Screen Door Awards: Distributing PII without Adequate Customer Control

These screen door awards go to business practices or privacy policy features that broaden the distribution of customer PII or fail to empower customers to exert control of their PII. And the awards go to...

(Each award below pairs a description of the practice with an example drawn from a real privacy policy.)
1. Collecting Excess Information

Web sites should only collect the personal information that they need to fulfill their services/orders. Stockpiling more PII than necessary can lead to trouble for the customer and the company. For the customer, the more places their PII is located, the easier it is for identity thieves to find it. For the company, the more PII they have stored, the more exposure they have if they experience a security breach. Web sites should not simply collect and store every piece of a customer’s information they come in contact with – especially information irrelevant to the service the company provides.

neimanmarcus.com states “We receive and store any personally identifiable information you enter on the Web site, whenever you shop with Neiman Marcus -- online, through our catalogs, or in our stores, or information you give us in any other way. For example, we may collect the following personally identifiable information: your name, address, telephone number, driver's license number, birth date, and e-mail address. If you use a credit or debit card or pay by check, we will also include your account number.”1

2. Sale of Personal Information

Web sites that sell or “may sell” PII are doing their customers a disservice by removing their ability to choose who has access to their information, and making a profit in the process. Businesses should not sell PII without offering their customers the ability to choose not to have their information sold.

nationalbusinessfurniture.com states “In order to reach customers who would benefit from our products we do rent other companies' customer lists and, in turn, we occasionally rent our customer list to carefully selected companies. Information shared in this process consists only of company name and address. NBF.com does not rent or sell email addresses or phone numbers.”2

junonia.com states “We never share, sell or distribute your personal information or e-mail address… Occasionally, we rent our customer list to other vendors who offer products that we think appeal to our customers. Be assured, however, that we will never disclose your telephone number or email address.”3

3. Superfluous Sharing

After reading some privacy policies, customers may be left with a sense that many third parties will have access to their information, but still be unsure exactly who those third parties will be. This is because some policies are vague about the parties with whom they will share consumers’ personal information, while others give a staggering list of third parties with whom they will or “may” share PII. Minimizing the number of third parties that have access to customer PII would reduce the chances that customer information falls into the wrong hands.

restorationhardware.com states “We maintain business partnerships with other persons or companies whom we have deemed to be trustworthy and responsible and whose privacy policies are aligned with ours. In some instances we may share and cross-reference information, including personal information about you and/or your order, that will allow such persons or companies to contact you regarding products and/or services that may be of interest to you.”4

4. No Ability to Edit and Delete Personal Information

Entering your personally identifiable information into a website to make a purchase shouldn’t mean you are relinquishing control of that information. In addition to closely guarding consumers’ information, companies should give consumers the opportunity to edit and to delete their own information from the company’s records. Many policies do not address this issue at all. Others explicitly deny consumers the ability to control their PII.

The privacy policy at rei.com says “We do not maintain all personal information in a form that can be accessed or updated by you and some items may not be changed (e.g., transaction records). Accordingly, we will determine what may be accessed and how; we may also keep a record of changes (including deletions) and disclose them for lawful purposes. We keep personal information for as long as we think is necessary or advisable and we reserve the right to retain it to the full extent not prohibited by law. We may discard personal information in our discretion so you should retain your own records. Often it is not feasible or advisable to discard personal information (such as commingled personal information), so we reserve the right to retain it but treat it as inactive or discarded.”5

5. Treating Personal Information as a Transferable Asset

Some privacy policies disclose that customer information will or “may” be transferred to the buyers if the company is sold. Handing over PII to a new business entity in the case of a merger or sale without allowing customers to weigh in on the decision is disempowering to consumers. Even more worrisome is the possibility that many businesses engage in this practice and don’t disclose it.

homedepot.com says “The Home Depot reserves the right to transfer any information we have about you in the event we sell or transfer all or a portion of our business or assets to a third party acquirer.”6

6. Compiling Customer Profiles Using Information from "Other Sources"

Some companies obtain consumer information from other sources and use it to update the PII in their databases. This practice is intrusive to consumer privacy – consumers should be able to rest assured that a certain company has only the information they have chosen to give to them.

petsmart.com states “We may combine the personal information you provide to us (on our Site, at our stores, through our programs) with publicly available information and information we receive from or cross-reference with our marketing partners and others. We use the combined information to enhance and personalize your experience with us; improve the accuracy of our customer database (such as the U.S. Post Office to verify accuracy of addresses); increase our understanding of our customers; identify potential customers; and send PetSmart Marketing Communications.”7

  1. http://www.neimanmarcus.com/category/assistance/service/security.jhtml#security
  2. http://www.nationalbusinessfurniture.com/Privacy.aspx
  3. http://www.junonia.com/securityStatement.htm
  4. http://www.restorationhardware.com/rh/info/privacy_policy.jsp?link=privacy_policy
  5. http://www.rei.com/privacy#9
  6. http://www.homedepot.com/webapp/wcs/stores/servlet/ContentView?pn=Privacy_Security&langId=-1&storeId=10051&catalogId=10053
  7. http://www.petsmart.com/helpdesk/index.jsp?display=safety&subdisplay=privacy