Page 1 of 1

Don't Trust Privacy Policies

Posted: Tue Jul 01, 2003 6:03 pm
by manadren_it
Wasghinton Post Story

washingtonpost.com

Web Firms Choose Profit Over Privacy

By Jonathan Krim
Washington Post Staff Writer
Tuesday, July 1, 2003; Page A01

To parents interested in buying the popular Hooked on Phonics learn-to-read programs, the company made a firm promise on its Web site: It would never sell or rent their personal information to other marketers.

But that pledge was empty. In the pages of a marketing trade publication, Gateway Learning Corp., the product's California-based parent company, was advertising to rent the list of Hooked on Phonics buyers to other marketers.

At a price of $95 per 1,000 names, companies could arrange to have unsolicited advertising sent to 105,936 people who bought Hooked on Phonics in the past year. Included in the information made available to other marketers: ages of the buyers' children.

After inquiries from The Washington Post, the company changed its privacy policy and is no longer promising to keep such data from being offered to others. A company spokeswoman said the firm was simply slow to update its policy. Previous customers would be notified of the change and offered the chance to remove themselves from the list, she said.

Hooked on Phonics is one example of retailers, marketers and an array of service providers expanding their collection and use of consumers' e-mail addresses and other personal information, despite broad assurances to protect individual privacy and honor consumers' choices about how much marketing they want to receive.

Many firms use tactics designed to hide their intent to gather and profit from the data they collect, information that grows in value as more and more people use the Internet for information and shopping.

"Companies continually troll for, and exploit, personally identifiable information," said Joseph Turow, a media professor at the University of Pennsylvania who specializes in mass marketing. "Some Web sites unabashedly collect all the information they can about visitors and market [it] as aggressively as they can to advertisers and other marketers."

But these techniques have drawn scant attention as the flood of unwanted commercial e-mail has reached tidal-wave proportions. Instead, retailers, advertisers and Internet service providers such as Microsoft Corp., America Online and Yahoo Inc. have so far successfully lobbied government regulators to put the spotlight on deceptive practices of the most unsavory purveyors of scams and pornography.

Mallory Duncan, senior vice president and general counsel of the National Retail Federation, argues that mainstream corporations can police their own marketing practices. "The concern with spam is not with the Gap coupon you receive," said Duncan, who represents the largest lobbying and trade group for store owners. "It's the huge amount of porn and other things that were unsolicited."

With the onslaught of spam, almost all companies promise not to sell consumer data. But many don't mention that such information is rented. This means that the list owner won't release the data to an outside marketer, but it will send messages to the list on the outsider's behalf. Targeted lists available for rent number in the thousands, including those from magazines, professional organizations and even political interest groups such as Republicans for Jesus.

Recently, for example, the Christopher Reeve Paralysis Foundation advertised that its list of donors, including postal addresses, was for rent.

A charity spokeswoman said that the rental list includes data only from donors who gave through direct-mail appeals, not online. But she acknowledged that those people were provided no privacy information; the charity's Web site says it will never sell or share e-mail addresses of donors. Direct-mail donors will now be given a chance to remove their names from the donor list, the spokeswoman said, adding that the organization's lists are offered only to "like-minded" groups.

Sometimes, consumers may not be aware they are handing over information to vendors working behind the scenes at certain Web sites.

Take CartManager, a Provo, Utah, company that is one of many providers of "shopping cart" software used by online retailers. Merchants use the service to manage their transactions. Customers select items, put them in virtual shopping carts, and provide appropriate billing and shipping information to complete the order.

The company, which handles transactions for dozens of small Web retailers, last month offered for rent its list of 781,000 postal and e-mail addresses of consumers who "regularly buy online." CartManager's privacy policy states that it might share such information. But a consumer might not even notice the fine print stating that a retailer's shopping cart is "powered by" CartManager, let alone look at the firm's privacy policy. The transaction is done through the Web site of the retailer, whose privacy policy is more likely to be scrutinized by concerned consumers.

CartManager executives did not respond to requests seeking comment.

In some cases, marketers are open about their intent, if people take the time to read the privacy policies on Web sites closely.

Some sites essentially exist to collect e-mail addresses and other personal data to allow future marketing. To entice people to hand over the data, they offer discounts on products or entry into sweepstakes.

But in a research study Turow supervised for the University of Pennsylvania, 57 percent of 1,200 adults who use the Internet at home thought that if a Web site merely has a privacy policy, their information would not be shared with others.

To expand their databases even further, some marketers employ a controversial technique known as "e-mail append."

List brokers, who buy and sell consumer data for companies, take names and physical addresses in one firm's database and look for corresponding e-mail addresses in outside lists that might contain enough information to match them up.

