Edit 12/20: Experian's SVP of government affairs and public policy Tony Hadley (who also testified during the hearing) has written in with his observations.
In the wake of Sen. Jay Rockefeller’s (D-WV) hearing on the practices of data marketers, AdExchanger reached out to the three data marketing solutions companies he accused of not complying with his investigation.
Jennifer Barrett Glasgow, global privacy and public policy executive at Acxiom, responded via email. Jeanette Fitzgerald, SVP and general counsel at Epsilon, responded over the phone. Tony Hadley, SVP of government affairs and public policy at Experian, responded via email.
On whether “data broker” needs to be defined and whether the FTC’s definition of “data broker” – a company that collects and sells consumer data for marketing purposes – is a fair definition:
ACXIOM’S JENNIFER BARRETT GLASGOW: A definition is only important to define the scope for applying any regulation or industry codes of conduct. It is a little like the definition of PII (personally identifiable information). If we want to regulate the sharing of data for marketing purposes, then that definition is fine.
EPSILON’S JEANETTE FITZGERALD: I don’t think there’s a need to define “data broker.” The key is how the information is used. If you think about the Fair Credit Reporting Act, that’s about how information is used. You take data and if you use it to determine employment eligibility, it’s covered by the Fair Credit Reporting Act. It doesn’t matter whether you’re a credit reporting bureau or not, you fall into the category because you use the data that way. And that means you have to follow the guidelines. It’s the use of the data that I think is much more important.
EXPERIAN’S TONY HADLEY: There is no consensus definition of a data broker and this complicates and confuses the debate. As I stated during the Senate hearing, the current definitions being considered would include thousands of companies of all sizes, as well as many non-profits and government agencies that acquire and share consumer information for very good reasons. However, not all these “data providing” organizations do so for the same purpose. Just in the same way that hiking boots and running shoes may be worn for different purposes -- data providers collect and use data for different purposes. They cannot be defined with one broad brush. Bottom line: data providers are not all the same, not even close.
On the biggest points of contention between the large data-marketing solutions providers and Sen. Jay Rockefeller:
ACXIOM'S GLASGOW: The committee wanted a complete list of all data sources and all clients. Acxiom and other large data brokers consider our sources as highly confidential competitive information and we have strict confidentiality agreements with all clients. Smaller brokers may not have such contractual provisions. We provided extensive information about the types of sources we have and the industries we sell to, which is quite broad and includes most consumer-facing industries. We felt that was sufficient for the purposes of this type investigation. This was an investigation to understand industry practices for the purpose of making legislative recommendations. It was not an investigation into suspected wrongdoing.
EPSILON'S FITZGERALD: There are two main areas where they have asked for information and we have all said we will not provide it. They want to know our actual clients, and they want our actual suppliers. All of us will tell you that’s proprietary information. Rockefeller's requests, both in the hearing yesterday and the letters that have gone out, have stated he’s trying to understand the industry. We strongly believe we’ve given him everything he needs to understand the industry. He can’t find anything that any of us are doing wrong because we’re not doing anything wrong.
We take steps to make sure, as best anybody is able, that the lists aren’t used improperly. In fact we gave Sen. Rockefeller both the forms for the client agreement and the forms for the supplier agreement. Our client agreements say you have to use the data in accordance with the DMA best practices. You are not allowed to breach any laws or regulations when you use these lists. And we say you’re only allowed to use it once. It’s a one-time list. That’s it. I don’t think there’s anything he’s going to gain from what he thinks he’s not getting. I think he just wants to say he’s not getting it.
EXPERIAN'S HADLEY: For the past year, Experian has been very forthcoming and highly cooperative throughout this inquiry launched by the Committee...We have also repeatedly met with the offices of the Senators on the Committee to describe our practices and respond to any questions about our company, products and services.
In our submissions, we provided the Committee with many internal documents and graphics demonstrating the types and categories of the clients we serve; samples of contracts governing how data can be shared; and additional detail on client types and common uses of selected products as identified by Committee staff. However, we cannot provide lists of specific clients and data sources because we are contractually obligated to keep much of this information confidential and, even if so permitted, this information represents vital trade secrets for Experian. Maintaining the confidentiality of our data sources and client relationships are essential to maintaining our competitive position in the marketplace.
The fact is our competitors want this information and, as stated during the testimony, we cannot be assured that these trade secrets can be properly shielded from disclosure if provided to the Committee.
