State Attorneys General want some of the action

State Attorneys General want some of the action

The same state attorneys general who brought down the tobacco industry, against big odds, are now going after companies that invade personal privacy. These are the same state officials who helped engineer the anti-trust lawsuit against Microsoft.

The National Association of Attorneys General devoted their entire summer meeting in Seattle last month to the subject of privacy and showed in this area as they have in other areas a vigorous intent to match Congress in shaping public policy.

One of the prime movers was the host for the meeting, Washington State Attorney General Christine O. Gregoire, who proposed reaching agreement on principles that would be presented to Congress as the AGs’ minimum requirements for federal legislation. Gregoire, outgoing president of a group that shows increasing political clout, said, “Attorneys general are really, in terms of consumer issues, on the front line.”

“When we come together, as diverse as we are, we can be a powerful voice.”

In fact, within the association, there is disagreement about the right approach to regulating privacy protection. Many attorneys general every day face the apparent conflict between law enforcement’s demands for access to information and the expectations of consumers for confidentiality. Attorneys General Joe Mazurek of Montana and Frankie Sue Del Papa of Nevada, for instance, argued that the National Commission for Uniform State Laws, a private, apolitical group of legal experts, ought to be charged with drafting a model state law. But others said that this.takes too long. NAAG itself may draft a model state law.

The AGs clearly agreed that they would resist any attempt in Congress to preempt stronger state action in this area.

Bill Lockyer, the attorney general of California, criticized business advocates who asserted that an opportunity to “opt out” is adequate protection. “Doesn’t this reverse 200 years of jurisprudence that ‘silence does not equal assent’?” he asked them.

The AGs are acutely aware of the strength of business lobbyists on this issue, especially Gregoire. Her comprehensive proposal for privacy protections offered st winter appeared to have smooth sailing in the Washington legislature, until suddenly business lobbyists organized against it. They succeeded in squelching the proposal in a closed meeting without a vote (in Washington’s evenly split House of Representatives, with 49 Republicans and 49 Democrats). [See accompanying story.]

Even though Congress last fall invited states to enact stronger protections for personal financial records than in a 1999 federal law, not one of the dozen proposals to do so has made progress in state legislatures. Janet Napolitano in Arizona, Jennifer Granholm in Michigan, Mike Hatch in Minnesota, Eliot Spitzer in New York, William Sorrell in Vermont – all Democrats have developed vigorous privacy initiatives, in addition to Lockyer and Gregoire. At the NAAG meeting, Republicans Mike Fisher of Pennsylvania, Bill Pryor of Alabama, and Betty D. Montgomery of Ohio expressed great restraint on the issue.

By the end of their meetings, the attorneys genera( were leaning towards- focusing on protecting medical and financial records (requiring consent to disclose information for secondary uses) and accepting “opt-out” for marketing uses of information. This, in fact, was the hierarchy proposed by PRIVACY JOURNAL Publisher Robert Ellis Smith in his keynote speech. Robert Sherman, counsel for the Direct Marketing Association, and Christine Varney, former Federal Trade Commissioner who represents on-line businesses in Washington, seemed to accept this approach as well.

Behind closed doors, several attorneys general met with executives of Microsoft for a briefing on “cookies” and other aspects of on-line browsing. In the course of their presentation, the Microsoft representatives said that they analyzed the privacy policies of the Web sites of the 50 attorneys general and found that the most active sites earned failing grades “of E or F.” In Microsoft’s assessment, only Michigan’s earned an A, even though its Web site warns those who file complaints that their submissions will become public. The Web sites of most attorneys general do not collect significant amounts of personal information, lessening the need for a detailed privacy policy.

All of the elected officials agreed that privacy is an issue that concerns voters on the left and the right. “Which is always a terrifying moment,” said Attorney General Spitzer of New York.

‘OK, but not Great’

When the European directive on data protection was first drafted, it required equivalent privacy protection in a second nation before data on Europeans could be exported there. After negotiations, that language was changed to adequate.

Europe’s chief negotiator of privacy in the U.S. Gerard de Graaf stressed last month that he regards the “safe harbor” agreement hammered out this spring as merely adequate, not equivalent.

“It’s not as strict as the European standard,” de Graaf told PRIVACY JOURNAL. “Canada’s new law is adequate, as well.”