Columnist Jay Gibson explained the process in a recent edition of Opt-In News, an online publication for marketers. For example, a pizza restaurant cannot send e-mails about new services to a customer who orders over the phone because an e-mail address is not provided, Gibson wrote. "But they can take my name, physical address and telephone number, submit this information to an e-mail append service, and acquire it."

Paul Chachko, chief executive of Datagence, a firm that provides e-mail append, said the service can be performed properly by reconfirming with all consumers on the lists that they wish to receive marketing messages.

"The whole industry that we're involved with relies on . . . integrity and a self-policing environment," Chachko said. "But there are a lot of people out there that don't play by the rules. We've got to weed those people out."

Marketing executives say they have instituted strict self-policing guidelines, including ensuring that consumers have the ability to "opt out" of receiving future advertising marketing messages.

But opting out is not always easy.

Bluefly Inc., an online retailer, has an extensive privacy policy.

"We take this matter very seriously, and have instituted many policies and procedures to insure that none of your privacy rights as stated herein are ever violated," the policy says.

The policy tells users that anytime they e-mail the company, they consent to receive messages from the company. But to be removed from future messages, users must e-mail the company.

A spokesman said the company would not send marketing messages to people who e-mailed requesting to be removed from future advertising.

Citibank's parent, Citigroup Inc., requires customers of any of its hundreds of affiliates to tell each one that it wants to stop receiving marketing messages. Citibank has been the object of more than 30 complaints to the Federal Trade Commission over the past year by consumers charging that the company has failed to honor their requests to remove their names from lists, or made it nearly impossible to do so.

An FTC spokeswoman said the agency has not acted on the complaints, adding that it has received more than 1,000 similar complaints about a range of companies.

In a statement, Citibank said, "We continually review our performance, and believe our procedures have been extremely effective in providing for the privacy preferences of our customers."

Marketing and retailing executives want any anti-spam legislation to treat affiliates as separate entities, on the theory that customers of different products don't always pay attention to corporate relationships among companies.

Microsoft, which like many Internet providers markets to its members, recently proposed a system in which industry would agree to an electronic seal-of-approval process that e-mail networks could recognize and allow legitimate marketing through. Among the criteria for such a seal would be that requests of users to be removed from marketing lists would be honored.

But privacy advocates and anti-spam groups are dubious about industry governing itself. Instead, they want computer users to be free of commercial e-mail unless they specifically request it, a system known as "opt-in."

Marketing and Internet industry lobbyists have successfully warded off this approach, while at the same time co-opting the phrase. In marketing parlance, opt-in means that consumers have not specifically asked to be removed from mailing lists.

Thus, nearly all available e-mail lists are advertised as opt-in lists. But according to some in the industry, opt-in is at best a sliding scale.

"If you forget to check a box [asking to be eliminated] from further marketing, that's technically opt-in," said Sherri Jones, a vice president at TKL Interactive, a Southern California marketing firm. She said her firm sends e-mails to all list members asking them to confirm that they want to receive further advertising, a process known as "double opt-in."

Jones said that to regain credibility, her industry must move to a true opt-in system, in which no marketing occurs before a user requests it.

"The opt-in procedure puts the control of the transaction in the hands of the consumer," she said, separating herself from her industry's trade groups. "That's a dramatic paradigm shift that I think a lot of old-school marketers are resisting."

Industry officials counter that if they don't have the right to approach consumers at least once, people will be deprived of potentially valuable offers that they would otherwise not hear about.

Marketers also insist that they maintain the right to send messages to customers with which they have "existing business relationships."

Consumer groups say that this makes sense if that means a customer has recently purchased a product, but it should not apply if he or she merely requests information.

"Some companies, like psycho ex-boyfriends, tend to see relationships where they don't exist," said Chris Murray, legislative counsel for Consumers Union.

Archived topic from Iceteks, old topic ID:1030, old post ID:8950

Don't Trust Privacy Policies

Posted: Tue Jul 01, 2003 7:28 pm
by Red Squirrel
Hmm that's dirty of them to do that!

Archived topic from Iceteks, old topic ID:1030, old post ID:8951

Don't Trust Privacy Policies

Posted: Wed Jul 02, 2003 10:51 am
by manadren_it
This is a somewhat serious concern. Companies we are supposed to be trusting are using legalese to obfuscate privacy concerns and to work loopholes in their own agreements. Kinda like Microsoft and it's EULAs, only worse. They say they won't sell information, so they rent it. They say they won't sell or rent, so they change the policy and notify you after the fact... all without the courtesy of a reach around. They sure do care about their customers, don't they...

Archived topic from Iceteks, old topic ID:1030, old post ID:8985