Corporate Use of Customer Information

Kyle Gregory, Jonathan Laincz, James Nitchke, Txue Pa Yang 



» Download PDF

Consumers are both knowingly and unknowingly sharing their personal information with others every day.  There are many different ways of sharing personal information.  It may consist of, but not exclusive to, writing a check to make a payment, using a credit card to buy an online product, mailing in tax returns, calling home on a cell phone, scheduling a doctor's appointment or applying for a credit card; each of those transactions requires you to share personal information, such as your bank and credit card account numbers, your income, your Social Security number (SSN), or your name, address and phone numbers (Federal Trade Commission).  For the most part, consumers commonly share their personal information on an ongoing basis without being aware if it.  In the case that they are asked to “verify” their personal information by creditors, most consumers tend to not realize that they are also “giving away” their personal information, as well as verifying their personal information for “verification purposes only”.  Furthermore, most consumers may not even realize how important the privacy of their personal information is to their own well-being.  Such personal information, if misinterpreted or put in the wrong hands, may ruin lives or destroy one’s financial standing.  The misuse of this information can do more harm to the individual than he or she may even know or can imagine.
When sharing personal information, consumers are usually not aware of how their own information is being used.  In most cases, personal information of consumers are collected and distributed by companies to be compiled and/or used, and eventually sold and bought by other companies.  With the constant collecting and distributing of personal consumer information by companies, the Federal Trade Commission (FTC) enforces the Fair Credit Reporting Act (FCRA) to promote the accuracy of consumer reports, as well as to ensure the privacy of the information in those reports (Federal Trade Commission).  Though there are laws governing the use of consumer information and the privacy rights of consumers, such practices of violating those laws frequently occur because companies carelessly take into account their wrongful actions when it comes to making a profit.  According to the The Rights Approach from the Five Sources of Ethical Standards, it is suggested “that the ethical action is the one that best protects and respects the moral rights of those affected” (Markkula Center for Applied Ethics).  Basically, it is one’s right to have their own privacy secured from invasion; therefore, ethically, these acts of carelessness by companies may lead to the consumer’s privacy being invaded.

Invasion of Privacy
With regard to consumers’ privacy when dealing with personal information, it is important to note that there are many ways of invading one’s privacy.  Privacy, in the sense of personal information, is defined by the Privacy Rights Clearinghouse as “the ability to control what is done with one’s information” (Insurance Journal).  One way would be web browsers who are unaware of the incontrollable flow of their information and, as a result, having their privacy invaded.  In 2000, when United States (US) Representative Edward J. Markey noticed this invasion of privacy in which websites do not notify the consumers of their data being collected, he introduced H.R.3321 to the House which would require all sights to visibly notify a person if the site intends to share, reuse, or sell the information, and provide consumer control over the flow of this data (Insurance Journal).  Even Bill Clinton has publicly spoken on the invasion of people’s privacy in a commencement address at Eastern Michigan University.  Clinton said, “In this age of information we cannot let new opportunities erode old, fundamental rights.  We cannot let breakthroughs in technology break down the walls of privacy” (Insurance Journal).
While web browsing, whenever an icon is clicked on, an advertisement selected or a story read, each move is recorded into a database to be streamlined and investigated for patterns if the powers-that-be desire.  This method is an extremely useful and an inexpensive way to gather information that is utilized almost universally today.  In a survey conducted by Mary J. Culnan of Georgetown University, statistics revealed that of the 361 commercial websites 92.8 percent collected personal identifying data; 56.8 percent collected demographic data; 6.6 percent collected no personal data; and less than 1 percent collected only demographic data (Privacy Rights Clearinghouse).  This has tremendous implications for your every day consumer.  The statistics are even more frightening if we consider the fact that banks, brokers, and financial institutions are beginning to go on-line at an ever-accelerating pace, meaning that all of your financial history and transactions will also be available and collected.

