Monday, 29 July 2013

Have you read your own privacy policy?

I recently came across Aetna's privacy policy and found this curious paragraph:

Please note that your e-mail, like most, if not all, non-encrypted Internet e-mail communications, may be accessed and viewed by other Internet users, without your knowledge and permission, while in transit to us. For that reason, to protect your privacy, please do not use e-mail to communicate information to us that you consider confidential. If you wish, you may contact us instead by telephone at the numbers provided at various locations on our sites or, in the case of our health plan members, at the Member Services toll-free number that appears on your ID card.


The part in bold is the interesting part. It's a pretty basic "contact us with details provided on your health card" statement, but the request in itself is not what got my attention.

In fact, the whole privacy policy itself is fine at least from a non-lawyer perspective. It was written to protect Aetna's assets and is there to provide you with your rights and responsibilities should you have questions about how data is being gathered.

Why am I writing about this then? Let's search Google for the last part of that bold statement as we'll find a lot of sites using this statement. I am fairly certain that the original is the one from Aetna above. All in all, we have over 12,000 results with that particular statement with the privacy policy being tweaked to whatever the author desires. This originally stemmed from a conversation on Full Disclosure.

We have emergency locksmiths, Taiwanese electronics companies, CNC instructors, Indian schools, insurance brokers, and even a law office all using this generic statement.

So who owns this particular policy and why are people seemingly copying it and then just making slight changes? Based on the context, I would gather that this is Aetna's privacy policy but is it really theirs? I have no proof but being that they're a health insurance provider, it would make sense for them to refer to this ID card.

My guess for everyone else is that with exception to the law office, the reason for having done so is a lack of readily available lawyers and the desire to have a boilerplate document for anyone to read. I can at least tell you for one that this marketing firm lifted theirs from Aetna as the name still appears in it.

I'd imagine that there is copyright violation here too, but again I am not a lawyer so I cannot say this is for certain.

It might be time for these site owners to review their privacy policy.

No comments:

Post a Comment