The Evaporation of Privacy

Have you ever read those inserts that your bank, credit card providers, insurance company, mutual fund company, and others slip inside your statements and bills? We all get them. You know, those flimsy pieces of paper, printed in small type and written in convoluted English. I have started collecting them - sort of like baseball cards. But I doubt they'll ever be valuable. They are entertaining, though ... and disheartening.

Most of us just glance at these things to make sure they "are not important" and then just toss them in the trash. But you really should read them. There are all sorts of interesting things written on those little pieces of paper - and some companies are a lot better than others in terms of what their privacy policy promises.

One thing you'll see in just about every one of these little is the phrase " ... unless otherwise permitted by law." So, basically they are telling us this: "We'll do what we say here unless we can find some law that allows us not to." Oh great! I guess we all have to read every law on the books before we can trust this policy. I'd feel a lot better if the document had the phrase "...unless otherwise forbidden by law" in it. That way we could (hopefully) feel confident trusting the policy to be as strong as what is actually written there, if not more so. As it is, we should feel confident that the policy is not anywhere near as strong as what is actually written there until it is proven otherwise. I guess I'm a pessimist, but I think I'm actually more of a realist with the sad state of data security and protection these days.

Hopefully the above statement refers to the more useful and explicit information found in another privacy policy: "For example, federal law permits us to share information about you with consumer reporting agencies, service providers and financial institutions with which we have joint marketing agreements." At least this company tries to explain their intentions instead of just appending " ... unless otherwise permitted by law" all over the place.

Here is another line that I despise from a different privacy policy: "When required by law, we will ask your permission before we share your information for this type of marketing." The type of marketing referenced here is with "nonaffiliated service providers and joint marketing programs." So, this policy is basically saying that this company will take your information and share it with anyone they want unless the law forbids it. Oh, it does say that they require the folks they share the data with to "keep our investor information confidential and secure and to use it only as authorized by us." But I wonder how strict this requirement is? And, what is the stated privacy policy of these partners?

Here is another "classic" taken verbatim right out of the privacy policy of a large bank: "Even if you do tell us not to share, we may share other types of information within our family." So, why would I even waste my time to try to stop you? If this company were honest they would change the name of this policy to the "lack of privacy policy," because that is what it is. A better privacy policy would protect their customer's information much better. If there are specific things that will always be shared these should be explicitly stated and referenced. And it should be clear what is meant.

It is interesting to compare the privacy policies for the same company as (if) they change each year. One trend seems to be the addition of "chief privacy officers." This could be a good trend. But I bet the chief privacy officer is more concerned with furthering the interests of the company s/he works for than actually protecting the privacy of the company's customers. But maybe I'm being a pessimist again.

One trend seems to be clear, at least to me: Our privacy is evaporating. We should try to do as much as we can to stop that evaporation. So should the companies that we do business with. And so should data management professionals who deal with corporate data on a daily basis.