[Med-privacy] Web Firms Choose Profit Over Privacy--now health plans can under HIPAA amndments
DPeelMD@aol.com
DPeelMD@aol.com
Tue, 1 Jul 2003 23:11:39 EDT
--part1_17e.1d35d0a8.2c33a76b_boundary
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Dear Friends and Colleagues,
The Washington Post story below shows how irresistible valuable identifiable=
=20
information is to corporations. Fiduciary responsibility to shareholders=20
overrode corporate promises to consumers not to disclose identifiable privat=
e=20
information. =20
This story illustrates the kind of powerful market forces that caused the=20
elimination of privacy throughout our entire health care system. The insuran=
ce=20
industry, big Pharma, employers, AHA and others applied intense pressure to=20=
seek=20
access to every citizen's medical records.=20
As a result, the HIPAA medical privacy rule was amended to grant over 600,00=
0=20
"covered entities" unfettered access to the medical records of every single=20
American: without notice, without consent, and without recourse, via a newly=
=20
minted doctrine of federal "regulatory permission."
If you want to stop this new federal policy granting access to every=20
citizen's medical records, please consider joining or contributing to the la=
wsuit to=20
stop the HIPAA amendments. (See lawsuit at=20
www.medicalprivacycoalition.com/complaint.php. To make a tax-deductible cont=
ributions to fund the lawsuit, go to=20
www.APPEALforPRIVACY.com)
Identifiable individual patient records are FAR more valuable than the data=20
identifying parents who bought "Hooked on Phonics."
Deborah C. Peel, MD
President, the APPEALforPRIVACY
washingtonpost.com=20
Web Firms Choose Profit Over Privacy=20
By Jonathan Krim
Washington Post Staff Writer
Tuesday, July 1, 2003; Page A01=20
To parents interested in buying the popular Hooked on Phonics learn-to-read=20
programs, the company made a firm promise on its Web site: It would never se=
ll=20
or rent their personal information to other marketers.=20
But that pledge was empty. In the pages of a marketing trade publication,=20
Gateway Learning Corp., the product's California-based parent company, was=20
advertising to rent the list of Hooked on Phonics buyers to other marketers.=
=20
At a price of $95 per 1,000 names, companies could arrange to have=20
unsolicited advertising sent to 105,936 people who bought Hooked on Phonics=20=
in the past=20
year. Included in the information made available to other marketers: ages of=
=20
the buyers' children.
After inquiries from The Washington Post, the company changed its privacy=20
policy and is no longer promising to keep such data from being offered to ot=
hers.=20
A company spokeswoman said the firm was simply slow to update its policy.=20
Previous customers would be notified of the change and offered the chance to=
=20
remove themselves from the list, she said.
Hooked on Phonics is one example of retailers, marketers and an array of=20
service providers expanding their collection and use of consumers' e-mail=20
addresses and other personal information, despite broad assurances to protec=
t=20
individual privacy and honor consumers' choices about how much marketing the=
y want to=20
receive.
Many firms use tactics designed to hide their intent to gather and profit=20
from the data they collect, information that grows in value as more and more=
=20
people use the Internet for information and shopping.=20
"Companies continually troll for, and exploit, personally identifiable=20
information," said Joseph Turow, a media professor at the University of Penn=
sylvania=20
who specializes in mass marketing. "Some Web sites unabashedly collect all=20
the information they can about visitors and market [it] as aggressively as t=
hey=20
can to advertisers and other marketers."
But these techniques have drawn scant attention as the flood of unwanted=20
commercial e-mail has reached tidal-wave proportions. Instead, retailers,=20
advertisers and Internet service providers such as Microsoft Corp., America=20=
Online and=20
Yahoo Inc. have so far successfully lobbied government regulators to put the=
=20
spotlight on deceptive practices of the most unsavory purveyors of scams and=
=20
pornography.
Mallory Duncan, senior vice president and general counsel of the National=20
Retail Federation, argues that mainstream corporations can police their own=20
marketing practices. "The concern with spam is not with the Gap coupon you=20
receive," said Duncan, who represents the largest lobbying and trade group f=
or store=20
owners. "It's the huge amount of porn and other things that were unsolicited=
."
With the onslaught of spam, almost all companies promise not to sell consume=
r=20
data. But many don't mention that such information is rented. This means tha=
t=20
the list owner won't release the data to an outside marketer, but it will=20
send messages to the list on the outsider's behalf. Targeted lists available=
for=20
rent number in the thousands, including those from magazines, professional=20
organizations and even political interest groups such as Republicans for Jes=
us.
Recently, for example, the Christopher Reeve Paralysis Foundation advertised=
=20
that its list of donors, including postal addresses, was for rent.
A charity spokeswoman said that the rental list includes data only from=20
donors who gave through direct-mail appeals, not online. But she acknowledge=
d that=20
those people were provided no privacy information; the charity's Web site sa=
ys=20
it will never sell or share e-mail addresses of donors. Direct-mail donors=20
will now be given a chance to remove their names from the donor list, the=20
spokeswoman said, adding that the organization's lists are offered only to=20
"like-minded" groups.
Sometimes, consumers may not be aware they are handing over information to=20
vendors working behind the scenes at certain Web sites.
Take CartManager, a Provo, Utah, company that is one of many providers of=20
"shopping cart" software used by online retailers. Merchants use the service=
to=20
manage their transactions. Customers select items, put them in virtual shopp=
ing=20
carts, and provide appropriate billing and shipping information to complete=20
the order.
