Canada and Europe. MR. HENDRICKS: Thank you, and thank you to the FTC for the hard work they've put into this and the opportunity. In January I had the good fortune of hearing Commissioner Swindle speak not once but twice in different gatherings, and he said something that I strongly agree with. He said that when we talk about this issue, we should not talk about it emotionally because it can be an emotional issue, and it doesn't really help. This is something we need really more light than heat, so I made a commitment to him that when I come before the FTC, I will not discuss this emotionally. And then I started thinking about it this morning, and I started getting really mad because I love to talk about this emotionally, but I'm a man of my word, so I can't do that. Seriously I think that we should speak about this in cool and analytical ways, and I think, first of all, there's a greater irony here, and one of the ironies is that the direct marketing industry was subsidized by the taxpayers. The direct marketing industry was able to get public records at low or no cost, which was a great way to start a business if you can get your primary source that makes your business possible paid for by taxpayers. We've seen it -- and that's not such a bad thing. We've seen it with investment in computer chips by the Defense Department has led to the computer revolution, but let's recognize that as people speak against government regulation, what got them to a point where they can speak about that. Second of all, I think already from today and all the years I've seen leading up to this, on the issue of warranty cards, I think there's enough evidence to justify an investigation of unfair and deceptive trade practices. I think it's widely understood that consumers fill out warranty cards thinking that they need to do this for the warranty to be good, and in fact you do not need to fill out a warranty card for the warranty to be good. The purpose of warranty cards is generally to collect information by database companies. It is then sold and used for other purposes, and warranty cards are one of the primary sources of unlisted phone numbers, which people are unable -- companies are unable to buy from phone companies, but they can get them. And I think it shows that people who pay extra for an unlisted phone number would not be giving their unlisted phone numbers if they knew that information was going to be sold on the open market, so I think we have a real problem there that deserves official attention. I think another example -- since I only have three minutes, another example of something that cries out for concern is say a company like American Student Lists based in New York. Factually, for instance, they have over 12 million names of children ranging in age from 2 to 13 years representing PK through 8th grade. All names are selectable by age, birth date and heads of households, and approximately 25 million age birth through 17 compiled from numerous direct response sources selectable by age, birth date, head of household, income and geography. Well, I doubt that most of the people in those categories or their parents really had a chance to exercise much in the way of notice and choice. A third area of I think concern which now -- finally the good thing about the workshop -- is it is being described as a very routine process and it has been for years, but that is not known to consumers, is the idea of enhancing your database, which really means by virtue of being a customer of a bank or of an Internet provider or whatever, because you're a customer, then they go to outside sources of data and fatten their file on you saying, This is what kind of car you drive, this is what kind of home you own, this is your estimated income, do you have children. And I think that there is again no notice, awareness or education to consumers about what's happening and certainly no rights for individuals to do anything about it; and I think that is a very significant privacy issue because if you join a company, you know they're going to have information on you as a customer, but when they merge information, they're basically creating a whole new file that you don't know about. I think also the whole issue of public records, I think that in public records, it's a difficult issue. As a FOIA advocate, I think there should be public access to public records, but when it's personal data, I think we should apply the purpose test that we find in Fair Information Practices and that if it's a driving record, it can be accessed for driving purposes. Well, if it's a voter record, and in answer to one of the earlier questions, Are there restrictions on public records, half the states have laws that say you cannot use voting records and the other half don't, but I think the idea is that if it will interfere with people's right to vote, if they're concerned that their information will be used for commercial purposes, that's the purpose of the privacy law there. I think we have to apply that kind of purpose test where people can get access to a voter's list if they're doing a campaign. How do we do that? I think one way to do it is that I think we should have to certify to the record holder that you're using it for this purpose and then have a notice sent to the data subject so they know that someone has accessed their record. That can be done either by postcard or electronically to reduce cost, but I think that's the direction we need to go to handle the public records issue. My final point is that I think there's a lot of important players missing at this workshop starting with Acxiom, which has records on over a hundred million Americans, something like 120 million Americans pulled from all sorts of sources. I commend you to two articles in the Washington Post that dealt with Acxiom over the last couple years. I think a lot of hard work goes into putting a workshop together like this all the way up and down the Commission, and I think it's a disservice to the Commission and the American public if a major player like Acxiom and other players like that don't participate to shed light on what they do. Thank you. MS. RICH: Our next panelist is Rick Lane. He's the director of E-Commerce and Internet Technology for the U.S. Chamber of Commerce, where he's responsible for coordinating the development and implementation of the Chamber's E-commerce and technology, legislative, and policy initiatives. Mr. Lane has served in leadership positions on a variety of federal, state and local commissions and committees, including the Montgomery County Cable and Communications Advisory Committee. Rick? MR. LANE: Thank you very much. I just have a quick question. How many people in the audience have started a small business, have started their own business? That's what this is all about. That's what we're talking about in the free flow of information and being able to have entrepreneurialism in this country. I started my own business called Cyber Sports. We spent a lot of money in development of a product, and basically what the product was was a database that college and university sports programs could use to help track the college recruits that they were recruiting through the recruiting process. In the old days they had paper files, and they had problems complying with NCAA requirements, but how did I get that product to market? It was easy for the most part to develop the product, but how did we target our audience? Our audience was college coaches. What we did was, first, we looked and thought, Well, we can call every college and university sports program in the country. I think there are about 5,000 colleges. We were four people. We couldn't afford to do that. So what we did was we found a list that was already available, that had information on all the college coaches in every sport across the country. It made our life easier. Then we got additional information from other sources that put on top of it the coaches win-loss records. So we saw those coaches that were losing would be a better potential market for our product than those that were winning because the ones who were winning figured, Hey, we already understand this game. And then on top of that, we took the information of size of school because what we found was the smaller the school, the more kids that they had to recruit because they didn't have name recognition. I have a nephew who is six-three, 215, the fastest kid on the team. He's not hard to find. He's going to be recruited by Michigan and Ohio State and other schools are going to find him and probably offer him a scholarship, but what about the kids who are in the smaller towns and how do we get information about them? Here's the next part of the process, which is people send information on college kids throughout the country into these coaches' databases which they search on grade point averages, height, weight, positions and they fill them. Now, what we're talking about is, Is that a bad thing? Is offering kids scholarships a bad endeavor? We have information, these college coaches, on thousands of kids based on public information through newspaper articles and so on and so forth. Yet they are using it to offer kids scholarships, and those of us who enjoy March Madness think, well, maybe it's not a bad idea at all, but what we found is the academic side of the colleges liked it because we were tracking grades and other information for the kids that were being sent in, but then other departments who were offering scholarships began using our software to offer kids scholarships for music and academic scholarships and drama and so on and so forth. So the information flow is critical. We looked at it in Acxiom, yes, big macro, large company, important to look at, but there are also a lot of smaller, targeted uses of information database and flow that is beneficial to the foundation of this economy and how we operate. So from our standpoint, we look at this issue from a small business perspective. Let's give small businesses the opportunity to grow and survive and to create competition in the markets unlike in the EU, and let's not arbitrarily just cut that information flow off. Thank you. MS. RICH: Greg Miller is Interim Chief Privacy Officer and Vice President of Corporate Development for MEconomy, an Internet privacy infrastructure venture. Before joining that company, Mr. Miller was Medicologic Netscape's chief Internet strategist of governmental affairs and a director of strategic marketing for Netscape. Mr. Miller has worked on issues involving technical Internet infrastructure, online marketing strategy, including personalization and data warehousing, and Internet security and privacy policy issues. Greg? MR. MILLER: Thank you, and I want to thank the Commission for inviting me to participate this afternoon. Actually a little bit beyond MEconomy, I have the privilege of being a venture capitalist, not to be confused with capitalist, so MEconomy is one of my portfolio companies. But in the process of doing that, I facilitate the development of emerging security and privacy companies in the digital economy and advise up-starts on issues of consumer privacy and information security, and two very different, yet perhaps paradoxically complementary sectors of digital entertainment and U.S. health care. I've been asked here today to participate with my esteemed colleagues on an exploratory discussion on the effects to business and consumers of the merger and exchange of consumer information and digital economy. And of potential applicability to this discussion, I spent the last six months working with a client start-up to engineer an inflow mediation and user registration system that was designed specifically to address required consorting of offline and online consumer information for multiple sources in order to create the best possible user experience and online digital entertainment while simultaneously respecting the privacy of those subscribers. Our solution, which we dubbed JOIN for "just opt-in," addressed many of the issues raised by this workshop, so the net of my work there, as it may contribute to today's discourse, can probably be summed up as follows: Over time the convergence, Consortium and brokering of personally identifiable information, or PII, we believe will require a balancing test between the needs of business and the needs of consumers, nothing too profound there. And I can see the broken smiles of the lawyers among us. I call it YABT, "yet another balancing test," and thankfully for all of us I'm going to avoid going down that particular rat hole of jurisprudence. But anyway, what we learned last year in this online music start-up was that consumers might not worry about privacy per se as much as they worry about surprises and uninvited interruptions, and apparently Seth Goddin this week concurs at least in part with that finding in the current issue of Red Herring Magazine. So I submit that consumers simply want to be left alone and are not interested in being interrupted, unless they've agreed to such as part of the deal for receiving the information, product or service that they're seeking. I also submit that the majority of businesses are not interested in snooping but simply selling more products and services. For business success in the digital economy means gathering information to improve the customer experience and relationship. Compiling information on consumers from whatever source is legally available should be intended to improve the customer experience and nothing more, and this may mean not only sharing and consorting of PII, but synthesis of data into homogenized databases. This can raise potential concerns. The ease with which PII can be extrapolated is improving -- it's proving really possible to be a very powerful thing and perhaps to one's detriment. Witness Web M.D.'s move last week or the week before to rescind their contractual obligations to provide certain data to Quintiles, one of their supply chain trading partners, due to the technical wherewithal to ascertain an identity with only a date of birth and a postal code. I submit there are demonstrative benefits to PII compilation and the downside in terms of consumers' lack of confidence in business to do the right thing or unwillingness to participate I think can be addressed through what we call permission based approaches to the data gathering use. Of course, consumers should be aware of the possible misuse of PII but also understand the cost benefit. So through that work we also came to the conclusion that unless and until the incentives of business and consumers are matched in a manner that encourages and authorizes the compilation and usage of PII, something we're studying right now at MEconomy, this so-called digital economy we think may stall. For the consumer the concern should probably run to security more than privacy as the real threat may lie in identity theft. Unfortunately we weren't able to find a lot of empirical evidence last year on the use or misuse of PII. I think the digital economy is still fairly nascent, but I think prospectively industry should focus on the now well settled principles of notice, choice and access, and as they're equally important in the compilation of PII, we think the consumer should be notified of information gathering practices and policies whenever they're used in any service, online or not, and where appropriate or practical given the choice to participate in advance of such gathering. We think the compiled PII by business should be accessible to the consumer's review, too, and we think applying these three principles with equal force and meaningful standards for each empowers the consumer to take an active role in protecting their own identity and its uses. So as we grapple with the complex issues of the underlying and I think most valuable commodity of a digital economy, PII, I believe that notice, choice and access can serve as safeguards for over- reaching data collection, and I think that that would be the basis for my contributions today, if any, that are hopefully useful. Thank you. MS. RICH: Thanks. Lastly Brian Tretick is a principal with Ernst & Young, who works in the area of global privacy assurance and advisory services. He serves clients in the online financial services, retail and software industries focusing on the technological, organizational, regulatory and third-party relationship aspects of data privacy. He also works in the firm's global privacy practice where he helps to provide various consolidated services, technical, advisory, and legal, to Ernst & Young's global clients. Brian? MR. TRETICK: Thank you, Jessica. Prior to this panel, you heard from marketers, and I represent here the assurance industry. I want to talk a little bit about what companies are doing, especially