“From a European perspective, it makes no sense to protect video-rental records more than medical records. It’s impossible to explain that to a European. I don’t even try,” said the remarkably blunt-speaking diplomat.

The European Commission is now turning its attention to Japan, where there is no oversight enforcement of its self regulation scheme, according to de Graaf, a Netherlands native with a deep understanding of American politics. He is trade counselor in the Washington delegation of the European commission. “We have started discussions with Japan,” said de Graaf.

Under the “safe harbor” agreement [see PJ Apr 00], American companies desiring to export personal data on Europeans back to the U. S. must register with the U.S. Department of Commerce their intent to abide by fair information practices principles drafted by the department [see PJ Dec 98].

“A member state in Europe may not disrupt data flows if the information is flowing to a company abiding by the safe.harbor principles,” said de Graaf.

New Economy, Old Conditions

Not everything is sweetness and light in the dotcom world. The Seattle office of fired more than a dozen employees last month when they refused to sign forms authorizing the company to check credit reports, criminal histories, and consumer investigatory reports on them. The investigatory reports, most of them prepared by ChoicePoint (formerly Equifax, Inc.), purport to no fy employers of living habits and subjective impressions by neighbors and previous co-workers. Kozmo delivers products ordered on-line to customers in 10 major cities. Across town in Seattle, a reputable off line company, Nordstrom department store, routinely requires a similar authorization form from applicants. It also seeks access to motor vehicle reports, school records, and private detective firms. And it requires an answer to the question, “Have you ever been involved in a work situation which involved yelling, fighting or physical contact?”

Fair Isaac Loosens Up

After pressure from.lenders like E-Loan [see PJ May 00] and legislators like the California State Senate, the leading setter of credit scores to credit bureaus and creditor grantors has moved to make the score available to any consumer who asks.

Fair Isaac, creator of the “FICO” score and similar formulas for encapsulating a consumer’s credit-worthiness based on information in a credit report, has posted the general FICO formula on its Web site,, and is developing a Web-based service, expected to launch later this month, to explain individual scores.

Despite the banking industry’s continued opposition, some members of the lending industry have done an about-face and are now supporting the release of credit scores. In March, secondary market lender Fannie Mae announced that it would stop using PICO scores and instead create its own “transparent” system. Soon after, the credit bureaus Trans Union and Experian separately decided to develop their own ranking systems and make them available to consumers, most likely on Web sites.

The California State Senate approved – by a vote of 32 to 1 – a bipartisan measure to require disclosure of a credit score to a consumer by a lender or as part of a credit report. The bill would also require standardization of the formulas. The Banking Committee in the Assembly considered the bill in the first week of this month. SB 1607 is backed by a diverse coalition led by the California ‘Association of Realtors and Consumers Union.

Credit scores are comprised of five major factors: 35 percent, payment history; 30 percent, amount of outstanding debt; 15 percent, length of credit history; 10 percent, recent new applications or opened accounts; and 10 percent, a mix of credit and types of accounts and loans. Generally, 720 is a high score and 585 a low one, says consumer advisor Jane Bryant Quinn.

Get Past the Camouflage

Add two more groups to the list of those that have given themselves names to imply that they protect privacy when in fact they were established to beat back governmental privacy protections [see PJ Jun 00]:

AT&T, IBM, Dell Computers, Network Solutions, Time Warner and other big names have formed Electronic Commerce and Consumer Protection Group to resist federal or state legislation. Its counsel, Washington lawyer Ronald L. Plesser, wrote this month, “Legislation or stronger federal regulations won’t provide greater privacy protections on the Internet and could stifle the remarkable innovation occurring there. Rather, the best way to effectively protect consumer privacy on the Net is to encourage the many industry-developed efforts that are now taking place to provide strong privacy notices on e-commerce sites and choice with respect to transfers of information to third parties.”

A second group of more than 20 corporate CEOs and trade-association executives – with some of the same companies represented – is more progressive. The Privacy Leadership Initiative commenced with full-page ads appearing in Sunday newspapers around the nation. Members include Procter & Gamble, IBM, Ford Motor Company,, E*TRADE, Dell computers, and AT&T.

Two of its goals are to foster privacy-enhancing technologies and “to analyze the benefits to consumers of data exchanges and the economic effect on businesses.”

Copyright Privacy Journal Jul 2000

Provided by ProQuest Information and Learning Company. All rights Reserved