Oct. 2003: PRC's Privacy Update Newsletter

In this issue . . .

[1] The National Do Not Call Registry is Now Up and Running

[2] Volunteer Background Checks: What Are the Rules?

[3] PRC and Privacy Activism File Suit Against JetBlue

[4] Senate Bill 1753 and Key Amendments Are the Last Hope to Preserve California Identity Theft and Financial Privacy Laws from Federal FCRA Preemption

[5] New California Law Mandates Disclosure of Black Boxes Installed in Cars

[1] The National Do Not Call Registry is Now Up and Running

Court rulings that postponed the Do Not Call Registry (DNC) are on appeal. Pending the outcome of the appeal, the Federal Trade Commission (FTC) has been authorized to launch the Registry.

Beginning October 10, telemarketers could again access the Registry and, within seven-days, scrub their lists of numbers that had been registered prior to August 31, 2003. So for consumers, the first day for the operation of the DNC Registry was Friday October 17th.

The FTC reports 53.7 million phone numbers listed on the Registry as of October 24, 2003. Nearly 28,000 telemarketing organizations have accessed the Registry. The FTC says it has already received 37,000 complaints against telemarketers who continue to call registrants.

It is not yet known whether telemarketers are blatantly violating the Registry or whether those calls are coming from exempted businesses. The complaints can be used by the FTC, states’ Attorneys General, and other law enforcement agencies against telemarketers who violate the Registry.

The PRC’s fact sheet 5 Telemarketing: How to Have a Quiet Evening at Home, explains the kinds of sales calls you may still receive even if you are on the Registry. This guide also gives examples of how marketers are using exemptions to contact consumers who are on the DNC Registry.

Telemarketing: How to Have a Quiet Evening at Home

The PRC is monitoring the ways in which telemarketers attempt to get around the DNC rules. If you receive a “junk” mail or e-mail solicitation asking for permission to call you, even if you are on the Registry, please feel free to notify us by completing our website inquiry form, www.privacyrights.org/qwertyuiopasdfghjkl.php, sending us a fax at (619) 298-5681, or by calling us at (619) 298-3396.

[2] Volunteer Background Checks: What Are the Rules?

Since the terrorist attacks of 9-11, many would-be and existing volunteers have complained to the PRC about being subject to background checks and even being prevented from volunteering. Our next fact sheet in the PRC’s background check series will focus on this issue.

Background checks performed on volunteers do not appear to be covered by the federal Fair Credit Reporting Act (FCRA) or by state laws. Instead, investigations on volunteers may be subject to a patchwork of laws and organizational policies that provide little or no protection for volunteers.

The PRC invites volunteers to share their experiences (good or bad) with us. We also welcome comments from any organization that has developed written procedures and policies for checking volunteers. Your documentation will help us develop a “best practices” guide.

We have identified the following issues as important to volunteers. We welcome your additional recommendations.

-- What kinds of volunteer positions require a background check?
-- What is included in the volunteer’s background check?
-- Who pays for the volunteer's background check?
-- Is a volunteer's written permission required before performing a background check?
-- Does a prospective volunteer have the right to dispute inaccuracies in a background check and to receive a copy of their report?
-- What, if any, steps are taken to safeguard the volunteer's background check report?

To provide feedback, see the web page for Fact Sheet 16(c): Background Checks for Volunteers: What Are the Rules? at:

[3] PRC and Privacy Activism File Suit Against JetBlue

JetBlue Airways released personal information of over a million of its customers without their consent to a third party, Torch Concepts. As part of an apparent federal government-funded demonstration project, Torch Concepts allegedly merged 40% of the data with records from Acxiom, one of the country's largest data-aggregation companies. Personal information included consumer’s income, occupation, vehicle ownership information, number of children, and Social Security numbers.

A recent Oakland Tribune article by Sean Holstege, reported that the Computer Assisted Passenger Pre-Screening System (CAPPS II), a terrorist screening system “would color-code air travelers based on a computer assessment of who they are and their risk of being terrorists.” It is speculated that the JetBlue data may have been used to develop a feasibility study of passenger-profiling systems such as the CAPPS II.