companies that hold on to marketing information, hold on to information about their customers, merge third-party information with that to get to know their customers better and perhaps then provide an avenue for other parties, their merchant partners, business partners, to reach the company's customers with those third-party messages. First off, I would like to talk a little bit about the organizational issues, namely, the appointment of privacy officials, and these aren't the privacy officials, the celebrity CPOs that were appointed over the last year, year and a half. These are people with a lot less glamor. They have assurance, audit and compliance responsibilities, so what we're doing, we're seeing a push, an evolution of privacy and privacy responsibilities out of the PR, the business development type environments and down into the business. We're seeing an emergence of the roles and responsibilities, the policies and procedures out of marketing groups for marketing data, although they need to keep executing those policies and procedures. There's someone with authority and accountability in companies who is much more, pardon the expression, humorless about the use of information because they're much more regimented and disciplined in their backgrounds. So we're seeing those again accountabilities and authorities extending outside of the marketing arrangement, marketing groups, and into business development, into other compliance and auditing functions. We're seeing the extension of security and controls, again not just on Web sites. All this data is back in enterprise systems and increasing technical, procedural controls in these situations, and also assurances where management needs to establish confidence among themselves that their technology groups, that their business development groups, customer service groups, marketing groups, sort of fulfillment groups, are all meeting these policies and procedures, these internal policies and procedures. So they're seeking assurance internally and externally on these practices. They're providing training and awareness for their employees and third-party vendors on their policies, on their detailed practices, dos and don'ts, what they should and should not do regarding the use of collected data. And they're also reregulating their dealings with third parties, with people who they receive information from and people who they provide information to, vetting them, selecting them carefully and doing due diligence and including specific terms of use in contracts with third parties and also then various verification and monitoring. The final point here is that these companies are working again internally or with third parties to establish assurances that their controls are in place to prevent bad things from happening, to discourage bad things from happening, and to put controls in place to encourage the right things, the appropriate business practices to happen. Thank you. MS. RICH: Thanks to everybody for your prepared statements. We thought it would be useful next to open up the panel for a discussion of some of the issues you touched on in your opening statements. Some of you have identified ways in which consumers and businesses benefit from the merger and exchange of data, for example, better targeting of ads, lower costs, better customer service, lowering end barriers for start-up, other examples. I think it would be useful if the panelists expanded on some of these points and had a chance to comment on others' points that were made in this area, and also if anybody has data to support or even contradict the points they're making, if you could mention it now, I think it would make for a better discussion if there was any data and everyone could hear about it. I guess Jason is putting his tent up, so he would like to start it off. DR. CATLETT: Thanks very much. Let me talk about dynamic pricing a little. There's very little data on this because companies don't put out press releases saying," We are able to gouge our customers to the extent of $6 million." However, I would point you to an article in Harvard Business Review last month that says that an unnamed consumer electronics store was able to differentiate between price sensitive consumers and price insensitive consumers who were in a hurry and to charge the more hurried customers a 20 percent premium over the more diligent shopper, so that's the only empirical data point that I have about dynamic pricing, an area that's shrouded in secrecy. What could we possibly do about dynamic pricing? Well, there's a diversity of opinion about whether this is a good thing. The airline industry does differential pricing, not based on personal information, but whether, for example, you want to be home with your wife and children on Saturday night. A benefit to rationing that, and I think there's a diversity of opinion on whether dynamic pricing is a good thing. What privacy protections are necessary in that environment? I believe the appropriate one here is that adopted in the EU's data directive which gives the data subject not only the right to see the base data on which the decisions are made, but also to have an automated decision-making process explained to him or her. So that, for example, if an E-commerce merchant is charging Fred $2 less for a paperback book than it is charging me, then I can, in principle, ask to have that decision-making process explained to me, and then the merchant can say, "Well, it's because of your past behavior in this area," and then at least I have some understanding on which to base my future behavior. MS. RICH: Is that Rick down there? MR. LANE: Yes. Just a couple points. On the dynamic pricing issue, obviously that just puts up red flags for us in terms of you're dictating how businesses are going to charge particular customers for particular items. Does it mean dynamic pricing includes presenting certain customers with coupons that provide a 10 percent discount over maybe my neighbor who doesn't get that and based on my buying habits, and so that is obviously of concern. Also market forces, if what happened at Amazon.com is accurate and all this brew-ha-ha erupted, obviously there is concern in the marketplace that reacted very quickly and swiftly that consumers weren't ready for that or did not appreciate that, and it stops, so there are market forces already out there. Also the direct marketing that Jason put forth in his discussion about the increase in direct marketing over the course of time, well, yes, obviously there's been more mailings done. There are more people in the country. So, of course, you're going to have more mailings. There's more businesses. There's more small businesses, and we've had a dynamic growth over the past couple years. It's called economic growth. I thought it was a good thing. So, yes, you're going to have more direct marketing out there, but the fact is you're getting less mail that's not of interest to you, and that's a critical point, and that's what this is all about. DR. CATLETT: Could I respond to that quickly? There are several factors at work, the increase in population, the increase in the price of paper and the price of postage, which Jerry I guess constantly is working on, all work to cause the total number of solicitations to vary for a number of different areas. But I think if you learn DM Math 101, you will find that more information means more total solicitations, more accepted solicitations, but also more unwanted solicitations. And on the issue of dynamic pricing, I didn't seek to say that the Federal Trade Commission should stop dynamic pricing or stop a company from offering a coupon to a subset of its customers based on the Claritas Prism rating or whatever criterion. I simply think that from the point of view of privacy and fair information practices, the consumer should have the right to see the information that that decision is being based on. The information may be incorrect, and they may be missing out on something that they might otherwise be entitled to, and the decision-making process should be transparent. If there is a trust gap, and I agree with Commissioner Swindle and the many other speakers who have said that there is a trust gap here, the way to close that gap surely is greater transparency, to give the consumer the right to see what's going on and the right to delete it if they don't want it. MS. RICH: Evan, you've been waiting patiently, calmly. MR. HENDRICKS: And unemotionally too. MR. RICH: Unemotionally, yes. MR. HENDRICKS: Well, let's talk about small business. If you look -- I commend everyone to the latest study from Forrester. Jason cited one earlier in our Privacy Times. It's out on the table. We report on the latest Forrester which looks at wireless, how privacy is not only integral to wireless, but privacy is integral -- it's the core business issue, and that it has to be dealt with top to bottom or businesses will suffer. And Forrester staff are not consumer advocates or political. They're just worried about their clients' bottom line, and I think it's a very important analysis. Let's talk about small business. I mean, so much of being in business depends on your judgment as a businessman and what is your business model, and so sometimes you need information to make your business go, and sometimes you can configure your business so you don't need to rely on people's personal data. I started my small business in January 1981, and I had $3 in my pocket, and I've not borrowed money, and I'm still in small business and -- is the business you described still going? MR. LANE: It's the number 1 recruiting software in the country. MR. HENDRICKS: Excellent, excellent. So we like that, but I think the other thing that happened to be in the 1980s is when the federal agencies were making a lot of claims about computer matching and that computer matching -- when I wanted to match databases from different agencies to fight fraud, they would make these projections about how bad fraud was among federal agencies. And I was part of studies that actually drilled down and looked at the numbers, and we found that the costs and the fraud projections were completely specious. There was no basis in fact to them, and that they were just pulling numbers out of the air. So I look in today's Wall Street Journal, and I see that the cost of the 90 largest financial institutions will be $17 billion for some sort of restrictions on sharing or selling customer information, and Fred is quoted as saying that the costs run into the trillions, so I look forward to looking at those numbers too. I'm very skeptical that these will hold up to objective analysis and that the one thing when you hear about Gramm Leach Bliley, notices will be going to customers by banks of information practices and privacy policy. But Gramm Leach Bliley, the provisions in there were -- that's what the banking lobby wanted. They got what they wanted in this bill, and the other proposals advocated by the consumer advocacy community were rejected. So this is a case where maybe they didn't think out long enough what really were the best privacy standards and the most cost efficient ones. MS. RICH: Fred? MR. CATE: Thank you very much. I think one of the points Evan makes, he raises one, and frankly this goes to something Jason said which might be worth following up on, several people have mentioned, and Evan just did then, the question of how many people don't engage in an activity because of privacy fears and trying to put numbers, and Forrester certainly tried to do that. I think there's some reason to be a little skeptical of that, and I think Europe is the reason for that. Europe offers the most restrictive set of privacy laws we have on the books. The polling data on reasons for staying offline is just as high as in the U.S., so in the presence of very high legal protection, you have a very high anxiety rate. Moreover, something else we seem to know is that there's a certain disconnect here between what you want to be worried about and what you are worried about, that what we might perceive because we don't know, because we don't understand, and that this is also reflected frankly in a lot of these -- a lot of these numbers. And if you read the whole survey you see what they were really talking about was something different. They were talking about security or they were talking about some specific issue, not the question of, Is this information going to be shared. They're worried about, Is the information even going to get to the end point, but this reminds me -- this is my segue alert. This reminds me of Jason's point, which I think actually is excellent, dynamic pricing is an issue. If it's a problem, it's a problem that should be looked at as a phenomenon itself. And if Commissioner Swindle can get me a cheaper fare home because I'm not going to be subject to the sort of pricing that the airlines use, I think that would be terrific. Unfortunately, I guess jurisdiction doesn't extend there. But it highlights the sort of need to focus on what is the use of the information that causes the problem; in other words, not what's the specter of uncertainty. What's the way in which you can sort of look across sort of all possible uses of information. But if in fact there is a use of information, for example, we have all sorts of laws in this country prohibiting discrimination, that you would use information to discriminate in. We don't have nearly as many laws restricting the flow of that information. We have laws restricting the use of that information. You cannot use it to discriminate in certain ways, housing, public accommodations and so forth, and so I think really both of these points highlight the importance of focusing on demonstrated behavior and real harms as opposed to sort of speculation and system wide regulation of information flows. MS. RICH: Mary? MS. CULNAN: This is another segue alert, but I think for the business people in the audience, I mean, one way to think about privacy, it's not really privacy, it's really disclosure. You want consumers to be comfortable disclosing information and allowing it to be used for marketing. And there have been a couple of good Harris surveys that have looked at people's willingness to disclose. There was one done in 1997 so these were mostly computer geeks in the sample because at that time everybody wasn't on AOL like they are now. But they asked some questions about, Have you ever either lied or not disclosed information to a Web site when they asked for it, and everybody knows the numbers. A huge number of people say, Yes, at some point I did do this. So then they asked, Well, what if the Web site told you, gave you notice and choice, and a huge -- about half the people who did not disclose before or lied say, "Yeah, I'll disclose my information then," or if you already had a previous relationship with a firm, then a lot of people would disclose. I think what it says is you've got to get at least notice and choice into the equation, and it does make people more comfortable. Now, the other interesting side to this is there is still a clump of people that under any circumstances are still not comfortable disclosing, and the issue is, What is it that would make these people disclose or, in fact, is this just how marketing works, and there's a segment of people that don't want to do business online. MS. RICH: Jason? DR. CATLETT: Let me go from those habitual, non responders, who comprise approximately half of the United States, back to the dynamic pricing issue. Rick said that market forces have corrected that, and in the case of Amazon, I would feel a lot more comfortable if Amazon disclosed the fact that they were doing dynamic pricing. This was not the case. It was discovered by someone who talked about it on an Internet discussion group, and then it went out to the media. So I think again the problem we have is a lack of transparency here. If we want to investigate the practice, we have a very difficult time doing so, if we don't have a right of consumers to see what information is being held about them and how it is specifically being used in their case. MS. RICH: Since we seem to be moving partly into what effect this has on consumers, let me just go back to a point made earlier, which is if there are cost efficiencies and lower costs generally from being able to share data, are any of these cost efficiencies passed on to consumers? Has anyone measured that or thought about that? No. Another point I just wanted to go back to before we move into effects on consumers completely is I heard different statements being made about whether the number of solicitations is really reduced when you can share data and target more efficiently with some people saying that, Yes, people will get fewer solicitations and