More on's Privacy Policy

I recently brought to attention Thomas MacEntree's redline analysis of the updated privacy policy at here along with a few thoughts of my own to put it in perspective. My main point was to hark back to warnings I've been making for years that privacy policies of companies can change--even against the company's expressed wishes (such as in bankruptcy proceedings).

In addition to my 2002 commentary, my Center for Financial Privacy and Human Rights signed on to comments to the Federal Trade Commission on a related issue in 2009 (PDF), which read, in part:

The issue of whether data about me is "my data", or is actually owned by commercial entities that have collected or obtained it, is most important when such a company goes bankrupt.

No consumer actually intends to agree, when they provide personal information to a business, that if the company goes bankrupt, that personal information not only can but should and must be sold to the highest bidder for the sole benefit of the company's creditors, not the individuals to whom that data pertains. In assuming this, the bankruptcy laws flagrantly violate any reasonable or likely understanding of consumers actual expectations.

The possibility of a bankruptcy auction of a personal data archive about consumers is not
limited, of course, to the possibility of bankruptcy of a travel company...

Reform of the bankruptcy laws is urgently needed to protect personal information about consumers, which they provided to a particular company for a particular purpose, from being sold at bankruptcy auction to an unrelated third party, most likely a data mining or direct marketing company, without the consent of the individuals to whom this data pertains. And the potential bankruptcy liquidation of a travel company is clearly the paradigmatic case of the danger posed by the current lack of protection in bankruptcy law for personal information.

I also neglected to mention how the importance of this issue has been gathering public attention. Let me rectify that now. The New York Times has an article out "When a Company Is Put Up for Sale, in Many Cases, Your Personal Data Is, Too" repeating my warning from years ago about the change of data policies when a company changes hands. From the article citing the privacy policy of a major online video company, it says

That respect could lapse, however, if the company is ever sold or goes bankrupt. At that point, according to a clause several screens deep in the policy, the host of details that Hulu can gather about subscribers -- names, birth dates, email addresses, videos watched, device locations and more -- could be transferred to "one or more third parties as part of the transaction." The policy does not promise to contact users if their data changes hands.

The article then went on to cite the bankruptcy case I wrote about at the time. The NYTs article does offer some hope. It relates the story of how the Texas Attorney General's office intervened to protect the consumer data privacy of the online dating site which was going through a bankruptcy proceeding.

I guess the moral of that story is that we'd have to argue genealogy sites are really like online dating sites!