
APPENDIXES

APPENDIX 1.-CITICORP POS INFORMATION SERVICES RESPONSES TO ADDITIONAL QUESTIONS


I wish to thank you for the invitation to appear before your Subcommittee at its May
16 hearing on data protection, computers and changing information practices. I
appreciated the opportunity to testify on the steps being taken by Citicorp POS
Information Services, Inc. ("Citicorp POS") to respect and safeguard consumer
privacy in our point-of-sale information activities. I found the hearing to be most
interesting and informative and wish to compliment you for the even-handed
manner in which you conducted the meeting which enabled the differing points of
view to receive a full and fair hearing.

Subsequent to the meeting, you asked that Citicorp POS respond to certain
additional questions which were unable to be considered at the hearing. Set forth
below are Citicorp POS's responses to these questions.

Question 1: Does Citicorp have concerns that data protection restrictions overseas could affect the way in which its business is conducted? Is the U.S. Government doing everything that it could in the data protection area to protect the interests of American companies doing business abroad? Any examples of actual problems that have developed or of potential problems that could develop in the next few years would be especially valuable.

Answer: Data protection proposals in Europe, Japan and other countries could have a material effect on private companies like Citibank/Citicorp. Such data protection measures may impede trade in services across national boundaries and make business operations more difficult and expensive. Nevertheless, the private sector currently plays an important role in providing expertise on U.S. data protection developments. We have established good working relations with data protection authorities in Europe and elsewhere which should help in formulating provisions that are fair to all parties.

There are a variety of U.S. Government agencies, departments and
offices in existence that are capable of performing useful data
protection functions and some of these could represent U.S.
interests abroad. Perhaps what is needed is the establishment of
direct, ongoing responsibility within the State Department, the
office of the U.S. Trade Representative, NTIA or other organizations
for: monitoring international data protection developments; the
advocacy of U.S. data protection policy; preparation of a U.S.
position dealing with EC protective measures based on data
protection "equivalency" issues; and the establishment of a contact
point for foreign inquiries to the U.S. Government.

Some examples of potential problems are:

The European Commission has made it clear that nations may impose restrictions on use and interconnection of telecommunications services and facilities if those restrictions legitimately flow from bona fide data privacy concerns. This allowance is tolerated even under EC market opening initiatives.

The Council of Europe has promulgated a data protection Convention which allows the COE member states to "prohibit or subject to special authorization transborder flows of personal data" going to another country if the regulations of that country fail to provide "equivalent" data protection. Similar rights are accorded if the data would transit a country with regulation failing to provide "equivalent" data protection. Denmark, France, Germany, Luxembourg, Spain and the UK have so far ratified into law the COE Convention. However, Italy, Greece and Portugal have no data protection laws.

Question 2: Could you clarify the respective rights of Citicorp and participating supermarkets over possession and use of identifiable consumer information generated by "frequent buyer" programs? What information can the supermarkets maintain and use and what information can Citicorp maintain and use?

Answer: Under our existing agreements with retailers, Citicorp POS is the owner of the identifiable consumer information and has the sole right to use such information commercially. Citicorp will, on request, make purchase behavior information about a retailer's customers available to a retailer in order to enable the retailer to communicate with its own customers about in-store promotions and other matters of interest to them, but not for any other purpose. The retailer is prohibited from making this information available to third parties. Generally, Citicorp POS agrees not to disclose information concerning one retailer's customers to another retailer.

Question 3: You testified that Citicorp will not release purchase information that might be detrimental to consumers. Could you provide some examples of what type of purchase information would be withheld under this standard?

Answer: When we say that Citicorp POS will not release purchase information that might be detrimental to consumers we mean that we carefully consider the potential impact on consumers of a proposed use of the data before we authorize the use. By way of example, Citicorp POS would not make its database available to a life insurance company for the purpose of excluding smokers from an offer nor would we make our database available to a cigarette manufacturer for the purpose of distributing discount coupons to non-smokers.

Question 4: You testified that Citicorp does not respond to requests for information about specific individuals without their consent or a court order.

4a: Do the supermarkets that collect the information operate under the same policy?

Answer: Information on consumer purchases, while collected electronically through the supermarket cash register, is transferred nightly over phone lines to Citicorp POS where it is entered into Citicorp's main frame computers. The supermarket does not have the information to provide. It can only obtain the information from Citicorp POS for use in marketing to, or otherwise communicating with, its own customers. If a supermarket were to request that Citicorp POS provide information so that the supermarket could provide it to a third party we would not supply it since it would run counter to our policy not to provide such information absent the consumer's consent or a court order.

Question 4b: How would you advise a supermarket to respond in the following hypothetical situation? Suppose that a woman is abducted from a supermarket parking lot. She tells the police that there was a supermarket bag in the car with a loaf of bread, bottle of milk, and can of baked beans. The police ask the supermarket manager for a list of everyone who purchased those items.

Answer: As mentioned in response to the previous question, the supermarket does not have this information on hand and Citicorp POS would not provide the information to the supermarket to provide to a third party. If the request were made directly to Citicorp POS, we would not provide the information absent an appropriate court order or other legal process.

Also, Citicorp POS might well not have in its database information as to who bought those items on the day in question. We are continually assessing our database to determine the precise level at which we should maintain data. We are considering compressing the data to a level other than individual transactions. Were we to so compress our data we may not, for example, be able to identify the specific day of the week on which any individual bought the items in question or the specific form (e.g. a can) of the item which the consumer bought.

Question 4c: If a court order is received for a copy of the identifiable records of a specific consumer, will Citicorp and/or participating supermarkets notify the consumer of the court order in order to allow the consumer to contest the order?

Answer: As a general rule, Citicorp POS would notify the consumer that a court order to review the consumer's file had been received. However, we would evaluate the facts of each situation to determine if special circumstances exist which might cause us to deviate from our general policy.

Question 5: The Video Privacy Protection Act (Public Law 100-618) provides that personally identifiable records of video rentals and sales be destroyed as soon as practicable, but not later than one year from the date when the information is no longer necessary.

5a: Does Citicorp have a policy about the destruction of personally identifiable records generated through the supermarket program?

Answer: At present, Citicorp POS does not have a set policy which calls for destruction of data after a given date. We are interested in storing only the data we need. As we gain greater knowledge of the depth of information needed by our customers to make informed marketing decisions, we will be in a better position to establish a data destruction policy.


During the question and answer period following the formal presentation, you asked that I supply the Subcommittee with a sample of the form of program application currently being used by Citicorp POS. I am enclosing for the Subcommittee's use a dozen copies of the type of application being used in connection with our Reward America program. You will note that on the inside page of the application consumers are advised that their purchases will be automatically recorded and that they will be receiving offers and information from the retailer and third parties based on their purchases. Consumers are also given the option not to have their purchase information disclosed by merely checking the box at the bottom of the application.

I hope the foregoing will be of assistance to the Subcommittee. Should you have any further questions, please feel free to contact us.

Sincerely yours,

Gerald Saltzgaber
