PRC's Privacy Update No. 2, Iss. 4

Send to PrinterSend to Printer

Copyright © 2004-2015
Privacy Rights Clearinghouse
Posted June 25, 2004

In this issue . . .

[1] With a Wireless 411 Directory Looming, Federal and State Lawmakers Take Action to Ensure Cell Number Privacy

[2] Calfornia’s Online Privacy Protection Act Requires Internet Merchants to Post a Privacy Policy, Goes into Effect July 1

[3] Beth Givens’ Presentation at the National Association for Information Destruction -- “The Saga of Shredding in the US”

[4] RFID and Privacy: Beth Givens’ Testimony to FTC’s RFID Workshop and Interview on California Connected’s “Imagining the Future: RFID and Privacy”

[5] “Credit Reports and Credit Scores: How the System Really Works and What You Can Do” -- New Book by Evan Hendricks of Privacy Times

[6] A PRC Success Story -- Increasing the Privacy Awareness of

[1] With a Wireless 411 Directory Looming, Federal and State Lawmakers Take Action to Ensure Cell Number Privacy

With the constant onslaught of spam email, “junk” mail, and telemarketing calls, is it any wonder that consumers are skeptical about the privacy of their cell phone numbers now that the wireless industry is developing a wireless 411 directory?

Slated for the end of this year or early next year, the wireless industry states that the directory will only list those who give their express consent to be listed. They say customers who do not want to be listed, will not be charged to protect their privacy. However, self-regulation, which depends on compliance with voluntary industry standards, can be problematic. For instance, voluntary guidelines can be changed or weakened at a later date. And privacy transgressions may go without penalty or disclosure to regulators or the public. What’s worse, all cell phone contracts contain mandatory arbitration clauses, waiving the rights of cell customers to file civil cases or participate in a class action suit.

Some federal legislators and California State legislators are also concerned about an industry-run wireless directory.

Federal legislation (HR 3558, S 1963, S 1973) called the Wireless 411 Privacy Act, if enacted, would create an opt-in mechanism, requiring a cell phone customer’s express consent -- before the directory is launched-- for their number to be included. However, those who establish cell phone accounts after the directory is underway would only be provided with an opt-out mechanism. This means new cell phone customers’ numbers would be included in the directory until they asked that their information be removed-- if the Act is passed. The Act also ensures that those who do not want to be listed, do not pay an extra fee-- unlike traditional landline customers-- who pay a fee if they do not want to be listed or published in the white pages or directory assistance. For more information about the Wireless 411 Privacy Act, see:

California Assemblywoman Sarah Reyes introduced similar legislation. AB 1733 would require all customers, regardless of when their cell phone service is established, to be required to provide express consent (opt-in). The PRC supports an opt-in approach regardless of when an individual gets a cell phone.

The text of the bill is available at:

Several California consumer organizations including the PRC are working with the author to include language so that those who do not want to be listed will not pay an additional monthly fee for privacy.

For more information about the PRC’s concerns about an industry-run wireless directory and the opt-out provisions of federal legislation, see

TAKE ACTION: Consumers Union is also concerned about your wireless phone number being included in a directory without permission. You can use their online form to contact your Congressional representatives to express your views at

[2] Calfornia’s Online Privacy Protection Act Requires Internet Merchants to Post a Privacy Policy, Goes into Effect July 1

On July 1, 2004 a California law called the Online Privacy Protection Act goes into effect. It requires commercial web sites that gather personally identifiable information about Californians to have a privacy policy posted on their home page.

The Online Privacy Protection Act (CA Business and Professions Code 22575-22579) states that if a web site collects information such as your first and last name, mailing address, email address, phone number, or Social Security number for and is considered a commercial entity, the site most post a link to its privacy policy on its home page that includes the following:

--The categories of personal information that are collected.
--The categories of third parties with whom your personal information maybe shared.
--The ability for consumers to review the personal information the site has collected and the ability to remove it if allowed.
--The process by which the web site owner will notify consumers when the privacy policy is changed.
--The effective date of the policy.

The law also allows a web site 30 days to update or post its policy after being notified of noncompliance.

If you are a Californian and know of a site that is collecting personal information without having a privacy policy posted or that does not meet the criterion as of July 1, you can put the company on notice, giving them 30 days to either update or post their policy.

We have a form letter on our web site that you can tailor if you know of a site that is not complying with the new law at

To see the effectiveness of sending such a letter, see our success story at [6] below.

[3] Beth Givens’ Presentation at the National Association for Information Destruction -- “The Saga of Shredding in the US”

The National Association of Information Destruction (NAID -- is composed of companies that provide services such as document destruction and shredding. Proper disposal of documents and other media that contain personal information is a huge step in reducing the threat of identity theft.

PRC director Beth Givens was invited to speak at their recent conference and gave a presentation entitled “The Saga of Shredding in the U.S.: A Privacy Advocate’s Perspective.” Her presentation noted situations profiled in the media over the years where documents were not properly destroyed or shredded before being disposed of.

