US law permits personal data to be used and distributed without the prior permission of the individual. Until this intentional loophole is remedied, it is necessary to "opt out" of businesses "sharing" your own information.

Such letters are not necessary in most other developed countries.

"Everyone has the right to respect for his private and family life, his home and his correspondence." - European Convention for the Protection of Human Rights and Fundamental Freedoms

This is lot of words, but the letter is easy. You write it (or copy it) once and re-use the same letter. If you're like most people, you have 5 or less credit cards, about 8-128 utilities and service companies and perhaps several business house accounts. That's very few letters.

Skip to the sample letter

Go to telecommunications privacy request letter (Link to a separate letter for privacy requests under the US Telecommunications Act 47 CFR § 222)

It is likely that some businesses have multiple categories for handling GLBA requests:

1. No Requests - They regard your personal data as theirs to do as they wish.

2. Standard Requests - telephone requests and requests using their forms

Some, but not all businesses cynically take a "limited compilance" (or non-complance) approach, meaning they may avoid some but not all "sharing" of personally-identifiable data.

This "limited compilance" approach is visible to customers who make a request only to find the request ignored. Difficult-to-understand privacy notices are another indication that the business has a "limited compilance" category.

The text, "We take privacy concerns seriously," coupled with a difficult-to-understand privacy notice is a strong indication that the business has a policy of disregarding privacy when they expect to get away with it.

3. Nonstandard Requests - This would include anything that doesn't fit into a pre-determined format, including letters and letters accompanying their forms.

They could read each of those, but they already know what's in them. The response is to limit "sharing" of personally-identifiable information in all cases where such "sharing" is subject to restriction.

Some businesses place all privacy requests in this category, but others "require" that you send in a letter before they will give you this level of respect.

4. People who actually sued or were successful in filing a complaint.

These people are typically treated like royalty!
Someone figured out that if someone made one complaint to a government agency, they are likely to do the same thing again if provoked. The business may even retaliate by not sending your personal information out to as many third party "partners", so you will miss out on a bunch of "free offers".

5. Special Circumstances

This would include people with protective orders, and similar legal requirements, not relevant here.

Skip to the sample letter

How to Determine if a Business Intends to Distribute Your Private Data

That one's easy -- they sent a Privacy Notice letter. A privacy notice letter is unnecessary if the entity does not intend to "share" the information.

This is not legal advice. That's why this is called The Telemarketing Scum Page. If you want legal advice, find a website which provides proper legal advice. One place to look would be a government agency website. If all you want are samples from a webpage of someone ranting, you're already at the right place.

Why This Isn't Legal Advice

It isn't possible to provide a "generic" privacy request. In addition, some of the requests may not entail legal requirements.

The requests in these forms may be unsupported. For example, a request to "be informed whenever information is provided to third parties" may not have direct legal support.

They may get away with a "mistake", but failure to correct the mistake demonstrates intent to violate the law.

I don't know if a "do not call" request is proper in a GLBA letter. Again, I leave this sort of thing to others to decide.

Some businesses request that their own form be used. I have no idea whether that's enforceable or even if they care; however I have noticed forms which do not include an option to "opt out" of sharing among affiliates. Sometimes I include the business' form with my letter; sometimes I don't.

There are other ambiguities I had not sorted out here. For example, I don't know when a business is permitted to "share" information among affiliates. But I don't care and ask that it not be "shared" anyway. I don't see why a business would object to complying with the request. (The GLBA has a loophole for this. The Fair Credit Reporting Act (FRCA) does have such provisions, and in most cases, the account with your data is a credit account, and transfer of your name from a credit account clearly indicates relevant credit information.)

So if I called it proper legal advice, I'd be misleading.

Okay, here's some legal advice

1. Keep relevant request data including given names of contacts somewhere. You may need it later in order to file an informal (or formal) complaint.
   
   
2. Don't drink and drive.
   
   
3. If you drink and drive, drive fast so you get home before you pass out.
   
   
4. If you drink and drive, drink Jack Daniels. The square bottles ain't gonna roll around on the floor of your truck and distract you, which could cause an unsafe condition.

