How to hide privacy violations in a privacy disclosure statement, part 2


It seems that nearly every privacy statement somebody sends me doesn’t actually protect my privacy. They start out saying all sorts of great things, like

Company X is committed to maintaining the privacy of its customers.

After the section listing what information they collect, there’s the section describing who they will disclose it to.

We do not share non-public personal information with outside parties except as permitted by law…

Oh, gee, thanks. Your policy is not to do anything illegal. And you need a privacy statement for this?

Actually, it’s worse. The full sentence goes like this:

We do not share non-public personal information with outside parties except as permitted by law or as is necessary to service customer accounts.

Notice the “or” rather than the “and”. That means that they reserve the right to violate the law if it is necessary to provide service to a customer.

And then, if they haven’t already promised to protect nothing, they throw this in:

Additionally, except as prohibited by law, we may disclose non-public personal information to companies that perform marketing services on our behalf or to other institutions with whom we have joint marketing agreements.

Translation: We will sell your personal information to other companies for marketing purposes to the maximum extent permitted by law.

But that’s okay, because they restate their commitment to privacy in a final italicized paragraph.

Protecting the confidentiality of your non-public personal information remains a priority for us, and is one way in which we respond to the trust you have placed in our organization.

Because if you put it in italics, you really really mean it. Even if the other stuff contradicts it.

Comments (27)
  1. bins says:

    They use the term non-public instead of private – they must be subtly different in some way …

  2. Mark says:

    bins: yes, private would usually be stuff you haven’t shared with them, while non-public would include, say, emails.  I guess it’s because privacy is so variable these days.

  3. Mike says:

    Don’t forget the clause that states that they reserve the right to change the terms of the agreement at their sole discretion, without any notice.

    i.e. there is literally no commitment to privacy whatsoever.  Everything you’ve just read is a lie, and they will do anything they want to do and you have no recourse.

  4. someone else says:

    “Don’t forget the clause that states that they reserve the right to change the terms of the agreement at their sole discretion, without any notice.”

    Where I come from, this is illegal. A change of terms (of which the customer has to be notified) is grounds for premature termination of contract.

  5. peterchen says:

    I usually stop reading at the "committed to maintaining your privacy" – reminds me too much of a "please bend over" request.

    The "or" is a great find, though. So much power in this little word.

  6. mmh! says:

    > They use the term non-public instead of private – they must be subtly different in some way …

    Yikes of course. You can inherit non-public information but not private one! In this way information is.. duh.. protected. That, in any case, it’s always better than internal (ok. I’m stretching it too far).

  7. John says:

    http://privacy.microsoft.com/en-us/fullnotice.mspx

    Not quite as bad as the cookie cutter privacy policy described by Raymond, but there is still a hole as they have a provision to share the information with other companies.

    "Yeah.  Well, that sounds like a pretty good deal.  But I think I may have a better one.  How about I give you the finger … and you give me my privacy."

  8. J says:

    "but there is still a hole as they have a provision to share the information with other companies."

    John, a privacy statement is just disclosure of what a site does with your personal info.  There’s not a hole in that policy you linked to, because that would imply that the purpose of the privacy statement is to guarantee that the company won’t distribute your personal info.  That’s not the purpose at all.

    Raymond’s post is about disclosure agreements that attempt to hide that they’re going to distribute info about you.

  9. Brad says:

    But you neglect the fact that the OR in the English language is generally assumed to be and/or rather than XOR

  10. Whatever says:

    And if you read any medical provider’s HIPAA policy, you’ll find that you have absolutely no control whatsoever over the disposition of information about your own medical history.  None.  You can request that they not share it, but they don’t have to honor that request.  HIPAA bites.

  11. Andres says:

    @Brad: "But you neglect the fact that the OR in the English language is generally assumed to be and/or rather than XOR"

    What does that have to do with anything? He clearly used the term "reserve the right", meaning that they have the option, just as your "and/or"…

  12. Bonzo says:

    There must be a term for this environment, where corporations and government have too much power, and the individual loses their rights.

  13. MadQ says:

    Sorry, Raymond, I can’t resist the urge to go even more off-topic.

    @Whatever: HIPAA is not at all what it was intended to be when the person who first started working on it (and who is a customer of mine) over 20 years ago. But HIPAA had to be backwards-compatible, and it’s a step in the right direction. Pre-HIPAA privacy was practically non-existent.