Visible and Invisible Methods of Collecting Personal Data
In terms of collecting personal information, there are two different methods of collecting personal information; visible and invisible.  Visible collection occurs when the consumer knowingly and willingly gives out their information, but has no idea what the information will be used for.  The other method corporations use to gather information is the invisible method.  When this approach of data collecting occurs the consumer is not aware that he or she is giving out information and it is being done without their direct consent.
Two widespread visible data collections are the National Consumer Survey and Consumer Product Survey of America, where both surveys consist of the promise of a free entry into a sweepstakes if the person fills out the survey and sends it back by mail.  One other example of collecting personal data visibly is Product Registration Forms, which occurs whenever a person gives out information to register any product that the customer has recently bought, such as a computer.  There are many different invisible methods of collecting data, such as Reverse Appending and Automatic Number Identification (ANI).  Reverse Appending is the process in which consumers use their credit card for purchases and then records of the account number with the mailing address attached are transmitted to a credit reporting agency by the merchant (Privacy Rights Clearinghouse).  Automatic Number Identification is “when individuals place telephone calls to a toll-free number or to a 900 number, their telephone numbers are transmitted to the call recipient.  If the recipient subscribes to an ANI service, it can capture the incoming phone numbers” (Privacy Rights Clearinghouse).  This process is similar to reverse appending where “additional data can then be appended to the telephone numbers, thereby enabling the company to obtain names, addresses and demographic data of those who place telephone calls to that company” (Privacy Rights Clearinghouse).  “While ‘customer relationship management’ is a prominent buzz-word used in business today, invisible data capture via ANI is an unethical means to build a company's data base” (Privacy Rights Clearinghouse).  But far, the most dangerous way that is currently being investigated by the FTC is gathering data on the internet. 

Collectors and Distributors of Personal Information
There are over 100 companies in the US gathering data about millions of households and citizens in the country.  The largest of these companies are Experian Information Solutions, Inc., (Experian), “a global leader in providing value-added information solutions to organizations and consumers”, and Acxiom Corporation (Acxiom), a company that creates and delivers “customer and information management solutions that enable many of the largest, most respected companies in the world to build great relationships with their customers” (Experian; Acxiom).  Each company holds information of over 100 million households and 165 million individuals, and the numerous smaller companies such as Unisys, ChoicePoint, and HotData hold only slightly less amounts of personal information (Privacy Rights Clearinghouse).  These companies hold databases with extensive and detailed information on citizens, enabling the companies to have the ability to paint a surprisingly vivid portrait of any individual’s daily life activities.
The companies, such as Consumer Reporting Agencies (CRAs), collect and sell information about the creditworthiness of individuals (Investorwords).  The credit bureau is the most common type of CRA (Federal Trade Commission).  Credit bureaus possess a wide range of consumer information, not only consisting of the common personal information: names, addresses, phone numbers, SSNs, bank and credit card account numbers, etc., but even medical information and religious or political affiliations.  CRAs have the right to sell information about consumers to creditors, employers, insurers, and other businesses in the form of a consumer report (Federal Trade Commission).

Concerns of Consumer Information Being Collected and Distributed
In a FTC Workshop held on March 13, 2001, the director of the Privacy Rights Clearinghouse, Beth Givens, commented that she had long observed that the “compilation and exchange of data captured from consumers when they participate in the marketplace” were of a key concern to consumers (Privacy Rights Clearinghouse).  With the FTC enforcing laws helping to prevent and end violations and abuse of consumer information by CRAs, it has also helped reduce the number of credit bureaus from such committing wrongful acts.  Unfortunately, most consumers are still at risk because of the vast amounts of data warehouses containing their personal information.  “Privacy experts estimate that the average American is profiled in at least twenty-five, perhaps as many as one hundred, databases” (Economics of Personal Information Exchange).

