Behind the Privacy Policy Veil

Mark Sakalosky

Updated · Jul 30, 2003

“Web Firms Choose Profit Over Privacy” was the title of a great article in The Washington Post earlier this month. It examines the privacy policies of a number of Web companies. In some cases, the Post found businesses clearly violate their own privacy policies by selling customer information to the general public. In other cases, Web firms were in clear compliance with their privacy policies while hawking customer information like carnival barkers. You never know what you'll find hiding behind the privacy policy veil.

The Post learned Hooked on Phonics, a learn-to-read program, is actively renting its customer file at a rate of $95 per 1,000. List buyers even gain access to the ages of the children for whom the programs are purchased. This, despite the fact Hooked on Phonics' Web site clearly stated it would never sell or rent customers' personal information to other marketers. Oops.

The article also references CartManager, a shopping cart software provider. CartManager currently offers its list of over 750,000 postal and e-mail addresses of consumers who recently purchased merchandise online. Unlike Hooked on Phonics, CartManager is not in violation of its privacy policy, which very clearly states the company will pimp the personal information of customers who buy merchandise from online retailers that use CartManager's product. The only way a customer would be aware of this is if she clicked a little blue privacy policy link during checkout. Who really does that, anyway?

Privacy policies. Interesting little devils, aren't they? Nearly every commercial Web site has one, yet no two are the same. No legal entity is charged with policing companies to ensure they're in compliance with their privacy policies nor punishing companies that violate their policies. And consumers rarely read them. I'm guilty as charged on this account.

The most dangerous aspect of privacy policies is the veil they hide behind. Consumers assume by virtue of its existence, a privacy policy must provide privacy protection that benefits consumers. Quite to the contrary, a privacy policy might actually disclose the consumer has no privacy at all. Take the privacy policy for (pronounced shade e biz), which sells automobile sun shades. Excerpts from its privacy policy follow.'s privacy policy covers:

  • How treats personally identifiable information collects and receives. This includes personally identifiable information we collect from you or your computer, with or without your knowledge.
  • Personally identifiable information is information about you that is capable of identifying you personally, including your name, street address, e-mail address, phone number, social security number, bank account number, brokerage account number, credit card number, and other information not available to the general public.

How collects personally identifiable information:

  • captures personally identifiable information, both with and without your knowledge, when you visit our Web site, register with us, and/or purchase our products. If you willingly visit our Web site and/or purchase our products, we're going to use every avenue available to learn everything we can about who you are, what you like, how you access password-protected Web sites, and where you keep your money.
  • During registration, we ask for information such as your name, address, e-mail address, birth date, mother's maiden name, gender, children's names, occupation, personal interests, social security number, bank account number, brokerage account number, and credit card number. You really shouldn't give us all this information, but if you're silly enough to do so, then hooray for us!
  • The process of capturing personally identifiable information without your knowledge refers to information we capture from your computer by downloading spyware and other invasive software products that harvest valuable information about you.
  • At times, we may have obtained information about you from other businesses or companies by hacking into their customer databases. We reserve the right to merge this information with the information you provide and information we capture from your computer without your knowledge.
  • We capture and store information on our server logs from your computer, including your IP address, cookie information, Web pages you request, and a variety of information captured by our spyware that you don't really need, or want, to know about. Based on what you've already read, this shouldn't come as a surprise.

How uses personally identifiable information:

  • We sell personally identifiable information to companies and individuals (such as the Buffalo Spammer). After all, how much money can we make selling automobile shades?
  • Typically, the information we sell is not available to the general public and is, in fact, some of your most highly guarded information. If this information were available to the general public, it wouldn't be very valuable. Therefore, we wouldn't be able to sell it for very much money.
  • If you're lucky, the companies and individuals to whom we sell your personally identifiable information will use this information to send you spam featuring pornography and other content of ill repute.
  • If you're unlucky, the companies and individuals to whom we sell your personally identifiable information will use it to steal your identity, raid your bank account, and run up hundreds of thousands of dollars of debt in your name. There's a good chance you won't find out about it for 12-18 months.'s security and confidentiality statement:

  • We follow federal guidelines and regulations in developing physical and electronic safeguards to protect your personally identifiable information. After all, if we left your data on an insecure server, other companies could steal your personally identifiable information and sell it themselves. This would be very bad for our business.
  • No individuals excepting the proprietors of our business have access to your personally identifiable information. We are extremely paranoid an employee may try to steal your personally identifiable information and sell it on his own. Again, this would be very bad for our business.
  • uses industry-standard SSL-encryption to protect data transmissions. Of course, this is done to provide you with a false sense of security and to convince you to give us your personally identifiable information.

How's communicates changes to it's privacy policy: may change this privacy policy at any time. All changes are retroactive to the date of's creation. We will make the changes known to you via mouse-sized type placed on scarcely traveled pages of our Web site.

How handles questions:

  • If you have questions or suggestions, please try to contact us at: Inc.
    Privacy Policy Concerns
    P.O. Box ID-10-T
    Marsh Harbor, Bahamas 30-00352

  • is a shell corporation with no real assets. The person named as owner on's incorporation documents has been deceased over 25 years. As such, if you have a problem, good luck finding us because we don't exist.

If you haven't figured it out by now, is not a real entity. Hope you enjoyed the ruse. You never know what companies have hidden behind the privacy policy veil, do you? Aren't you glad you read this one?

Adapted from

  • Data Management
  • News
  • Read next