Safeguarding your Online Privacy

At the end of 2019 I renewed a membership with an organization. The checkout form required that I enter my birthday. I though this was a bit odd – they do send out amazing birthday cards, but I was surprised it would be required. If I hadn’t waited until the end of the year to renew, I would have contacted the organization and ask why it was mandatory. So, I went ahead and entered it and finished the renewal process. Then to my horror I realized that it posted my birthday. PUBLICLY. Nononononono and NO. This is never acceptable to be do this without giving the users an opt out or some other privacy setting. Even Facebook lets users control who, if anyone can see their birthday. I am a bit of a stickler for online privacy, but I thought this would have been a no brainer. I was wrong.

Needless to say I was not happy, and sent an email asking for the immediate removal of that information. Several days later it was. Upon doing a bit more research, it seems they added publicly displaying birthdays quite some time ago. With no notice, no means to opt out. Nothing. Just hey, lets publicly show people’s private info that we don’t really need anyway. Birthdays are one of the key data points to identity theft. What really disturbs me is it is now almost 2 weeks later and no disclosure has come to the membership about the gaff, and what they did to prevent it happening again. I am a bit of stickler when it comes to online privacy, not only because I have been the victim of identity theft, but also on the flip side, being upfront about mistakes with your customers is the right thing to do. In some cases it’s a legal requirement, but at the very least it’s a moral one.

Who would you trust more – a company that contacted you within hours of a discovered breach and were upfront about what happened, and how they fixed it, or a company that tries to sweep it under the rug and hope no one ever finds out? Let’s take Yahoo as an example. While their reputation has been going down for years, then waited YEARS before taking the trouble to mention that over 1 BILLION accounts had been compromised. Then after they were sold it was discovered that the actual number was around 3 BILLION. Would you ever trust Yahoo again? I admit I cringe when I see a Yahoo email account.

It’s deleted, so all is good now right?

Well, no unfortunately. The birthdays are still available on cached pages. And I don’t know if the information was scraped from the organization’s pages when it was live. A definitive answer would be difficult to say, but analytics could shed some insight on this. While my example was a small local organization, that doesn’t make it safe from web weasels looking for security and data holes. I have confidence in the security of this site in general, I suspect the disclosure of the birthdays was a user error who didn’t understand that it’s just not ok to publicly post private information like that.

Does this fall under CCPA or GDPR?

No, the organization in question is too small to fall under CCPA, California’s Consumer Protection Act or GDPR, the European Union’s Privacy Regulation as they are not doing business in the EU. But both legislation offer key insight into a practical and ethical way of handling consumer data. Despite all of the hoopla about both, they are actually very straightforward. Most of the points in both legislation reduce to one of these three points:

• Disclose what info you collect
• Disclose what you’ll do with the data
• Indicate how you’ll protect that data

Moral of the Story

First – I should have trusted my gut and questioned why my birthday was required.

Second – and a lesson to other businesses and organizations, only collect the information you actually need to conduct business. Entering birthday’s should be optional and should be made clear why that is needed and who has access to it.

Third – when something like this is discovered whether the info was shared out of ignorance, error, or from being hacked, let your customers know. As soon as possible.