---

Comments on the Wording

A number of businesses include the statement that they intend to share personal information. The generic letter opens with a reference to that language.

The "... to the extent ... permitted by law." is starting to disappear from privacy notices, probably as a result of GLBA request letters citing that language. Again, read the text and see what the business is stating.

A final request is to be, "informed whenever ... information is provided to third parties... ." - As mentioned above, it is not clear that a company has an obligation to provide this; however the situation may be quite different if the information is provided contrary to a valid privacy request. This reaches the company's obligation to remedy the wrong, and the intent of the company to violate the law. In other words, the combination of ignoring the request to be informed and ignoring the underlying GLBA request may show intent.

These requests should not create any burden on business whatsoever, unless data is normally used by them without prior approval of their customers.

Using the Forms

LOOK at what you are sending. HIPAA is only applicable to medical data (mostly pharmacuticals). There are several lines with blanks. If the lines are inapplicable, don't use them!

Electronic Media

Electronic media includes:

1. Internet Providers
2. Cellphone Providers
3. Cable Companies

A separate form includes provisions for privacy of data based on:

1. impressions (user views)
2. "click though" data (user responses)
3. demographics

Skill Level

This requires at least a 10th grade education level (or the equivalent) to complete. Actually if you've gotten this far, don't let the formal style put you off.

Time Required and What's Involved

You pretty much only have to write this once. I save mine as a form (glba_ltr.wpd), and save each one I write with the name of the business (glba_ltr-WeHateOurCustomers.wpd). That way, I don't even bother filing a paper copy, unless it's for a business I expect to file a complaint on later.

So the Time Required is about 30 minutes. Plus another 3-4 hours to attempt to read one of those notices (I'm exaggerating about the 3-4 hours, but you only need to read one of those notices.) Then you're talking 10 or 15 minutes per business, if you count posting the letter, etc.

Alternatively, there are "fill-in" forms at the bottom of this page.

OPENING PARAGRAPHS IN RESPONSE TO SPECIFIC PROBLEMS

I wish to withhold my consent to any use of my personal information except as necessary to service my account and meet my requests for goods or services.
      ~~~
I am in receipt of your form describing various options to "opt out" of disclosure of my personal information. I strongly object to the requirement to "opt out" of disclosure of personal information instead of being asked to expressly consent to such disclosure. In reading that form, I was also unable to determine how to decline my consent to any use of my personal information extending beyond use of the information for the purpose of servicing my account.
      ~~~
I was surprised to have received a GLBA "Privacy Notice" from your company because if someone doesn't intend to 'share' my information, the notice is never required. I wish the only time information is shared is if I specifically 'opt in' to have information shared.
      ~~~
I was surprised to have received a GLBA "Privacy Notice" from your company, because if someone doesn't intend to 'share' my information, the notice is never required.
      ~~~
Your privacy notice indicates that you take customer privacy concerns seriously. Naturally, I am concerned about that statement inserted into a GLBA Privacy Notice, because they are only required if a business intends to "share" personal information.
      ~~~
Your privacy notice states unambiguously that you may use my information "when permitted ... by law". I am naturally concerned about the implications of this very broad statement.
      ~~~
This is in response to a ______ I received from a company which identified itself in a way to indicate that they were somehow part of your company. I expect better business ethics than represented by that, but unfortunately that was not the case.
      ~~~
I had recently discovered that my ______________ had been carelessly provided to an outside company without my permission. It appears that they obtained this information from your company.
      ~~~
I had recently received correspondence from an outside company which said on the face of the envelope, "_______________". Obviously that company is under no obligation to basic business ethics. In addition, the nature of the correspondence indicates that particular company now has my personal information including age and possession of a credit account with your company. I expect more than that sort of "no- business-ethics" approach from people I do business with. I wish your company had more respect for its customers.
      ~~~
I do not expect this to create any burden on your company whatsoever if you respect your customers' private data.

HIPAA Restrictions on Medical Data

HIPAA relates to medical data. It normally makes no sense to include this in a credit card privacy request.

General Form Letter

Again, pay attention to what you are sending.

