Privacy Almost Does Not Exist with Website Privacy Policies


We like our privacy. Privacy helps our society. Websites sport privacy policies that promise privacy. But they’re usually badly misunderstood and totally ineffectual. Not just weak, but without any efficacy at all.

The biggest problem may be the exception they provide for law, which most people think is only about police and court orders and such like. Not so.

Your personal information can be sold regardless of what a privacy policy says. Unless some higher law says no, the law says your information can be sold and may require it.

What follows is based largely on United States law, and similar laws exist in many other nations.

If the website owner with your information agrees to a contract to sell your information, the owner must comply with the contract and sell your information. That’s too bad about your email address and what pages you’ve been looking at, but if the contract says they’re selling them then sold they will be. About all you can do about it is squawk while they hand over your information.

That’s the law. If the owner tries to hide behind the privacy policy and keep your information private, a judge will straighten the owner out and force the handing over of the information.

Contracts are law. Privacy policies may be law, but they’re below a contract. Lawyers know this but most people are not trained in law and don’t know that a contract itself is law while a privacy policy is often only advisory.

Privacy policies are usually not contracts, not even between website owners and users. They’re, at most, unilateral promises, and unilateral promises cannot be contracts. That’s in the legal definitions of contract. The website owner can amend or revoke its privacy policy at any time, and therefore no promise the owner makes is binding on the owner. Therefore, there’s no mutuality of promise, and that means it’s not a contract.

My own website privacy policy illustrates this. It’s the most realistic policy of its type, to my knowledge. Go ahead and read it.

Exceptions exist where law higher than what the website owner can issue requires them. For example, the privacy of children under 13 years old is protected by a Federal law and so is some personal health information. For those exceptions, a privacy policy may have teeth. Even if the owner revokes the policy, the Federal law protecting that information would likely still be in effect. But most of us don’t come under those statutory protections of privacy.

You might have given very little of your information to anyone. But a little here and a little there can be put together to make a dossier. One report said that with a Zip code and your name a store can assemble your complete address. With that, maybe your email address and shopping habits can be sold, too.

A website owner could make a contract with you for your privacy, but I haven’t heard of that being done. You’d probably have to pay money for that. How much is it worth to you?

While some privacy advocates have been trying to prevent owners from misusing your information, they’re probably going about it in a way that owners can ignore. It won’t work.

What’s needed in law is an amendment to contract law, the law governing what contracts may do. That requires 50 state laws and one Federal law. That’s 51 statutes, 51 bills to be introduced. Enacting them will need a large popular movement. I don’t know who’s going to organize that. Almost certainly, no one will.

The new European statute, the General Data Protection Regulation (GDPR), offers strong protection but only where there is jurisdiction. Many websites outside of the European Union (EU) and having little or no connection to the EU are not under the GDPR and can ignore it as the owner desires. If the only connection to Europe is that someone in Europe can visit the outside website, that's not enough of a connection to give the European Union legal jurisdiction. (There may be another connection and it may not be obvious, but you should assume the worst for your privacy.)

Unilaterally, policies can be amended by an owner. Your permission is not needed. Prior notice is not needed. (One major company even asserted a right to retroactive amendment of its policy, and if visitors were required to agree to the whole policy then retroactivity might be lawful.) If a store has a policy of having great sales on Mondays and decides not to have any sale this Monday and no higher law says otherwise, too bad for the hopeful customers, because the store can amend its policies at will. Likewise for privacy policies.

One possibility I have not investigated much is that someone else’s bankruptcy may leave you vulnerable, if a judge decides to void a privacy agreement in order to free an asset (like your data) for sale to the highest bidder in order better to satisfy a creditor. If you are not a creditor, you may not even find out until after your information has been transferred, if you ever find out.

Deletion options may not really delete data. They may merely hide it. They may hide your data only from you. The holder of the data may still be able to access it, act on it, and reveal it again.

Meanwhile, if you’re not within an exception, either don’t give your information to a website or live with it being known to other people.