I have very much enjoyed this conference and the chance to talk to many of you over the last few days. I guess I am the last speaker who is not with Experian so let me ask you to join me in thanking them for all the hard work they have done to bring us together.
It may have looked to you all like I have just been eating shrimp, sipping on cocktails, and fishing unsuccessfully this week. I do some of my best work under those conditions, of course. But I really have learned a great deal about the work that all of you do. I am better aware now of what it takes to have a sophisticated financial services system like we have in the United States.
A lot of the pro-regulation privacy advocates with whom I deal — or do battle — in Washington don't understand that you have to use information in order to deliver people the goods and services they want — to get them credit at low interest rates that reflect their good credit histories, for example. It's increasingly clear to me that each tiny use of information in the credit reporting system has an equal tiny benefit to consumers.
Now, that's a difficult story to tell in Washington and state capitols, where the phrase "You really can have something for nothing" is what everyone wants to hear and say. So, yours is a difficult story to tell, but I am better equipped to tell it now, and I know Tony does a great job of it. I hope you will all go out and try to explain to people with whom you deal the benefits to consumers of the credit reporting system.
I have learned a lot here, and one of the things I've learned is a great new word: "decisioning." Evidently it's part of a growing trend. The word "partner" has turned into a verb as well. You've all heard of "partnering," I'm sure. Well, I worry about such changes in the language, but I think I'd better just get on board with this trend. So let me now try to knowledgize you by speeching about privacy.
First, a little background. Privacilla is a Web-based think-tank devoted exclusively to privacy as a public policy issue. We break the issue down in terms of online, financial, and medical privacy, as well as dealing with privacy from government. One of the most important sections is "Privacy Basics," where we try to dig down and answer important questions like "What is privacy in the first place?"
Let me turn to that because I think an effort is underway to change the meaning of the term privacy. There may well be good reason to push back against this change.
Privacy has existed as a legal concept for a little over 100 years. The privacy torts in the United States came about after an article in the Harvard Law Review was published by two men named Samuel Warren and Louis Brandeis. They found objectionable the fact that newspapers were publishing pictures and stories about parties and social events that had not previously been in the newspapers — in particular, events they themselves attended. Warren and Brandeis were concerned with broad publication of private information, not the type of information-sharing you do which is very narrow and restricted to people with legitimate business interests.
The kinds of things that helped the law of torts evolve here in the United States were things like photographs of surgeries published in papers or circulated widely in a community. Publication of these kinds of things has been found to invade privacy. Most recently, the state of Minnesota adopted the privacy torts after someone's racy vacation photos found their way from the 1-hour photo developer out into the community. The 1-hour photo developer's job was to get those pictures printed, sealed in an envelope, and returned to the customer. It was an invasion of privacy for nude photos from someone's vacation to be circulated out of the photo developer's shop.
Privacy torts exist in the United States. People whose privacy is invaded can sue the person responsible and get damages. And the message that needs to be carried forward is precisely that.
Politicians in the states, politicians at the federal level, and bureaucrats and politicians internationally think that the U.S. has no privacy law and that they need to invent it out of whole cloth. They are wrong. There is room to quibble about whether they are satisfactory, and some states have only adopted some parts of the privacy torts, but there is no disputing that the privacy torts provide baseline protections for privacy.
I said that some advocates are trying to change the meaning of privacy, and I want to talk about that a little more because I think it affects you.
The lesson I'd like you to take away today is this: Just because it's information policy, don't assume that it's privacy. Many proposals coming forward today would regulate uses of personal information, but I don't think they deliver privacy. They are usually actually aimed at some other interest.
Let's go through a few examples. The Driver's Privacy Protection Act, which is a federal law aimed at curtailing the availability of information in public records, started because of the murder of an actress named Rebecca Shaeffer in California. It turned out that her killer had gotten information about her from the state Department of Motor Vehicles. That law arises not so much out of an effort to create privacy, but rather to prevent crime.
A couple of years ago, we had a proposal in Congress called Amy Boyer's Law, which would have cut off many uses of social security numbers. Amy Boyer was murdered by a man who, in the final days of a years-long obsession, looked up information about her on an Internet search service. Now this law came to be identified as a privacy law, but its inspiration and real intention was to be a form of crime control.
These crime-control methods need to be looked at as crime-control. How effective are they in relation to their costs? How many murders will be stopped by preventing law-abiding people access to social security numbers? And I do mean law-abiding people because I count murderers as part of the group that don't stop short when they run up against "privacy" regulation.
Another, less dramatic example, is the Gramm-Leach-Bliley Act. The affiliate opt-out provisions of Gramm-Leach-Bliley, at the end of the day, allowed people to prevent themselves from receiving well-targeted marketing. It didn't really protect privacy.
GLB lets you prevent people who want to market financial services to you from learning details that might help them get it right. So poor people like me might get advertisements about tax shelters in the Bahamas. And young people just starting out their careers may learn about annuities and estate planning.
Judging by the response, it's pretty clear that GLB didn't discover an untapped consumer desire to be free of accurate marketing. There is unanimity among advocates that the "privacy" provisions of GLB didn't protect privacy.
So always watch for what interest is really being advanced by law and regulation named after "privacy." You'll often find that information policies aren't really aimed at privacy, but at something different.
I think we may see some of this in the upcoming debate in Congress on the Fair Credit Reporting Act. The Fair Credit Reporting Act is a very interesting law because it's actually pretty well named. The bulk of what it's about is fair credit reporting. That's fairly unusual. I mean, we get bills in Washington called the Happiness Protection Act of 2002, and do you think everyone gets excited because they know they're going to be happier after it passes? I don't think so.
But the Fair Credit Reporting Act lays out some rules for fairness in credit reporting. What do consumers need to know? What rights do they have to correct information? And so on.
The affiliate sharing rules in the Fair Credit Reporting Act are pretty much like the Gramm-Leach-Bliley Act. It's just not about privacy when commonplace information like name and address are shared along with facts or inferences reflecting well on a person's financial character. Particularly when the sharing is among businesses with an interest in serving the individual and maintaining a customer relationship with him or her, this just doesn't go to the embarrassment and exposure that we avoid with privacy protection.
Again, though, this is a hard story to tell in Washington. It is very difficult to understand, much less convey quickly, how our sophisticated financial services systems work. I will be attempting to do so in the near future. I hope you will join me by working to clear up misunderstandings about privacy among the people you meet and talk to, and by being more skeptical when you hear that someone is going to deliver privacy in a law or regulation. More likely, whether they know it or not, they're aiming at some other interest.
At conferences like this, it may look like I'm just eating, drinking, and socializing, but I really have learned a great deal. I appreciate the chance to be here, and I hope you have enjoyed my presentation.