February 14, 2002
Protecting the privacy and security of personally identifiable information is a critical national and international concern, and a matter of high priority at Disney. As one of the most trusted names in American business, it is vital to us at Disney that our guests and customers know that we are concerned about the privacy of the information they give us and that we will treat their information appropriately.
As a result, we are developing our own Statement of Privacy Principles, which are largely similar to those set forth in the Privacy Act of 2001 and which will apply to both our online and offline activities. Because our primary business is not healthcare or finance, my comments today, however, are restricted to the matters addressed in Title I of the proposed statute, and our suggestion that a provision relating to the security of consumer data be added to Title I of the statute.
With respect to the matter of notice, we support the principle found in Section 101(b) that adequate notice requires a disclosure of the type of information being sought, the purposes for which the information will be used and with whom, if anyone, the information may be shared. We agree, of course, that, to be meaningful, any notice must be clear and understandable to the consumer, and must be given prior to any marketing use or sharing of the consumer's data.
With respect to the matter of choice, a substantial argument can be made that consumers should affirmatively give permission for any use of personally identifiable information (that is, a so-called "opt-in" consent). Nonetheless, we believe the Bill draws a reasonable distinction between general information, and matters such as social security numbers and information held by financial institutions and health care providers. These latter types of information are so sensitive that appropriate protection of personal privacy requires that the individual providing the information affirmatively express a willingness to have the information disclosed to others. Although there may well be other categories of information that also deserve this special type of protection, the same degree of sensitivity is generally not present in the information sought in a typical commercial transaction and hence an opt-out provision may be sufficient.
Because we believe our guests should have the right to opt out of receiving marketing materials from Disney, as well as having us not share their information with third parties, our Privacy Principles will provide multiple choices for our guests. Thus, a guest may elect to receive marketing or other information from Disney, but opt out of our sharing any of the guest's data with third parties. Or, the guest may simply opt not to receive any marketing information at all from Disney and our related companies.
In this regard, let me now voice some concern about the scope of Section 101(a) of the Act. There, the Act proposes to limit its coverage to: (1) disclosure of personally identifiable information to nonaffiliated third parties for marketing purposes; and, (2) sale of such information to nonaffiliated third parties. In keeping with our view of consumer privacy, we believe this subsection should be modified to extend the Act's purview to all commercial sharing of personally identifiable information with nonaffiliated third parties. In turn, the exception provided by Subsection (a)(2) should be broadened to track, in appropriately modified form, the exceptions provided by Section 502 of the Gramm-Leach-Bliley Act.
In this manner, consumers would be protected against all improper and unauthorized disclosure of their personal information to nonaffiliated third parties. At the same time, non-financial businesses would have the same flexibility that financial institutions enjoy to disclose information for legitimate purposes, such as to prevent fraudulent transactions, comply with governmental regulatory requirements, and outsource marketing and fulfillment functions to entities that are contractually obligated to respect the confidentiality of their customers' data.
Turning to the matter of security, we at Disney believe that the privacy of personal information is only as strong as the security measures that protect that information. We therefore suggest adding to the Bill a requirement that entities that collect consumers' personal information maintain reasonable security measures to safeguard the confidentiality of that information. Of course, for general consumer information, such as that covered by Title I of this legislation, those security measures need not be as elaborate as the measures that apply to the sensitive data held by financial institutions and health care providers.
Perhaps the most important provision of this measure is Section 105, which provides for preemption of state common and statutory law. Broad federal preemption is critical to this or any similar legislation. As we all know, the Internet has shrunken our world further than we could ever have imagined. As a result, information given in one jurisdiction can appear in another in a nanosecond. While the international implications of this fact are themselves daunting, the prospect of the several States acting to address these issues in varying and perhaps conflicting ways is horrifying.
One of the great strengths of our country lies in the integration of our national economy under federal control over interstate commerce. Without broad federal preemption in this area, the inevitable patchwork of state laws will present a formidable barrier to commerce and will, in essence, cede what should be a federal mandate to the parochial interests of the various States. American business simply cannot operate efficiently under a myriad of conflicting rules governing national economic activity. Thus, it is vital that, at least for the United States, there be a single set of rules on this subject mandated through federal legislation and preemption.
In closing, we at The Walt Disney Company congratulate Senator Feinstein on the Bill's approach to balancing the need for governmental regulation with responsible private action through FTC-approved Safe Harbor programs. Indeed, as I mentioned at the outset, we soon will be backing our commitment to our guests' privacy with the adoption of our own voluntary Privacy Principles.
Thank you. I would be pleased to answer any questions the sub-committee may have.