On whether third-party data providers or their business clients should be most responsible for the proper use of consumer data:
ACXIOM'S GLASGOW: You are correct that concerns vary greatly based on the intended use of the data. We all share some responsibility in assuring appropriate practices in the information ecosystem, but there is a limit to what the broker should be liable for. We carefully vet our clients to be sure they are legitimate businesses and have a need for the data they are licensing from us. In that vetting process we look at things like complaints to the Better Business Bureau to be sure they are reputable and will follow the terms of our agreement. If any marketer is engaging in unacceptable marketing practices, like price gouging, then these practices should be illegal. The committee focused on this issue, but we are not aware of any instances of price gouging actually occurring in our 44 years of supplying services and data for marketing purposes.
EXPERIAN'S HADLEY: Experian is not engaged in dynamic or variable pricing and does not provide products for such activities to our clients [editor's note: The ethics around variable pricing was a particular sticking point during the hearing]. If a marketer is engaged in dynamic or variable pricing, that is a decision that the marketer makes, not Experian.
Experian has implemented rigorous compliance procedures for ensuring that our data is used only according to applicable laws and governmental guidance, as well as best practices adopted by Experian’s Global Information Values and the Direct Marketing Association’s Guidelines for Ethical Business Practice. Our compliance program also has procedures in place to vet data sources and new clients to ensure that they, too, are complying with relevant laws, Experian practices and industry guidelines. Not until we are confident that clients and data sources meet our strict requirements do we agree to work with them.
On the extent to which consumers should be responsible for managing their information:
Because of those things, privacy policies may not be written as well as everybody would hope [and] it’s hard to figure out how you write it so everybody understands. I’m not sure how to give all the information that the laws, the regulations, the best practices require and yet is something consumers can understand.
We try to put spots in our surveys that help remind consumers why they’re giving us the information and what we’re going to do with it and we’ve gone to the FTC and suggested they might want to promote something like this. But who in the end is responsible? I’m not sure. I’m not sure if I can make that call.
EXPERIAN'S HADLEY: With respect to marketing offers, if consumers are seeing relevant ads, and they can understand why they might be receiving them, then everything is working as it should. If consumers see offensive ads, or ads that simply do not reflect their interests at all, then they should contact the advertiser and opt-out. At Experian, we are continuing to assess how we can be more transparent with consumers about our practices. Our business depends upon consumer trust. Currently we address the issue of consumer participation by providing consumers, upon request, with an explanation of the categories of consumer data we possess and the right for consumers to request that their name not be used by Experian for solicitation purposes.
Speculation on whether legislation is likely:
EPSILON'S FITZGERALD: My gut feeling is that Sen. Rockefeller will propose something. How far it will go, I have no idea. [This is] really looking into my crystal ball, but based on what Sen. Rockefeller said yesterday, I think he’s going to propose some sort of legislation that somehow protects the people he fears are being hurt the most: the financially challenged, those with ailments. I don’t know how, other than to say it can’t be used.
But then my question is: What if people voluntarily give it up? Because as Tony [Hadley, Experian’s SVP of government affairs and public policy] said yesterday, they get ailments because people fill in surveys. That’s how we get them too. We don’t get them any other way. People voluntarily give up that information.
On whether legislation is necessary:
EXPERIAN'S HADLEY: [We] agree with the Federal Trade Commission that there is no need for special measures to ensure the accuracy of data that is used for marketing purposes and is not used to decide consumers’ eligibility for credit, insurance, employment or other similar benefits. We also agree with the Federal Trade Commission that the costs of individualized access and correction would likely outweigh the benefits.
While we understand the concerns of the Committee, it is not our belief that new laws are needed that would place additional requirements on the collection, use and sharing of consumer data used for marketing purposes. The fact is we already have a robust legal framework to protect consumer privacy…[and] there are robust industry self-regulations and corporate best practices to fill the gaps.
When it comes to marketing data, the best means of addressing consumer concerns are two-fold: (1) Bolstering industry self-regulation and having companies commit to best practices around maintenance and usage of marketing data; and (2) Increased enforcement by the FTC and other governmental authorities, using their wide powers and the broad laws in place, against those truly bad actors bad practices in the marketplace. Of course, these means can evolve in flexible ways that address privacy protections in the future, as consumer expectations and technology continue to evolve.