A Privacy Update

18 August 2000
Co-authored by Bradley Gross

Let's take a quick multiple-choice test. What can a private company do with personal information that it receives about you over the Internet? You get to choose one potential answer: (a) It must keep the information secret; (b) It may, only under certain circumstances, release the information to anyone who asks for it; or (c) The company can do whatever it wants with your personal information.

If you live in the United States, the answer is (c). There are virtually no limits to what a company can do with personal information that it has obtained about you. Your name, address, telephone number, social security number, height, weight--practically anything that a company can get its hands on in the normal course of business--can be doled out for money, services or anything else that might benefit them.

How Do They Get My Information?

There are many ways that a company can get your personal information. For example, have you ever noticed that when you sign up for a service or buy something online, there's often a little box, next to which it says, "If you want to learn more about our products or services, check here."

Or, my personal favorite, "Occasionally we disclose a list of our customers to other companies that have products which we believe might be of interest to you. Check here if you want to be included on such a list."

Usually the box is already checked off for you, so if you're not careful, you're automatically enlisted in the "send my information to anybody" club-of-the-month.

How about those chain-e-mail "petitions" which ask you to type your name and then forward the e-mail to others to help prevent an Internet sales tax, or to avert a tax on telephone calls to local Internet service providers? More often than not, these "petitions" are nothing more than personal name/e-mail repositories created by unscrupulous mailing list companies.

Once the list has garnered a few thousand names, it doesn't take a rocket scientist to match the names with their corresponding e-mail addresses. In fact, it's often simple to do. Take it from me, Mark Grossman at mark@mgrossmanlaw.com.

Up until a few months ago, a handful of states were even willing to sell drivers license photos to the highest bidder. If it weren't for an overwhelming surge of consumer outrage, Florida, South Carolina and Colorado all would have sold over 22 million drivers license photos to a private company in New Hampshire. Surprisingly, only a few states actually have laws preventing this from happening.

Armed with a drivers license photo and corresponding name and e-mail address, a company can quickly begin to cross-reference your information against customer lists it may have bought from retail stores, health clubs, sweepstake companies, magazine publishers, telephone companies, and so on. The result is that at least one popular online mailing list broker advertises that it can "track down the phone numbers, postal addresses or e-mail addresses you need . . . in every hemisphere, in every time zone and in almost any language!" Moreover, once this information is cross-referenced, indexed and filed, it can be sold in bulk to another company, which may have information of its own to add to your online identity.

Why Do They Want It?

Your personal information is a hot commodity, and the selling and trading of personal information has blossomed into a multi-million-dollar industry. Today, companies routinely pay thousands of dollars to get a peek at the personal information of other companies' customers. The information helps retailers refine their own online marketing strategies, and advertise their products to appeal to a customer's specific habits, tastes or personality.

It isn't unusual for a company to buy lists of thousands of cross-referenced names at one time. If your name happens to be on one of the lists, you can usually expect to win a lifetime supply of spam e-mail, junk mail, useless faxes and unwanted telephone solicitations. Moreover, if you want to get off the list-good luck! Often it is easier to move out of your house than it is to remove yourself from a company's database.

Need an example? Do this: go check your e-mail, and count how many unsolicited e-mails you got from pornographic websites, sweepstake companies, retail stores, credit card companies and people offering you "get rich quick" schemes. Last time I checked my e-mail account, I received over fifteen such e-mails in a single day.

After that, go check your regular mail. Look at the number of unsolicited catalogs, flyers, credit card applications, and similar items that have been stuffed into the ever-diminishing real estate of your mailbox. Just the other day, all I got was junk mail. It made me long for a bill.

What Can I Do?

If you're looking for a law to protect you, you're out of luck. Currently, there are no laws which govern how or when your personal information may be disseminated by a private business. Even oft-cited privacy laws, such as the Child Online Privacy Protection Act ("COPPA"), and the recently enacted Graham-Leach-Bliley Act, provide no restrictions regarding how private businesses can use the personal information of their adult customers.

For the most part, the industry regulates itself. While this may evoke images of the proverbial mouse guarding the cheese, the movement towards self-regulation is beginning to catch on.

Leading the way are companies such as TRUSTe (www.truste.com) and BBBOnline (www.bbbonline.com), which provide privacy seals to websites that promise to keep consumers' personal information private. The seals are akin to the "UL Listed" emblem that you see on electrical appliances-if you see the seal, you can take comfort in knowing that the website is privacy-friendly. Currently, over 1,500 corporations have been granted the privilege of displaying a TRUSTe or BBBOnline privacy seal on their websites, with more being added each day.

Even websites without a privacy seal are posting privacy policies on their sites, hoping to instill purchasing confidence in their privacy-conscious consumers. Keep in mind, however, that these policies are only good if they're enforced. Since there's no regulation in this area, no one can guarantee that website owners will follow their posted policies. Therefore, you should approach these sites with a healthy dose of caution, and think twice before giving out your personal information to such websites. Instead, before divulging your personal information online, look for a TRUSTe or BBBOnline symbol on the website.


Regardless of the advantages of the Internet, e-commerce will never be fully embraced by the public until the privacy concerns of online consumers are addressed. And while self-regulation by private industries may not be the perfect solution, it's what we have to work with right now.

As consumers become more privacy-conscious, they'll tend to support those websites that offer privacy-friendly policies over those sites that don't. Therefore, if you own a website, you should add a privacy policy to your site, and apply for a privacy seal from one of the recognized online privacy groups.

Mark Grossman's "TechLaw" column appears in numerous publications. Mark Grossman has extensive experience as a speaker as well. If you would like him to speak before your group or corporate meeting, please call (305) 443-8180 for information.

You can find a TechLaw archive at: www.DeWittGrossman.com.

If you have any comments, please send them to MGrossman@DeWittGrossman.com.

Disclaimer: The advice given in the TechLaw column should not be considered legal advice. This newsletter only provides general educational information. You must never rely upon the advice given here. Your individual situation may not fit the generalizations discussed. Only your attorney can evaluate your individual situation and give you advice.

Except as provided below, you may feel free to forward, distribute and copy the TechLaw column if you distribute and copy it without any changes and you include all headers and other identifying information. You may not copy it to a Web site.