Law & Technology

What are they doing with my personal information? Privacy Policies and Fair Information Practices

By Deborah Pierce

Nov 21, 2001

The last article I wrote focused on the "Notice" provision of Fair Information Practices. This article will focus on the "Choice" provision. The sidebar has links to web sites with more information including (for those who missed last issue) the core elements of Fair Information Practices (Notice, Choice, Access, Security, and Enforcement).

Choice: The data collector should give you a choice about how they can use the data: opting-in or opting-out.

Choice

There are two basic methods of choice: opt-in or opt-out. Opt-in requires that the data collector get affirmative consent from the individual before selling or sharing data about that person. If there is no consent, the data cannot be shared or sold. Opt-out, on the other hand, allows the data collector to sell or share information about an individual unless the individual has said no.

The big difference between the two is that opt-in places the burden on the data collector to get consent or forego selling or sharing of data. Opt-out places the burden on the individual to say no. If the individual doesn't respond, then consent is presumed and the data collector is generally free to share or sell information that has been collected about the individual.

First, I'll give two examples that illustrate how opt-out does little to protect your privacy, and then one to show the benefits of opt-in.

The Financial Modernization Act

This Act, otherwise known as Gramm/Leach/Bliley (GLB), was passed last year to give some privacy protections to individuals while at the same time tearing down barriers between financial institutions such as banking, insurance and securities firms. By July 2001, financial institutions were required to have sent notices to all of their customers explaining what kinds of information they collect and how they use that information.
They also had to send out "opt-out" notices to all of their customers, explaining how an individual could opt-out of data sharing with third party, non-affiliated, marketers.

The problem with the opt-out notices was that many of the notices were written so as to be very difficult to read. (For more information, visit the Privacy Rights Clearinghouse (PRC) study of opt-out notices.) Compounding the problem was that the opt-out notices were often mixed with bank statements or other information sent by the financial institution, and so were inadvertently thrown away by many people. In any event, the response rate was low: less than five percent of notices were filled out and returned.

You might have seen this five percent number cited as evidence when industry argues that most people don't care whether their financial information is shared. I would argue that the low response rate reflects the confusion people have about the content of the notices or whether they even recognize that the notices are to be filled out and returned.

Anybirthday.com

The more difficult cases are the sites that collect large amounts of personal information about you even though you do not have a business relationship with them. A great example of this is anybirthday.com. Go to anybirthday's site and type in a person's name. You'll get back a list of everyone in the database with that name, as well as the birth date and zip code associated with that person. For a fee of $39 you can get a recent address for that person.

You might think that you're not in the database because you have an unlisted or unpublished phone number, but the folks at anybirthday have anticipated people like you. They collect birth dates from public records (a separate topic in its own right), in this case voter records and DMV records, so unless you don't have a driver's license or haven't voted, chances are high that you are in their database.
The result is that for $39 some fairly personal information about you is widely available. You might find this a bit creepy and want to get out of their database, so how do you do it? Go to their site, click on "privacy" and then click on "opt-out option" and follow the instructions. The problem here is that unless you know that the anybirthday.com site exists, you can't opt-out. And, once you find out about it, the burden is on you to "opt-out" of the database.

Vermont: A financial privacy opt-in approach

The state of Vermont has had a long-standing opt-in approach to financial privacy. The Attorney General of Vermont issued a report last February detailing the concerns that would go along with a change from the opt-in approach to the opt-out approach favored by the banking industry. Some of the concerns voiced are that if opt-out were adopted, consumers would be harmed because they would no longer be able to affirmatively choose how their information will be shared; they wouldn't be able to control unexpected information sharing by financial institutions; and consumers would have to put up with more telemarketers.

What can you do?

Find out what kind of opt-in/opt-out policies businesses you deal with online and off have and opt-out where you are uncomfortable. If you don't want your bank sharing your financial information with third parties, request the opt-out form and opt-out. Sites like anybirthday.com are a little more difficult, since many of them are using public records that are, after all, public. For now you'll have to opt-out on a case-by-case basis.

© 2008 Seattle Press on Line. Powered by JournalMaker.