screen door
Screen Door Awards: Distributing PII without Adequate Customer Control

These screen door awards go to business practices or privacy policy features that broaden the distribution of customer PII or fail to empower customers to exert control of their PII. And the awards go to...



1. Collecting Excess Information

Web sites should only collect the personal information that they need to fulfill their services/orders. Stockpiling more PII than necessary can lead to trouble for the customer and the company. For the customer, the more places their PII is located, the easier it is for identity thieves to find it. For the company, the more PII they have stored, the more exposure they have if they experience a security breach. collects excess information. A number of the websites we surveyed were sites hosted by Yahoo! Stores (e.g. Customers who shop through Yahoo! Shopping or at Yahoo! Stores have their PII collected by both the merchant and by Yahoo. While the Yahoo! privacy policy states that they will not give PII to any partners or advertisers, many consumers may not even realize they are handing PII over to Yahoo!.

To use features which make shopping via Yahoo! convenient customers must register with Yahoo!, and hand over a lot of PII. The Yahoo! privacy policy states, "When you register we ask for information such as your name, email address, birth date, gender, ZIP code, occupation, industry, and personal interests. For some financial products and services we might also ask for your address, Social Security number, and information about your assets. When you register with Yahoo! and sign in to our services, you are not anonymous to us."1

2. Sale of Personal Information

Web sites that sell or “may sell” PII are doing their customers a disservice by removing their ability to chose who has access to their information, and making a profit in the process. Businesses should not sell PII without offering their customers the ability to choose not to have their information sold.

The privacy policy at states that they sell only some of consumers’ PII. They should be selling none of your personally identifiable information. Their policy states, “While we will not share your email address with third parties, we may rent, share, sell or exchange your postal address with third parties that we think may be of interest to you.”2

3. Compiling Customer Profiles Using Information from "Other Sources"

Some companies obtain consumer information from other sources and use it to add to or update the PII in their databases. This practice is intrusive to consumer privacy – consumers should be able to rest assured that a certain company has only the information they have chosen to give to them.

The privacy policy at states, “We may combine Personally Identifiable Information you give us online or through our catalogs. We may also combine that information with publicly available information about you that we may receive from third parties.”3

The privacy policy at says, “Our company may combine site usage information with other personal information about you that is available to us from other sources."4

4. Poor Opt Out Policies

Consumer-friendly policies offer consumers the ability to opt in or out of sharing practices at the time you enter your information into the company’s Web site. Poor examples, such as these screen door award recipients, share consumers’ information unless the consumer searches the privacy policy to figure out how to opt out of the sharing.’s privacy policy reads, “If you purchase through our catalogue, you may also receive mailings from other carefully screened companies to whom we may make such mailing lists available… If you prefer, you can have your name put on our do-not-share list by writing to us at our address above.”5 says, “From time-to-time we may disclose certain information (names, postal addresses and non-sensitive transactional information such as your purchase history, amounts paid and products ordered) to direct marketing companies for trade or rental purposes. You may "opt out," or instruct us not to distribute such information to third parties in the future by calling us… or by sending an email.”6

5. Treating Personal Information as a Transferable Asset

Some privacy policies disclose that customer information will or “may” be transferred to the buyers if the company is sold. Handing over PII to a new business entity in the case of a merger or sale without allowing customers to weigh in on the decision is disempowering to consumers. Even more worrisome is the possibility that many businesses engage in this practice and don’t disclose it. is one of many Web sites we found that engage in this practice. Their privacy policy states, “If our business enters into a joint venture with or is sold to or merged with another business entity, your information may be disclosed to our new business partners or owners.”7

<<Previous 2 3 4 5 6 7 8 Next>>