The Federal Trade Commission is following through on its promise to protect consumer privacy (January PROMO).
̶We believe that the focus should be on misuse of information,” even though past FTC efforts have focused on collection of data, said Howard Beales, director of the FTC’s Bureau of Consumer Protection, in a January speech. ̶Our focus on consequences leads us to view privacy through a broader lens” than the online-only focus of past FTC boards, he added.
The current administration’s first privacy-related suit was settled in January: Eli Lilly, Indianapolis, inadvertently disclosed e-mail addresses (collected through prozac.com) of 669 subscribers to its Medi-messenger e-mail service, which sent reminders to take or refill medication. The service ran from March 2000 until June 2001; a June 27 e-mail announcing its termination listed all subscribers’ addresses in the ̶To” line. The American Civil Liberties Union complained to the FTC last July.
As part of the settlement, Lilly must set up a four-part security process: Designate appropriate personnel to coordinate and oversee the program; identify and remedy reasonably foreseeable confidentiality risks in and outside the company (including lack of training and data storage); conduct a written review within 90 days after the settlement takes effect and then annually; and adjust the program if monitoring shows that’s necessary.
The Lily suit ̶is intended to make clear that companies making privacy and security promises must keep their word,” with internal security measures appropriate to the sensitivity of data they protect, Beales said. Not every breach means a suit, but ̶when companies collect sensitive personal information and promise to keep it secure, we will be closely examining any unauthorized disclosures to figure out how it happened and whether it could have been prevented,” he said.
Hold All Calls
In January, the FTC stepped up its campaign to create a national Do Not Call list for telemarketing by asking for consumer comments. The plan would amend the Telemarketing Sales Rule to let consumers opt out of all telemarketing calls, and require marketers to ̶scrub” their lists to remove any consumers who register with the national service.
The FTC registry would still allow businesses exempt from the Telemarketing Sales Rule (including insurance companies, airlines, and long-distance phone companies) to ignore the list. Consumers also could give direct permission to a specific marketer.
The amendment also would prohibit marketers from ̶pre-acquiring” consumer billing information. That would make it illegal to exchange lists of credit card numbers, something Beales calls a ̶troubling practice.”
Consumers have until March 29 to comment. Among the questions being asked: How long should a name stay on the list? Should consumers be able to specify which days or times they will accept calls? Who should be permitted to register a phone number (i.e., phone-bill recipient, spouse, or child)? Should third parties be permitted to collect and forward requests?
In the meantime, the FTC continues to crack down on telemarketing fraud. In February, the commission brought a $51 million contempt suit against telemarketers Diversified Marketing Services, National Marketing Service, NPC Corp. of the Midwest, and Magazine Club Billing Service, all Oklahoma City. The group allegedly charged consumers’ credit cards for magazine subscriptions without permission. It also misrepresented the cost, duration, and cancellation policies of subscriptions; the enforceability of the agreements; and the need for consumer account information, per FTC.
The FTC says the group’s action violates a 1996 settlement barring illegal billing practices, for which it was fined $1.5 million for consumer redress. This time, the FTC is asking for $51 million for redress and to bar three of the principals from telemarketing.
The commission also continues to tweak its guidelines for privacy notices, new in 2001 as part of the Gramm-Leach-Bliley Act (January PROMO). Financial institutions sent out more than a billion notices, but many were hard to read.
Telecom company Qwest, Denver, decided to not share consumer data between divisions after its privacy-notice bill inserts prompted consumers to worry. The company announced in January that it will wait until a Federal Communications Commission ruling later this year before deciding whether to exchange data internally.