The Privacy Pirates

Corporate policies on the collection and management of personal data do precious little to protect your privacy

One of the only "facts" that I took away from high school biology was that the human body, when broken down into basic elements and minerals, is worth $4.50. Our electronic corpus, however, is worth far more—at least a couple of hundred dollars to the right marketers. Our vital information, combined with our demographics and buying patterns, is worth hard cash to the right people, as anyone who has ever rented a mailing list knows. It seems to me that if we can sell it, it's ours. If someone else can make money off tracking our activities, shouldn't we get paid, too?

Why isn't taking this valuable electronic information from us without payment considered stealing? Taking other people's digital property is—as the movie and music industries are fond of telling us—theft.

It's privacy piracy, except these buccaneers don't brandish cutlasses; they use privacy policies. Every commercial Web site has one. These legal statements are non sequiturs used to quell complaints about corporate misuse of personal data. They are one-sided contracts forced on consumers by OPLs (Other People's Lawyers).

Read a privacy policy some time. The language in the beginning that sounds warm and protective is vague. AT&T (T): "We respect and protect the privacy of our customers"; Microsoft (MSFT): "Microsoft is committed to protecting your privacy"; Experian: "Our responsibility is to ensure the security of the information in our care and to maintain the privacy of consumers through appropriate, responsible use." Yet the language giving these companies the right to do what they want with your information is quite explicit. Those words are a license to steal consumer information, wrapped up in legal tinsel.

Most privacy policies have these components:

Your data might only be used by us, our partners, or subsidiaries. Yahoo (YHOO): "These companies may use your personal information to help Yahoo! communicate with you about offers from Yahoo! and our marketing partners."

If we sell our company or our business, then your information gets sold along with it. Facebook: "If the ownership of all or substantially all of the Facebook business, or individual business units owned by Facebook, Inc., were to change, your user information may be transferred to the new owner so the service can continue operations."

We might buy or get other information about you without your knowledge, like credit reports, and save that, too. Amazon (AMZN): "Examples of information we receive from other sources include… credit history information from credit bureaus."

If we want to do more, then we can change our policy instantly. Time Warner's (TWX) AOL: "The AOL Network may update this Privacy Policy from time to time, and so you should review this Policy periodically. If there are significant changes to the AOL Network's information practices, you will be provided with appropriate online notice."

It's interesting to note that these policies rarely, if ever, hamper the company's ability to use your information in any way it wishes. The typical privacy policy is missing several key consumer protections that any negotiated or legally mandated agreement would certainly have had. For example, I can't find a single instance of a major company discussing when and if they will ever delete your valuable data, even after you're no longer their customer.

Corporate America defines our personal information as their business asset.

AT&T was recently in the news because of a modification it made to the privacy policy covering its U-verse video service.

Two statements in this policy clearly state what has been only implied by other firms' policies: "While your Account Information may be personal to you, these records constitute business records that are owned by AT&T." Also: "Please read this Privacy Policy carefully. Before using your Service(s), you must agree to this Policy."

Prominently featured on the top of the AT&T privacy-policy page is a seal of an organization called "Trust-E." Trust-E is an independent nonprofit organization joined by many corporations that tout the seal prominently on their Web sites. The group investigates "eligible privacy complaints" about their licensees.


One of the prerequisites for an eligible complaint that Trust-E will investigate is: "The complaint alleges that the Licensee collected, used, or disclosed the personally identifiable information in a manner inconsistent with its published online privacy statement." That's it. The presence of a Trust-E seal simply means that the member company will abide by its own policy, which, in most cases, can be changed in seconds. Trust-E is an idea that sounds much better than it really is, primarily because it is funded and, to a large extent, run by the same companies that it ought to be watching. Their sponsors, for instance, are AOL, DoubleClick, Intuit (INTU), and Microsoft.

As consumers, we should be entitled to only give out our information when we want, and maintain some control over its subsequent disposition, including mandatory erasure when our business relationship is terminated. If a company wants to use our valuable data, they should pay us, just like we should pay to use software or watch a movie. Scamming our information through privacy policies may be legal, but it is ethically bereft, occurring only in the vacuum of meaningful consumer privacy regulation.

Absent a strong claim of ownership for personal data, it will become increasingly difficult to force respectful and equitable treatment online from many companies. Congress should establish the ownership issue now, before AT&T's trial policy becomes an industry standard.
