By Bret A. Fausett
At Our Bank, respecting the privacy and security of your personal information is important to us.
That's terrific, I thought. My privacy and the security of my personal information are important to me, too, especially when I'm selecting a bank. I've been considering online banking, so this is exactly what I want to hear.
This is good advice, especially because the personal data I share with my bank is exactly the kind of information I want to keep private. Thanks for reminding me to read it all the way through.
Hmmm, this changes the picture a little bit. Just two lines ago, the bank was telling me how important it was to respect my privacy and secure my personal information, and now I learn that the bank collects information, uses that information, and under certain circumstances shares it with third parties. Good thing I decided to read the entire policy carefully. What else is in store?
We collect nonpublic personal information about you from the following sources:
- From you, on forms, via the Internet, by telephone, or otherwise. Examples of this type of information include your name, address, social security number, credit history, and other financial information.
- From transactions with us, our affiliates, or with others. For example, your payment histories, account balances, and other transaction records.
- From credit reporting agencies, such as information relating to your creditworthiness, your credit score, and credit usage.
- From third parties to verify information you have given us.
"Nonpublic personal information?" OK, I'll consider "nonpublic" to mean the stuff I consider "private," but why quibble over word choice? The bank has now told me that not only does it collect private information about me, but that affiliates, credit agencies, third parties, and, worst of all, undefined "others" also may collect information about me and share it with the bank.
Uses of Shared Information: We may share all of the information that we collect, as described above, for the following purposes:
To provide you with the products and services you have requested.
This part is OK, I think. The bank will use my private data only to help me with things I request. This might mean looking at my account history to see what to recommend when I ask about better interest rates, or whether to offer me a different checking account based on my past usage. Because the bank uses the private information only in response to questions that I ask, the use of my information is still within my control, right? OK, I'll accept that one.
To offer you additional products and services, from us or from others, that may be of interest to you.
I'm not as crazy about this one. The bank is going to use my private information to sell me stuff from time to time. I hate junk mail and spam almost as much as I hate telemarketers, but for the right bank and the right price and the right set of services, I can stomach the annoying marketing.
To comply with reporting and other legal requirements.
This seems fair enough, I guess. If the law requires my bank to disclose certain information, then there's really nothing anyone can do about it. Shopping around won't make a difference on this one either, as all banks are governed by the same laws and reporting requirements.
To otherwise conduct business.
It's Called Self-Regulation
Privacy policies were born in the early days of electronic commerce, when the specter of the Internet as a place where you might be watched, catalogued, and placed into various direct marketing databases was just emerging. Much as the movie industry adopted its ratings system years ago to avoid proposed federal regulations on appropriate content for minors, the Internet industry pushed privacy policies as a way to head off government regulation of user privacy. For the most part, the strategy has worked. Other than the Children's Online Privacy Protection Act (see Robert Cannon's article, "Coping with COPPA," also in this issue), we have no strong federal regulations in the U.S. governing the collection and dissemination of our private data.
Internet privacy policies are supposed to detail exactly how a company interacting with users collects data, uses the data, and shares it with others. Armed with details about what might happen to any information taken from you, you can make an informed decision about whether you want to do business with this company. You might decide to leave a Web site immediately, or you might decide that the services provided are worth the cost of giving up your private data to others.
The thought behind this attempt at self-regulation is that companies will disclose their practices, users will make informed choices about what they want to do, and the combination will empower both.
As encouraging as that sounds in theory, it rarely works so well in practice.
Privacy in the Real World
In the real world, privacy policies are usually, but not always, linked from the home page of a Web site. In the worst cases, they're buried pages deep in a legal section or somewhere in "about our company." Because there's no uniform place for companies to post privacy policies, users are left to hunt for them, in a different place at every site, if they want to learn the rules.
And that distinction reveals a fundamental truth about privacy online. The interests of Web users aren't aligned with the interests of Web site operators.
Realizing that privacy policies were difficult for consumers to comprehend or use meaningfully when navigating from site to site, many in the industry backed privacy certification efforts from organizations like TRUSTe and the ESRB. To their credit, these associations help companies develop privacy policies that are comprehensive and comprehensible, and the people who run them have thought intelligently about the issues involved in managing private data.
These organizations bring the goal of self-regulation (informed user choice) one step closer to reality. For the most part, certified policies are written in plain English, are prominently displayed so users won't have to mine a site looking for the policy, and provide a point of contact in the form of the certification agency for confused or dissatisfied users.
Whatever the benefits of the privacy initiatives, they've been adopted by a small minority of commercial Web sites. Even if some of the sites a user routinely visits are privacy certified, many more that make inadequate or unclear disclosures are only a click away. Certification may be helpful for some popular sites, but as an industry cure, it's no solution.
Write Something Meaningful
If you don't share information with third parties and have no plans to change that practice, say it: "We will never share data collected from you with third parties." That's powerful. If I'm looking for a new bank, that's exactly what I want to hear. The word "never" means you're relinquishing the flexibility to someday in the future take a step that might conceivably lead to a future set of circumstances in which you might want to.... Just give it up. Don't be afraid to limit the future if it's the right thing to do.
Write something meaningful to the consumer using words that instill confidence.
A Better Policy
We participate in no so-called "private" privacy initiatives. Indeed, we feel that leaving the protection of privacy to anything less than well enforced laws would be a farce.
The CaveBear site takes no active steps to protect your privacy. We collect the standard logs of access to our systems.
We never have used the access logs for anything but our own administrative uses, primarily monitoring our sites to see whether someone has tried (or succeeded) to penetrate our security. And we have never opened those logs to anyone other than our own administrative staff, who, it may be said, tend to find the contents not merely uninteresting but downright boring.
At the current time, the CaveBear site has no interest in using our logs for any other purpose.
At the present time we do not believe that we have any Web pages that either put "cookies" on your computer or read such cookies that may have been put there by ourselves or by others.
So, if you're concerned about your privacy, you luck out: our practices are consistent with your interest in protecting your privacy. However, we do not guarantee that our practices will not someday change or that we will not accidentally disclose something.
It is our recommendation to you that you take such self-protections as you feel appropriate. And we further suggest that you do not look to protection of your privacy to come from the private sector; that sector's interests are not aligned with yours.
The CaveBear site strongly urges that you support national legislation and international treaties that define and protect your privacy.
Bret is an intellectual property and Internet attorney, and a partner with Hancock, Rothert & Bunshoft. Contact him at email@example.com.