Why Almost Every Major Site Can Sell Your Personal Data
Nasir Pasha & Matt Staub

Why Almost Every Major Site Can Sell Your Personal Data [e205]

Nasir and Matt discuss how many companies maintain privacy policies which allow for the sale of personal data.

Transcript:

NASIR: All right. Welcome to Legally Sound Smart Business. This is our podcast where we cover business in the news and add our legal twist. My name is Nasir Pasha.
MATT: And I’m Matt Staub.
NASIR: And thank you for joining us once again for a series of information and events which you can take in your consideration.
MATT: A series of letters that form into words which form into sentences and who knows what will happen from there…
NASIR: Which eventually forms a podcast episode.
MATT: Yeah, hopefully. We’ll see.
NASIR: At least that’s the objective.
MATT: If we have our personal data after this episode then we’ll have a podcast episode.
NASIR: Well, this personal data thing is crazy. I know you’re just leading into your transition but we’re talking about this because it’s somewhat dated. Everyone remembers the whole RadioShack bankruptcy and then basically sold everything from A to Z. We covered a little bit about it but what was not as publicized is what happened to the actual private data that they’ve collected for over 100 million customers, including everything from social security numbers to credit card numbers to everything in-between.
MATT: Well, luckily, for most people, they hadn’t shopped at RadioShack for a very long time so maybe there’s no personal data on file.
NASIR: Most of the people are probably dead by now of those 100 million customers.
MATT: It’s been at least ten years since I’ve been inside – probably fifteen years since I went to a RadioShack.
NASIR: You know those times where you just need a cable or something like that? I was giving a presentation in the middle of nowhere – when I say middle of nowhere, I didn’t know where I was – and I needed a cable so I had someone go in looking around and they ended up going to RadioShack and they brought in the wrong cable and they went back two or three times and they ended up not having the cable, of course, that I needed. I was like, “What’s the point of this store? I don’t get it.”
MATT: Well, at least it wasn’t your data. You had somebody else pay for it or buy it.
NASIR: True.
MATT: There was a bankruptcy case with RadioShack but it’s not just that. I mean, any sort of merger acquisition, asset sale, any sort of other transaction – let me get the data on this – the 100 biggest sites in the US, 85 of them included language in their privacy policy saying they could transfer user data if one of those triggering things happened – merger acquisition, asset sale, et cetera.
NASIR: And that’s 85 out of… you said 100?
MATT: Yeah.
NASIR: You know, what’s interesting about these privacy policies that are pretty much required – you know, California is one of the first and I think we’ve talked about it in the past, it’s one of the first states to actually require privacy policies – you can pretty much put whatever you want. A lot of times, like Matt said, they’ll say, “Okay, we won’t sell your data unless we are acquired,” or something like that – that’s best case scenario. But, a lot of times, you can just say that, “Yeah, we’re going to use your data and we’re going to use it for marketing purposes,” or they word it in such a way that may not be as egregious but, at the end of the day, allows them to do what they want.
MATT: Yeah, and similar to terms of service – probably even less so than terms of service – people don’t read the privacy policy on websites. I mean, typically, it’s either at the bottom of the page in the small link or you have to go to the site map and find it that way. It’s not something people openly go to – I mean, other than an attorney or someone really interested in tech-related stuff. I can’t see many other people going and checking that out.
NASIR: Which I think is not unreasonable because, you know, when you surf and enter in forms and so forth, it’s hard to kind of go through that every time you do so. I mean, I know what I’d do. I’d just assume that it’s not going to be private. They’re going to share the information so, depending upon what information I’m giving them, I just have to have that expectation.
MATT: Yeah, and I would think that’s probably what most people think as well. It’s 2015. This isn’t the first days of the internet where people did not understand and thought everything was secure. I mean, things are a lot more secure now in terms of transactions but people submitting in user information, I think the expectation has to be there that it’s not going to be that private. Going back to those 100 sites which includes, I mean, 100 biggest sites – we’re talking Facebook, Twitter, Reddit which is a tease into the one podcast episode, LinkedIn, et cetera – only 17 of the top 100 sites said it would alert customers in some way if their data was transferred to another entity. I mean, I’m trying to think for myself. I don’t know if I’ve ever… I’ve definitely gotten emails that we’ve changed our privacy policy if there’s something I have an account for or something like that. I mean, maybe there’s information in there and I probably just don’t read them but I can’t remember getting a specific email saying that my data was transferred to somewhere else.
NASIR: And, depending upon what the privacy policy is, they may not have an obligation to do so. What’s interesting about what happened with RadioShack is that basically they’re selling all their assets and I can’t remember the buyer but the buyer basically purchases all their data, including what they expect is to be 100 million customers – 100-plus million – customer data and the Texas Attorney General and all these other states and I think the FTC got involved as well, they’re basically telling the bankruptcy court and they actually filed a motion like, “Look, you can’t release this data, it needs to be limited,” and they ended up getting to some kind of settlement where, you know, of the 100 million, 50 million were kind of sensitive data for which, you know, security numbers and credit card numbers would be redacted and things of that nature. But one of the things that it hinged on – and I think that pushed this over – is that the privacy policy that was displayed in stores of RadioShack was that, “At RadioShack, we respect your privacy. We do not sell our mailing list,” and things like that were enough to really have some sort of protection of this data. But, without that, I’m not sure if the FTC even would have had such an argument to be able to block the transfer.
