DBAzine.com

Data Privacy Policies

Have you ever read those inserts that your bank, your credit cards, your insurance company, your mutual fund company, and others slip inside your statements and bills?
We all get them. Those inserts in our bills and financial statements printed in small type and written in convoluted English. I have started collecting them – sort of like baseball cards. But I doubt they’ll ever be valuable. They are entertaining, though. And disheartening.

You really should read them. There are all sorts of interesting language written on those little pieces of paper – and some companies are a lot better than others in terms of what their privacy policy promises.

One thing you’ll see in just about every one of these little documents is the phrase “…unless otherwise permitted by law.” So, basically they are telling us this: “We’ll do what we say here unless we can find some law that allows us not to.” Oh great! I guess we all have to read every law on the books before we can trust this policy. I’d feel a lot better if the document had the phrase “…unless otherwise forbidden by law” in it. That way we could (hopefully) feel confident trusting the policy to be as strong as what is actually written there, if not more so. As it is, we should feel confident that the policy is not anywhere near as strong as what is actually written there until it is proven otherwise. I guess I’m a pessimist, but I think I’m actually more of a realist with the sad state of data security and protection these days.

Hopefully the above statement refers to the more useful and explicit information found in another privacy policy: “For example, federal law permits us to share information about you with consumer reporting agencies, service providers and financial institutions with which we have joint marketing agreements.” At least this company tries to explain their intentions instead of just appending “…unless otherwise permitted by law” all over the place.

Here is another line that I despise from a different privacy policy: “When required by law, we will ask your permission before we share your information for this type of marketing.” The type of marketing referenced here is with “nonaffiliated service providers and joint marketing programs.” So, this policy is basically saying that this company will take your information and share it with anyone they want unless the law forbids it. Oh, it does say that they require the folks they share the data with to “keep our investor information confidential and secure and to use it only as authorized by us.” But I wonder how strict this requirement is? And what is the stated privacy policy of these partners?

Here is a classic taken verbatim right out of the privacy policy of a large bank: “Even if you do tell us not to share, we may share other types of information within our family.” So, why would I even waste my time to try to stop you? If this company were honest they would change the name of this policy to the “lack of privacy policy,” because that is what it is.

A better privacy policy would do much more to protect customers’ information. If there are specific things that will always be shared, these should be explicitly stated and referenced. And it should be clear what is meant.

It is interesting to compare the privacy policies for the same company as (if) they change each year. One trend seems to be the addition of Chief Privacy Officers. This could be a good trend. But I bet the Chief Privacy Officer is more concerned with furthering the interests of the company s/he works for than actually protecting the privacy of the company’s customers. But maybe I’m being a pessimist again.

Our privacy is evaporating. We should try to do as much as we can to stop that evaporation. So should the companies that we do business with. And so should DBAs and data management professionals who deal with corporate data on a daily basis.

© 2006, Mullins Consulting, Inc.

Saturday, March 04, 2006

Even Uncle Sam Not Trusted With Data Privacy

Posted by cmullins at 2006-03-09 01:42 PM
Just a quick note to post this blurb from USA Today, March 6, 2006:

"Most Americans don't trust the government to protect their personal information, says a new survey by research group Ponemon Institute. On average, 46% of people surveyed trust U.S. agencies to guard their data, down from 52% two years ago."

The illusion of data privacy just continues to disappear!

RE: Company Policies?

Posted by howardfci at 2006-03-10 08:32 PM
I'd be very interested to know what percentage of DBA readers' companies secure their data and how they do it. Perhaps DBAZine could hold one of their Polls on this topic?

For example, how many companies keep their customers' personal data (financial, medical, whatever) encrypted?

How many companies have policies against keeping query results with such data unencrypted on portable laptops?

How many companies spend the time required to actually manage user ids to sensitive databases (for example, actually deleting old user ids when they are obsolete)?

I've seen a significant shift towards these more secure practices over the past year (given all the attention data theft now receives in the press).

But I also still run into firms that do not even do the minimum to protect personal data. My favorite example is one place I worked at as a contractor -- they kept the request forms for new "user ids" in unencrypted form on the LAN, accessible to everyone on the floor! It took months for me to convince them to delete my SSN off their open database.