others saying, Well, they'll be targeted more. Does anyone have any data on that or any information that would be useful in talking about that issue? Evan? MR. HENDRICKS: Well, in the credit cards, we do have data out, just in the last few months, showing that the response rate for pre approved credit card is plummeting, and I think that deals -- I mean, here's a situation where they're able to use credit bureau data, highly targeted, and it's just a question of the market is so saturated, and there's not much differentiation anymore among the credit card offers. So I can't remember, someone told me it was .4 percent or something was the response rate, so the customer acquisition is going much higher, and that's many factors. DR. CATLETT:They key point there is the number of credit card solicitations is going up. MS. RICH: Jerry? MR. CERASALE: The basic -- this isn't precise data, but the basic use of mail solicitation tends to be standard mail, although there are solicitations that go out first class, and standard mail growth is growing faster than the rest of the mail volume is growing, but significantly below what would be expected in the -- what was expected in the growing economy. The Postal Service is coming in and asking for new rates and so forth based on new market forces, so that the amount of total volume of standard mail is not growing, what would be expected in the economy. One of the things you can see has changed over time, however, is what used to be known as resident or occupant mail, that in standard mail the non resident, non occupant mail percentage of standard mail is growing, meaning that the targeting has increased. It's not just the saturation shock on hitting every house everywhere, even though those have the lowest postage rates offered by the Postal Service. So that type of data we have seen as well, and the solicitations also tend to follow a pattern of the economy, that if the economy turns down, you tend to get a significant increase in standard mail solicitations to try to drum up the business that's being lost, and that lags the drop in the economy about six months to nine months before that plummets down as it follows the economy. So that's what's happening. You have an increase in targeted pieces, less saturation pieces going through the mail, but they are growing less rapidly than they have historically based upon what's happening in the economy. DR. CATLETT: Jerry, could you just clarify that standard mail is what used to be called third class mail? MR. CERASALE: Yes, that's what the Postal Service used to call third class mail. They now changed it to standard. MS. RICH: Before we get too deep into consumers, I realize I left out the piece of -- we talked about the benefits for businesses of these practices. Does Greg or Brian or anyone else want to talk about some of the downsides or the risks for businesses of these practices? MR. MILLER: We both probably have interesting remarks to make about this, and just perhaps as a segue from the business side over to the consumer side, I want to speak to you a moment about infrastructure cost on the business side and then how that transitions over to consumers. And I have two quick case points for you that would be great for you to comment on too, and I will start with health care, which is where I spent a lot of time in the medical records space, and what we were trying to do at Medicalogic was give to the consumer for the first time in history a secure, authorized access to their authentic medical history. Well, it turns out that for most of us, our medical history is comprised of several records, our primary care physician and at least a couple of specialists, and so what we were trying to do was give a view port to that comprehensive medical history, and that required literally the opt-in of several physicians and the proactive relationship building that went on with the patient to encourage them to allow that. That required a lot of infrastructure cost for us in the consorting and homogenizing of that data and creating the necessary safeguards to even create Chinese walls, if you will, between the dermatologist and the OB-GYN and the primary care physician, so there was a view port challenge there. In the entertainment space, the most recent case, we had a very challenging one with -- another one of our panelists, Ted Wham and I worked together on a project in the music space, and the problem we had there was when you go buy music, you don't say to yourself, I've got to go get me one of those Sony records. You say, I want to go buy a Dave Matthews album. You, the consumer, purchase by artist, but the music industry, by which I mean the five record labels that control 90 percent of the music that's distributed worldwide, have their view of the world on you. So we literally had to engineer what we called a data escrow service to ensure that privacy policies across five labels actually reconciled with one another and then the JOIN, the just opt-in program, was the means by which we encouraged the consumer to get the experience that we're really looking for which was a unified locker service which allowed them to compile all music they've ever purchased across any label from any retailer in history into one homogenized database. This really presented a lot of problems because all the labels jumped up immediately and said, Not on my watch are you going to be mixing my data with the data of Universal without my customer explicit opting in says BMG, so we literally had to create this membrane. This produced some substantial costs, and I dare say it may have been the straw that broke the camel's back because unfortunately that company is now in receivership. They spent tons of money on infrastructure to build the data escrow service that would ensure the privacy policies of five labels were maintained and protected and then still get the subscriber, the consumer, opting in to participate. And I think that put a lot of pressure on them from the standpoint of ensuring privacy as well as building infrastructure that would support and then shield them from a certain amount of liability which I think segues over to you. MR. HENDRICKS: Also, Greg, wouldn't an FTC standard, a uniform standard solve that problem across those five Web sites? MR. MILLER: I think to a certain extent that's possible, yeah, but it's interesting the challenge of being a lawyer, working with lawyers and their view of each of their privacy policies. MR. TRETICK: I think there are always some risks in the exchange of any valuable asset, both upstream and downstream from a marketing data provider to a marketing data consumer company. The providers are looking to make sure that the information that they provide is going to reputable and responsible parties and going to be used in reputable and responsible manners, that children's information that is being offered up about all these school kids and college kids isn't going out to market them, drugs, liquor, cigarettes to athletes, things like that upstream. Downstream is the same thing. We want to make sure that when we receive information it's coming from sources that got this data under again a reputable and responsible regime and that we can reach out and touch these customers and make sure then that they're not annoyed by our message, that the frequency of being able to be touched is reasonable, that the method of touching these customers is reasonable and responsible and appropriate for that. So these are the risks that are faced both upstream and downstream. MR. CERASALE: I think we're switching to some risk to businesses. I think the first risk a business has is they promise more than they can deliver, so that you have to make sure that you promise to do certain things and that you can and will be able to do it. The risk -- the real risk you have, a business has in sharing information is to become complacent and sloppy. If you don't treat the information that's given to you as part of a trust relationship, ensure that you have safeguards to keep the data secure, you want to make sure -- as you just said, you want to make sure to whom data is being shared, what type of procedures, what type of marketing piece is going out. If you're just sharing data from one marketer to another, you want to see what the marketing piece is. You want to make sure if you're -- for a one time use that the list is seeded so you can see, to make sure the person you dealt with actually does, in fact, live up to his, her, its agreement they had with you. So that those -- and you have to train your employees as they work with -- we've seen that way back with -- an example that was publicly stated here with Metro Mail where on the 13th phone call, an untrained person gave information out. You have to make sure that you work that way because you can quickly lose consumer trust. A 60 Minutes program, something like that, can destroy your business, so I think that that's a big downside for businesses. The upside is that you can try and grow and expand and give people who don't have as many choices more choices and so forth, but you can, if you are reckless, totally destroy your business with some mistakes. MS. RICH: I'll take Jason, and we'll move on. DR. CATLETT: Thanks. Building on Jerry's point there, it's not any danger to the individual company. It's a danger to the collective trust by consumers of companies and the technologies. I would refer you to another Harvard Business Review article by Susan Fornia called "Preventing the Premature Death of Relationship Marketing" in which she tells -- gives an example of a supermarket with a loyalty card that would send out personalized letters saying, You haven't bought X lately, why don't you come in and buy some more. And of course, inevitably some woman became pregnant, and the company -- the supermarket sent out a solicitation saying, Why don't you come in and buy some more tampons. There are a number of similar horror stories. We heard the miscarriage example this morning. We've heard the prison inmate sending the personal letter to Beverly Dennis. It's very difficult to quantify the degree to which the average consumer is aware of these horror stories, but I think that the American public is largely aware that they have very few rights in these cases. The company takes a PR hit. They change supplier, but what about the individual whose data was used inappropriately? And I submit that the American consumer, under current law in the U.S., has inadequate recourse. MS. RICH: Well, in addition to these issues Jason has just raised about how consumers are affected, I think the main concern for consumers that I heard identified in the opening statements was whether the practices are transparent to consumers. Mary, you're nodding. Would you like to expand on the points you raised earlier in the panel? MS. CULNAN: I just don't think people know what's -- the average consumer knows what's going on, and then the problem is, and it exacerbates the trust gap, that people are surprised. Then they become unhappy. And it's when -- wasn't what they were expecting, wasn't the bargain that they bought into, and so then they write to their members in Congress or they do whatever, there end up being stories in the newspaper, et cetera, and it causes a lot of problems for the collective business community. One of the things I forgot to mention before too, the people who were sort of the least trusting and the more concerned about privacy and the least willing to disclose were also the ones who were most likely to favor legislation, so I think there's a take-away there. I think the industry can do a lot to help educate people as they've done in other areas, online privacy, kids privacy. There were some terrific presentations at today's sessions. Why not put them up on the Web? Why not try to get people to go there? I think the DMA can play a big role in terms of trying to push your members along to do better disclosures by putting -- changing the model disclosures in the compliance manuals to be more forthcoming about what is really happening to your information when it's shared or when you provide it. I think -- go ahead. MS. RICH: Before we talk about this issue, could somebody, Jerry, Brian, somebody describe what kind of notice is being provided regarding these practices? MR. CERASALE: I can start this at least. Notice has been provided by catalogers, for example, for an awful long time, and the notices generally -- I have a box of catalogs I was going to give Martha, I forgot to do it, I'll do it later now, that show on the order forms, basically is where they are, mailing, preference service information, so forth on how to, and they state basically that information is shared with third parties to send you -- to market to you offers that you might be interested in, and if you don't want that, either call this number or write to us here. MS. RICH: Does that encompass -- MR. CERASALE: That's the notice that generally comes in the off -- I would say in the offline world. Online is a little different in the sense that there's more space. The real estate is fairly inexpensive, and some privacy policies are very lengthy, as some people have heard when they went to testify up on the Hill, a little bit too long, so they can -- some of them are a little bit more detailed in the offline world. Plus if you have a network advertiser on there, you have to add -- there's a whole slough of more notices that are required. MS. RICH: When you say the notice says we share with third-party, does that include sharing with compilers? MR. CERASALE: Yes, that's the way it is today, sharing with third parties for marketing purposes to send you offers, and it does say for marketing purposes, and that's where DMA requires it be for marketing purposes as well, but that would include that at this point, yes. MS. RICH: Do the notices talk about bringing in data from third-party sources and to provide overlays or other enhancements? MR. CERASALE: Generally the examples I have with catalogers, they do not. MS. CULNAN: I would say, first of all, I think again saying you share for marketing purposes, most consumers understand that if you buy X, you get Y where Y is the same industry as X, but they don't understand compilers. Second thing -- and now I've forgotten what I was going to say. MS. RICH: We'll come back to you. MS. CULNAN: Oh, oh, oh. The enhancement thing, I have seen -- there was one excellent financial services notice about enhancement that basically said, We do profiling, we do data mining, we acquire third-party data, non credit report data, to understand how you use our card and we use this to serve you better, and they had an opt-out form right with the notice, and you could mail that back or call the 800 number. Unfortunately, with the Gramm Leach Bliley requirement, that doesn't cause companies to have to specify how they're going to use information, just what they collect and who they disclose it to. That very nice statement disappeared from the Gramm Leach Bliley notice that this company has sent out, which is now their de facto privacy notice. So I think that's an issue that's probably not going to get Congress to act on it, but again more disclosure I think makes people more comfortable. MS. RICH: Fred, were you going to address this point? MR. CATE: Yes, and I have to say I am genuinely confused, and that is we talk a lot about transparency and that we all want transparency and we want more transparency, we want more disclosure. On the other hand, we know as a statistical matter people don't read these, and therefore we're saying we're going to make ourselves feel better about privacy because we're going to mail a lot more notices to people so they can throw those away, but we can then say we've met disclosure obligations. And what I wonder is if there isn't a better way, in other words, if there isn't a way to make -- to go back to that point. I mean, two things that have been said. One is people don't want to be bothered, period. I think you could just stop there. It doesn't need to be qualified. They don't want to be bothered with privacy notices any more than they want to be bothered with anything else. And if you want empirical evidence of that, just go home and set your own browser so it asks you every time you get a cookie and see how long you live under that system. You just don't want to be bothered. I mean, it's that simple. You will set the default to accept all cookies or you will stop browsing on the Internet.I'm only describing 97 percent of the population. I know there are three of you out there who will be different. So is there a better way to provide to get rid of the surprises, if you will, yet recognizing people really don't want to be sort of educated generally about this? I mean, as a