Gentlepeople:

re: Acct. No. xxxxxxx

Your privacy notice states unambiguously that you may use my information as "permitted by law". I am exercising my rights under the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act to not have my information shared.

I request that my personally-identifiable information be used only as necessary for the explicit purpose of fulfilling my requests for services and products, and for processing transactions requested by me as your customer.

I request that my personally-identifiable information not be "shared" with third party companies or individuals, whether affiliated, non-affiliated or otherwise. I do not wish to receive marketing offers. I do not wish to have my information "shared" with affiliates.

You do not have my permission to "share" information about my creditworthiness or credit status with any affiliate of your company. I am exercising my rights under the Fair Credit Reporting Act to opt out of any sharing of this information by your company.

Specifically, I do not wish to have my name, my address, telephone number, email address, age-related data and income- related data shared. I do not wish the fact that I have an account with you shared, since that fact indicates credit status.

GLBA and ITADA Request to be Informed of Distribution

I further request under the GLBA that I be informed whenever my personally-identifiable information is provided to third parties, and to whom the information is provided. I wish to be informed regardless of whether the providing of the information is contrary to my request.

HIPAA Restrictions on Medical Data

I request that all information be used solely for the purpose of obtaining medical treatment, processing my request or purchase, and for obtaining insurance payment. I do not agree to the collection of data for any other purpose.

Specifically, I do not wish to have personal information, such as my name, my address, telephone number, email address, age- related data and income-related data shared.

I do not expect this to create any burden on your company whatsoever, unless data is normally used by your firm without prior approval of your customers.

"Do Not Call" Request

Please do not call me for marketing purposes. This includes promotional calls and so-called "courtesy" calls.

---

If you want to get assertive, consider including the following:

This request is also made under the The Identity Theft Assumption and Deterrence Act (ITADA) because providing such information comprises transfer of "without lawful authority, [of] a means of identification". (18 U.S.C.§1028(a)(7))

Electronic media includes:

1. Internet Providers
2. Cellphone Providers
3. Telephone Companies
4. Cable Companies

This is addressed by The (US) Telecommunications Act, at 47 CFR § 222. 47 CFR § 222 prohibits, prohibits telecommunication common carriers from accessing account information for marketing purposes.

A separate form includes provisions for privacy of data based on:

1. impressions (user views)
2. "click though" data (user responses)
3. demographics

The (US) Telecommunications Act, at 47 CFR § 222, prohibits telecommunication common carriers from accessing account information for marketing purposes. The following is directed toward carriers abusing their own customers by providing "impression" and "click-through" information.

to telecommunications privacy request letter (for privacy requests under the US Telecommunications Act 47 CFR § 222)

I don't do these, probably because they're too easy to read! But I did find few here: sample form letters, from Privacy Rights Clearinghouse (privacyrights.org)

They also have a list of opt-out addresses.

What about the business' "checkbox" form?

A few businesses request that customers use their own privacy "checkbox" forms. I don't think it matters if the "checkbox" form is used, but I will almost always include my form as well. Their form alone may be useful if you want certain forms of ads. (Some people do.)

Because you served me with a GLBA Privacy Notice? If someone sends you a GLBA Privacy Notice, they did so for a reason. GLBA Privacy Notices are only required if a business intends to "share" your information.

"We sent that because these notices are required by regulations."

"Yes. I know a notice sent to meet regulations was sent to meet regulations. I also know that if someone doesn't intend to 'share' my information, the notice is never required. I wish the only time information were shared was if the customer specifically 'opts in' to have information shared."

to telecommunications privacy request letter (for privacy requests under the US Telecommunications Act 47 CFR § 222)

site first posted November 3, 1996 this page posted 23-Dec-03 ~~ this page rev 30-Apr-18 ~~ written in WordPerfect 5.1 ~~ copyright 2003 by S. Protigal ~~ Feel free to link to this.

The Telemarketing Scum Page website can be located on any search engine by searching for "The Telemarketing Scum Page".

THIS page can be located by searching for "GLBA privacy request" or by searching for "privacy request" and looking for a skoozeme.com or scn.org website.