April 8, 1997
Companies: CDB Infotek ; Unidentified Publishers and List Compilers
Dear Ethics Committee Member:
It is a fundamental principle of the DMA that consumer data should only be used for marketing purposes.
I am hereby filing a formal complaint against CDB Infotek for using consumer data to provide reference services (e.g., skip tracing, bill collection, look-ups, people-locating). This complaint also is filed against all magazines, publishers, consumer mailing list compilers, and other compilers of consumer data who have provided CDB with consumer data for such purposes.
A summary of the applicable DMA standards is appended as Exhibit 1 for the benefit and convenience of all interested parties.
CDB Infotek of Santa Ana, California, is a subsidiary of Equifax, Inc. According to its promotional materials, CDB offers consumer data on-line for reference purposes.
A sampling of CDB's materials and web site pages from 1993-present shows CDB offering data from "publishers' lists", "mailing lists", and "consumer files [other than credit bureau headers]".
As of last month, CDB was offering a "Skip Tracing Tool" called "National Publisher's Change of Address." This is currently described on CDB's web site as containing "new address information on individuals based on changes of address filed with various magazine and publishing companies".
According to a 1996 marketing pamphlet, CDB's "Missing Links" look-up service has utilized publishers' mailing records to obtain unlisted phone numbers, as well as age, address updates, wealth ratings, median income, and information on up to thirty neighbors.
A price list for CDB's reference products and databases as of August 1, 1996 is attached. Other CDB database searches that may include consumer data are: Infoscan, National Address Changes, Neighborhood Search, and Surname Scan.
Equifax, as a DMA member, should have voluntarily complied with the DMA standards when the violations were first brought to the attention of its legal officers in November and December 1996. But Equifax apparently opted to continue reaping the profits from unethical data sales, thus making this formal complaint necessary. For instance:
1] On November 22, 1996, I spoke with CDB counsel Paul Tobin, who professed to be unaware of the DMA standards. I informed him about the DMA Guidelines and Fair Information Practice Rule II-A. I told him that it was a clear violation of industry ethical standards to sell consumer data such as publisher's records for look-ups, people-finding, or other reference services.
2] That same day I sent a letter to the general counsel of Equifax, Thomas Magis, informing him of CDB's unethical data usage. I emphasized that "CDB's use of consumer data for reference purposes is not a close call" under the DMA rules, and that it was "incumbent on Equifax to see that the consumer data is removed from CDB's databases immediately."
3] On November 26, 1996, I again wrote Mr. Magis, informing him that Equifax had an "ethical duty" under the DMA standards to "remove any and all customer data, such as independent mailing list data and publisher's forwarding address information, from its look-up databases". I informed him that Equifax's duty existed entirely independent of any dispute with my client, Aristotle Publishing. I was told that my letter had been referred to Equifax counsel Bruce Richards.
4] In early December, I also spoke about the applicable DMA ethical rules with another of Equifax's counsel, Michael de Janes, whose division includes CDB.
Despite this series of notices to the highest echelon of Equifax's legal department officers, Equifax disregarded the rules and continued to sell the data unethically.
All entities that have been providing CDB with data from sources such as publishers' records, consumer mailing lists, or warranty cards, must also be identified by Equifax. These entities should be required to identify all other companies to whom they have provided consumer data for reference purposes. The reference service providers should then be contacted and also brought into compliance.
The violation is clear, and numerous other entities have been involved. Equifax can easily identify these other entities for the Committee, and the problem can be remedied efficiently in a single, comprehensive ethics proceeding. For self-regulation to be effective, it should not be necessary for me, my client, or any other interested parties to have to incur the burden of filing multiple ethics complaints over blatant violations involving the same subject matter. I urge you to investigate thoroughly, to act decisively with respect to all parties involved, and to announce the results with clarity and precision.
This is necessary for the credibility of self-regulation, and to deter future misconduct of a similar nature by others. The result also should be made public as soon as possible, so that it may be evaluated by the FTC in connection with its ongoing consideration of consumer data privacy issues and industry self-regulation.
Consumer look-up databases such as the "National Publisher's Change of Address" should be taken off-line immediately, and all other consumer data that might still be present in CDB's other look-up databases should promptly be removed;--
Equifax must identify the entities who provided such consumer data to CDB;--
The entities who provided such consumer data to CDB should be contacted and brought into compliance; and--
All of these data providers should identify the other reference service providers to whom they have provided consumer data, and such reference service providers should also be brought into compliance.
This is a critical test for the marketing industry. If the DMA is unable to obtain swift and complete cooperation from one of its largest members on such an obvious ethical violation, the DMA should make this fact public. Consumers would be entitled to know that fundamental ethics rules cannot be enforced against a prominent DMA member and that consumer data continues to be used widely for look-ups. Otherwise, the DMA would be facilitating a scam on consumers who have been assured that self-regulation is sufficient to insure ethical use of data and adequate privacy protection. Immediate compliance is simply a matter of fairness to all whose privacy is being violated by such improper sales.
It is also a matter of fairness to all companies that compete in the law enforcement reference service market without using consumer data unethically. My client, Aristotle Publishing, is one of them.
It is a matter of public record that Aristotle is in litigation with CDB over a contract dispute, and over CDB's sale of voter data from numerous states for unlawful purposes. No one will be surprised when the existence of that litigation is mentioned in an effort to distract attention from the substance of this ethics complaint. But this complaint must be viewed on its own merits, as it has far-reaching implications for consumer privacy. With the rapid growth of on-line look-up services -- especially over the Internet -- the DMA must take an active leadership role in insuring that no marketer is unethically selling consumer data for such uses. This case provides the DMA with that opportunity.
Finally, it is my personal belief that companies like Equifax will act more quickly to end such violations if exposed to public scrutiny. Private notice on several occasions was apparently not sufficient in this case. Therefore, to expedite full cooperation and disclosure by Equifax, I will be making copies of this complaint public.
If I receive further relevant information, I will provide it for your immediate consideration.
Thank you very much.
Very truly yours,
J. Blair Richardson, Jr.
cc: Commissioner Christine Varney (FTC)
I.DMA Guidelines for Ethical Business Practices
In the Section entitled "Collection and Use of Marketing Data, the Ethical Guidelines state as follows:
Article #32 -- Data Collection and List Rental Practices
II.DMA Fair Information Practices Manual
Section II-A of the Fair Information Practices Manual states:
Similarly, Rule IV of the DMA's "Fair Information Practices Checklist" states:
Under the DMA's self-regulatory principles set forth above, individually and collectively, the use of consumer data for law enforcement and other non-marketing look-ups is both unethical and improper.