professional educator, I know how hard it is to hold the attention of anybody at any time, but the idea of providing sort of a lesson on privacy at point of sale, it's a little easier maybe on the Internet. But it also comes back to that problem of thinking specifically about when are we talking in a transaction and what is the impact on the consumer depending upon when that is? At time of collection it's probably much easier, Why am I asking you for this information, here's why I'm asking, but that requires of course that we're only talking someone who is dealing directly with the consumer. We're not talking about any third-party activity there, and we're talking about they're going to anticipate all possible uses at that moment. And of course remember that notice, if it's complete, will be criticized as being overly detailed, and if it is incomplete will be criticized as forming a contract that doesn't include all of its correct terms. But what I worry about is the later use. Back to the AOL example, AOL decides it wants to start mailing disks to people's houses. It didn't have any dealings with any of those people. It had no chance to talk about consent with any of them. It can't mail them notices for consent because to do that, it would have to use the very information we want them to get consent before they use. What are they to do, buy ads educating people, I'm a start-up business. You have $3 in your pocket but you can buy an ad in the New York Times saying, let me educate you about something we know the public is not interested in generally being educated about? I think it's a real conundrum that frankly none of us, and I'm certainly including me, have done a very good job getting at. MS. RICH: Evan? MR. HENDRICKS: That's why I brought up earlier, I think it has to be case by case. I think we have to be practical here because nobody I know in the privacy advocacy community wants to see bad things done in the name of privacy. That's why I brought up with the magazine publishers, How about putting a box at the bottom of the card? It's not going to cost you anything. A lot of people -- and it's opt-out, which is the altar that many people here are praying at, and still there was no willingness to commit to anything like that, and I think that evidence is a certain level of bad faith, to be frank. I think the one -- the other thing I fear is like the two real harms to privacy, the most extreme harms are identity theft which is supposed to be the fastest growing crime in the U.S., and information brokers, the guys that get your information. And for many years the credit reporting agencies have been the easiest target for those people, and I think because of litigation under the Fair Credit Reporting Act and business cases and settlements and losses, the credit reporting agencies, you're going to see them tightening and tightening and tightening the procedures and protections against those two threats. And what you're going to see is the identity thieves are going to be turning to these other sources of data, and so when the marketing material says this will only be used for marketing purposes, I think there's a real warning cloud out there about these existing threats that you can anticipate. And finally, I have to point to the ToySmart case which the FTC is familiar with. I mean, here's a company that had a privacy policy. It went bankrupt, and its privacy policy lost out to its fiduciary duty to in that case the trustees and the bankruptcy, that they had to sell their data. And I think that if a marketing company basically says they only want to sell this information for marketing, but if certain revenue streams and opportunities come up which says that, Well, you can sell more individual profiles for different purposes for screening, then that's going to create the same quandary because that corporation will have a fiduciary duty to its shareholders to go after those revenue streams. MS. RICH: We'll take Greg and then Jason, and then we'll open it up for questions. MR. MILLER: Just a quick couple of points. One, I also was sort of surprised this morning about the response with regard to the check box on the bottom of the card. For some empirical data from the entertainment industry from the focus groups we've been working on, we actually got quite a different result. We discovered that if we engage consumers, a trust relationship was built. We started to minimize the notion of surprising, and we actually found there was an updraft or an uptake in people opting in if you gave them the permission to opt-in. I think one of the big fears about this, from the marketers is that, Gosh, if we start asking people for permission, they're going to say no. That was a suggestion this morning that was made that, no, people won't fill it out. They'll actually not opt-in. In fact, we find -- we have empirical data that shows they will. Another point we found out is nobody reads the privacy policies, as Professor Cate observed correctly, and we once we started describing to people the notions of data gathering and what can be done with it, that was really what started sending people into a tizzy because, let's face it, people have no idea what an aggregator is. They don't know the difference between an aggregator and a marketer. They couldn't recite that slide up there to make a conscious decision about whether they should participate or not, and as you begin to educate them, you end up drifting into this rat hole of technicalities and nuances. So we had that problem, and to speak to Mr. Cate's notion of what do we about it, one thing that we have been experimenting with is the sort of interactive privacy policy, and it was because on advice of legal counsel, somebody started saying, Guess what, it turns out it's not really a policy, it runs more like an agreement, like a terms of service agreement. We're going to find that a privacy policy is in fact a contract, and that sent up the red flag. And we said, Okay, so we need to reengineer the privacy policy and be an interactive document, so what we did with the JOIN program is that we asked people to actually read through the policy, meanwhile in the back while we're consorting their data and setting up their locker, and we asked them to click off a check box between each major section in the privacy policy. And we started compiling that data to see which sections people were reading and what they're doing with it. It also gave us some affirmation that they had at least seen the privacy policy, whether they were going to do anything about it or not, and we found that that was pretty instructive. And then finally the last thing was that in the focus groups that we ran, and they were in New York and Texas and North Carolina and Seattle, Washington, Los Angeles as I recall, it turned out that the most common thing that people reacted to about what would happen with their data was again being surprised, being bothered, not being left alone. They didn't give permission to get that piece of mail or that announcement or whatever, and the second thing, identity theft. The second most popular concern turned out to be identity theft, and this is data, talking to people who are consumers of musical and video entertainment and are looking for ways to get that through the Internet. MS. RICH: Jason? DR. CATLETT: Thanks. I think the solution to Fred's conundrum about transparency is to guarantee each individual access to the data about them. If you think transparency means putting up a long notice, I think that's very much mistaken. Let's take the analogy with the federal government departments. I don't read the mission statement of every federal government department that might have personal data about me, but I know that if I think they're doing something wrong, I can put in a FOIA request, find out the specific data they have and see if I need to fix something there. So I think a similar principle of transparency would provide a lot of assurances about direct marketing companies. Unfortunately, and other trade groups and companies have refused not only to give general access to marketing data, but also even at this workshop to show us specific examples of known individuals who have consented to it. I think that's astonishingly arrogant, and that the FTC should have a forceful response to open up that transparency to the degree people want. MS. RICH: Let me follow up. Jerry, when you said that the privacy policies, when they in general talk about sharing with third-parties and that encompasses sharing with compilers, is that -- some of the comments here made me realize we may not have -- I didn't understand your response. Does it actually discuss sharing with compilers? MR. CERASALE: No, no. It's sharing with third parties. The view of DMA is that data that is shared should be subject to a notice and an opportunity to say no, and that data can be shared with third-parties for marketing purposes and compilers. And I think Win talked about making sure the information they received had come from marketers that had given notice and opt-out, so that's where it's at. As far as the general common notice, there is no statement concerning compilers at this point. MS. RICH: We'll go to questions, but if Fred and Evan could -- did you want to say something? MR. HENDRICKS: Go to questions. MS. RICH: Fred, did you have something very quick to say. MR. CATE: I just wanted to say, there is now a data set, which Jason has reminded me of, and that is if we're going to talk about the federal FOIA, there's excellent data under what access under FOIA costs, about the litigation it generates and about the amount agencies spend on it. At some point in the late 90s the agencies stopped collecting data because the process of collecting that data was high, but certainly for the preceding 20 years, there's excellent data which would be easily available to the Commission on what complying with an access regime costs. MS. RICH: I saw some questions in the audience, lots of questions. This gentleman right here was holding his hand up earlier, right here with the gray or the -- I can't see in the light. MR. O'HARROW: I don't know if this is going to work. I'll talk into it. MS. RICH: Could you say your name? MR. O'HARROW: Robert O'Harrow. I'm a reporter at The Washington Post, and I have written a little bit about this over the last couple years. MS. RICH: I didn't know who he was when I called on him. MR. O'HARROW: That's okay, and excuse me, and one thing I thought was very interesting, and I've actually noticed it for several years is the discussion oftentimes found its way back to the question of whether or not the use of data warehousing, data mining and so on increases or reduces the mail that an individual receives at home. And then the discussion sort of surrounds that for quite awhile, and I guess I wanted to sort of raise a question of whether that's really the issue. It seems to me that in some ways it used to be the issue, but in many cases it might be a canard that tends to distract us from the larger issue at hand, which I think is profiling. And so I wanted to sort of raise that as an open ended question, of whether or not that's something that's salient at this point. Secondarily, there was an assertion up there that people don't want to be educated, and I think what I've found in interviewing many, many people and industry folks, academics and so on is that the reality is that people don't want to read legalistic privacy policies that are written to meet a very low threshold for privacy disclosure. I find it very difficult, and I've read a lot of them, and some of them I've actually understood. In fact, I would have to say as gently as possible that I don't think anything could be further from the truth, and that at my paper, it's one of the most widely read subjects that we've written about and that people can't seem to get enough of true, clear, explanation. And oftentimes a clear explanation will create a great deal of anxiety which, to loop back to my original assertion about the direct marketing and the mail and so on, the real issue, is the question is, Do people want to feel like they're being watched, and charted without their permission? Just some food for thought or if anybody wants to address that. MS. RICH: Evan? MR. HENDRICKS: Yes, thank you. I think it is because some of the steadiest pollings by Lou Harris and through the 1990s was, "Do you feel like you're losing control of your data," and that was the issue. And, of course, the direct marketing industry is in the business of sending out mail, so they're going to try to refocus the issue there, but the truth of the matter is what's driving this issue is people feel they're losing control of their data, and they don't like it, and they would like something to be done about it. MS. RICH: Fred? MR. CATE: Yes. I think on the education point, of course it's exceptionally well taken. If you write it in language that people don't understand, they're less likely to perceive it. I think, however, the issue goes much farther than that, and I think probably everyone in the room would know it, and if you want to try a test, have The Washington Post when people call to subscribe or to buy classified ads read the first, say, page of their privacy policy on the phone to them, people aren't overly interested. They really didn't want to go on. They want the service. They couldn't care less. Let's move ahead. It might be different if you were going to a doctor or something, very contextual. I understand that, but I think the problem is, is when we talk about transparency, whether we mean notices or that you tell everything you do or you make it possible for them to find it, that there really is a reality that people are not that interested in that they love great stories. They love human interest stories and all of that. But to describe the data processing operation of a corporation, to have anyone do it, the best marketer in the world, I just don't think it can be done. MR. O'HARROW: If I could add one follow up thought, which I think is interesting. One of the things that's interesting here is without a doubt that without a doubt, people love the services, even if they don't know how it's done. There's no question, people are loving the personalized services. They're climbing on to the stuff like crazy, and it's definitely the future of business in our time. Yet, when they find out how that service is provided, and not just necessarily in a human interest story, but let's say an analytical story, they find -- we find that oftentimes they get freaked out, and they're not so sure they like the service under the terms that they've taken it. MS. CULNAN: Jessica, can I add just one quick point? I think we don't really know a lot about sort of the consumer process of learning about this and what really works. We haven't done a lot of research, and I think it's an area where now that we've moved past sort of the, yes, everyone is concerned about privacy kind of surveys that are coming in, is to really do some academic research. What are the trade-offs people make? What kind of notices make sense? I think the idea that, well, notices are too hard to understand so let's not have any notice at all is a bad idea, just my personal preference. There's also a lot of research that's looked at justice, fairness, because this is what this is really about, treating people fairly, and a lot of times people may not want to read the policy or they may not want to exercise their rights under some kind of a justice system, but they want to know that they have the rights, and that then makes them more comfortable in participating, and it makes them think things are fair. So even if they don't click on the privacy policy, they may want to see that link. DR. CATLETT: Just to comment on Robert's observation that people like the product but when they found out how it's made, they're not so sure, it reminds me of Prince Von Bismark's remark that the less people know about what goes into making laws and sausages, the better they'll sleep at night. I think that the food analogy is a useful one here. Congress passed the Pure Food Act in 1904. It didn't actually say you couldn't put cocaine into the Coca-Cola. They said you just have to label the fact that you're putting it in. And I think that transparency in terms of actually showing us the data about you and what goes into making it is part of enabling consumers to have a real choice about whether they want to buy or participate in that product. MS. RICH: Let's take the next or a few more questions. MR. LE MAITRE: I'm sorry, I was going to respond on the point, Am I losing control of my data. My name is Marc Le Maitre. I work at Nextel. I moved to the U.S. about four years ago, and I started from ground zero literally. Nobody