Privacy Almost Does Not Exist with Website Privacy Policies
We like our privacy. Privacy helps our society. Websites sport privacy policies that promise privacy. But they’re usually badly misunderstood and totally ineffectual. Not just weak; but without any efficacy at all.
The biggest problem may be the exception they provide for law, which most people think is only about police and court orders and such like. Not so.
What follows is based largely on United States law, and similar laws exist in many other nations.
If the website owner with your information agrees to a contract to sell your information, the owner must comply with the contract and sell your information. That’s too bad about your email address and what pages you’ve been looking at, but if the contract says they’re selling them then sold they will be. About all you can do about it is squawk while they hand over your information.
You might have given very little of your information to anyone. But a little here and a little there can be put together to make a dossier. One report said that with a Zip code and your name a store can assemble your complete address. With that, maybe your email address and shopping habits can be sold, too.
A website owner could make a contract with you for your privacy, but I haven’t heard of that being done. You’d probably have to pay money for that. How much is it worth to you?
While some privacy advocates have been trying to prevent owners from misusing your information, they’re probably going about it in a way that owners can ignore. It won’t work.
What’s needed in law is an amendment to contract law, the law governing what contracts may do. That requires 50 state laws and one Federal law. That’s 51 statutes, 51 bills to be introduced. Enacting them will need a large popular movement. I don’t know who’s going to organize that. Almost certainly, no one will.
The new European statute, the General Data Protection Regulation (GDPR), offers strong protection but only where there is jurisdiction. Many websites outside of the European Union (EU) and having little or no connection to the EU are not under the GDPR and can ignore it as the owner desires. If the only connection to Europe is that someone in Europe can visit the outside website, that's not enough of a conection to give the European Union legal jurusdiction. (There may be another connection and it may not be obvious, but you should assume the worst for your privacy.)
Unilaterally, policies can be amended by an owner. Your permission is not needed. Prior notice is not needed. (One major company even asserted a right to retroactive amendment of its policy, and if visitors were required to agree to the whole policy then retroactivity might be lawful.) If a store has a policy of having great sales on Mondays and decides not to have any sale this Monday and no higher law says otherwise, too bad for the hopeful customers, because the store can amend its policies at will. Likewise for privacy poplicies.
One possibility I have not investigated much is that someone else’s bankruptcy may leave you vulnerable, if a judge decides to void a privacy agreement in order to free an asset (like your data) for sale to the highest bidder in order better to satisfy a creditor. If you are not a creditor, you may not even find out until after your information has been transferred, if you ever find out.
Deletion options may not really delete data. They may merely hide it. They may hide your data only from you. The holder of the data may still be able to access it, act on it, and reveal it again.
Meanwhile, if you’re not within an exception, either don’t give your information to a website or live with it being known to other people.