DMNews published this advertisement today for the personal information of Art.com customers. In it, Art.com proposes to sell its customer list of 385,577 people basically to anyone:
Art.com
Lenser
New List
Description: This file contains buyers from Art.com, a unique resource that brings homeowners, renters, small businesses and interior decorators a wide selection of high-end art prints. These established mail-order buyers are upscale, actively involved in decorating their homes or offices with a selection of fine prints and posters. They are primarily homeowners who are married with children. The average age is 45, the average income is $100,000, and their occupation is mainly in professional and technical fields.
Selects: 385,577 12-month buyers, 3-month, 6-month buyers, gender, $75+, $100+, $200+, state and SCF
Contact: your list broker or Lenser, 899 Northgate Drive, San Rafael, CA 94903
Phone: 415/446-2513
Fax: 415/479-2280
E-mail: Trish@lenser.com
And check out this privacy policy provided by Art.com, where the company seems to say that it doesn’t sell information, but there are exceptions to that rule, and all of Art.com’s rules may change in the future. Email seems to be protected by opt-in standards, but what about other information? And finally, Art.com may profit from your data by selling it to third parties, but it cannot guarantee that these joint marketers will protect your information:
…Except as disclosed in this Privacy Policy, our current policy is to refrain from selling, leasing, or otherwise transferring your personally identifiable information, however, this policy does not apply in all cases and this policy may be changed in the future. We describe below some of the situations in which such information may be disclosed. Art.com will never provide our promotional affiliates with personally identifiable information which would permit them to communicate with Users or their employees by email unless the User “opts-in” and have not “opted-out”, pursuant to our opt-out procedure, from receiving communications. You may have the opportunity to ask us to provide your information to these promotional affiliates. We expect those promotional partners with whom we share information (with consent, as provided herein) to respect the privacy of our Users in the same manner as we do. However, we cannot ensure that they abide by our privacy policies. Art.com, Inc. is the sole owner of information collected through the Service.
Later in the privacy policy, we learn that despite the “current policy” of refraining from selling information, the old “we may share information about you for products we think you want” line appears:
We may use the contact information we collect to provide, by means other than email, information or offers which we believe will be of value to Users and their employees and we may share contact information with other companies that may want to provide our Users, by means other than email, information regarding additional products and services. We may also use the contact information to send our Users information or offers by email which we believe will be of value to them and we may share email contact information with other companies that may want to provide our Users or their employees information regarding additional products and services. Such contact information may be shared based upon the demographic information we collect. Users may opt-out of receiving future communications at any time; see the section below regarding “Opt-out”.
How did we get into this situation with online privacy? How does this system of notice and self-regulation serve individuals’ interests in limiting resale of their data? Does it even effectively inform them that their data is being sold, given the first-mentioned “current policy” of not selling information? Bear in mind that the Annenberg Public Policy Center found (PDF) that 75% of consumers falsely believe that the presence of a privacy policy means that the site cannot sell data.
The Federal Trade Commission has maintained its support of self-regulation, in part on the theory that privacy policies will inform consumers and create a market where individuals can choose among competitors with the best policies. But there is no real way to compare privacy policies across sites, and there are hundreds of other examples of similarly confusing and contradictory privacy policies out there.