had anything on me, including the credit reporting or anything, and the first pieces of mail and the first unsolicited phone calls were actually quite welcome. My wife engaged the gentleman on the phone for an hour and a half. She didn't buy anything but was delighted to receive the phone call. It actually taught me a lot about the community that I moved into, so I actually welcomed it, but it's now got to the point now where I can't sit down in the evenings to dinner with my children without getting an unsolicited phone call. And I think it's got to the point now where I -- at first I knew exactly who it was who was abusing it. The first company I gave my information to was my bank. I will not say which bank, unless you ask me afterwards, but it's now got to the point where I bought a DVD player two weeks ago, and I was getting unsolicited requests to join clubs to buy DVDs. And so some of it is good. My question is: Where is it going to end? I don't have a great deal in the way of health information in this country yet, so I still don't know whether that's being abused. Financial information I'm fairly confident is being used without my knowledge, but working in the wireless industry, things like location services, where will it end? At which point do I say, This data is sacrosanct, you cannot have access to it, or will I have the opportunity, or will it just be taken for granted that this is just another piece of information that can be used to market to me? MS. RICH: Does anyone want to respond? DR. CATLETT:Your video rental records are sacrosanct according to Congress. MR. LE MAITRE: But not DVDs. DR. CATLETT: I know the fact that you bought a DVD is not sacrosanct. MR. HENDRICKS: Okay. I think that to answer your question in the short run, no, you will not have that right. I don't there's any realistic chance in the next six months to nine months that significant legal protections for privacy and individual's personal information will be passed. I don't think the current power machine and the administration in the Republican leadership is interested, and so I think this is more of a long term struggle. MS. RICH: The gentleman on the left there? MR. BEHRENS: If this is working, I'm Ed Behrens with the Progress and Freedom Foundation. I wanted to follow up briefly on Mr. Miller's comments on providing notice, choice, et cetera, in the interest of serving consumers, but I think there's two dimensions to the question. One is: Should they be provided? The second is: Should they be mandated? And I think that's a separate question. And I would like to draw out the panel on the practical ramifications of mandated principles versus not, both beneficial and adverse. Thank you. MS. RICH: Who would like to respond? MR. CERASALE: Sure, what the hell? I like to use an example of a business model that would not be allowed by the DMA guidelines and decide whether or not we want to outlaw that business model. You go to my Web site, Jerry Cerasale.com, and the first thing you see, notice, and I sell radios, so it's a commodity. I try and sell you, provide you these radios at the lowest price possible. I hold down costs as much as possible. In that light I share and rent your information to others and provide the savings on to you. I do not provide you the opportunity to not participate in this sharing. I do not provide access opportunity to you because both of those things will increase my costs and therefore increase the cost of my goods to you. If you don't like this, please, please shop elsewhere. Is that business model illegal? And that's what most -- a lot of people discussing would make that an illegal business model. I don't think that's where we should be. MS. RICH: If people are willing to go a little bit into the break, we could take some more questions, and it looks like everyone wants to ask questions. MR. HENDRICKS: And, Jessica, just quickly, the OECD guidelines were adopted in 1980 and endorsed by the United States government and all Western, European and Japan and Canadian. Yes, I would say we want to see those guidelines incorporated into law across the board, yes. MS. LEGIEREM:(Phonetic) My name is Ann Legierem with a banking agency, and my question's really with as far as I'm a consumer, this morning there were statements made that best practices would have it that marketing associations disclose that you're going to share the information or whatever. And I was wondering if there's any kind of figures that you collect that you really have an idea of how many do really make disclosures to their consumers. And then as a consumer, a mother and all, I saw an article on the CNN Web site recently, about two weeks ago, about how schools had -- the kids were surfing the Internet I think as part of their classroom studies, and there was a marketing company who had software on the computers. They were following the click streams. Well, the parents didn't know about it, but then that, like the dynamic pricing, somebody tripped over it, found out about it, caused an uproar, it was pulled. So I guess what I'm saying is this morning representations were made about -- representations were made about, Well, our best practices are that we disclose to consumers but I'm wondering in reality how many really do. MS. RICH: Would anyone like to respond? Jerry's on the hot seat. MR. CERASALE: DMA has a privacy promise that requires disclosure. We have an FTC letter exempting us from antitrust problems as long as we can kick people out. There are 3,000 marketers, 3,500 marketers that have signed it. I would say that 80 percent of the mail you receive is probably from members of the Direct Marketing Association, and so we have -- so those are the numbers we've got. We have our own mail preference service, telephone preference service to pull people off of lists. There are well over 3 million names on each of them. They're free to consumers to get on, and so those are the numbers that we have, so the major marketers who are members of ours do direct marketing, which are some of the largest marketers in the country, do provide notice and an opportunity to say no. They in a sense would not follow that business model I just mentioned. MR. LANE: Can I just make a comment getting back to Mr. Behrens' comments about federally mandated laws? I think what this panel has shown, for the most part because it was supposed to be empirical evidence about the effects of mergers and acquisitions or mergers and exchange on consumer businesses, and there are reports that are beginning to come out to highlight what some of the costs are. But I think what we have found is we don't have a lot of information, that we are just looking at the impact that information sharing has on the overall economy. Who is in Mary's first survey on Web sites and who has privacy policies and who doesn't and what impact that has on consumers. We have the Forrester research that says $2 billion lost on Internet sales. Are they real? What other information do we have? So from our point of view, what our biggest concern to get to federally mandated legislation is that we don't have enough information on what harms are we trying to address specifically and how those harms -- and the cost benefit ratio of those harms and where really are the American people. We know the American people are concerned about privacy. We all know that. That's why this room is filled. Yet we don't have the details of what are those concerns, the next five layers below that, and I think before we move forward in any federal legislation, we need -- or state legislation -- we need to get a little more dynamics and not the rhetoric that we constantly hear across the board on both sides, but some real, factual data of what are we talking about. And I don't think we're there yet, and this panel is a perfect example. We don't have a lot of facts. We're all saying the same rhetoric that we've been saying for five years now. Yet nothing has improved, but we're beginning slowly to get information, and that's critical. MS. RICH: The gentleman back here? MR. MEISINER: Thank you, Madam Chair. Speaking of facts, my name is Paul Meisiner from Amazon.com. I have to do this stand up routine now. Maybe it's the lack of oxygen in this room, but I understand it was alleged that we engaged in dynamic pricing last fall. In fact, there was apparently some long description of how this so-called dynamic pricing was discovered. But let me assure you that policy making is difficult enough based on facts, but when it's based on fiction, it cannot go right. We did not engage in dynamic pricing. We never have, and we actually have promised never to do it, even though it would be perfectly legal for us to do so. Let me repeat, back last fall we engaged in some random price tests where we would serve up different prices to consumers based on when they came on. If you were the same person sitting at the same terminal, same browser, you hit our site several times, you're going to get a different price for the same item. The whole idea was to figure out where to price the item. Well, random, again based not on demographic information. It was not a privacy issue, full stop. Well, we got a lot of flack for it and rightfully so. It confused our consumers, our customers, and we regretted doing it. As a result what we did is we promised never to engage in dynamic pricing ever again, something that would be perfectly legal for us to do, and then we went and refunded all of our customers, even the ones who had paid willingly 12 bucks for a CD. We went and refunded them the difference to the very lowest price, and we said, If we ever in the future ever do this random price testing again, we'll do the same thing so that everyone will always pay the lowest price. Frankly we're being held to a much higher standard than other businesses are being held to, but I think frankly it really pains us all when we have to sit through one of these meetings and find out that what has been discussed here is factually inaccurate. DR. CATLETT: Paul, I don't think I misrepresented that Amazon did the random pricing. I think I said that it was accused of -- we'll have it in the record. MS. RICH: Ted Wham has a quick comment, and then we'll take one more question, and I think everyone wants to splash water on their face, it's so hot in here. MR. WHAM: Ted Wham with Database Marketing for the Internet. I had one quick statistic I wanted to share. I previously worked at Excite@Home, and when I was there, I was the Chief Privacy Officer among several hats that I wore at a rapidly growing company. There was a segment on 60 Minutes regarding Internet privacy. It was approximately two years ago, two and a half years ago. Jason Catlett actually was one of the speakers on that session just describing -- so you hold it closer, it works -- describing the risks to the consumer on the Internet basis. We were asked by 60 Minutes to participate as one of the companies being interviewed, and we originally said yes, and then we went, Oh, God, we don't want to do this, and we said no. And because we additionally owned a third-party ad serving firm, MatchLogic, we were concerned that we were going to be targeted within the segment and wanted to be very prepared, so we went full out and made certain everything was aboveboard, and we went through the privacy policy links, privacy policy on absolutely every page of the site, where they remain I believe to this day, and really tried to make certain that we were ready. The day immediately following the airing of one of the top five most watched television shows in the United States where portions of our site were shown and the risks to consumers of privacy, Excite@Home, as it does every day for the past year or so forth, received over 20 million unique users visiting the site that day. If my recollection is correct fewer than 100 of them accessed our privacy policy links. The notion that consumers want to take -- now, you can argue whether the privacy policy that I wrote was easily readable and comprehensible and so forth, but only a hundred people got there to find out. The notion that the consumer is interested in learning about this and spending the investment I think is mistaken. I think the comments that Fred brought up, Fred Cate brought up that most consumers want to have, quote, privacy, don't bother me with the details, is much, much more accurate. MS. RICH: One more quick question, and the gentleman over here. MR. SMITH: Yes, Richard Smith, The Privacy Foundation. One thing we're hearing a lot about, how profiling and gathering of consumer information benefits businesses. I've heard very little about cost, other than two very interesting numbers. One person said acquisition costs today for E-commerce sites was $2,000 a customer, which is probably on the high side, but I don't know of really any business, other than maybe the yacht business, that could afford that. And then also the issue of the credit card offers, that the number that are going out is going up dramatically in the last two or three years. At the same time the response rate inversely proportional is going down at the same rate. So I'm wondering here in business how much feedback in the process is really going on. Were these online and data gathering things cost effective really or is it just we're on a sled here and we're heading in this direction and we'll go on? Thanks. MR. LANE: I think a lot of businesses, and if you look at the downturn in ad revenue on the Web sites, as we all know, they're hurting, in the newspaper industry where San Jose Merc is laying off hundreds of people because ad revenue is dropping, and companies are beginning to reevaluate, Is it worth spending $2 million advertising on the Super Bowl. I think there's a wholesale looking at what is the best way to reach out to your customers, and that is the whole goal, but what I think is great though, having said that, there hasn't been a lot of facts in terms of pure data and research from this panel. What I think has been very important, and one of the reasons why I was one who supported the FTC putting this workshop together, was we do have an education process to consumers of how information is used in the economy. And I think the other previous panels were better at doing that than maybe this one, but I think once you have a better understanding, I think there will be less fear, and the trust deficit will be reduced once there is again an educated consumer. And so I appreciate and I wanted to thank the FTC for putting this forth to begin our efforts at having the business community focus our efforts on educating consumers on I think these critical issues because they are all about how our economy is going to grow and work in the future. MS. RICH: Thank you. Finally we're at our break. If you could keep it at a short break since we did get into the break, maybe five minutes, and then come back, maybe we can try to open the window. (A brief recess was taken.) SESSION FIVE EMERGING TECHNOLOGIES AND INDUSTRY INITIATIVES: WHAT DOES THE FUTURE HOLD? MS. ROSENFELD: Okay. Everybody, we're getting ready to start our last panel of the day. Please take your seats. Please take your seats. Thank you. Welcome, everyone, to our last panel of the day. I'm Dana Rosenfeld. I'm an Assistant Director in the Office of the Director and the Bureau of Consumer Protection. Our final panel is entitled emerging technologies and industry initiatives, what does the future hold, which I think will be a very interesting panel. We are going to discuss whether new technologies are emerging that will increase the sharing of detailed consumer data, and also we will focus on what self-regulatatory initiatives are underway to address the privacy of consumer data in the merger and exchange process. Our first presenter today is John Kamp. John is an attorney with Wiley, Rein & Fielding in town and serves as counsel for CPExchange. He has extensive experience in privacy and other regulatory issues through his work of over more than ten years as senior vice president with the American Association of Advertising Agencies, the four As, and from his ten years at the FCC before that. CPExchange Network is a volunteer Consortium of over 90 business organizations. It's dedicated to developing a vendor-neutral open standard to facilitate the exchange of privacy- enabled customer information across enterprise applications. CPExchange facilitates the management and promotion of customer relationships by businesses across industry sectors. Special data elements of the CPExchange specification support the development of privacy policies by companies consistent with Fair Information Practices. And with that, I will turn the podium over to John. MR. KAMP: Thank you, Dana. As I'm bringing this up, I must remind some of