Process of Data Mining Consumer Information
Most commonly, consumer information being collected by companies are put into extensive databases, and most of the time, information is taken from the consumer without them being aware of how it is being used.  Once this information is collected, the majority of consumers have no idea where it is stored or who has access to it.  If only consumers were informed about how their personal information was going to be used, exactly whom their personal information is given to, and for what purposes they are relinquishing their personal information to, they may be more or less inclined to reveal certain details about themselves. 
An extension to privacy being affected by data warehouses is where, when, what and how the information is being collected, as well as who is using the information.  Personal information databases not only contain large amounts of consumer’s personal data, but included in those databases are information on the whereabouts of purchases a consumer makes, and how and when it is being made.  This is critical to make note of because it can lead to very serious outcomes.  All of a consumer’s purchasing information can be compiled and organized together to allow any person obtaining this information to essentially follow and stalk every movement the consumer would make.  A person’s purchasing information combined with their personal information, i.e. address, phone number, etc., provides an adequate amount of information to locate a person at their place of residence and/or workplace, or any other trips being made routinely by that person.  If such databases make it possible for an individual’s movements and daily habits to be tracked, then the only right to privacy the individual has anymore is the right to whom this information is available to.

Risks Involved When Sharing Personal Information
Consumers who were aware of their privacy being violated or abused have already registered their complaints about privacy abuses and have sought information on how to safeguard their privacy (Federal Trade Commission).  As for those consumers who are unaware of their privacy being violated or abused, they are also not aware of the risks involved when sharing their personal information.  Especially when corporations are constantly collecting, distributing, buying and selling consumer information to make a profit, not only are the consumers at risk but the corporations are at risk as well. 
Within the personal information privacy issue, the consumers and corporations are the ones at risk.  Consumer personal information is being collected, distributed, bought, and sold by corporations everyday.  The corporations who are the ones committing this abuse of privacy on consumers and can basically be broken down into three main groups: companies collecting and distributing personal data, companies who sell and re-sell those personal data, and companies buying and using the data resources.   Because of the two very different stakeholders at risk, there arises different exposures to risk and various issues arise as well.  As for privacy issues concerning the consumers at risk, the issues include identity theft, credit scams, denial of loans and jobs, in which all these may lead to lawsuits.  For corporations, it is their duty under the FTC Act to “keep the promises they make to consumers about privacy and, in particular, the precautions they take to secure consumers' personal information” and not misuse consumer information in any way (Federal Trade Commission – Privacy Initiatives). 

Risks of Collecting and Distributing of Personal Data
Releasing personal data is often a requirement in today’s society, but it carries with it many different exposures to risk.  Companies that collect and distribute personal data can cause problems because they tend to not take the right precautions when collecting and distributing personal data of consumers.  One example of a company who did not take the necessary precautions to prevent violating consumer’s privacy rights is ChoicePoint.  With a market capitalization of $3.03 billion, ChoicePoint is currently the leader of the identification and credential verification services industry (Federal Trade Commission).  ChoicePoint is a publicly traded company that obtains and sells the personal information of consumers to upwards of 50,000 businesses (Federal Trade Commission).  Last year, ChoicePoint “acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, and will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws” (Federal Trade Commission).
Companies buy personal information of consumers to use for many different purposes including pre-employment screening, credit risk analysis, marketing analysis, and so forth.  When operating a business in the identification and credential verification services industry the main concern and risk for the organization should be the strict adherence to security issues, regulations, and data accuracy in order to protect the well-being of the consumer.  Clearly, the information collected by firms, like ChoicePoint, is still at risk and isn’t safeguarded as much as individuals would assume it to be.

