Master List of Data Broker Opt-Out Links (stopdatamining.me)
111 points by aburan28 on Dec 14, 2016 | 48 comments



Is this a hoax site or are they for real?

The website uses Google Analytics and does not disclose this in their Privacy Policy which is mandatory[0] under Google's T&C's.

The Policy also includes this gem: "We may, along with our affiliates and marketing partners enhance and/or merge personal information about you with data collected from other sources and use it in direct and/or online marketing and, to the extent permitted by law, individual reference and look-up service programs."[1]

Also, no HTTPS support but if you try anyway they do have a cert for annualmedicalreport.com. No thanks.

[0]https://www.google.com/analytics/terms/us.html

[1]http://www.stopdatamining.me/privacy-policy/


Are there ways to serve a related cert 'by accident' if you don't set up https explicitly for a domain?

Annualmedicalreport is in a related line of work to this site - it's not about medical care but about looking up the information health insurers gather about patients. It has some positive reviews from real news sources, but it also sets off some alarm bells for me. It seems to be eager for your data itself, and has a weird sideline of articles about non-medical consumer reporting that read like sponsored content.

Given all that, I wouldn't be surprised if they were connected to (possibly the creator of) this broker site, and that's why their cert is being served.

None of which actually makes me feel better, and the failure to disclose Analytics certainly isn't encouraging.


I manually added the 's' to the protocol to test and the server sent the only cert it had (if present, this is normal). It's like entering an IP address and having the server return the default site over HTTP.

Many sites ignore the Google Analytics requirement but I think this one should aim a bit higher, especially with all the legal geniuses involved in writing that privacy page.
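As an added illustration (not part of any comment in this thread), the default-certificate behaviour described above can be modelled offline: the server falls back to the only certificate it has, and a verifying client rejects it because the name does not match. The SAN list and the `VHOST_CERTS` layout are constructed assumptions, not the real server's configuration.

```python
"""Why a server with one TLS vhost answers every HTTPS request with that cert."""

# Constructed configuration: a shared host where only one site has a certificate.
# The SAN list is an assumption for illustration, not the real certificate's contents.
VHOST_CERTS = {
    "annualmedicalreport.com": ["annualmedicalreport.com", "*.annualmedicalreport.com"],
}
DEFAULT_VHOST = "annualmedicalreport.com"


def name_matches(host, pattern):
    """Client-style match: a wildcard may only be the entire left-most label."""
    host_labels = host.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if len(host_labels) != len(pat_labels):
        return False
    if pat_labels[0] == "*":
        # "*" covers exactly one label, never the bare domain itself.
        return len(pat_labels) > 2 and host_labels[1:] == pat_labels[1:]
    return host_labels == pat_labels


def select_cert(sni, vhost_certs, default_vhost):
    """Server side: return the SAN list of the vhost matching SNI, else the default."""
    name = (sni or "").lower().rstrip(".")
    for sans in vhost_certs.values():
        if any(name_matches(name, san) for san in sans):
            return sans
    # No vhost claims this name: the handshake still needs a certificate,
    # so the server presents the default (here, the only) one.
    return vhost_certs[default_vhost]


def handshake(host):
    """Return (SANs the server presented, whether a verifying client accepts them)."""
    presented = select_cert(host, VHOST_CERTS, DEFAULT_VHOST)
    accepted = any(name_matches(host, san) for san in presented)
    return presented, accepted


if __name__ == "__main__":
    for host in ("www.annualmedicalreport.com", "www.stopdatamining.me"):
        sans, ok = handshake(host)
        print(f"{host}: served {sans[0]!r}, client accepts: {ok}")
```
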


   Is this a hoax site or are they for real?
Not a hoax. Agreed that we need to update the security certificates. Not an excuse, but we are operating with very limited funding.

   The Policy also includes this gem...
The founder of the site is a lawyer specializing in consumer protection. The privacy policy is required for our protection.

(edit: formatting)


I think the original poster is pointing out the irony that a site that exists to help people opt out of data mining allows itself, through its privacy policy, to data mine.

EDIT: Also, there exist free SSL certificate providers.


As stated, the privacy policy is to legally protect ourselves because we have attorneys working on the project.

   Also, there exist free SSL certificate providers.
Yeah, we've actually tried open SSL on some other projects. We think it is still lacking in real usability.


Ask your attorneys how you are complying with the notice requirement in Section 7 of Google Analytics Terms of Service. That's what the parent was referring to and those terms would normally apply to your company if it is enrolled in analytics and using it on its site.


Your lawyers are awful then. You don't need permission to collect and merge data about us in order to provide this service - if you're explicit about what you actually do then that's all the privacy you need. On top of that your supposed lawyers, in the process of trying to protect you, have you violating the terms of service of one of your vendors and are violating your own privacy policy but not disclosing that you are using Google Analytics. So your lawyers appear to be doing the exact opposite of protecting you.

In all seriousness, see if you can get a group like the EFF to help you craft a privacy policy that isn't so ridiculous but still protects you.


> As stated, the privacy policy is to legally protect ourselves because we have attorneys working on the project.

I understand how you need a privacy policy (with or without attorneys working on the project). I don't understand how you need a policy that says you will use personal information for direct and online marketing, for protection. Couldn't you just not do that, and have a policy that says you won't?


Why does having attorneys involved specifically matter?


Oh but they really need those analytics to improve your experience!


Going to the website that is data mining you and putting your personal details such as phone, address, full name and email feels counterintuitive. Not sure I feel comfortable doing so.


The Transunion one requires your SSN! https://www.optoutprescreen.com/?rf=t


That's definitely shocking at first glance, but it is Transunion. They're not just a random data reseller, they're a pretty major institution that probably has your SSN already.


This.

They have much more than your SSN already. And all of your info is for sale.


How else would your record be found and marked for removal, magic? They already have the information on you... what do you risk by putting it in again?


Assuming malicious/unethical intent, wouldn't the act of submitting that form add some non-trivial pieces of data about yourself? It lets them know you value your privacy and that you possess a certain degree of computer literacy. It also lets them know you (still) exist (the certainty factor of your profile increases).


It does seem, from a maximum-paranoia standpoint, like this confirms the current status of your information, adds any pieces they were missing, and provides an indication that your data is extra valuable.

After all, you're tech literate (suggesting income) and privacy aware (suggesting your information may be scarce)!

(I assume most of these groups are more honest than that, if only because data reselling is legal but that wouldn't be.)


That would be a serious overestimation of their capabilities. Even the most banal of their data are riddled with errors. These companies talk a good talk but their technology moves at the speed of smell.


Just said that it feels counterintuitive, especially when they force you to fill everything in and don't allow you just to set your email address.


Brought to you by Annual Reports LLC, the same company with such domains as annualmedicalreport.com and possibly the now-defunct annualworkreport.org.

Use at your own risk. I could find nothing that wasn't self-generated press about this person or company.


Are they affiliated with annual credit report . com or trying to confuse? I believe that is the site recommended by the IRS for an actual free credit report each year.


They appear to be trying to confuse - the name and address on record are very different, at least.


It's not that one


Is there a company that you can pay to opt you out of all 50?

I'd consider being either a subscriber or provider of a service like this for a couple bucks a month:

- Auto opt out from all 50

- As these change location, requirements, or metastasize into new brokers, continuously opt out and notify as it happens.

- Auto check and notify of pwned registries for hacks/leaks

- Maybe a throwaway email service to find data abuse/spam

- General protection against data weasels, to the extent possible

Kind of like Lifelock, except useful and not a scam.


I was thinking about doing a side project based on this a couple weeks ago. A few issues I ran into:

- How do I actually know that my customers have been properly opted out? I have opted out of snailmail marketing using these types of forms before and as far as I can tell my request was sucked into a black hole and I continued receiving spam mail from them.

- Some of these companies require a gross amount of information to opt yourself out. Another commenter mentioned Transunion requires you to submit your SSN. I wouldn't be comfortable collecting that information and I don't think customers would be comfortable handing it over.

- There's also a trust issue: how can you assure users that you won't turn around and sell their complete data to someone else?


Good points. I think you could eventually solve trust with good behavior, transparency, and involvement of good people.

On the black hole thing, are there any laws like CANSPAM that compel them to prove they're doing the right thing?

What about testing them by buying lists anonymously and seeing if people are really opted out? This could also be used to generate press and goodwill by sharing who the worst offenders are.


Opt out usually happens when marketers remember that they need to scrub their lists.


The two companies I'm aware of in this space are Abine and SafeShepard. I switched to using SafeShepard because Abine's deleteme service appears to be basically unsupported.


FWIW, in Canada, it's highly dependent on the awareness of marketing and legal folks within companies to ensure that opted-out people do not get contacted.

If someone accidentally forgets to ensure the mailing list is cleaned out of people who've opted out, you could still be contacted.

The solution provided here is not scalable - basically every company in the world will have a list of opt outs by the time we're done. There needs to be something done at a higher level but that also comes with its own set of issues.

On my part, I have always asked people what they are going to do with an extract of customer information. Having an anti-spam law also lets me calculate what the costs will be if we get fined.


> There needs to be something done at a higher level but that also comes with its own set of issues.

There's an obvious 'issue'—the poor little companies that want to track us will have a hard time, because we don't want to be tracked—an administrative issue—there has to be some easy way for just about anybody to query whatever central database—and, perhaps, a security issue—a central database with everyone's contact information could be a desirable target. That's all that I can think of, though; what else do you have in mind?


You're spot on with the issues you mentioned.

The issue I thought about was who is going to be the one housing the centralized database. Would it be governments? Private corporations? Mixture of both? It's not clear what's the best option. Not everyone trusts the government to have all that information and not everyone trusts private corporations either.


I vaguely remember a similar service in NL that ended up selling this list of, now confirmed, email addresses. You should not have to opt out of spam/tracking bullshit.


Can I reasonably expect such opt-outs to be honored? I doubt so. It means additional expenses and no one can verify it.



I work on this project! We built this site years ago and have had some challenges along the way, but still believe in the objectives. Happy to answer any questions.


Instead of opting out of these, a better idea would be to fill them up with fake info if that were possible. Like some other comments mentioned, you're confirming the data for them when you fill out these forms.

Lexis Nexis is a major one and only lets you opt out under unique circumstances that will not apply for most people.

Anyone have good sources on where these companies pull their data from?


Not sure how much external consumer data the credit rating agencies use, but I can't help but think of the possibility of repercussions to your credit.

I've been in a years-long dispute with Transunion over my credit due to incorrect data they have on my financial history, all because my SSN became tied to another person in their records. No malicious intent was ever found, but it hasn't stopped them from wrecking my credit.

Fake data makes sense in some of these cases, but trying to pollute your records with the credit agencies seems like a really bad idea based on my experience dealing with them.



Are there any downsides to opting out of all these things?


I completed the top one and it was a ton of work, can anyone comment on the effectiveness of actually doing all this?


It absolutely is effective.

As commented above, the companies are required by the Fair Credit Reporting Act to abide by the requests. [1]

[1] https://www.consumer.ftc.gov/articles/pdf-0096-fair-credit-r...


It's effective in getting these companies to clear your data. But do you actually get fewer unsolicited calls/emails, etc.?

The do-not-call has been fantastically ineffective for me. I imagine this could be the same. It's also possible that all of the companies strictly adhering to the FTC rules (i.e. those on the OP site) constitute a minority of the market, and spammers are getting data from other less scrupulous sources.


What a mess. It would take eons to opt out of each of those.


Exactly.

But it would have taken you even longer--or more likely would have been impossible for you--if we hadn't collected this information and put it all in one place.


Eh... it's an uphill battle.

I wrote some client code from one of these providers, for a big company, and was allowed to "cache" the fetched information (read: duplicate the records).


From the looks of it, data mining seems to be a problem confined to the USA⸮


I can guarantee these companies gather data on Europeans visiting US-based sites.