you, many of you know that I'm a former college professor, and as such, we former college professors know that there is only one class in the day that's worse than teaching an eight o'clock in the morning class, and that's a four o'clock class. So we're going to make this quick. We're going to keep it lively and go forward from there, and we also, as professors, know that we learn more from our students, and thank you to the FTC for organizing this today because I know that we all have learned a lot. The CPExchange is about consumers generally, and one of the things I think as we've listened today through the morning, we heard people talking about it, was businesses who were doing most of this, but they were doing it in order to reach consumers. And looking at our sort of then and now kind of yin and yang here, this is about long-term customer-focused relationships, about new business processes, but it's mostly about high consumer knowledge, mass customization, multiple channels, proactive, integrated and highly responsive to consumer preferences. We want to know who are our customers, what are their wants and needs, what are the economic value of those needs, and how do we apply that knowledge and how do we focus on those consumers. So the successful enterprise interacts with consumers through many channels such as -- and has many opportunities to understand those consumers. The imperatives in all of this, this customer driven, are protection of privacy, the sensing and responding to consumers' needs, satisfying those needs, reducing those costs to consumers and increasing the shareholders' equity of the company. Looking at this, the CPExchange was really designed to facilitate an enterprise's ability to share consumer information internally in large companies. Of course it's gone forward. It's no longer just used, designed for consumers. If you look at this model here, the schematic here, the CPExchange core, the group got together to look at the preferences, business objects, whatever, also added the functionality of the Web, most importantly through Dan Jaye, also someone who is very familiar in these quarters, at Engage Technologies, was part of the FTC Advisory Committee on Access and Security, worked very hard to develop the CPExchange privacy principles, which are P3P compatible, and all this is an XML schemata. Looking at just the privacy declaration component in the P3P compatible, you see in that, you see very specific data elements for purpose, retention and access, and looking just at one of those, the retention component, you can see that there are many data elements that make it possible for this system, this protocol to ensure that there is a face with the consumer. Now, remember, CPExchange is not a data aggregator or a business that's in the business of aggregating these data. It essentially is the development of a protocol that people can use, may use. It's wholly voluntary, can be used by companies for the purposes they wish. But because in this -- in these late data sensitive times, privacy times, it was created during the period that the FTC was looking at these privacy principles and customers were making their preferences so apparent to companies, these privacy elements were contained in it. So quickly our summary slide, CPExchange facilitates that customer awareness and focus, enables corporate privacy policy implementation and addresses the privacy preferences of the consumer. It's platform, vendor and application independent, provides a comprehensive view of the customer and the way that customer interacts with the many facets of the enterprise, provides granular privacy and an authorization model and is designed to promote optimal query and reporting systems. We suggest that you, as you look at this, remember that it's neutral, and it's open, and you also can find more information about it by going to the Web site CPExchange.org. Thank you. MS. ROSENFELD: Thank you, John. That was very succinct. Our next presenter is Ari Schwartz. Ari is a policy analyst at the Center for Democracy and Technology, CDT. His work focuses on protecting and building privacy protections in the digital age by advocating for increased individual control over personal information and expanded access to government information via the Internet. Ari also serves on the advisory committee of the Worldwide Web Consortium and is a monthly columnist for Federal Computer Week Magazine. Ari? MR. SCHWARTZ: Thank you. This is the first time I've ever seen the windows opened up in this room, and I kind of like it actually. I'm going to talk about how technology has both -- kind of the positive ways that these new technologies can be used to protect privacy. The story with most of these new technologies is always bad news for privacy and good news for privacy. In this case the bad news is you look at XML technologies, technologies that allow companies to tag information and exchange it more clearly and more openly means that there's greater sharing and that there's going to be greater profiling. Richard Smith will go into this in a little bit more detail, but the good news is that these same technologies open the door for new types of privacy enhancing technologies. I'm just going to give you two examples of this to kind of kick things off. At CDT we don't build technologies, and that's for other people to come up with those kind of -- these kind of applications, but just to give some ideas of what people have been talking about and what they've been thinking about. The first one is the idea of tagging data collections with a current privacy policy using the P3P vocabulary. John talked about this a little bit, but I'm going to try to explain a little bit more what P3P is and how other technologies can use this. P3P was really designed originally to do business to-consumer transactions, to get at the question that we heard on the last panel asked maybe seven or eight times, about how consumers are having trouble reading privacy policies, that they're seven pages long, that they don't go there. Ted Wham brought up the point that people aren't going to a page. Well, having read many, many, many privacy policies over the past six years, I can tell you that I find them difficult to read, and therefore I know how consumers must feel, that you go to one, you don't really feel the need to go to the next one if you're not going to be able to understand it. The idea of P3P was to allow a consumer to put in their preferences, their expectations of what they want to see out of a site and have the site put in what their privacy policy is. When the browser gets to that site, they match up, and at that point the consumer has more control, and they can decide whether to block that site. They can decide whether to provide information. They can be prompted. Really that's up to the browser manufacturer right now, and we're going to be seeing some of these applications in the next few months, but in order to do this, we had to create a vocabulary because we went around looking for vocabularies for privacy that went in to the real details about retention, as John showed us. And no vocabularies existed that really gave kind of multiple choice answers in the way that a Web site would need to be able to describe it if P3P were going to work. So we created this vocabulary. Let me see if I can get it open now. I lost the mouse. Oh, here it is. This mouse, okay. So this is just the basic P3P vocabulary, and we came up with these questions based on the Fair Information Practices. The eight Fair Information Practices in the OECD guidelines were the starting point, but we really instead of -- because those are really at a high level and we had to go into the detail and answer the multiple choice questions underneath, we worked with -- this is a P3P working group, worked with data commissioners in the EU and in Canada, privacy advocates, companies and others, and really built this kind of -- the kind of questions that would need to be answered. But the idea here is that this is -- while this was -- we originally came up with this vocabulary to be used for business to consumers, people quickly found out you can use this for business to business as well, for sharing of information. You can tag this on and use it to help companies audit internally or have third parties come in and audit for them, to set up software that controls the use of information so that you can't send out, put people's Email addresses in the "to" field when it has -- when individuals sign up to a policy saying that their Email address would not be shared. There's a company called Privacy Wall that's building this kind of software right now, so there's a whole bunch of uses for this technology not originally envisioned, but you can use this vocabulary to answer that. Also, there's the ability of access that these new technologies provide. We heard a lot in the last panel again about cost and how cost -- how this was going to be -- that access was too expensive for consumers, this was discussed a lot, to provide to consumers. Well, if companies can provide the sharing between companies and make that less expensive, then they can also make it less expensive to provide it to consumers as well, and we shouldn't be overlooking the fact that making it cheaper in one aspect is also making it cheaper in another aspect. And then the final point here is the question of how this is really going to work and whether there will be market incentives for companies to use this vocabulary, to use the new access features, and that's still really questionable. This is obviously all stuff that happens behind the scenes, and right now responsible companies seem to be taking up these ideas, but will it be wide spread practice? And the answer to that is that we still don't know. MS. ROSENFELD: Thank you. Ari. Our next presenter is Richard Smith. Richard is the Chief Technology Officer for The Privacy Foundation, where he directs The Foundation's research activities. He also has primary responsibility for explaining The Foundation's research findings to the media and at public events like this. Richard? MR. SMITH: First of all, I want to thank the FTC for inviting me to speak today, and I was asked to actually look into the crystal ball here to see where technology is heading in terms of sharing more data, this idea of emerging technologies increasing the sharing, and very fortuitously yesterday, Steve Ballmer, the CEO of Microsoft Corporation, gave a speech for the Association of Computing Machinery, that's sort of like the Bar Association for the lawyers in the group here, gave a talk about XML which was going to be my topic so I thought that was very good. And I would like to quote from the article that ZDNet wrote which said that XML as the lingua franca of cyberspace would affect -- and it would effectively clear away lingering barriers blocking companies from exchanging information over the Internet. And then the article goes along to talk about the tools that are being developed to support XML and so on. What I found very interesting was there was really no discussion of what kind of data is going to be going back and forth, and pretty obviously some of it is going to be about widgets, about cars, packages and whatever, but it also is going to be personal information, so the answer here, looking into the crystal ball, is clearly yes, we're going to see more sharing because tools are being developed to make it easier to do. There's nothing magical about XML. It's a particular specification of how companies agree to communicate data from one place to another, just like English is a way that humans communicate. The nice thing about it, it's very easy to understand, and it's also human readable, so for folks like myself who kind of like to look at privacy practices of companies, it's actually going to make it easier to look into things, but clearly we're going to see it's -- XML is going to help in the sharing of data, but it's also going to help in some of these areas like P3P and CPExchange, providing some privacy controls. The question is is, Will they be implemented? Just because they're in a specification there's still the issue of, Will they be implemented. Now, another issue, if you want to predict the future, I believe in looking in a crystal ball, you have to also follow the money. We first follow the technology, but then we also follow the money. And pretty clearly in the Internet I think the most ardent cheerleader would now say that we've had a dot com meltdown of companies literally wasting billions of dollars on business models that are not going anywhere. But one thing is very clear is that the Internet is a very good place to get information on things. If I wanted to go to the Google Search Engine, I could get information about anyone in this room probably, except for myself because I have a common name. But if you have a not so common name, it's a lot easier to find out information, and I think that really shows a good business model here, which is the idea that people are going to go to the Internet to make purchase decisions but then go to the offline world and buy stuff, like buy a car. And so I really see that as sort of the money starting to focus people and business models in that direction, and what that's going to mean is the people that provide the information on the Internet are going to want a piece of the action when the sale is made in the offline world. So I see technologies like XML and CPExchange being done for that, so let me give you a quick example here. We've all bought cars, and it's always an interesting experience. Now that I'm older, I actually feel fairly confident about going in the showroom but at a younger age, it was sort of like me against them, and they had the information, and I think that's going to get more interesting here. For example, we go to a car Web site, research three different models of cars that we're interested in, and the Web site remembers that information. Well, the fun thing is going to be I believe in the future is you can walk into the car dealer. They ask for your driver's license in order to do a test drive, and the other thing they're using that for is to go find out what you've been researching on the Web here, for what kind of cars you're interested in. And that gives the salesman one up on you, which is he knows the other competitive models you're looking at, and he can have computer software that recommends how to sell against these cars. You can also be scored on the likelihood of buying a particular model that you express interest in and so on. So I think we're going to see this very strong economic push, and I think it's basically inevitable that when we have one part of the market which seems to be dollar poor and another part of the market where the money is being spent, that the business models are going to have to go that direction. And we're going to see -- be forced into more information sharing. It's just an inevitable part of this economics, much more so than we've seen on the Internet itself. Thank you very much. MS. ROSENFELD: Thank you, Richard. Our next panelist is Lawrence Ponemon, who is the president of Guardent, a services and technology company enabling security, privacy and data protection. Prior to joining Guardent, Larry was the founder of the PricewaterhouseCoopers global privacy practice. Larry is a founding board member of The Personalization Consortium, and he will talk about that organization today. MR. PONEMON: Thank you. Everyone looks really hot and really tired. Is that true or is that just a perception that I have? I need to personalize on you. How many people worry about personalization and privacy? Raise your hand. Oh, come on. I know it's late, everyone. How many people worry about personalization privacy in the wireless Web? Let's see if we can get those hands a little bit higher? Quite frankly, there is actually a lot to worry about, in my opinion, and I know I sound like a heretic as a founding member of the Personalization Consortium. I have good news. I'm going to be fast in my presentation, and I do not have Power Point slides so you can actually watch me. The bad news is I'm going to read to you our blurb about what the Personalization Consortium is, and I'm going to tell you where we are and what we are trying to achieve. The Personalization Consortium is an international advocacy group formed to promote the development and use of responsible one-to-one marketing technology and practices on the worldwide Web. The Consortium encourages the growth and success of electronic commerce that delivers the benefits of personalized electronic marketing while articulating best practices and technologies that protect the interest of consumers, and I want to underscore consumers. To achieve its