Do privacy policies have any teeth?
April 25, 2009 1:56 PM Subscribe
How are violations of a website/vendor's privacy policy enforced?
Recently, I submitted a request for a quote for colocation services in San Francisco. The request was made from a brand new email address, which was not used anywhere else.
48 hours later, I received an email from a different vendor of colocation services asking whether he could bid for our business.
The vendor that contacted me had gotten my address from the vendor that I contacted... since it was a one-time-use address, there is no other place where vendor #2 could've gotten it.
Vendor #1 has a privacy policy here, that they're almost certainly violating. I'd like to make them stop.
Pretend for a moment that I don't want to ask nicely. I'd rather that they be asked not-at-all nicely by the sheriff, prosecutor, attorney general, etc.
So, hive mind, did Vendor #1 violate the law when they violated their policies? If so, how should I go about getting them penalized for it?
Yes, I know it's silly to call them Vendor #1, then link to their site. I'm intentionally not mentioning them by name here, for anti-SEO purposes. I would prefer if you did the same while answering
Recently, I submitted a request for a quote for colocation services in San Francisco. The request was made from a brand new email address, which was not used anywhere else.
48 hours later, I received an email from a different vendor of colocation services asking whether he could bid for our business.
The vendor that contacted me had gotten my address from the vendor that I contacted... since it was a one-time-use address, there is no other place where vendor #2 could've gotten it.
Vendor #1 has a privacy policy here, that they're almost certainly violating. I'd like to make them stop.
Pretend for a moment that I don't want to ask nicely. I'd rather that they be asked not-at-all nicely by the sheriff, prosecutor, attorney general, etc.
So, hive mind, did Vendor #1 violate the law when they violated their policies? If so, how should I go about getting them penalized for it?
Yes, I know it's silly to call them Vendor #1, then link to their site. I'm intentionally not mentioning them by name here, for anti-SEO purposes. I would prefer if you did the same while answering
Couple of related thoughts
1) It might be Vendor 1 couldn't handle your request for whatever reasons so passed it onto vendor 2 to help?
2) Is vendor 2 another trading name of vendor 1?
posted by rus at 3:14 PM on April 25, 2009
1) It might be Vendor 1 couldn't handle your request for whatever reasons so passed it onto vendor 2 to help?
2) Is vendor 2 another trading name of vendor 1?
posted by rus at 3:14 PM on April 25, 2009
Related to rus' comment: There are a bunch of other business names on their site. Was Vendor 2 any of those? Or is Vendor 2 an actual competitor? (Seems weird that they would just pass their inquiries to a competitor.) Did you ever get an response to your request from Vendor 1?
Curious tinfoil hat question: Was this a GMail account?
posted by sageleaf at 3:30 PM on April 25, 2009
Curious tinfoil hat question: Was this a GMail account?
posted by sageleaf at 3:30 PM on April 25, 2009
Best answer: Yeah, privacy laws are extremely weak in the US for this sort of thing...the whole "if people want privacy they'll pay for it / free market / no regulation" idea... if they'd signed up to Safe Harbor you get the FTC involved, but it doesn't look like they have.
Also, this part of their policy:
Customer Account Information: When customers sign up for the Service, and during their Service-relationship, we collect some or all of the following: company name, individual name, title, address, telephone number(s), email address(es), credit card number, and choice of service package. We also record and retain most written communications with customers, including trouble tickets, support requests, and payment history. ServePath uses this information for customer support. We also use contact information to send customers Service-related announcements, including newsletters and notices of new Service features and related products and services provided by ServePath partners.
They could probably argue that they were "using your contact info" so you could receive "services from Servpath partners".
However, if this is a competitor company, what would servepath's interest be in giving them your info and allowing them to bid? Seems odd.
