
Is this a hoax site or are they for real?

The website uses Google Analytics and does not disclose this in their Privacy Policy which is mandatory[0] under Google's T&C's.

The Policy also includes this gem: "We may, along with our affiliates and marketing partners enhance and/or merge personal information about you with data collected from other sources and use it in direct and/or online marketing and, to the extent permitted by law, individual reference and look-up service programs."[1]

Also, no HTTPS support but if you try anyway they do have a cert for annualmedicalreport.com. No thanks.

[0]https://www.google.com/analytics/terms/us.html

[1]http://www.stopdatamining.me/privacy-policy/




Are there ways to serve a related cert 'by accident' if you don't set up https explicitly for a domain?

Annualmedicalreport is in a related line of work to this site - it's not about medical care but about looking up the information health insurers gather about patients. It has some positive reviews from real news sources, but it also sets off some alarm bells for me. It seems to be eager for your data itself, and has a weird sideline of articles about non-medical consumer reporting that read like sponsored content.

Given all that, I wouldn't be surprised if they were connected to (possibly the creator of) this broker site, and that's why their cert is being served.

None of which actually makes me feel better, and the failure to disclose Analytics certainly isn't encouraging.


I manually added the 's' to the protocol to test and the server sent the only cert it had (if present, this is normal). It's like entering an IP address and having the server return the default site over HTTP.

Many sites ignore the Google Analytics requirement but I think this one should aim a bit higher, especially with all the legal geniuses involved in writing that privacy page.
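Added example, not part of the thread or written by any commenter: a sketch of the hostname check a TLS client runs when a server answers on 443 with the only certificate it has, as described in the comment above. The hostnames, the IP address and the certificate dict are constructed placeholders; the dict is shaped like the output of Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example: why a client rejects a certificate served "by default".
# All hostnames and the certificate below are constructed for illustration.

def san_dns_names(cert):
    """Extract dNSName entries from a dict shaped like getpeercert() output."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, hostname):
    """RFC 6125-style comparison: '*' counts only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards that would span a whole TLD, e.g. "*.example".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def classify(requested, cert):
    """Report whether the presented certificate covers the requested host."""
    names = san_dns_names(cert)
    if not names:
        return ("no-dns-names", [])
    if any(name_matches(n, requested) for n in names):
        return ("match", names)
    # Valid certificate, wrong site: typical of a default virtual host on 443.
    return ("served-for-other-site", names)

# Constructed certificate, as a shared server's only TLS vhost might present it.
DEFAULT_VHOST_CERT = {
    "subjectAltName": (
        ("DNS", "site-b.example"),
        ("DNS", "*.site-b.example"),
        ("IP Address", "192.0.2.10"),
    )
}

if __name__ == "__main__":
    for host in ("site-a.example", "www.site-b.example", "a.b.site-b.example"):
        print(host, classify(host, DEFAULT_VHOST_CERT))
```

A "served-for-other-site" result means the connection is encrypted to whoever holds that certificate's key, but the client has no proof it reached the site it asked for.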


   Is this a hoax site or are they for real?
Not a hoax. Agreed that we need to update the security certificates. Not an excuse, but we are operating with very limited funding.

   The Policy also includes this gem...
The founder of the site is a lawyer specializing in consumer protection. The privacy policy is required for our protection.

(edit: formatting)


I think the original poster is pointing out the irony that a site that exists to help people opt out of data mining allows itself, through its privacy policy, to data mine.

EDIT: Also, there exist free SSL certificate providers.


As stated, the privacy policy is to legally protect ourselves because we have attorneys working on the project.

   Also, there exist free SSL certificate providers.
Yeah, we've actually tried open SSL on some other projects. We think it is still lacking in real usability.


Ask your attorneys how you are complying with the notice requirement in Section 7 of Google Analytics Terms of Service. That's what the parent was referring to and those terms would normally apply to your company if it is enrolled in analytics and using it on its site.


Your lawyers are awful then. You don't need permission to collect and merge data about us in order to provide this service - if you're explicit about what you actually do then that's all the privacy you need. On top of that your supposed lawyers, in the process of trying to protect you, have you violating the terms of service of one of your vendors and are violating your own privacy policy but not disclosing that you are using Google Analytics. So your lawyers appear to be doing the exact opposite of protecting you.

In all seriousness, see if you can get a group like the EFF to help you craft a privacy policy that isn't so ridiculous but still protects you.


> As stated, the privacy policy is to legally protect ourselves because we have attorneys working on the project.

I understand how you need a privacy policy (with or without attorneys working on the project). I don't understand how you need a policy that says you will use personal information for direct and online marketing, for protection. Couldn't you just not do that, and have a policy that says you won't?


Why does having attorneys involved specifically matter?


Oh but they really need those analytics to improve your experience!