MATT: Yeah, that was physically up in stores, right? I don’t know what it said on its actual privacy policy on the website.
NASIR: But I imagine that, you know, as we joke of people not going to the stores, I assume people didn’t really shop on the website either so I assume most of those, I think it’s 117 million customers were in-store customers, I would assume. I think I see Verizon or some of the other cellular phone companies also joining in that motion because I think perhaps RadioShack was selling phones and so forth so maybe the data they collected was in connection to that as well so that may have played a part. But what’s interesting is Texas is involved in that. Of all states, California actually has a right of privacy within their constitution. There’s no such equivalent in Texas yet it’s not the only one that they’ve actually been objected to – not just RadioShack. They’ve also gotten involved with other areas of interest where confidential information – or I should say privacy information – was actually being transferred in connection with a sale or bankruptcy.
MATT: We’ve talked mostly about this from the consumer perspective, I think. And so, from the business side of things, how does this affect businesses? I guess the obvious thing would be, if you don’t have these terms in your privacy policy, you’re in the minority.
NASIR: Yeah.
MATT: I mean, obviously, you have to go about it the right way. You can’t just say, “We own all of your information,” if they poorly word it like that. But, from a business perspective, especially in California, like you said, you need that privacy policy. If a company or a business was hesitant about putting that in their policy, they can feel a little bit more comfortable in doing so.
NASIR: This isn’t just a big business issue because I’ve seen many times – even failed start-ups – where you’ll have a software product that is being sold over a course of number of years but then ends up going under. But, in the course of that, their end up is still being substantial valued just in the data they have been able to collect. In other words, even if they didn’t make any money but if they’ve sold all these services, just think if like Twitter in its early days that – it’s not the best example but let’s say they didn’t make much money but they had a ton of users but they were just losing money because they weren’t being paid anything but there were a lot of people using it – that data alone is worth quite a bit and, if it went under, they could have sold it if they have the proper privacy policy disclaimers in there. And that’s why, when people ask us about privacy policies, it’s you have to have it in the sense that you to have it to be able to disclose how you’re handling this data that you’re collecting. But, you should also construe it in a way that is both in your favor but also communicate to your users to make sure that you don’t get any blowback. I mean, Facebook is famous for this, right? Every time they change their privacy policy, it’s on all the blogs and people are scrutinizing it.
MATT: Yeah, it’s a situation where people go crazy about it, threaten to get off Facebook, and then don’t. So, never too concerned about that. I guess what you have to watch out for too if you’re business, let’s assume that you have that privacy policy language in there that’s saying that you’re entitled, upon the sale or transfer of the company, you can give away this personal information or transfer that along with it. The key is just to not have that be in conflict with anything else that you put out there. And I don’t think that it would be contradicted in the privacy policy itself but don’t go around preaching that you’re a different company and you respect privacy and all these things and have that in there, that’s the opposite. I mean, I don’t think that’s saying that you support privacy and then having those terms in there is a direct conflict but it’s enough for it to make you look bad.
NASIR: Yeah, and it’s just like RadioShack. Like, they could have had the best privacy ever but then, if they put out a sign saying, “We do not sell our mailing list,” then that’s enough to cause a big problem.
MATT: Yeah.
NASIR: I just love bashing RadioShack just for fun. It’s an easy target, I suppose.
MATT: I did look and they still have “RadioShack is open and here to stay! Over 1,700 convenient locations.”
NASIR: Really?
MATT: There’s one right across from the gas station that I think I’ve mentioned before that I go to pretty frequently and I just don’t really see anyone there. It’s next to a 24-hour Subway which I don’t know who is going to that either at 24 hours a day. So, lots of interesting things on the other side of the road.
NASIR: Before we go, if you guys remember when Facebook purchased WhatsApp, New York Times did a great job in going through and deep-diving into these privacy policies and some of them were WhatsApp and so forth. It was just interesting. People were describing how, when that happened, there was some strange coincidences of their belief that privacy information was being shared between the two which is not unheard of – it makes sense where they would add someone on a WhatsApp contact and then, when they log on on Facebook, it would recommend them to be a friend, and that can get a little creepy. I can definitely see people kind of get annoyed by that. If you just disclose that in the privacy policy, there’s no problem.
MATT: Yeah, and that’s the thing, that’s what I always come back to. People go crazy about that every time. They go, “Oh, how come this happens?” It’s like, “Well, you agreed to it whether you read it or not and, if you really have a problem with it, there’s ways you can have that stopped and you just have to do it,” and then people are right back on there, not complaining. I mean, a few I’m sure actually follow through with it. But people like to complain as we’ve detailed many times on this podcast.
NASIR: That’s right. Well, okay. If you want to send any complaints about our podcast, send it in to ask@legallysoundsmartbusiness.com. Thanks for joining us!
MATT: Keep it sound and keep it smart.

Play

Read More