[Politech] ChoicePoint and EPIC in a tiff over over privacy, databases, and FCRA [priv]

From: Declan McCullagh (declan@private)
Date: Mon Jan 10 2005 - 21:27:37 PST

Excerpt from EPIC's letter to the FTC trying to compel the agency to 
target ChoicePoint:

"ChoicePoint, one of the largest data aggregation companies, became 
independent from Equifax, a leading U.S. credit rating agency, in 1997. 
  ChoicePoint has bought more than 40 companies and competitors, and 
obtains 40,000 new public records daily for its database of more than 19 
billion records. Choicepoint contracts with about 35 federal agencies to 
supply data. The company's slogan is "Smarter Decisions. Safer World."

ChoicePoint's reply follows.




ChoicePoint Corrects EPIC Errors, Calls for Privacy Group to Join Discussion
December 29, 2004

Mark Rotenberg
Electronic Privacy Information Center
1718 Connecticut Avenue, NW
Suite 200
Washington, DC 20009

Dear Mr. Rotenberg:

It was with great disappointment that I read EPIC’s latest attack on 
ChoicePoint in Mr. Hoofnagle’s letter to the Federal Trade Commission 
(FTC) dated December 16, 2004. ChoicePoint has consistently reached out 
to EPIC – and you personally – to discuss what we do and how we do it 
and, especially, our company’s compliance with the fair information 
practice principles, relevant privacy laws, and a variety of privacy 
regulations. EPIC, unlike other privacy and consumer advocacy 
organizations, has consistently refused these efforts at a constructive 

The result is yet another inaccurate, misdirected, and misleading attack 
by EPIC. EPIC has filed this letter with the FTC, posted it on your web 
site, and circulated it in your recent EPIC Alert, all without 
contacting us. Frankly, it is hard to see Mr. Hoofnagle’s letter as an 
attempt to influence policy instead of a narrow attack vehicle. That 
said, it appears that there are two primary claims in the letter:

     * That ChoicePoint may be violating the FCRA by providing 
information held in FCRA-governed databases to government agencies, law 
enforcement agencies, and others for non-FCRA purposes; and
     * Even if ChoicePoint has not violated the FCRA, it is only because 
the FCRA is inappropriately narrow and constricted, which allows 
ChoicePoint to “artfully” avoid the FCRA.

Both charges are baseless.

ChoicePoint fully complies with the FCRA, including the new Fair and 
Accurate Credit Transactions Act (FACTA), where they apply to our 
products and services. This compliance has led ChoicePoint to take steps 
that others in our industry do not take. For example, ChoicePoint – 
apparently alone among information companies – has applied the new 
“603(w)” requirements in FACTA to our employment and tenant screening 
products. At real expense, we created a streamlined process to provide a 
free copy of these reports to consumers once a year upon their request.

Where the FCRA does not govern our products and services, a host of 
other federal and state privacy laws and industry-initiated 
self-regulatory principles often do apply.1 Our Public Records Group2 
provides consumers with access to some of the same reports about 
themselves that our customers receive. In addition, we provide consumers 
with a host of other “self-check” records and reports at our 
ChoiceTrust3 and KnowX4 web sites.

We also provide consumers with information about the sources of our 
reports so they can go to the original source to correct errors. 
Correction at the source is vital because other information vendors may 
also collect and report the same records. However, if the error is our 
responsibility, we correct the error in our records.

Mr. Hoofnagle’s charge that the FCRA is inappropriately narrow is simply 
a disagreement on the public policy choices made by Congress and state 
legislatures. As you know, Congress clearly intended to limit the scope 
of the FCRA to specific types of reports for specific transactions.5 It 
was not meant to be omnibus privacy legislation. Information used for 
investigative, law enforcement, or governmental purposes is not 
regulated in the same manner as is the information used to make 
decisions related to credit, insurance, or employment.

The topic of the responsible use of information is a vital one to our 
society. Like ChoicePoint chairman and CEO Derek Smith, in his recently 
published book, Risk Revolution, we support a national debate on this 
very topic. We have met with many privacy and consumer advocacy groups 
on this topic because we believe that real improvements in both homeland 
security and the protection of personal privacy will only come through a 
constructive dialogue among the interested parties, including 
ChoicePoint and EPIC. The ideas outlined in Risk Revolution or discussed 
by these groups may or may not be enacted into public policy, but the 
debate is important to have.

Finally, EPIC, relying on inaccurate information, reprises discredited 
charges linking ChoicePoint with the 2000 election in Florida as an 
example of a “pre-FCRA” era of “unaccountable data companies.” Simply 
put, ChoicePoint played no role in the Florida election in 2000. 
Database Technologies (DBT) performed the legally-mandated review of 
Florida’s voter rolls prior to our acquisition in 2000. The process, a 
part of which included DBT, was created by the Florida legislature and 
implemented by state election officials. DBT was hired to create an 
overly inclusive list of potential voter exceptions based on criteria 
established by the Secretary of State, which DBT told the state might 
create false positives. County election supervisors – not DBT – were 
solely responsible for verifying the eligibility to vote of any voter 
identified by DBT on the exceptions list. In particular, county election 
supervisors – not DBT – were solely responsible for the decision to 
remove any voter from the rolls.

While we will discuss this matter with the FTC directly, we remain ready 
to meet with you and others on your staff to discuss your concerns about 
our company or our industry.


Doug Curling

cc: Federal Trade Commission


1 The Gramm-Leach-Bliley Act (15 U.S.C. §§6801 – 6809), the Driver’s 
Privacy Protection Act (18 U.S.C. §2721 et seq.), various public records 
laws and court rules and procedures, and Direct Marketing Association 
guidelines apply to different products and services.

2 The Public Records Group provides AutoTrackXP and supports a 
substantial portion of our non-FCRA information product offerings.

3 http://www.choicetrust.com

4 http://www.knowx.com

5 The FCRA applies to information that relates to a consumer’s “credit 
worthiness, credit standing, credit capacity, character, general 
reputation, personal characteristics, or mode of living” only when that 
information is used or expected to be used as a factor in establishing 
the consumer’s eligibility for insurance, credit, employment, or other 
specific, enumerated purposes. (15 U.S.C. §1681a(d))

Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)

This archive was generated by hypermail 2.1.3 : Mon Jan 10 2005 - 22:16:40 PST