The whole idea of privacy has become a joke. On one hand we have consumers who will give away their personal details to random Web sites (as well as to Mrs. Sikiratu Seki Adam, “a widow to Late Saheed Baba Adams”) at the drop of a virtual hat, and on the other we have businesses losing personally identifiable information and transaction data with wild abandon … yes, I’m talking about you Heartland Payment Systems. (Heartland lost data on more than 100 million transactions although it is hardly alone — check out the data loss database at the Open Security Foundation).
This widespread carelessness has compromised the privacy of tens of millions of consumers and businesses. While carelessness is the cause, what has allowed it to go unchecked are a number of factors: The Internet making transactions easier and faster; the systems we use on the Internet (particularly Windows PCs) being as secure as the First Little Pig’s house of straw; organizations not taking security seriously enough; naïve consumers; and inadequate regulation of the companies that hold private data.
What got me thinking about this privacy void was a letter my wife received from Nordstrom Bank yesterday. My wife has a Nordstrom credit card and the company sent us, for what seems like the 1,000th time, its latest privacy policy.
This version was one page of small text that more or less says what every other privacy notice from financial services companies say (we average about one of these “revised” policies every couple of weeks).
The policy starts by defining what data is collected, which is more or less anything and everything they can, and what they want to “share” with their “affiliates”, which is, again, pretty much anything and everything.
The document outlines what they want to share with “third parties” (how are these different from affiliates?), which pretty much means it wants to do deals with all comers; makes a vague commitment to its provisions for confidentiality and security (we know there’s a good chance these provisions mean squat in reality); offers you the option of opting out, and states that even when you are no longer a customer it still has your data and will treat it just as they would if you were a customer.
Here’s the problem with policies like these: They favor and protect the company not the customer, despite customer protection being the original reason companies were obliged to create and disseminate such policies.
Maybe there’s one company out there with a privacy policy that is less one-sided and favors the customer, but if there is I haven’t seen it (feel free to let me know if you have found such a mythical beast).
Here’s what I want to see: a law that defines a uniform privacy policy that applies to all customers of all companies (not just those providing financial service), that specifically disallows “sharing” of data with “affiliates” and third parties unless expressly permitted by the customer. In other words, opt-in rather than opt-out.
Special provisions in privacy policies would require regulatory approval and, should a company lose customer data for whatever reason, it would immediately be prohibited from any kind of data sharing, even for those customers that (foolishly) agreed to allow it.
These reforms would mean we wouldn’t have to read endless variations of what is essentially the same policy, gratuitous data sharing would be vastly reduced (imagine the effort and incentives that data owning companies would make to get you to allow them to share your data!) and companies would be far more motivated to be more careful with data.
We’ve had decades of companies of all kinds calling the shots and playing fast and loose with our privacy. It’s time the customer got what is really theirs in the first place: The right to own their privacy, something that isn’t a joking matter.