The PRC and San Francisco-based Privacy Activism filed suit in San Diego Superior Court, on behalf of the general public, against JetBlue Airways, Torch Concepts, and the defense contractor who operated the study, Newport Beach-based SRS Technologies. The case alleges that JetBlue violated several state laws and its own privacy policy, which clearly stated that the company does not share customer data with third parties. The PRC’s suit is one of over a dozen filed against JetBlue and third parties.

To read the complaint in its entirety, go to www.privacyrights.org/ar/jetbluecase.htm

For additional information, visit the web site of the “Practical Nomad,” Edward Hasbrouck: www.hasbrouck.org

[4] Senate Bill 1753 and Key Amendments Are the Last Hope to Preserve California Identity Theft and Financial Privacy Laws from Federal FCRA Preemption

Currently states’ abilities to pass laws stronger than the federal Fair Credit Reporting Act (FCRA) are limited by seven key FCRA provisions. These sections are scheduled to expire January 1, 2004.

With intense lobbying and sizable campaign contributions from the financial services industry, Congress now appears poised to extend federal preemption and permanently prohibit state laws that give consumers greater protection of their financial privacy. Also at risk is the ability of states to provide greater protection for identity theft victims.

Legislation to update the FCRA recently passed the House of Representatives (HR2622). The Senate version of the new law (S1753) slated for debate early next week has somewhat stronger consumer protection provisions. However, the Senate Bill still prevents states from passing stronger laws in some key areas. California Senators Boxer and Feinstein have introduced an amendment to protect California’s new financial privacy law (SB 1) that gives individuals the opportunity to block sharing of financial information among corporate affiliates.

Congress must act by December 31, 2003.

At this point S1753 and the proposed amendments by California Senators are the only impediments to gutting many of the laws in California and other states that do more than federal law to protect consumers.

It’s not too late to let Congress know how you feel about these bills. Visit the Consumers Union website to learn more about this issue and to send a message to Congress:

[5] New California Law Mandates Disclosure of Black Boxes Installed in Cars

Most consumers are unaware that their cars are equipped with a “black box” similar to flight data recorders that can capture performance data in the event of a crash. A new California law (AB 213) requires auto makers and dealers to disclose in the vehicle owner’s manual or lease agreement if the car is equipped with a recording device such as an “event data recorder” (EDR) or “sensing and diagnostic module” (SDM). This is thought to be the first such law in the U.S. It was co-authored by California Assemblymember Tim Leslie (R ) and Senator Debra Bowen (D).

According to a recent USA Today report, “black boxes” are currently installed in 40 million cars in the U.S. Surveys indicate most motorists don't know about black boxes, although use is on the rise.

The devices are often used for retrieving data after an accident and may include:
-- Vehicle velocity
-- Driver’s seatbelt status
-- Steering performance
-- Brake performance, including whether brakes were applied before an accident
-- Airbag performance.

The notification applies to motor vehicles manufactured on or after July 1, 2004. Information contained in the device can only be accessed with the owner’s permission, with a search warrant, or in other limited circumstances.

It can be argued that the data collected from EDRs has public safety value in the aftermath of vehicle crashes. But uses of such technologies do not stand still. Expanded applications raise a host of privacy implications: Should insurance companies be able to access EDR data to determine if you are a careful driver and assess the cost of your policy accordingly? Can traffic officers attach a jack to your EDR to determine if you were speeding? Should parents be able to use the data to monitor their teens’ driving habits?

AB 213 requires that consumers be informed of the presence of black boxes in vehicles they purchase, and mandates the owner’s consent for the data to be released to others, with some exceptions. These are important steps to protecting driver privacy.

To read the law in its entirety (you may need to cut and paste this address), go to:

  To subscribe to our free email newsletter, go to www.privacyrights.org/subscribe.htm