Enforcing Privacy Policies; Strengthening Oversight

Wired News is reporting that e-mail marketing giant Datran Media has agreed to a $1.1 million fine for knowingly buying marketing lists from companies with privacy policies that promised not to sell or transfer the lists to a third party.

The case, brought by New York Attorney General Eliot Spitzer, includes Datran’s purchase of a list of 7.2 million Americans’ names, e-mail addresses, home phone numbers and street addresses from Gratis Internet, a company best known for promising free iPods, televisions and DVDs to users willing to sign up for promotions offered by partners such as Citibank, Blockbuster and BMG’s music club. While many people did indeed get a free iPod, all ended up with inboxes full of marketing pitches, which began showing up within hours of registering. Gratis assured registrants they could opt out of such mailings, and claimed in its privacy policy, as of September 2004, that the company would send out marketing messages on behalf of other companies but would never sell or transfer its lists to any third party. Those promises were not kept, according to the settlement between Spitzer and Datran.

It is promising that Spitzer was successful in punishing Datran for purchasing customer lists that were supposedly protected by privacy policies, but an equally culpable partner in this crime is Gratis, who apparently violated their own privacy policy. Gratis, not surprisingly, doesn’t see anything wrong with what they did, claiming that “appointing a specialized vendor to manage such ‘in-house’ marketing operations is a commonplace, industry-wide practice…it is a standard and totally lawful practice.” But if Datran was guilty of illegally purchasing a list, then Gratis must have sold it to them in clear violation of their privacy policy. This wasn’t a case of hiring a trusted vendor to do some “in house” work, and then that vendor stealing your customer list. Datran bought it; Gratis sold it.

Stronger oversight of companies’ privacy policies is required. Gratis’ privacy policy was supposedly endorsed by Truste, a nonprofit group that claims to certify and monitor website privacy and e-mail policies. When asked by Wired News in 2004 how third-party spammers got hold of Gratis members’ e-mail addresses, Truste said it could not find a problem with Gratis’ practices. Truste later revoked, reinstated, and again revoked their seal of approval on Gratis’ site. No explanation was given. Let me repeat: the people who are trusted to oversee a company’s privacy policies waffled on whether Gratis satisfied their requirements, but didn’t provide any information to the public to help inform or protect themselves. (Apparently, Truste has long been criticized as ineffective and too eager to make apologies for companies that violate the spirit of their privacy promises.)

Spitzer needs to put both Gratis and Truste in his sights if we want strong enforcement of corporate privacy policies, and trustworthy oversight of whether those promises are being kept.


UPDATE (03-23-06): Spitzer filed suit against Gratis today. From the Wired News mention:

Spitzer claims Gratis wrongfully shared as many as 7 million “user records,” creating the largest deliberate breach of a privacy policy discovered by U.S. law enforcement. He said the company’s promises to consumers included: “We will never give out, sell or lend your name or information to anyone,” and “We will never lend, sell or give out for any reason your e-mail address or personal information.”