I think you should email them and ask for an explanation.. post their response here. I'm curious.
posted by modernnomad at 3:42 PM on April 25, 2009
Also, this part of their policy:
Customer Account Information: When customers sign up for the Service, and during their Service-relationship, we collect some or all of the following: company name, individual name, title, address, telephone number(s), email address(es), credit card number, and choice of service package. We also record and retain most written communications with customers, including trouble tickets, support requests, and payment history. ServePath uses this information for customer support. We also use contact information to send customers Service-related announcements, including newsletters and notices of new Service features and related products and services provided by ServePath partners.
They could probably argue that they were "using your contact info" so you could receive "services from Servpath partners".
However, if this is a competitor company, what would servepath's interest be in giving them your info and allowing them to bid? Seems odd.
I think you should email them and ask for an explanation.. post their response here. I'm curious.
posted by modernnomad at 3:42 PM on April 25, 2009
Even if they did pass your request on to another vendor, how was your privacy violated?
posted by gjc at 4:42 PM on April 25, 2009
posted by gjc at 4:42 PM on April 25, 2009
Best answer: I am not your attorney.
I actually worked on matters like this at a state attorney general's office years ago. Modernnomad is correct that US privacy laws are largely pretty weak, and there's a good chance that there's no specific law that would prohibit this practice or provide a remedy for it. However, California as I recall does have some laws specifically related to online privacy matters, so you may have a little more luck than usual there. (In addition to not being your lawyer, I have not practiced California law nor have I studied it in any detail.)
That said, our view at the AG's office was that a privacy policy represented a contract with the end user, and a violation of such a policy would amount to a breach of contract. I don't know if this has ever been successfully argued in a court of law (we never went to court on any such matter while I was at the AG's office), and I'm sure plenty of people out there think this is a stupid or otherwise objectionable idea. But at least one major company we investigated bought into our viewpoint enough to want to settle with us and change its privacy practices.
So, try contacting your AG. Given the number of complaints lodged at state AG's offices every year, and the limited resources of any government office, there's no way to know if your complaint will be investigated. That said, you should still do so. A big factor in deciding whether to investigate something is often the number of complaints about it. You'll be doing your AG a favor if others have complained about this company before.
posted by DavidNYC at 4:58 PM on April 25, 2009
I actually worked on matters like this at a state attorney general's office years ago. Modernnomad is correct that US privacy laws are largely pretty weak, and there's a good chance that there's no specific law that would prohibit this practice or provide a remedy for it. However, California as I recall does have some laws specifically related to online privacy matters, so you may have a little more luck than usual there. (In addition to not being your lawyer, I have not practiced California law nor have I studied it in any detail.)
That said, our view at the AG's office was that a privacy policy represented a contract with the end user, and a violation of such a policy would amount to a breach of contract. I don't know if this has ever been successfully argued in a court of law (we never went to court on any such matter while I was at the AG's office), and I'm sure plenty of people out there think this is a stupid or otherwise objectionable idea. But at least one major company we investigated bought into our viewpoint enough to want to settle with us and change its privacy practices.
So, try contacting your AG. Given the number of complaints lodged at state AG's offices every year, and the limited resources of any government office, there's no way to know if your complaint will be investigated. That said, you should still do so. A big factor in deciding whether to investigate something is often the number of complaints about it. You'll be doing your AG a favor if others have complained about this company before.
posted by DavidNYC at 4:58 PM on April 25, 2009
Reporting Misuse of Data
Customers and other third parties should contact ServePath about any suspected misuse of their personally identifiable information or other data. All such inquiries or complaints should be directed to us via email to abuse@servepath.com.
Have you emailed them about this? I know you said you don't want to, but you ought to. If this is not a function of the company but one individual AT that company who has been compromised and is sending sales leads to competitors, this is not only something they'd like to know about, but also something that would make it stop.
But . . . legal recourse? Really? Over one email to a throw-away address? Please don't waste the court system's time. There are people who have real issues who would appreciate you not clogging up dockets over something so trite.
Hopefully you also see the humor in setting up a one-time-use email address to catch spam and then being outraged that it received some.
