In this series of four articles, I'm exploring privacy policies. Today I'll continue with an analysis of potential problems due to independent partner organizations working on behalf of their clients without adequate supervision and coordination.
First of all, if one of the sites which you are paying is selling or otherwise sharing with your competitors the names and contact information of people who enquire specifically about your products, programs, and services, you may want to discuss their practices with them. On economic grounds alone, such behavior may be counterproductive; worse, it may tarnish your reputation as an institution of integrity or erroneously give prospects and clients the impression of improper behavior. Therefore, your organization should periodically audit sites marketing information about you on the Web.
For example, in researching this question I found sites whose privacy policies do little to protect visitors’ privacy. Some of these policies state that information collected on the site may be shared with business partners, service providers, sweepstakes and promotions organizers, subsidiaries, law enforcement, and non-affiliated companies.
One text about non-affiliated companies would raise concerns for anyone. The policy begins reassuringly, “We do not share Information with any non-affiliated third party except: (1) in select circumstances when Our business partner refers you to Us and you give Us permission to share specific Information, such as your name and e-mail address, with such business partner on your order form.”
Unfortunately, it continues with “or (2) when Our business partner provides a product or service that We feel may be of interest to you.” That second part makes the assurance meaningless. The statement means that the company will share personally identifiable information with anyone it chooses to do business with – or, more bluntly, with anyone to whom it will sell prospects’ names for profit. Give them enough money and I’m sure that practically anything will seem interesting.
The lesson I draw from this cursory investigation is that no one can afford to do business with people who do not use the same strict policies of privacy protection as their own organization. Readers should perform a systematic audit of all their organizations’ links to third parties to verify that deviations from their privacy policies do not lead to embarrassment and legal liability.
The unacceptable site I located includes methods for opting out of the unwanted advertising and sharing of personally identifiable information; that topic is the subject of the third article in this series.
M. E. Kabay, PhD, CISSP-ISSMP is Program Director of the Master of Science in Information Assurance at Norwich University.