As consumers go online to browse websites and search for news and information, they may be completely unware that their personal data is being collected and retained by online companies. In some cases, that data is being used by these online companies to market other services, shared with affiliates, and sold to other companies.
Seldom do consumers take the time to read lengthy online privacy agreements and, once they sign up with a website, they may have little control over making sure their data is secured and not shared across other services, applications and companies. Simply put, existing laws don’t offer consumers any protection from such data sharing.
One of the prime perpetrators of this massive online data collection is Google, whose record on data privacy has been littered with fine after fine involving privacy violations. In return for using free Google services – like its search engine, YouTube, Google+, Gmail and others – Google captures, stores and shares its information from one product across all of its products. Consumers may not realize that there is a price for these free services – reduced privacy protections. And given Google’s astounding market share, this data collection affects a lot of consumers, to say the least.
This lack of protection is evident in merchants handing of credit card information. While banks and credit unions that issue credit cards must adhere to strict data security laws and notify you of breaches, the same laws do not apply to merchants that handle your credit cards every day. Merchants aren’t required to put in place firewalls on their servers, to use data encryption, or even to have virus and malware protection to stave off hackers. Yet, some merchants are keeping consumer transaction data for longer than necessary in order to use consumer information for marketing.
No matter how aggressive your financial institution is in protecting your credit card, it’s often merchants’ technology gap that allows for credit card thievery. Fortunately, there is proposed legislation that would require merchants to more adequately protect the consumer information they collect and store.
The transfer of data between affiliated companies is yet another a major consumer concern. Test-prep company Princeton Review has been cited as potentially violating student privacy. The company offers courses to improve student scores for SAT college-entry tests, as well as graduate-level tests, like the MCAT for medical school and the LSAT for law school. But The Princeton Review and Tutor.com, which connects students with tutors, is now owned by Dallas-based Match Group Inc., which also owns some 45 dating sites and hookup apps, such as Match.com and Tinder. Match Group is expert at mining personal data for marketing purposes.
Again, there is nothing preventing the personal data of consumers (in this case, a portion of which are minors) who sign up for The Princeton Review and Tutor.com from being coopted by the sister dating sites to, in turn, lure them onto that side of the umbrella company.
A researcher from Stanford University reportedly found that one of Match Group’s websites, OkCupid, was leaking personal data to marketing partners. That’s not OK for any company, but it’s certainly worse if we’re talking about students who didn’t explicitly opt into this website in the first place.
A big problem, too, is the vulnerability of the data to hackers. For its part, Match Group is under no illusion that customer data is safe. In its filing to the Securities and Exchange Commission for its initial public offering last fall, it said something customers should cringe at: “We are frequently under attack by perpetrators of random or targeted malicious technology-related events. There can be no assurance that our efforts will prevent significant breaches in our systems or other such events from occurring.”
Looking across several industries, the practice of sharing private data without appropriate consent leaves consumers – and, in some cases, minors – vulnerable to marketing overtures by these companies and their affiliates. Instead, these companies should be required to receive an explicit and separate consumer approval – an “opt-in” agreement – from consumers before their personal information is allowed to be sold or given to business affiliates. Lawmakers need to take action to protect consumers from this potential abuse.
