Privacy Policies: A Misleading Misnomer

Posted 15 Dec 2009

Have you ever read the privacy policy of some company that is collecting your personal information and felt secure, thinking that they protect your privacy.  Privacy policies are everywhere and usually make people feel like their personal information will not be used by anyone who is not a party to the immediate transaction. 

This is because most people believe these policies prevent the company from sharing their information.  This understanding of privacy policies is incorrect and misplaced confidence in them can create a false sense of security.    Your data can still be shared.

What Are Privacy Policies

Most companies that deal in any way with personal information, names, addresses, etc., will have customers agree to a privacy policy when those companies collect data.  In some cases, laws like HIPAA will control how personal information may be shared, but even so, each company has significant control over drafting their own privacy policy. 

This leads to as many unique policies as there are companies.  Even with so much diversity, most privacy policies share a lot of important similarities.   They will often be drafted in a way that appears to limit severely the way that information is shared after it is gathered but in fact permit more sharing of information than most people would think.

What People Think About Privacy Policies

Most people believe that if they share their information with a company under the terms of a privacy policy, it will never be shared with anyone else.  Almost all privacy policies have significant exceptions, either those imposed by law, or otherwise.  Disclosures required by law require changing the law to prevent.

  A common exception not required by law is the permission to share information with "affiliates" or some other entity whose services are used for normal business purposes.  The definition of affiliate will vary but the term is generally far more broad than most people suspect.  

This false perception of who may be included in the sharing group creates a gap between what people think is protected by the privacy policy and what is actually permissible information sharing.  Privacy policies that do not include a provision for sharing information with other affiliated companies are doing a better job of truly protecting your privacy.

What Is Permissible To Share Under Most Privacy Policies

Once information is collected under a privacy policy that permits sharing with select "affiliates" or some other business partners, selecting who is an affiliate is usually at the discretion of the company. Many times an affiliate is anyone that the company is working with either as a business partner or as an outsourced service like payroll or accounting. 

Once the information is in the hands of the affiliate, they are usually not bound by any privacy policy that you agreed to.  There would have to be a separate agreement between the company and an affiliate, probably not enforceable by you if it is broken, which limits the use of the information by affiliates. 

Thus, once a company sends its aggregate data to an accounting firm to do their taxes, or to its outsourced billing department, your data is no longer protected by the privacy policy.  Even when there are laws limiting the disclosure of information, like HIPAA, the protection of the privacy policy generally ends where the affiliates begin.

We can follow where personal information is likely to go if we think about providing personal information to a medical provider for a typical medical visit or procedure.  Having a simple medical procedure will require a significant amount of data to be gathered. 

Even under HIPAA, the information can be shared with other companies if sharing some of the information is a needed part of providing the service.  Many times there will be an insurance company (affiliate) that will need to have all of the billing information to verify expenses, personal information, to verify coverage, and procedure information to verify that it qualifies under the insurance plan. 

The medical facility will likely have an outsourced billing department (affiliate) who also needs your name and personal information.  There might be independent medical suppliers (affiliate), accounting (affiliate), janitorial staff (affiliate), all of whom might need to have access to some of your data. 

Many will have access to all of your data.  There are a lot of needy companies in this network, all of whom might have your data, none of whom are probably covered under the privacy policy and who then may share some of your information without the constraints of the privacy policy.  Even if there is no willful sharing of information outside of this network, the fact that the data now resides in so many different places increases the risk of nefarious misappropriation of data or identity theft.

What Can Be Done

One of the best ways to keep your private information from being compromised is to avoid disclosing your private data in exchange for goods and services.  Using the techniques for transacting anonymously, like using cash, and many of the other techniques outlined in the book How To Vanish, will help you keep your data under control. 

If you must provide some personal information, understand that the privacy policy probably won't keep the information you share as safe as you would like it to be.