Also, not mentioning the company's name is somewhat silly. They're already #1 for searches for the company name.
posted by toomuchpete at 5:06 PM on April 25, 2009
Customers and other third parties should contact ServePath about any suspected misuse of their personally identifiable information or other data. All such inquiries or complaints should be directed to us via email to abuse@servepath.com.
Have you emailed them about this? I know you said you don't want to, but you ought to. If this is not a function of the company but one individual AT that company who has been compromised and is sending sales leads to competitors, this is not only something they'd like to know about, but also something that would make it stop.
But . . . legal recourse? Really? Over one email to a throw-away address? Please don't waste the court system's time. There are people who have real issues who would appreciate you not clogging up dockets over something so trite.
Hopefully you also see the humor in setting up a one-time-use email address to catch spam and then being outraged that it received some.
Also, not mentioning the company's name is somewhat silly. They're already #1 for searches for the company name.
posted by toomuchpete at 5:06 PM on April 25, 2009
Response by poster: To followup.
1. Vendor #2 is not an affiliate of Vendor #1. It is a vendor that is usually known for providing IP transit only, though they do also resell carrier-neutral colo space (with a cross-connect, presumably).
In general, I would classify Vendor #2 as a competitor. I think that Vendor #1 saw the request, decided they weren't interested, and sold the lead to Vendor #2.
2. This wasn't a one time address specifically for spam, nor was it on gmail. We may have submitted multiple requests to a each vendor, with some parameters changed (or, perhaps some company details changed -- you'd be surprised how much the price for the same service will differ if you say "I'm with XYZ, an unknown startup" vs. "I'm with ABC, a fortune 500"). We use the one-time addresses to track the parameters of each request.
Sorry about being a little cagey about it, but it's a small industry in a smallish town, and because the company I represent doesn't want it known that they're looking for new/more colo space. This isn't all that unusual, actually.
3. Toomuchpete. By not mentioning the company name, it made it unlikely that THIS page would come up on a search. Of course, if you're looking for the company, you'd find their page. But, since someone above you didn't strip the name when copying from the privacy policy, it doesn't much matter anyway.
4. As to how my privacy was violated:
Let's say for a minute that I am already a customer of Vendor #2... and I don't want them to know that I'm seeking competitive bids, because I'm going to use them to negotiate (or because I don't want them to start treating us poorly, because they know we're moving out). When Vendor #1 says "We won't give away your information", I expect them to honor that. I don't feel "violated", the way you would if your boudoir photos were lifted from the "private" area of your flickr account... but I'm irked that they told me explicitly that they wouldn't do something, and then did it anyway.
Believe me, we're really glad that this particular one-time-use address wasn't one of the ones that revealed the real company name.
posted by toxic at 6:07 PM on April 25, 2009
1. Vendor #2 is not an affiliate of Vendor #1. It is a vendor that is usually known for providing IP transit only, though they do also resell carrier-neutral colo space (with a cross-connect, presumably).
In general, I would classify Vendor #2 as a competitor. I think that Vendor #1 saw the request, decided they weren't interested, and sold the lead to Vendor #2.
2. This wasn't a one time address specifically for spam, nor was it on gmail. We may have submitted multiple requests to a each vendor, with some parameters changed (or, perhaps some company details changed -- you'd be surprised how much the price for the same service will differ if you say "I'm with XYZ, an unknown startup" vs. "I'm with ABC, a fortune 500"). We use the one-time addresses to track the parameters of each request.
Sorry about being a little cagey about it, but it's a small industry in a smallish town, and because the company I represent doesn't want it known that they're looking for new/more colo space. This isn't all that unusual, actually.
3. Toomuchpete. By not mentioning the company name, it made it unlikely that THIS page would come up on a search. Of course, if you're looking for the company, you'd find their page. But, since someone above you didn't strip the name when copying from the privacy policy, it doesn't much matter anyway.