The Effects of Consumers at Risk
Consumers, who are mainly at risk concerning the collection and distribution of personal information, are the millions who have given out bits and pieces of their information, both voluntarily and involuntarily.  Whether it is applying for a credit card, getting a driver’s license, or opening a bank account, every consumer gives out information about themselves on a regular basis to partake in a modern lifestyle.  But what many consumers do not know is that their information is available to just about anyone who is willing to pay the price.  There have been recent situations in which valuable personal information has made its way into the wrong hands due to minimal, and sometimes, unlawful security regulations or even foul play.  For example, on January 26, 2006, “the FTC charged that ChoicePoint violated the Fair Credit Reporting Act by furnishing consumer reports and credit histories to subscribers who did not have a permissible purpose to obtain them, and by failing to maintain reasonable procedures to verify both their identities and how they intended to use the information” (Federal Trade Commission).  In fact, ChoicePoint was also charged with “violating the FTC ACT by making false and misleading statements about its privacy policies,” in order to create a sense of security (Federal Trade Commission). 
The other consumers at risk regarding personal information privacy are the companies that purchased data from firms in the identification and credential verification services industry.  The major risk for these consumers is the accuracy of the information and its effects on the operations of their business, and the possible repercussions from wronged individuals and the law.  Earlier this year an accuracy issue occurred within a consumer reporting agency.  Far West Credit, Inc. will be paying a $120,000 fine to settle Federal Trade Commission charges (Federal Trade Commission).  A home lender, Keystone Mortgage and Investment Company, Inc., was provided inaccurate consumer reports by Far West.  This led to defaults in mortgages that were insured by the Fair Housing Administration of the U.S. Department of Housing and Urban Development, “resulting in losses to the FHA program” (Federal Trade Commission).

Values of the Consumers Being Violated
In allowing corporations to continuously gather and sort information about individuals, the individual is surrendering much of his/her right to privacy.  The individual relinquishes his/her ability to keep personal information private.  ChoicePoint has databases with information on millions of consumers.  In these databases are records of consumer’s SSN, bank information and financial records, religious or political affiliations, and medical records.  All of this personal information can be misused or misinterpreted causing serious harm to an individual’s way of life. 

Causes and Effects of Political and Religious Status Revealed
An area of interest in relation to one’s personal information is one’s religious or political affiliation.  Personal information regarding a person’s background such as race, ethnicity, gender, and political status are also common data being collected and organized.  Political and religious affiliation recorded in these databases could be used by parties to influence an individual or a group, or to profile an individual based on this information.  This concept of profiling can be especially important during this time of “War on Terror”.  There is a big movement by the United States government to secure its borders and keep America safe from what they deem as “terrorists.”  Looking back through American history, one can notice that there have been multiple occurrences of discrimination and profiling.  For instance, during the McCarthy era many US citizens were discriminated against based on their supposed support for communism or for having ties to the USSR.  This led to many people losing their jobs and being jailed despite having never committed a crime or speaking out against the government.  During World War II, many Japanese were imprisoned just because of their skin color and nationality.  Because of occurrences like these mentioned it is vital that one’s political and religious views are able to be kept private.  Misuse of this information can lead to people’s civil rights being abused or removed.