She also notes that, “The goal of every workplace today – and that includes businesses, government agencies, nonprofits, as well as households – should be to create a culture of confidentiality. From top to bottom, everyone in the organization must be aware of the necessity of safeguarding and effectively destroying records containing sensitive personal information – no matter what medium they are in, whether paper, computer hard drives, CD-ROMs, magnetic tape, microfiche, you name it.”

Givens’ speech is available at

[4] RFID and Privacy: Beth Givens’ Testimony to FTC’s RFID Workshop and Interview on California Connected’s “Imagining the Future: RFID and Privacy”

Called the next generation of bar codes, Radio Frequency Identification (RFID) is an item-tagging technology that is a small radio frequency-activated device containing a unique identification number. When near a radio frequency reader, the device emits a signal that is captured by the reading device and stored in a computer database. Typically, the data is sent to a distributed computing system involved in, perhaps, supply chain management or inventory control. But the tags also have potentially profound societal implications for consumer profiling and location tracking that could threaten privacy and civil liberties.

On June 21, 2004, PRC Director Beth Givens gave testimony to a workshop on Radio Frequency ID (RFID) tags hosted by the Federal Trade Commission (FTC).

Givens notes that “if the technology is implemented irresponsibly, we as a society could experience it not as a wonderful convenience with many social benefits, but as a tool for consumer profiling and tracking -- in other words, as one part of a larger surveillance infrastructure.”

Givens’ testimony also reiterates a call for a comprehensive multi-disciplinary "technology assessment" of RFID akin to the assessments conducted by the now-defunct Office of Technology Assessment, a Congressional office from 1972 to 1995. [To learn more about the OTA and its many technology assessments, visit the archives housed at the web site of Princeton University,]

Even though industry is moving full-speed ahead with RFID, the PRC believes that such an assessment is vitally important for the responsible implementation of this technology.

Givens’ testimony to the FTC is posted online at

Similarly, public television’s California Connected broadcast a panel discussion on Radio Frequency ID (RFID) technology with PRC Director Beth Givens, CA Senator Debra Bowen, Xeni Jardin, contributor to Wired News, and Mark Roberti of the RFID Journal. The video of the segment can be located on line, third from the bottom, at:

Beth Givens’ comments center around the massive databases that aggregate the data that is behind the tags and government’s push to bring RFID into the mainstream. Specifically, the Department of Defense (DOD) is currently requiring all vendors to implement RFID technology. As Givens notes, the DOD isn’t doing this just for keeping track of missiles, but for menial items like cases of drinking water that are delivered to various departments.

Givens notes that any deployment of RFID tags in the consumer marketplace needs to be done with openness so that individuals are aware of the practice, will know how information associated with a tag is stored and can be used, and are provided with a way to deactivate tags before leaving the store.

CA Senator Debra Bowen was included in the California Connected discussion because of her legislation (SB 1843) that attempts to give guidelines to the deployment of RFID technology, available at

Many of the concerns of privacy advocates are included in a position statement signed by over 40 privacy and civil liberties organizations worldwide available at

[5] “Credit Reports and Credit Scores: How the System Really Works and What You Can Do” -- New Book by Evan Hendricks of Privacy Times

Evan Hendricks of the Privacy Times ( recently printed a book entitled “Credit Reports and Credit Scores: How the System Really Works and What You Can Do.”

The publication runs the gamut on educating readers about the credit industry and credit scores. It provides information on the elements that are used to calculate the mysterious FICO credit score, how the credit industry works, and practical advice on how to get preferred interest rates by increasing your score.

With erroneous information on many consumers’ credit reports, the book walks you through ordering a copy of the report and how to dispute inaccurate information by requesting an investigation. This resource includes current information on the battle for financial privacy and updates to the Fair Credit Reporting Act (FCRA) that passed in December 2003.

And our favorite sections? This up-to-date primer on credit contains advice and case law for:
--Those whose credit report is checked by those who don’t have a permissible purpose,
--When auto dealers should check the credit of those who are taking a test drive or paying cash
--Determining damages when a credit bureau is stubborn about not correcting wrong information.

If you want to demystify the credit industry, really understand what your rights are, and get the best credit score possible, this book is a must.

All this and more is contained in the 359 page “consumer instruction manual.” For more information about the book or to place an order, see:

[6] A PRC Success Story -- Increasing the Privacy Awareness of the American Institute for Public Safety (AIPS)

Several months ago, the PRC was contacted by an Californian who was concerned that a web site operated by the American Institute for Public Safety (AIPS) asked for very personal information but did not have a privacy policy posted.

She had gone to the site as many others had, to find out if there was a traffic school in her area that she could sign up for because she had a driving citation. She was surprised to note that the site did not have a privacy policy posted but required personal information such as:
-- First, Middle, and Last Name
-- Gender
-- Mailing Address
-- Email Address
-- Day and Evening Phone Numbers
-- Birth Date
-- Driver's License Number
-- State that Issued License
-- Last Four Digits of your Social Security number
-- Citation Number

The PRC sent a letter to the board of the AIPS and their web master and got an immediate reply. Their General Manager and Chief Operating Officer stated that they had added a privacy statement to their web site in California and are in the process of adding them to the rest of their sites around the country. Sometimes, all you have to do is ask.



  To subscribe to our free email newsletter, go to

Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.


Sign In!