THE AMERICAN EXPRESS CUSTOMER PRIVACY PRINCIPLES:
1. Collect only customer information that is needed to administer customer accounts, provide customer services, offer new products and services, and fulfill any legal and regulatory requirements. Tell your customers about the general uses of the information you collect about them, and be willing to provide additional explanation if the customer requests it.
2. Give customers choices about how their data will be used. Upon becoming a Cardmember and thereafter on a regular basis, give customers the option to decide whether or not they wish to have their names removed from lists used for mail, telephone, and online marketing.
3. Ensure information quality. Ensure that customer data is processed promptly, accurately, and completely. Require high standards of quality from consumer reporting agencies and others who provide information about prospective customers.
4. Use information security safeguards. Limit access to customer data to those who specifically need it to conduct their business responsibilities and use security techniques designed to protect customer data.
5. Limit the release of customer information. In addition to providing customers with the opportunity to "opt-out" of marketing offers, release information only with the customer's consent or request, or when required to do so by law or other regulatory authority. When a court order or subpoena requires release of customer information, notify the customer promptly to give the customer an opportunity to exercise his or her legal rights. The only exceptions are when an Issuer is prohibited by a court order or law from notifying the customer, or cases in which fraud and/or criminal activity is suspected.
6. Be responsive to customers' requests for explanations. If an Issuer denies an application for services or ends a customer's relationship, to the extent permitted by applicable law, provide an explanation. State the reasons for the action taken and the information upon which the decision was based, unless the issue involves potential criminal activity.
7. Extend these customer privacy principles to business relationships. Require that companies selected as business partners and third-party vendor(s) abide by these privacy principles in the handling of customer information.
8. Hold employees responsible for complying with these privacy principles. Conduct training and communication programs to educate employees about the meaning and requirements of these customer privacy principles, and audit compliance.