Personal Information Being Used and Abused
Data warehouses also contain extensive information about a one’s financial situation.  Checking and savings account details, debit and credit card numbers, credit ratings are only some examples of information contained in data warehouses.  Crimes, such as identity theft, rely on obtaining personal information to access financial data in order to steal from people or smear the images of those identities they embezzle.
Beyond personal and financial information, data warehouses also store wide-ranging information about a person’s health and medical history.  While this enables researchers, doctors, and healthcare providers to monitor and prescribe their patients more effectively, it also allows for profiling and discrimination to take place.  Release of a person’s medical information can lead to several forms of discrimination.  One example is the recent efforts by corporations attempting to cut healthcare costs by pre-screening potential employees.  Therefore, by opening up medical records to public corporations it becomes possible for employers to engage in practices of hiring based on health status and not qualifications.  Due to these actions, the release of medical information can also impede a person from getting medical attention. 
A major issue that makes the implications of internet data mining even worse is Inference, which is defined as the process of users posing queries and deducing unauthorized information from the legitimate responses they receive (Privacy Rights Clearinghouse).  For example, names and salaries taken together may be private but individually are public, the same for healthcare information, and even more for name, medical, wage, age, education and so forth all taken together are private but may easily be formed with proper research.  The problem with Inference is the possibility of learning almost any private information about a consumer from internet data, even though the problem has been investigated by the National Science Foundation, as it has implications for National Security, there has been no complete solution found.
The first result, after the data is taken, gathered, and sold by any number of the companies practicing selling data for a profit, including Acxiom or ChoicePoint, is an invasion of people’s privacy by marketing solicitations.  There are the options of the Mail Preference Service and Telephone Preference Service, but these are not widely known of and expire after five years.  If a consumer isn’t aware of these options, solicitors and spammers are notoriously difficult to turn off.  In fact, the Privacy Rights Clearinghouse gets hundreds of calls about this from upset citizens that have tried to get off solicitors call/mail list to no avail and now wish to sue, but are typically told they can’t if it was solicited by mail.
People will face much more challenging and bothersome effects of the abuse off of their personal information.  The sellers and gatherers of this information claim it is only used for marketing purposes, and is also only sold in bulk but there are no legal regulations guaranteeing this.  Therefore, an insurance company could get medical reports to screen for problems, car agencies could get leisure habit lists, and loan agencies can get complete financial history.  Acxiom’s InfoBase Ethnicity System is described as a breakdown of ethnic, religious, and minority classification that can instantly match a name to a wide range of demographic data (Acxiom).  This system is already sold and being utilized by many companies including Conseco Insurance Company, who claims that the information only helps them better understand and service their existing customers.  A statement from a HotData spokesperson of the data said that, “those may or may not be the traits of individuals you want to insure” suggests they the insurance companies are using this information to screen potential clients (Insurance Journal).  Loan agencies and automotive dealerships will also get this information, denying people mortgages, loans, and cars, on top of any insurance policies.  Government agencies like the FBI and IRS have turned to this data as well, buying “credit header” information that tells almost everything you want to know about a person from Experian, Equifax, and TransUnion.  Actually the FBI and IRS are ChoicePoint’s largest customers with contracts above eight million dollars from each per year.  Another example examined in a Washington Post article in 1998, involves misuses of data from supermarkets.  It involves the DEA buying data from Smith’s Foods in the Southwest in an effort to find possible Methamphetamine makers.  Although they were not looking for over-purchase of Sudafed or Heet, they were investigating purchases of sandwich bags, which could falsely implicate anyone I know.  A third example is the case of Beverly Davis v. Metromail.  In this case Miss Davis was sent a letter from a prison inmate with detailed knowledge of her saying he was getting out soon and was coming to molest her.  The inmate obtained this information because Metromail (now known as Experian) contracted a third party who contracted with a prison to enter customer data into spreadsheets.


With the constant process of consumers sharing their personal information, as well as companies continually gathering such information, it will be difficult to end this on-going practice.  The regulations imposed by the FTC are only boundaries waiting to be crossed.  Though it helps to somewhat regulate the flow and use of consumers’ personal information, their privacy will always be violated due to the fact that companies are still making the mistake of wrongfully distributing personal information.  In terms of ethics, only companies can prevent themselves from committing illegal acts of collecting, distributing, selling and buying consumer information.  By invading one’s right to privacy, it is also violating the code of ethics in relation to the The Right Approach.

With the growing number of companies taking their businesses on-line providing new data and the other companies depending on the data compiled, instances like these will become more common and spread into every part of our personal lives.  For this reason, there must be much stricter regulations imposed on the companies in gathering of consumer information and the use of it in order to protect the value of consumer privacy.  Also, by implementing stricter policies, this will regulate the flow of personal information as will as limiting it.  Open disclosure to consumers giving out their personal information, instead of the small fine prints at the bottom of the page, is another way to help and reduce consumers from not to sharing their information with others.  All in all, it really depends on the companies who choose to do what they do as well as the consumers who should be more aware of knowing not to share too much or any of their personal information.