Ask Judy: Data Compliance Corner

Answers to all your data compliance questions

Judy Macior

Judy Macior is Vice President of Compliance for Experian Marketing Services’ Marketing Information Services. She has provided compliance thought leadership for more than 25 years. Currently, she is focusing on a variety of privacy and data governance topics. Ask Judy your next compliance question and visit her new Web page for compliance insights.

August 2012

Q: What approach can be employed to address potential consumer privacy issues when collecting and using “Big Data”?

A: We have all heard that data collection, particularly in the digital platform, is growing at an exponential rate. The use of the term “Big Data” is not new and has been used in reference to monetizing data as an asset. The processing of “Big Data” sets and creating a useable format, particularly in the analytics area, is a hot topic in the trade publications. Concerns have been raised from a privacy perspective when large amounts of disparate data is collected, and particularly, what considerations have been given to the consumer expectation, harm or benefit to the consumer, and whether the data collected is appropriate for the proposed use.

A thoughtful approach to privacy in this area is necessary and involves a consideration of your information values, following fair information practices, and following a process for data governance from collection through product development and data destruction. The process should take into consideration the laws, industry self regulation guidelines, a focus on the expectation of the consumer, and a balancing of the needs of the business against the benefit to consumers, all while maintaining consumer and client trust throughout the process.

Adopting information values creates a framework to assess data collection and product development efforts. We believe that information use must benefit both businesses and individuals, while meeting the privacy expectations of consumers. We apply the information values according to the laws, industry self regulation, customs and consumer expectations.

The values we have adopted at Experian are:

  • Balance - we evaluate each product/service to assure balance between the privacy expectations of the consumers and the economic benefit to both clients and consumers.
  • Accuracy – we acquire data from reputable sources and diligently work to maintain the accuracy of that information
  • Security – we use security systems to safeguard the information we maintain
  • Integrity – we comply with relevant self regulatory guidelines and laws, as well as applicable contractual restrictions
  • Communication – we are open about the types of information we maintain and work towards educating others about our businesses and values

We perform a proactive risk assessment called a Fair Information Values Assessment, whereby the opportunity is viewed in relationship to our stated values, and inquiry is made to assure we are following the letter and spirit of laws and self regulatory guidelines. We have a variety of subject matter experts take part in the assessment, and consensus is reached prior to launch. If risks are identified, they are mitigated before the opportunity continues. This process is flexible and can also be used in evaluating the collection of data as it encourages thoughtful review of basic concepts of fair information practices prior to moving forward at the data collection or product development/data use stage.

Special consideration should also be given to sensitive data such as financial data, health care data, children’s data, data regarding the elderly, etc. Adherence to basic principles of fairness and honoring the expectation of the consumer should be taken into consideration. Basic principles of fair data collection are also employed (i.e. that data collected for one use may not be appropriate for another use).

Enabling a transparent process helps to best protect consumers from harm, creates an atmosphere of trust, and ensures that if a large data set(s) or a combination of disparate sets are proffered to be used together, then the consequences of balancing the needs of and benefits to the consumer have been balanced against business goals, and the opportunity has been vetted with all stakeholders in mind.

May 2012 Archive

Q: Why can’t data collected for marketing purposes be used for credit decisioning or insurance underwriting?

A: There are several reasons why it is inappropriate to use marketing data obtained from third parties like Experian for credit decisioning and insurance underwriting. First, to do so would subject the marketing data to the requirements of the Fair Credit Reporting Act. The FCRA requires many notices and disclosures and would subject the data to various other requirements, including significant data security standards consumer disclosure and correction procedures. These requirements are typically not provided for marketing data.

Second, marketing data is generally collected for a marketing purpose and should be used only for a marketing purpose. When this data is initially collected directly from the consumer, the privacy policy and/or disclosures given to the consumer typically describe the purpose for which the data is collected. If it is collected for another purpose not disclosed to the consumer or is inconsistent with consumer expectations, the secondary use of the data could provide negative consequences to the marketer. If consumer expectations are not met, trust is eroded and it would be difficult to regain that trust and collect data from the consumer again. Also, if the marketer doesn’t “walk the talk” in its privacy policy, there may be consequences with regulatory authorities.

An additional concern is that data collected for one purpose, such as marketing, may not be appropriate or accurate for another purpose, such as underwriting or eligibility determinations.

Finally, the DMA guidelines for Ethical Business Practice state that marketing data should only be used for a marketing purpose. This applies to both marketers and data compilers. Insurance underwriting and credit decisioning are not part of the definition of marketing purposes. Also, the Digital Advertising Alliance recently expanded its self regulatory principles and prohibits use and collection for adverse action related to insurance, credit, health treatment or employment.

Of course, financial institutions, including banks and insurance companies, may rightfully use marketing data for market segmentation, data hygiene, solicitations, advertising, product development and similar purposes. Examples include Invitations to apply, modeling, research and targeted mailings. However, when banks and insurance companies need data for underwriting or credit decisioning, they can utilize data from the credit bureau if they have permissible purpose to do so.

April 2012 Archive

Q: Why does Experian require compliance with the Direct Marketing Association’s (DMA) self-regulatory guidelines in its contracts with clients?

A: The purpose of the DMA Guidelines for Ethical Business Practices is to establish acceptable principles of business conduct for marketers. These business best practices demonstrate our industry’s commitment to honoring consumer choice and doing the right thing. As a member of the DMA, Experian Marketing Services adheres to these guidelines and supports the principles and requirements of Article 36, which outlines the responsibilities of data compilers. This article requires compilers to include language in their written (or electronic) agreements that requires DMA-member customers to comply with applicable laws and DMA guidelines and strongly encourages non-DMA customers to comply with these guidelines.

In addition, data compilers are required to have a written contract defining the use and purpose of the marketing data and to review mail pieces with sensitive data elements. Experian Marketing Services also requires several other provisions in our contracts that mirror the requirements in the guidelines. These provisions ensure that data users have requisite information security controls in place, that users comply with all relevant laws and that marketing data is used only for marketing purposes. Specifically, we want to ensure that marketing data is not used for eligibility determinations.

Honoring these self-regulatory guidelines also demonstrates the industry’s ability to develop and enforce best practices, thereby eliminating the need for increased legislation and government regulation. The guidelines cover a diverse range of marketing practices, including telephone marketing, digital marketing, consumer choice (opt-out), sweepstakes, data collection, advance consent, fulfillment, terms of the offer, special offers and claims (including the promotion of “free” offers), marketing to children, fundraising and mobile marketing. For a complete list of the categories covered under these guidelines, I encourage you to visit the following link: DMA's Guidelines for Ethical Business Practice

This column includes general information and is not to be construed as legal advice. You should consult your own attorney for interpretation and matters related to the law.

Submit your questions to Judy

Would you like your question to be featured in next month's Ask Judy?  Submit your question below and it may be featured in next month's newsletter.

  • Submit Question
  • © 2014 Experian Information Solutions, Inc. All rights reserved.