goal of expanding the scope and use of personalization technology that respects consumer privacy, the Consortium has many functions, for example, to provide a forum for industry discussion and information, sponsor research, foster standards for technology and best practices and work towards consumer understanding. And toward this end the Consortium has established ethical information and privacy management objectives that articulate its goal to create a solid process that enables consumers to confidently use personalization technology for their benefit. Now, the Consortium was established about a year ago chaired by Don Peppers and a few other key folks. I was co-oped into joining the Consortium because of my very strong and very weird views on privacy. So like you, I was pretty suspicious. So I attended my first board meeting, and at the first board meeting were about 30 or 40 company representatives, and I saw a sincere interest to do it right, and I had this kind of vision in my mind. If someone could invent a cigarette that didn't cause cancer, wasn't habit forming, maybe it won't be so bad to smoke, right, and maybe that's where we are in the evolution of personalization. It's probably a bad analogy unfortunately, unless you're a smoker. But the idea is that we've grown from a small group of good companies to 67 great companies, and there are many, many other companies that are taking a wait and see attitude. Let me tell you a little bit about some of the challenges. First, we set high standards. If you read the Personalization Consortium and you go to our Web site which is www.Personalization.org, I don't know how to spell personalization, but my friend Jason can spell it for you. And I think at the end of the day though when you go to that Web site, you're going to find that these principles are about equal, not better than, not worse than, but about equal to many wonderful statements about privacy. So then you scratch your head and you say, "What's the difference here." The difference is we're basically holding our members to a very high standard. That is, it's not just good enough to say you're going to comply with these principles, but you have to undergo an audit, the A word, audit. And that's pretty scary because if you're a small organization or a large organization and you say you're going to be a member and suddenly you're no longer a member, you're basically killed or kicked off the membership list, it's a signal that basically suggests -- not suggests, that tells the universe that the company failed to comply. Let me just tell you the courage of members. The founding members are very courageous because right now they just generally assume that they're going to pass this audit, but my guess is many will fall by the wayside and that the end result will be that some members will not make the grade. Now, let me just tell you it's not for pure altruism, it's not because we're good guys. There's a real economic value proposition, something a little bit different than regulation and lawsuits, and that is if we do it right, becoming a member is going to be a good thing. It's going to be something that is of great value. It's going to be a way to differentiate your services and product in this ever evolving marketplace. Now, if that's so, then people will knock the door down to become a member. To become a member will have real substantive meaning, and that's really what we're trying to achieve through the independent verification. Also, some people are confused, and the next speaker will talk about TRUSTe. The next speaker will also discuss the issue of seals. This is not just a seal. It's not a new form of a seal program. It is in fact about an independent audit conducted by a trusted party. So that's all I want to say about the Personalization Consortium. I'm very proud to be a member, even though I was co-oped to becoming a member originally. It's a great group, and I really encourage everyone here, as well as in the spillover rooms, to go to our Web site and to find out more about what we are and what we want to become. Okay so without further ado, I'll sit down. Thanks. MS. ROSENFELD: Thanks. Thank you, Larry. Our next panelist is Becky Richards. Becky is the Director of Compliance and Policy for TRUSTe, an Internet privacy seal program. She oversees all aspects of enforcement operations and policy developments for the TRUSTe program, including TRUSTe's compliance operations and the TRUSTe Watch Dog Dispute Resolution Process. Prior to joining TRUSTe, Becky was an international trade specialist on the electronic commerce task force at the U.S. Department of Commerce's International Trade Administration. Becky? That's a mouthful. MS. RICHARDS: It is a mouthful. I don't have a Power Point presentation either, so being the last person to speak on the last panel, I hope we'll get through this quickly. I'm actually not going to really talk about seals today. Most of you probably know what they are. Instead, I'm going to talk -- we've heard today a lot about merging and exchanging of consumer data and what the benefits are and what the risks are. And at TRUSTe, we've been following the practices of merging and exchanging consumer data closely, but TRUSTe's main focus in the past has been on the explicit and inexplicit collection of information from consumers and the sharing of such information. TRUSTe's monitored the increasing practice of merging and exchanging and has been and will continue to work to ensure that consumers are aware of these practices. Mary Culnan in the previous panel brought up a very good point. Transparency is very important. If we're going to continue to increase growth via E-commerce, we need to have consumers' trust, and trust comes through transparency and understanding of what those practices are. Currently because we've really been looking at how information is collected from the consumer as opposed to the other way around, our license agreement doesn't -- does not explicitly address the disclosure of merging and exchanging of information, although depending upon the practices, it could be required. As we look to the future, we will explicitly require companies to disclose the practices of merging and exchanging information, to increase the transparency and to increase trust. Our current practices are that we ask Web sites whether they're combining information from third parties by asking in the self-assessment," Is your company supplementing the information that you receive directly from users with information received by an offline means or from a third-party? If so, explain." So if a Web site states that information is being supplemented from such sources, this should be disclosed in the privacy policy. TRUSTe has a model privacy statement that is currently used by a number of companies as a privacy resource, and in this model privacy statement, we provide two different examples of how a company can address the supplementation of consumer information from third parties. The first example is really more appropriate for gathering of financial information, and so I won't go over that specifically. Our second example deals with the combining of marketing information with consumer information. It states: "In order for this Web site to enhance its ability to tailor the site to an individual's preference, we combine information about the purchasing habits of users with similar information from our partners, Company Y and Company Z, to create a personalized user profile." So this is the disclosure. Now, for perhaps maybe a more real world example. I have three examples. The first one is one of our licensees that states explicitly that they do not supplement consumer information by stating that all information excluding our user passwords originates solely from our primary client. Now, in the case of a company that does supplement consumer information, one of our licensees states: "We may research demographics, interests and behavior of our customers based on the information provided to us upon registration." And finally, a third example that gets lengthier; and as we've discussed, privacy policies can be rather long: "The combination of offline and online information provided by the customer has the ability to enhance the customer experience and make customers' interaction more meaningful and relevant. Company X requires that any consumer profiling or purchasing behavior captured online and combined with offline information be clearly stated to the consumer at the time of the online data collection. The consumer will have the ability to choose not to be part of a subsequent marketing campaign." So in this last disclosure, the company is giving the individual the opportunity to opt-out of being profiled. I would like to thank the Commission for having today's workshop. I think it's been very informative as to both the benefits and risks involved in merging and exchanging information across businesses. The important part of each of these, in thinking about this for both businesses and consumers, is that the consumer needs to be informed of the practice if we are going to continue to increase transparency and trust and continue to see increase in business on the Internet. And as I mentioned at the beginning, TRUSTe will be changing our license statement to explicitly address this particular practice in the future. Thank you. MS. ROSENFELD: Thank you, Becky. I have a few questions, we want to try to stick to the time frame here, and then we'll open up the floor to questions from the audience. John, we know CPExchange is an open and it's a voluntary standard, and I think that means that the privacy related features also have to be voluntarily adopted by the users. How likely is it that companies are going to deplore the privacy-related features of the specification in your view? MR. KAMP: I hope they don't deplore them. It is getting late though. MS. ROSENFELD: Did I say deplore? MR. KAMP: Deploy. MS. ROSENFELD: I'm sorry, the heat is getting to everyone here. MR. KAMP: We don't know. In fact, we have reason to believe that they don't deplore them, that they will deploy them, but because it's a voluntary standard, as Jason once described it, it's a safety that may or may not be used. We expect though, because remember the whole point of all of this day has been businesses are interested in customization because consumers are demanding it. As consumers demand more and more privacy transparency, the privacy transparency will be used by the successful companies, and they will use that part of the CPExchange protocol. MS. ROSENFELD: Is there any effort underway to develop a code of best practices for those users of the specification? MR. KAMP: We worked first of all to make sure it was P3P compatible because we believe that's really very important, and we have, just in the last week, sat down again with the P3P people, CDT, and are exploring alternatives, ways in which we can continue to ensure that the protocol is as multifunctional in this regard as possible and will be looking at those very kind of things going forward. MS. ROSENFELD: I guess on a related note, in terms of being multifunctional, will the specification be used to facilitate merger and exchange of consumer data across media, for example, into wireless space? MR. KAMP: Again, it's a neutral protocol. It was designed for internal data sharing within companies, and as we went forward, we added the other functionality. My guess is that all of the things that will be possible and will be used by companies are likely to use this protocol because we think that it's valuable in that regard, and, yes, it could very well be used for wireless or whatever other scary things that might happen in privacy going forward. But because of the kinds of focus there has been on privacy by this agency and others going forward, I'm convinced that the American public are learning what privacy is all about and learning how to use, how to make their choices, and that those kinds of things will automatically develop as the industry develops. The important point here is not that the functionality will be required, but that it's built into the system so that it can be used and the commitment by CPExchange to make sure that the system does have that functionality. MS. ROSENFELD: Go ahead, Ari. MR. SCHWARTZ: In terms of functionality of CPExchange and whether that alone will spur individual -- spur companies to use it, I do think that the regular P3P that I was talking about earlier in terms of Web sites, Web browsers going to Web sites and seeing whether they have privacy policies that match consumers' policy, that has a -- direct impact on the consumer. There's direct feedback that a consumer will want to see a privacy policy because it will show up in their browser. CPExchange doesn't have that ability to be right in the consumer's face like that, so there is that missing step there. It really does have to be a responsible company to take that on, and I look forward to working with the CPExchange people, but we have to recognize that there is that missing piece with all of this behind the scenes type transaction. MS. ROSENFELD: Larry, can you just describe the kinds of companies that are members of the Personalization Consortium and what kinds of companies you expect will join in the future? MR. PONEMON: Good question. Of our members today, we have a combination of tool makers, people who are inventing new technologies, both in the wired and the wireless area, and they're the largest chunk of members. We also have vendors, companies that are not actually making the technology but selling that technology or embedding that technology into other tools, so for example in the CRM universe we see companies fall into that space. Then we have end users, companies that, for example, like AMR, American Airlines or Charles Schwab, that are actually the users of this technology. If you kind of think about the model, the model is a little bit weird because it's a B-to-B-to-C model. We're adding now a new element, and so the key is to get to the consumer. Even if you are in a business mode, and you personally -- as an organization you do not have direct access to personal information, there's still a chain of trust and responsibility, and that's really what the audit is attempting to prove. So you can't say," Well, we passed but guess what, the audit was simple because we don't have personal information, we don't collect any information because we're a tool maker." You can't get away with that. That's obviously a very slippery slope, but that's not what the audit is about, so the members are primarily in those three categories, and we're really -- to answer your question about what is the future, if you'll look at all of the users of personal information, there's a huge body of end user organizations that would love to learn more and become a member and to make sure that they're using the technology that is ethical and that is being managed at a high level. Unfortunately to get there, we really have to have those rigorous standards in place, and it's ultimately the responsibility of the tool maker to ensure that the process is a fair one, is a good one, and so we would encourage end users as well as tool makers and vendors to participate in this process. MS. ROSENFELD: Thank you. What about enforcement with the guidelines? MR. PONEMON: You had to ask the enforcement question, end of the day, we're all sweating here. Now I'm really sweating. Basically if you don't comply with this, and you know my favorite word, we're going to kill our members. We have a license. They've agreed to -- no, we're not going to kill our members, but what we're going to do is you're going to get kicked off the membership scroll. And we're actually in the final stages of establishing a disclosure standard. While it has not been defined as yet, the plan is to have a status report on our Web site to show where members are in the auditing process, so obviously if you're not there, if you mysteriously disappear one day, you could reach your own natural conclusion. But understand that enforcement is very, very important for this to work. Without enforcement, it is a wasted effort. It is virtually a wasted effort, so self regulation means that the organizations that have become members have to work hard to maintain their membership, and enforcement is going to be very costly for some organizations that don't make the grade. MS. ROSENFELD: Becky, you talked about TRUSTe intending to revise your licensing agreements to require disclosures about data merger and exchange of information, and I'm wondering if you have a time table for that. MS. RICHARDS: We last updated ours I think in August, September, and I'm told that the legal fees have to stay lower so I'm not supposed to give it