"Everyone has the right to respect for his private and family life, his home and his correspondence." - European Convention for the Protection of Human Rights and Fundamental Freedoms
"How to Read Privacy Notices" is here.
This describes how to read "Privacy Notices" and how to respond to them.
US financial businesses and businesses keeping financial data send out annual "Privacy Notice" letters. This describes how to understand and respond to these letters.
"Privacy Notices" are provided under the GLBA (in the US) by businesses who use Personal Data. "GLBA" is the Graham-Leach-Bliley Act (US). Privacy laws are governed by the GLBA, FRCA, HIPAA, the Federal Telemarketing Regulation, and various state laws. A GLBA request is not the same as a "do not call" request, and it is not yet clear whether the two can be combined. Most countries have similar privacy laws, although most don't have the US loophole that requires individuals in the US to "opt out" of having their personal information used commercially.
You only need to read one of these things thoroughly once.
After that, all that's necessary is to look for the"to the extent permitted by lawpart. While that language shows the obvious contempt for consumers, it's fairly common on corporate GLBA "Privacy Notices". The rest is obfuscation.
So read one of these things once. After that, they're easy to scan for the salient portion -- either they include a "to the extent permitted by law section or they respect their customers.
- Necessary language describing credit reporting and other legitimate activities
- Descriptions of intent to "share" with other businesses.
- This consists of other subsidiaries and unrelated businesses.
- Obfuscating language talking about businesses with "partnership" relationships.
- All business transactions are with "partners"; otherwise the information would be posted on Youtube.
- Lengthy descriptions of the fact that the collected data has generic statistical value.
- Meaningless filler concerning turning over the data if required by a government entity
- If this really had meaning, they'd leave it out. Government subpoenas are costly and businesses would prefer to have an excuse to deny a request. This is typically placed just before or after the "to the extent permitted by law section, as an attempt to convince people that unlimited disclosure of personal data is "required by law". (Note the difference between "to the extent permitted by law and "only as required by law)
- Claims that the data is not "sold" or "rented".
- "Not sold" is technically true. Data is rarely "sold"
- Data is almost always rented, so a statement the the data is not "rented" should be regarded as deceptive word play. The agreement to rent your data is generally called a "license" or "service agreement" because data is not referred to as "rented".
Here's a sample privacy request letter for making privacy requests under the GLBA (US).
As a practical matter, there's only a few businesses for which you need to block data. These are the major financial institutions who supply credit cards.
Occasionally a smaller business will decide to enter the personal data marketing business, but in that case, you'll receive a GLBA letter.
Basically, it depends on the business. Obviously a business which has a privacy statement with a combination of
in the same document won't care about complying with a privacy request. The problem they have is the potential of a class action lawsuit, which can have a major impact. For this reason, most will flag an account with a GLBA letter for No Abuse.
- "to the extent permitted by law
- "We do not rent your data"
If the business thought you were the Cindy Shehan of the "Leave Me Alone" movement, they're still not going to retaliate. In the case of writing a GLBA letter, you're one of thousands who tell them "no". If anything, you're probably considered a "high end" customer.
Reasons for Legal Ambiguity
Much of the criteria for requesting privacy and reporting violations is unclear. These laws are open to interpretation by the agencies and courts charged with enforcement. For example, the use of a "diversion" to a request may or may not be accepted as legal.
Where notice is provided could theoretically also depend on when the data was collected. It is conceivable that telephone number data collected via ANI would be subject to a "do not call" request at the time the number was collected.
Large business entities in the US learned that the penalties for violations of the GLBA are trivial, and that people are unlikely to complain.
If you suspect violation, complain to the Government. Typically this is the FTC (Federal Trade Commission) but there are various state and federal regulatory agencies.
Typical violations include:If the cognizant Federal Agencies were to require that all data be destroyed in the case of misuse, GLBA compliance would be instantaneous!
- No Reasonable Opportunity
- Under the GLBA, the business must provide the individual a "reasonable opportunity" (e.g., 30 days) to "opt out" of information sharing. In many cases, data is exploited with total disregard for the waiting period.
- Deceptive Statements
- The most obvious of these is that personal data is "not sold". Data lists are almost never sold for the same reason a copyright isn't sold to the purchasor of a book or software. The data is licensed. (Businesess also claim that this is not "rented", which is deceptive because the data in the list is in fact being used for the economic benefit of third party entities.
- Lack of Disclosure
- Most large business entities refuse to disclose to individuals to whom the data is provided.
- Most "privacy notices" include obfuscating data, such as lengthy descriptions of how data may be turned over to law enforcement agencies under subphoena.
Keep records. (You have a computer, or at least a database for your mobile device.)
There are too many variables to give a generic answer on this. Most of the cognisant federal and state government websites have information on complaints. Try to focus complaints toward clear issues.
In addition to complaining about the business, consider that legally, businesses are fictitious persons. They can't break the law without the cooperation of real live persons, as described in "naming individuals when filing complaints" (the Telemarketing Scum Page's admittedly feeble attempt at being radical).... and there's a special page for naming lawyers
Effect on Business
The myriad regulations place a substantial burden on business, but there is a "safe haven". If a business keeps private data private (i.e., doesn't "share" private information), they shouldn't have trouble.
- I don't know anything about the person or group sponsoring this form.
... and there's a special page for naming lawyers
Comments about this site: email me
site first posted November 3, 1996 ~~ rev April 30, 2018 ~~ written in WordPerfect 5.1 ~~ copyright 1996, 2001 by S. Protigal ~~ Feel free to link to this.