4. As to how my privacy was violated:
Let's say for a minute that I am already a customer of Vendor #2... and I don't want them to know that I'm seeking competitive bids, because I'm going to use them to negotiate (or because I don't want them to start treating us poorly, because they know we're moving out). When Vendor #1 says "We won't give away your information", I expect them to honor that. I don't feel "violated", the way you would if your boudoir photos were lifted from the "private" area of your flickr account... but I'm irked that they told me explicitly that they wouldn't do something, and then did it anyway.
Believe me, we're really glad that this particular one-time-use address wasn't one of the ones that revealed the real company name.
posted by toxic at 6:07 PM on April 25, 2009
Your #4, how your privacy was violated, is actually how your privacy would have been violated had you been a customer of Vendor2. That's how the law will see it. The legal system doesn't generally operate to proactively change bad behavior; it's for setting right something (usually quantifiable) that has already happened. Contact them, find out what happened, and if it is an actual breach of contract, and you're really intent on changing their behavior and affecting US policy, then contact a lawyer to see if you can find some damages. Meanwhile, contact the BBB if there was an actual breach of contract.
I'd guess, however, that a company who is one of the main players in a market would be able to craft the policy in such a way as to cover all of their activities. There are probably legal terms and loopholes that you aren't seeing.
posted by thebazilist at 7:20 AM on April 26, 2009
I'd guess, however, that a company who is one of the main players in a market would be able to craft the policy in such a way as to cover all of their activities. There are probably legal terms and loopholes that you aren't seeing.
posted by thebazilist at 7:20 AM on April 26, 2009
Based on what you're saying, I'm more inclined to think that this is a case of corporate espionage. Why would any vendor want to pass info about a potential customer to a competitor? That doesn't seem likely. But the competitor wanting to illicitly gain that info makes a lot more sense.
posted by Chocolate Pickle at 5:07 PM on April 26, 2009
posted by Chocolate Pickle at 5:07 PM on April 26, 2009
Response by poster: I ended up talking with Vendor #1 about it, and they admitted to passing off the lead. They weren't going to be able to bid on the business (they didn't have sufficient available room in their facility), so they thought they were doing us a favor by shopping it to (more than one) other vendor. They stood to earn a commission/finder's fee for the lead.
thebazlist: We are existing customers of Vendor #2. We do not want them to know that we were seeking competitive bids. We're very glad that it was one of the sockpuppets that was given to Vendor #2, and this will most likely lead us to use even more sockpuppets in the future.
When I explained this to Vendor #1, they were apologetic, but I don't think they're going to think twice before doing this again, if there's a commission in it.
posted by toxic at 6:02 PM on April 28, 2009
thebazlist: We are existing customers of Vendor #2. We do not want them to know that we were seeking competitive bids. We're very glad that it was one of the sockpuppets that was given to Vendor #2, and this will most likely lead us to use even more sockpuppets in the future.
When I explained this to Vendor #1, they were apologetic, but I don't think they're going to think twice before doing this again, if there's a commission in it.
posted by toxic at 6:02 PM on April 28, 2009
This thread is closed to new comments.
B. [Vendor 1] sometimes employs independent contractors to help run the Service, and such contractors may have access to data, similar to the access we give our employees. Also, [Vendor 1] stores sales account data, including customer passwords and personally identifiable information, with a third party application service provider. The current provider is [Other Company Z]. This third party data storage does not apply to Hosted Data. [emphasis added]
It could be that you were passed to an affiliated independent contractor to fulfill your service. Which is allowed under their privacy policy.
But, to answer your questions (IANAL):
1) Vendor 1 did not violate any law I'm aware of. They did violate an agreement with you (one indicated by their privacy policy). If you believe that you have been harmed (not just pissed off, harmed), then you could sue them for something along the lines of breach of contract. You'll need to have evidence of the harm (damages) they've done to you. (Personally, I don't think you've been harmed very much at all. You used a throwaway account. Do they have realworld contact info for you?)
2) You can't get them penalized for it. They've not violated any criminal law. You can sue them, and if you win, you'll be compensated for your losses out of their assets. There is a concept of punitive damages, but I don't know if it applies, or how it works.
posted by Netzapper at 2:46 PM on April 25, 2009