UC Berkeley's Samuelson Law, Technology & Public Policy Clinic conducted the first study on California's "Shine the Light Law" (SB 27). SB 27 allows Californians to request from almost any business a disclosure of its information sharing practices. Of the 86 requests, 22% of the companies either ignored the requests or questioned the validity of the requests and didn't respond. Study results: 2% disclosed a list of information sharing partners (e.g., Walt Disney, Restoration Hardware), 12% never responded (e.g., AT&T/Cingular, Barnes and Noble, Costco, Dell), 50% provided a letter indicating they did not sell personal information to third parties without opt-in consent, 26% responded by providing a privacy policy and an opportunity for the individual to opt out, and 10% claimed the requester did not establish that a business relationship existed and therefore didn't respond (although a follow-up letter was sent arguing that a relationship existed).
The majority of Americans assume that businesses with privacy policies must obtain consent before selling personal information. The purpose of the study was to better understand how businesses sell personal information and to map the landscape of information sharing among different businesses. The study showed that compliance with SB 27 is all over the map and rarely serves the goal of the legislation - to shine the light on third-party information sharing. In fact, in some cases it raised new questions. Examples: 26% sold information to third parties without first obtaining consent. Ann Taylor states in its privacy policy that it does not sell data to third parties, yet the same paragraph later states that Ann Taylor "may share information that our clients provide with specially chosen marketing partners."
The Facebook "Beacon" debacle demonstrated how intensely consumers reject the "sharing" of personal information for marketing purposes. In this instance, consumers learned of Facebook's strategy because it was transparent and obvious to the individual. But what most do not realize is that, in the absence of a specific law prohibiting information sharing, businesses are generally free to monetize their customer databases by selling, renting, or trading them to others. In fact, the sale of customer information is a common, albeit opaque, practice that, if disclosed at all, is usually mentioned in a "privacy policy" that uses language that is euphemistic, vague and confusing to consumers.
Having business practices that do not comport with consumer expectations can cause consumers to abandon or protest businesses. A recent example is the above-mentioned Facebook Beacon incident. Additionally, materially deceptive or unfair terms in a privacy policy can subject a business to regulatory scrutiny and lawsuits.
Americans are becoming more sensitive to privacy issues. As their awareness of business practices increases, it should shape corporate behavior. And so, we were pleased to find that most companies responded to SB 27 requests. Half the companies we queried stated that they did not share personal information with third parties. But the other companies demonstrated policies that contravene consumers' expectations at best. Several interventions could remedy these problems. It would make sense to require online businesses to post their third-party information sharing policies as part of their overall privacy policy. Information sharing would be elucidated more fully if privacy policies used standard, non-euphemistic terms to describe their information sharing. The State legislature should consider creating a centralized method of opting out of information sharing similar to the National Do-Not-Call Telemarketing Registry.
Joanne McNabb, Chief, Office of Privacy Protection, California Office of Information Security and Privacy Protection
Liz Figueroa, author of SB 27 when she was a senator in the California Legislature; she now serves on the California Unemployment Insurance Appeals Board
Beth Givens, Director, Privacy Rights Clearinghouse
Larry Ponemon, Ponemon Institute
Michelle Dennedy, Chief Privacy Officer, Sun Microsystems
"Shine the Light" on Marketers: Find Out How They Know Your Name, Privacy Rights Clearinghouse
http://www.privacyrights.org/fs/fs4a-shinelight.htm
The study report is available online at:
http://www.law.berkeley.edu/clinics/samuelson/sb27report.pdf
Chris Hoofnagle, Senior Staff Attorney and Research Specialist, Tel: 510.643.0213, choofnagle [at] law [dot] berkeley [dot] edu