to our lawyers for a couple more months, and we also want to have a certain level of stability in the program. And we're actually on the sixth version right now, we'll be going to the seventh, and there will be a number of revisions, not just this one but also to sort of-- what we have done always is to follow along what the privacy debate is, where are we going with things and make sure we're a step ahead. And so I think that we can anticipate to see those sometimes in the July/August time frame as we move forward. MS. ROSENFELD: I think now I'm going to open up to audience questions. The gentleman back there, and again please identify yourself and your organization. MR. LE MAITRE: Hi. I'm Marc Le Maitre. I work with Nextel Communications. Larry, I agree absolutely, entirely with you that privacy without enforcement doesn't fly. During the B-to-B world, very few businesses would do anything without signing a contract, and I'm aware that P3P is policy based, no need for a contract in P3P, how do you get from policy based to contract based so that you've got some basis on which to place -- to put some enforcement around? MR. PONEMON: You're asking a very good question, and we've tried to address this over the course of the last few years, especially with my involvement with the FTC and the Advisory Committee. Quite frankly, one of the problems you have is a policy, doesn't necessarily suggest truth, so you have a lot of organizations that are very quick to post a policy, and P3P by the way is kind of an offshoot of that. P3P is good, but unless you have an ability to say, Okay, you have this policy, how do we know you're complying, it's kind of an interesting problem because a lot of organizations aren't really evil and they're really not trying to dupe the consumer. It's not that at all, but they're not actually digging deep enough into their own business models or into their own organizations to determine where they have vulnerability and risk. And in many cases, in most cases unfortunately, the legacy of being an auditor, right, you basically stumble on some incredible problems. Bad news doesn't necessarily get up to the right people. That's the job of an auditor is to communicate it ultimately to the board, and I've been in many board meetings to say to major companies," You know what, what you say you do on privacy, you're just not doing, and it's going to be very costly to fix it." So then that's the other issue. What's the accountability on the other side to actually now fix the problem now that you have that information. Audits are a good thing though. If there's self regulation you might be able to move the bar. MR. LE MAITRE: I think there's some direction on it. The notice and choice aspects of Fair Information Practices are well understood. My own feelings are that it may take some sort of binding between notice and choice. This is the notice you gave me, this is the choice I gave back to you, and some notion that that forms a bond, a contract, that has some legal status that we can both rely upon in an audit situation. MR. PONEMON: Can I just make one comment about that? If you just look at the current implementations around GLBA, Gramm Leach Bliley, we've seen a lot of organizations having a very difficult time just operationalizing choice. We're starting to see evidence that companies are failing. They're getting the reply back, but companies are having a difficult time making sure that it sticks in their legacy systems, and they're spending virtually no resources to fix the problem, so I think we're going to have a lot of interesting issues on the horizon in terms of lawsuits, organizational culpability, but that's a problem. And so even if you have a contract, even if it's a legally binding contract, I'm not sure that's going to change behavior in the short term. MS. ROSENFELD: John? MR. KAMP: I just wanted to mention, and not in any way to slight the FTC enforcement authority or even the authority of auditors, that perhaps the most important thing that will happen in the marketing space is happening, and that is privacy is becoming part of the brand, and as part of the brand, it's part of that image of the product and the company that is part of the relationship that the customer has with the brand, and either a company is going -- going forward, I think either companies are going to respect the privacy of their consumers and treat them appropriately or they're not, and that consumers are going to take it out on them, and that the value of the brand and the need to ensure that the brand stands for something in the privacy space as well as in the basic historical places where it talks about quality, product quality and consistency and value proposition, that privacy is going to stand along that, and the American consumers are going to make sure that their privacy is protected in ways that they consider appropriate. MS. ROSENFELD: You in the back. MR. KAMINSKI: Hi. My name is Jim Kaminski from Arent Fox. This is a question for Ms. Richards. I was wondering if you had a sense -- I have two questions actually. My first question is: Do you have a sense of what the industry practice is for disclosing the company's enhancement practices, and also when that new standard is in place, are you going to require the companies to provide access on the Web site to the data collected offline to keep that parallel? MS. RICHARDS: The lovely question access. This is always difficult to answer. Let me maybe revise a little of how I answered Dana's question. Right now there isn't an explicit requirement for you to disclose, but if we go through your privacy practices and we find that it's very appropriate and you should be disclosing it, we will force you to disclose that information. So it's sort of an implicit requirement if you could have that, and so -- and what we have been working with our account managers is to make sure that they know this is an important aspect and they need to be probing more about the questions, and so I think on that aspect it's something that we're -- as the practice becomes more prevalent, we're seeing more disclosures. When I asked the question around the office of if they can give me some different examples, we came out with some different ones, and it was a really good learning experience for everybody to see what is happening. I would say that there's -- I can't give you any numbers in terms of how prevalent it is or how not prevalent it is in terms of how many companies are doing it at this point. It's just a sense that it's definitely increasing and that it's something we're addressing as we go along. I don't have a good answer for your access question at this point. MS. ROSENFELD: There in the middle. MR. TUROW: Joe Turow from the University of Pennsylvania. I just wanted to know if anyone has a sense of whether what you guys have been talking about is going to change when things go in the not too terribly distant future to a much more broadband, very dynamic environment where people will be watching television, doing the Web stuff, doing this, constantly moving between sites at such a rapid speed with so many parties involved in a transaction that the kind of privacy policy issues, I'm just wanting to know, might be totally irrelevant, the ones that we've been talking about. If you have four or five parties that have an interest in dealing with the data at the same time who have very different notions of what's acceptable, is that a scenario that's realistic, and then what do you do? MS. ROSENFELD: Would anyone like to take a shot at that? Ari. MR. SCHWARTZ: Well, I was just about to say that's why XML technology, people are focusing on XML technology, because it's really the only realistic way the different parties can come in at different points, and that's why I focus so much of my time on P3P because I see it as the only realistic way to provide notice in that realm. Now, obviously Larry brought up the point that P3P has a weakness that it doesn't do enforcement. P3P, that's not what P3P was meant to do. It's not supposed to do enforcement. It's supposed to do notice and do it well, and that's what we've tried to focus on. So of course tying in all these access points is going to make it very difficult for the consumers to follow, it's difficult enough to follow on the Web the way they do it today. In a pervasive computing environment only XML technologies will help do that so we need to map everything to some -- MR. TUROW: Can you explain how? I don't see how it's helping to solve the problem. MR. SCHWARTZ: How will XML help to solve it? MR. TUROW: Yes. MR. SCHWARTZ: Well, what's going to happen is that you'll have -- it's a complex system, and there's a few different ways that schemas will work, but basically that everyone will be relating to the same basic vocabulary or schema, and then information will be flowing into points back and forth using this same underlying data, using the same tags. So that we don't have the confusion that we have today where everyone has different databases labeled in different ways and uses the information in different ways. It's a whole new infrastructure that Tim Berners-Lee from the World Wide Web Consortium calls the semantic Web. MS. ROSENFELD: Jason? DR. CATLETT: I have a quick question for Larry. Does the Personalization Consortium require its members to provide access to consumers about the data they hold, and does it require an opportunity to delete the information? MR. PONEMON: That was probably again one of the most contentious issues with our principles, but we ruled. We prevailed. Basically access and accuracy are actual principles, and that means that you have to provide access, reasonable access which means that -- I don't like that word reasonable because it opens up for interpretation. We're going to have to be really smart as auditors in terms of finding what's the line between reasonable and unreasonable, but more importantly, if someone finds a problem, you have to be able to provide that individual the proper approach for fixing those problems as well as redress if that is not being handled well. But also this is opening up a can of worms in terms of security and authentication issues that have to be built into the system. From that point of view it could be very costly to members, but that's just what we have to do. DR. CATLETT: But it was a requirement that was accepted by the 67 companies. MR. PONEMON: All but one company agreed to it, and that one company basically has agreed to go along with it so it was amazing, but it was a battle. It wasn't like, Gee, it makes a lot of sense. It had to be -- it took weeks and months, as Win knows, a lot of work to kind of get us to that point. MS. ROSENFELD: Any other questions? No. I want to -- was there anybody else? No? I want to thank the panelists. This was an excellent panel, and it's not over yet. I want to, first of all, commend all of you for staying throughout the day. I apologize for our air control problems, but after this panel can step down, we have some closing remarks by Joel Winston. (Applause.) MR. WINSTON: I think it's fitting that we were able to get these curtains and windows open, because the purpose of this workshop was to shed some light and bring in some fresh air on a very important subject, data merger and exchange, and I hope we were able to accomplish that today. I did notice that it took a crow bar to get some of those windows open, and I don't want to carry the metaphor too far, but actually I think people were very open and honest with us, and we really appreciate that. I want to thank all of our panelists today and our audience for a very lively and interesting day. I also want to express my appreciation to the FTC staff who really worked tirelessly to put this workshop on and to do so really in record time. Specifically I want to thank Martha Landesberg, Allison Brown, Jessica Rich, and Ellen Finn from the Financial Practices Division, Lou Silversin from the Bureau of Economics, and Dana Rosenfeld from the Bureau Directors Office, and of course our intrepid team of support staffers who really made this possible today. Let me just close with a few brief remarks. The Commission's been studying online data collection for over five years now, and we've hosted several workshops on a variety of topics related to collection issues, but I think the subject matter of this workshop is an especially timely one. It seems like every day we hear or read about new ways in which consumer data are being collected and combined and put together for various purposes. It's been a very educational day for us and we hope for all of you. Although some of the practices we've heard about today are practices that have been going on for many decades, new technologies and other recent developments have increased the speed and amount of data that businesses exchange both online and offline, so being able to discuss these practices really helps us keep up with all of these recent developments. We learned today, for example, about various sources of consumer data used for creating profiles such as public records, census data, survey data, warranty cards and consumer transactions. In addition, many companies described their business models and how the merger and exchange of data benefits both the businesses and consumers. For example, by purchasing third-party data, companies are able to target their advertising more effectively and efficiently and to personalize Web content, so that consumers may get more advertising that they want to see and fewer advertising offers that they don't want to see. Several panelists raised questions about the transparency of these practices to consumers, in particular, whether consumers know about the existence of data compilers and the practice of enhancing consumer information with data from third-party sources. Do consumers know how and why this data is exchanged between companies? Well, I would harken back to what Commissioner Swindle said this morning and many of the panelists raised throughout the day, this notion of the trust gap and the information gap, the misunderstanding gap. From what I heard today it seems like the key problem here is that there's a gap between what businesses are actually doing in their collection, merger and exchange of data versus what consumers think they're doing. I haven't seen any specific survey evidence, and I would certainly welcome it, but I'm willing to bet that most people either dramatically underestimate or dramatically overestimate the scope and detail of information that businesses are compiling about them. On the one hand, I suspect that there are lots of consumers who really have no idea that hospitals and government offices and bankruptcy trustees and lots of other people are selling or providing personal information to businesses, all of which may be combined and enhanced in various ways to form consumer profiles. On the other hand, I imagine there are lots of consumers who think that their every action is being traced, recorded, combined and deposited into some mega database for anyone to use and see. What I heard today is that the information that's actually being compiled and combined out there is not nearly that comprehensive or nearly that granular. To me this raises a real challenge. Alan Westin did a survey several months ago on consumer attitudes toward privacy. He found that there are a fair number of people who simply don't want their information shared or used by anyone for any reason. On the other side of the equation, he found that there were some people who really didn't care about their information. They were happy to allow it to be used for any purpose whatsoever. But, what he also found is that there are about two-thirds of the survey participants who fit into the category of what he called privacy pragmatists; that is, people who are willing to share their information under certain circumstances for certain reasons and if they're promised certain benefits. Now, the task for business is to convince these pragmatists that in particular situations, it's to their benefit for the businesses to combine and use the information that they're putting together about them. My hope is that through workshops like this, we can help bridge the information and trust gaps and enhance public and business awareness of what is and what is not going on out there. I'm not going to get into the debate about the value of privacy policies, but I think we can all agree that shedding more light and fresh air on this subject has to be a good thing. Again, I just want to thank all the panelists for contributing to this workshop and to remind you that we do have a record that will remain open for 30 days, and I encourage you to file comments. Thank you very much for coming. (Timed noted: 4:51 p.m.) |