"Everyone has the right to respect for his private and family life, his home and his correspondence." - European Convention for the Protection of Human Rights and Fundamental Freedoms



Responding to a "Privacy Policy" Letter

Privacy Rights under the GLBA

"How to Read Privacy Notices" is here.



Purpose

This describes how to read "Privacy Notices" and how to respond to them.



Privacy Notices

US financial businesses and businesses keeping financial data send out annual "Privacy Notice" letters. This describes how to understand and respond to these letters.

"Privacy Notices" are provided under the GLBA (in the US) by businesses that use Personal Data. "GLBA" is the Gramm-Leach-Bliley Act (US). Privacy laws are governed by the GLBA, FCRA, HIPAA, the Federal Telemarketing Regulation, and various state laws. A GLBA request is not the same as a "do not call" request, and it is not yet clear whether the two can be combined. Most countries have similar privacy laws, although most don't have the US loophole that requires individuals in the US to "opt out" of having their personal information used commercially.



How to Read Privacy Notices

You only need to read one of these things thoroughly once.

After that, all that's necessary is to look for the "to the extent permitted by law" part. While that language shows obvious contempt for consumers, it's fairly common in corporate GLBA "Privacy Notices". The rest is obfuscation.



What's in the Rest of Privacy Notices

Necessary language describing credit reporting and other legitimate activities

Descriptions of intent to "share" with other businesses.
This consists of other subsidiaries and unrelated businesses.

Obfuscating language talking about businesses with "partnership" relationships.
All business transactions are with "partners"; otherwise the information would be posted on Youtube.

Lengthy descriptions of the fact that the collected data has generic statistical value.

Meaningless filler concerning turning over the data if required by a government entity
If this really had meaning, they'd leave it out. Government subpoenas are costly and businesses would prefer to have an excuse to deny a request. This is typically placed just before or after the "to the extent permitted by law" section, as an attempt to convince people that unlimited disclosure of personal data is "required by law". (Note the difference between "to the extent permitted by law" and "only as required by law".)

Claims that the data is not "sold" or "rented".
"Not sold" is technically true. Data is rarely "sold".
Data is almost always rented, so a statement that the data is not "rented" should be regarded as deceptive word play. The agreement to rent your data is generally called a "license" or "service agreement" because data is not referred to as "rented".

So read one of these things once. After that, they're easy to scan for the salient portion -- either they include a "to the extent permitted by law" section or they respect their customers.



Then What

Here's a sample privacy request letter for making privacy requests under the GLBA (US).

As a practical matter, there are only a few businesses for which you need to block data. These are the major financial institutions that supply credit cards.

Occasionally a smaller business will decide to enter the personal data marketing business, but in that case, you'll receive a GLBA letter.



How a Business Will Respond

Basically, it depends on the business. Obviously a business which has a privacy statement with a combination of
  1. "to the extent permitted by law"
    and
  2. "We do not rent your data"
in the same document won't care about complying with a privacy request. The problem they have is the potential of a class action lawsuit, which can have a major impact. For this reason, most will flag an account with a GLBA letter for No Abuse.



Do they Retaliate?

No.

Even if the business thought you were the Cindy Sheehan of the "Leave Me Alone" movement, they're still not going to retaliate. In the case of writing a GLBA letter, you're one of thousands who tell them "no". If anything, you're probably considered a "high end" customer.


Reasons for Legal Ambiguity

Many of the criteria for requesting privacy and reporting violations are unclear. These laws are open to interpretation by the agencies and courts charged with enforcement. For example, the use of a "diversion" to a request may or may not be accepted as legal.

Where notice is provided could theoretically also depend on when the data was collected. It is conceivable that telephone number data collected via ANI would be subject to a "do not call" request at the time the number was collected.



Violations

Large business entities in the US learned that the penalties for violations of the GLBA are trivial, and that people are unlikely to complain.

If you suspect violation, complain to the Government. Typically this is the FTC (Federal Trade Commission) but there are various state and federal regulatory agencies.

Typical violations include:

No Reasonable Opportunity
Under the GLBA, the business must provide the individual a "reasonable opportunity" (e.g., 30 days) to "opt out" of information sharing. In many cases, data is exploited with total disregard for the waiting period.

Deceptive Statements
The most obvious of these is that personal data is "not sold". Data lists are almost never sold for the same reason a copyright isn't sold to the purchaser of a book or software. The data is licensed. (Businesses also claim that this is not "rented", which is deceptive because the data in the list is in fact being used for the economic benefit of third party entities.)

Lack of Disclosure
Most large business entities refuse to tell individuals to whom the data is provided.

Obfuscation
Most "privacy notices" include obfuscating data, such as lengthy descriptions of how data may be turned over to law enforcement agencies under subpoena.
If the cognizant Federal Agencies were to require that all data be destroyed in the case of misuse, GLBA compliance would be instantaneous!

Keep records. (You have a computer, or at least a database for your mobile device.)


Reporting

There are too many variables to give a generic answer on this. Most of the cognisant federal and state government websites have information on complaints. Try to focus complaints toward clear issues.


Naming individuals

In addition to complaining about the business, consider that legally, businesses are fictitious persons. They can't break the law without the cooperation of real live persons, as described in "naming individuals when filing complaints" (the Telemarketing Scum Page's admittedly feeble attempt at being radical).

... and there's a special page for naming lawyers


Effect on Business

The myriad regulations place a substantial burden on business, but there is a "safe haven". If a business keeps private data private (i.e., doesn't "share" private information), they shouldn't have trouble.



Other Forms on the Web

consumer.net/telemarketing/logsheet.asp
I don't know anything about the person or group sponsoring this form.

