Another privacy policy that isn’t very private

Today I read the privacy policy for Nuveen Investment Advisors. I like this part:

We do not disclose any nonpublic personal information about you to anyone, except as permitted by law.

"Except as permitted by law". How reassuring. Is it really necessary to have an official policy promising that you won't break the law? And actually stating that they promise to follow the law on this specific issue raises the question, "So are they willing to break the law with regard to other issues?"

This sentence basically means, "We reserve the right to disclose nonpublic personal information about you to the fullest extent permitted by law."

In particular, later in that paragraph, it states that

... we may disclose the information we collect, as described above, to companies that perform administrative or marketing services on our behalf...

In other words, "We may disclose nonpublic information about you to people who will try to sell you stuff."

All the regulations about privacy disclosure statements haven't actually secured anybody's privacy, since the regulations only require disclosure; they don't require that the companies actually do anything to protect your privacy.

Comments (6)
  1. mike says:

    Are these statements also part of an opt-out policy? IOW, after reading these "we’ll only share your info with everyone" clauses, you can jump through various high and flaming hoops in order to request that they do not "protect" your "privacy" as indicated?

  2. Raymond Chen says:

    There is no way to opt out. These are just "This is the way it is. If you don’t like it, feel free to close your account." I just found another privacy statement for yet another company but it’s basically the same as the one above: "We will disclose your information to anybody we want."

  3. Henk Devos says:

    I wonder if they are aware of the laws in Europe?

    For any European citizens, they are not allowed to keep any information in a database without the user’s permission. The user has to be able to see what information is stored in the database and change it if desired. The user has the right to request that data is removed from the database. They are not allowed by law to share any of this information without the user’s explicit permission.

    A very strange exception is email addresses, which are not considered personal information. Europe does allow spamming with similar regulations as the US: You have to be able to opt-out. But most spamming companies don’t follow this regulation too seriously either. Many spam emails still have no opt-out possibilities, and I recently noticed a spammer (sending me the same email about 10 times per day on average) is requesting up to 72 hours to opt out, but changes web sites every few days. This means: By the time the opt-out is in effect, they have changed to a new url and you have to opt out again.

  4. njkayaker says:

    There may be a bit more weaseling going on with "permitted by law".

    I suspect that they want readers to see "except as required by law" (note the meaningful "required" as opposed to the meaningless "permitted").
