EPIC logo

January 5, 2005

Douglas C. Curling,
President and COO
1000 Alderman Dr.
Alpharetta GA 30005

Dear Mr. Curling,

I received your letter regarding the request for investigation that the EPIC filed with the FTC about Choicepoint's ongoing failure to comply with the spirit of the Fair Credit Reporting Act. The complaint, which was prepared by EPIC Associate Director Chris Hoofnagle and Professor Daniel J. Solove describes with considerable care the significant problem of the information broker industry, and your company in particular, to fail to abide by privacy protections that were adopted by the United States Congress more than thirty years ago. It reasonably requests the Federal Trade Commission, which has jurisdiction over the enforcement of the Fair Credit Reporting Act, to consider whether your business practices currently violate federal law or whether it may be necessary to amend federal law to safeguard the information about American consumers that your company routinely sells to the government and the private sector.

Your reply, in contrast, ignores the problems outlined in the letter, makes baseless allegations about EPIC, and puts forward the absurd proposition that we should review our filings with your company before they are submitted to a federal agency.

To briefly summarize, Mr. Hoofnagle and Professor Solove on behalf of EPIC, wrote to the Federal Trade Commission to request an investigation into data broker products for compliance with the Fair Credit Reporting Act. The FTC would have every reason to pursue this complaint. Chris Hoofnagle is one of the country's leading privacy advocates. Professor Solove is one of the most respected privacy scholars in the United States. And EPIC is responsible for much of the section 5 jurisprudence that has contributed to stronger privacy protections for millions of American consumers.

We argued correctly that many of the data products sold by companies such as Choicepoint, though not exclusively by your company, avoid coverage under the Fair Credit Reporting even though the content and source of these profiles on American consumers may be virtually indistinguishable from a credit report that would be covered under the federal law.

This is hardly an outlandish claim. As you well know, the scope of coverage of the FCRA has been a central concern for the US Congress, the federal courts, and the Federal Trade Commission for many years. Companies such as yours have found exceedingly clever ways to sell more and more information about American consumers with fewer and fewer obligations. When inaccuracies arise or the information is improperly used, the consequences are serious. Jobs are lost and loans are turned down, not because of any fault of the individual but because of the inaccurate information that companies such as yours can provide without liability.

Consider for example, the AutoTrackXP and Customer Identification Programs. Mr. Hoofnagle and Professor Solove provide considerable detail in the December 16 letter to the FTC both as to the contents and use of the consumer profiles that your company sells to banks, law enforcement agencies, and private investigators. It is obvious that many of the same problems that arise with credit reports will arise with these products, yet federal law covers credit reports but not these consumer profiles. Significantly, your reply of December 29, 2004 says not a word on this point.

The December 16, 2004 EPIC complaint reasonably concludes:

Even if these products are not consumer reports for purposes of the FCRA, it is incumbent on the FTC to analyze them and make recommendations to Congress concerning possible expansion of the FCRA. If these products are found not to be within the FCRA, the FTC should recommend to Congress to expand the scope of the Act.

Perhaps you could provide a simple answer to the FTC and to the American public of why, in your opinion, these products should not be covered under the FCRA if they are virtually indistinguishable from similar products that would be covered.

While your letter makes a lot of nonsensical claims about EPIC, I suspect your real concern is EPIC's repeated success at the FTC, in federal courts, and working with state attorneys general to defend the privacy rights of American consumers. We have earned the respect of these public officials precisely because we pursue these matters to a successful resolution. You are correct that there is an error in the letter regarding the cleansing of voter registration information in Florida. The list was actually complied by DBT, a company acquired by ChoicePoint in 2000. The sale of voter qualification information nevertheless is a perfect example of how non-FCRA flows of personal information can result in harm to individuals. At the same time, we made no mention in our initial complaint to the FTC regarding the numerous violations of privacy laws outside of the United States that implicate your company. As USA Today reported on September 1, 2003:

After the Mexican government complained that its federal voter rolls were the source, and were likely obtained illegally by a Mexican company that sold them to ChoicePoint, the suburban Atlanta company cut off access to that information.
In June, ChoicePoint wiped its hard drives of Mexicans' home addresses, passport numbers and even unlisted phone numbers. The company also backed out of Costa Rica and Argentina.
ChoicePoint had been collecting personal information on residents of 10 Latin American countries — apparently without their consent or knowledge — allowing three dozen U.S. agencies to use it to track and arrest suspects inside and outside the United States.
The revelations helped kindle privacy movements in at least six countries where the company operates. Government officials have ordered — or threatened — inquiries into the data sales, saying ChoicePoint and the U.S. government violated national sovereignty.

If it is you contention that Choicepoint has faithfully complied with all privacy obligations, we would be pleased to provide further information to the Commission and Congressional oversight committees so that they may open a separate investigation.

You and your chairman have proposed a national debate on the responsible use of personal information. We support this. But it is not a debate that should take place at industry trade shows or closed door meetings with PR specialists and Washington lobbyists.

We would welcome a public hearing in Congress with balanced representation between those in the information broker industry and those in the consumer protection field, including state attorneys general, to discuss the scope and application of the Fair Credit Reporting Act to the dossiers on American consumers now being sold by companies such as yours.

We would welcome a similar public workshop before the Federal Trade Commission with balanced participation on the same issue. In fact, we hoped that our letter to the Federal Trade Commission would lead to just such an inquiry.

We have posted your reply to our letter on the EPIC web site. We invite you to post this answer to your reply on your site. We also encourage you to show support for a genuine national debate on these issues with a letter to the FTC and the appropriate members of Congress.


Marc Rotenberg
EPIC President

FTC Chairwoman Deborah Majoras
FTC Commissioner Orson Swindle
FTC Commissioner Pamela Harbour
FTC Commissioner Jonathan Leibowitz
FTC Commissioner Thomas Leary

House Commerce Committee Chairman Joe Barton
House Commerce Committee Ranking Member John Dingell
Senate Commerce Committee Chairman John McCain
Senate Commerce Committee Ranking Member Daniel Inouye

EPIC Privacy Page | EPIC Home Page

Last Updated: January 5, 2005
Page URL: http://www.epic.org/privacy/choicepoint/reply1.5.04.html