  14. Kyralessa says:

    "We do not share non-public personal information with outside parties except as permitted by law…"

    That’s my favorite part.  We’re so used to the phrase "required by law" that it’s easy to overlook that they’ve subtly changed it to *permitted* instead.

  15. Worf says:

    And people wonder why the only thing companies get from me are my address, name, and credit card number. Anything else not related to the transaction is made up. Ages, etc.

    And if you’re not doing business with me, you don’t even get my real name. If you’re special, you’ll get my hotmail account. If not, you’ll get an email address I can track who you sell to.

  16. Bobby says:

    "And people wonder why the only thing companies get from me are my address, name, and credit card number."

    Well then, it’s a good thing that they can’t do anything bad with that info! Wait a minute…

  17. Wound says:

    Sounds like you Americans need something like our data protection act.

    http://en.wikipedia.org/wiki/Data_protection_act

  18. Maurits says:

    But you neglect the fact that the OR in the English language is generally assumed to be and/or rather than XOR

    Which would imply that Company X will NOT share non-public personal information with outside parties when it is BOTH permitted by law and is ALSO necessary to service customer accounts.  Only when it is one but not the other.

    I’ll buy that.

  19. Brian Tkatch says:

    Like I always say: you only need to advertise that which isn’t true.

  20. eff Five says:

    It sounds like a US financial institution is merely attempting to comply with the Gramm-Leach-Bliley Act.

    Taken from

    http://en.wikipedia.org/wiki/Gramm-Leach-Bliley_Act#Financial_Privacy_Rule

    Financial Privacy Rule (Subtitle A: Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. § 6801–6809) The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer’s right to opt-out of the information being shared with unaffiliated parties per the Fair Credit Reporting Act. Should the privacy policy change at any point in time, the consumer must be notified again for acceptance. Each time the privacy notice is reestablished, the consumer has the right to opt-out again. The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement. In summary, the financial privacy rule provides for a privacy policy agreement between the company and the consumer pertaining to the protection of the consumer’s personal nonpublic information.

    So Raymond, I’m imagining a world where you are running the compliance department of a Financial Institution. I’m now picturing those initial and annual disclosures I would see with pre-emptive snarky comments at the end.

  21. James Schend says:

    Andres: Not really, it’s pretty context-sensitive in English. But from my experience, "or" in English *usually* means exclusive-or the vast majority of the time.

    Take this example: "You can have bacon or sausage with your eggs." If you see that on a menu, and order both bacon and sausage, you’ll get a surcharge.

  22. Roger says:

    The data protection act can be worked around.  I worked for a staffing agency for a while.  The DPA only covers electronic records so if we needed to note something about an individual there was a book to write it down in, and then the electronic record just referenced the page number in the book.

    A while back I ordered memory from a prominent supplier.  Their terms and conditions stated that you agreed to any terms and conditions *anywhere* on their website, and that they could change them at any time.  There was also some nonsense about only being able to look at pages directly related to your transaction, and not using any form of automation.  I have no idea how they expected me to read every page on their website in case it contained more terms and conditions, nor how I was supposed to repeatedly poll them for changes.  Fortunately they changed them to be more sensible a few months later.

  23. tb says:

    If it’s on the internet, it’s not private. You can try to make it less public, but trying to ensure privacy online is like sailing a sinking ship.

  24. GWO says:

    "Roger: I worked for a staffing agency for a while.  The DPA only covers electronic records"

    I don’t know who told you that, but they are wrong.  The DPA covers anything held "on a computer or relevant filing system".  A book of notes indexed by a database is a relevant filing system.

  25. Another Roger says:

    Last month I went to MS’s Dreamspark site for students and was redirected to a trusted 3rd-party website to verify my student status. After selecting my school, it prompted me to enter my SSN. It had a note along the lines of: "Privacy Note: you are not actually providing your SSN to us. We encrypt and send it directly to your school’s verification system, and they already have your SSN."

    I didn’t complete the form, and guess what – this month, there’s a much better system in place that doesn’t require that.

    To all commenters: please include your bank account information in your comment. Don’t worry, you aren’t actually providing this data.

  26. Igor Levicki says:

    "and is one way in which we respond to the trust you have placed in our organization."

    This has been written by someone who is not thinking in English.