The company, which handles transactions for dozens of small Web retailers,=20
last month offered for rent its list of 781,000 postal and e-mail addresses=20=
of=20
consumers who "regularly buy online." CartManager's privacy policy states th=
at=20
it might share such information. But a consumer might not even notice the fi=
ne=20
print stating that a retailer's shopping cart is "powered by" CartManager,=20
let alone look at the firm's privacy policy. The transaction is done through=
the=20
Web site of the retailer, whose privacy policy is more likely to be=20
scrutinized by concerned consumers.
CartManager executives did not respond to requests seeking comment.
In some cases, marketers are open about their intent, if people take the tim=
e=20
to read the privacy policies on Web sites closely.
Some sites essentially exist to collect e-mail addresses and other personal=20
data to allow future marketing. To entice people to hand over the data, they=
=20
offer discounts on products or entry into sweepstakes.
But in a research study Turow supervised for the University of Pennsylvania,=
=20
57 percent of 1,200 adults who use the Internet at home thought that if a We=
b=20
site merely has a privacy policy, their information would not be shared with=
=20
others.
To expand their databases even further, some marketers employ a controversia=
l=20
technique known as "e-mail append."
List brokers, who buy and sell consumer data for companies, take names and=20
physical addresses in one firm's database and look for corresponding e-mail=20
addresses in outside lists that might contain enough information to match th=
em up.
Columnist Jay Gibson explained the process in a recent edition of Opt-In=20
News, an online publication for marketers. For example, a pizza restaurant c=
annot=20
send e-mails about new services to a customer who orders over the phone=20
because an e-mail address is not provided, Gibson wrote. "But they can take=20=
my name,=20
physical address and telephone number, submit this information to an e-mail=20
append service, and acquire it."
Paul Chachko, chief executive of Datagence, a firm that provides e-mail=20
append, said the service can be performed properly by reconfirming with all=20
consumers on the lists that they wish to receive marketing messages.
"The whole industry that we're involved with relies on . . . integrity and a=
=20
self-policing environment," Chachko said. "But there are a lot of people out=
=20
there that don't play by the rules. We've got to weed those people out."
Marketing executives say they have instituted strict self-policing=20
guidelines, including ensuring that consumers have the ability to "opt out"=20=
of receiving=20
future advertising marketing messages.
But opting out is not always easy.
Bluefly Inc., an online retailer, has an extensive privacy policy.=20
"We take this matter very seriously, and have instituted many policies and=20
procedures to insure that none of your privacy rights as stated herein are e=
ver=20
violated," the policy says.
The policy tells users that anytime they e-mail the company, they consent to=
=20
receive messages from the company. But to be removed from future messages,=20
users must e-mail the company.
A spokesman said the company would not send marketing messages to people who=
=20
e-mailed requesting to be removed from future advertising.=20
Citibank's parent, Citigroup Inc., requires customers of any of its hundreds=
=20
of affiliates to tell each one that it wants to stop receiving marketing=20
messages. Citibank has been the object of more than 30 complaints to the Fed=
eral=20
Trade Commission over the past year by consumers charging that the company h=
as=20
failed to honor their requests to remove their names from lists, or made it=20
nearly impossible to do so.
An FTC spokeswoman said the agency has not acted on the complaints, adding=20
that it has received more than 1,000 similar complaints about a range of=20
companies.
In a statement, Citibank said, "We continually review our performance, and=20
believe our procedures have been extremely effective in providing for the=20
privacy preferences of our customers."
Marketing and retailing executives want any anti-spam legislation to treat=20
affiliates as separate entities, on the theory that customers of different=20
products don't always pay attention to corporate relationships among compani=
es.
Microsoft, which like many Internet providers markets to its members,=20
recently proposed a system in which industry would agree to an electronic=20
seal-of-approval process that e-mail networks could recognize and allow legi=
timate=20
marketing through. Among the criteria for such a seal would be that requests=
of=20
users to be removed from marketing lists would be honored.
But privacy advocates and anti-spam groups are dubious about industry=20
governing itself. Instead, they want computer users to be free of commercial=
e-mail=20
unless they specifically request it, a system known as "opt-in."
Marketing and Internet industry lobbyists have successfully warded off this=20
approach, while at the same time co-opting the phrase. In marketing parlance=
,=20
opt-in means that consumers have not specifically asked to be removed from=20
mailing lists.
Thus, nearly all available e-mail lists are advertised as opt-in lists. But=20
according to some in the industry, opt-in is at best a sliding scale.
"If you forget to check a box [asking to be eliminated] from further=20
marketing, that's technically opt-in," said Sherri Jones, a vice president a=
t TKL=20
Interactive, a Southern California marketing firm. She said her firm sends e=
-mails=20
to all list members asking them to confirm that they want to receive further=
=20
advertising, a process known as "double opt-in."
Jones said that to regain credibility, her industry must move to a true=20
opt-in system, in which no marketing occurs before a user requests it.=20
"The opt-in procedure puts the control of the transaction in the hands of th=
e=20
consumer," she said, separating herself from her industry's trade groups.=20
"That's a dramatic paradigm shift that I think a lot of old-school marketers=
are=20
resisting."
Industry officials counter that if they don't have the right to approach=20
consumers at least once, people will be deprived of potentially valuable off=
ers=20
that they would otherwise not hear about.=20
Marketers also insist that they maintain the right to send messages to=20
customers with which they have "existing business relationships."
Consumer groups say that this makes sense if that means a customer has=20
recently purchased a product, but it should not apply if he or she merely re=
quests=20
information.
"Some companies, like psycho ex-boyfriends, tend to see relationships where=20
they don't exist," said Chris Murray, legislative counsel for Consumers Unio=
n.
=A9 2003 The Washington Post Company=20
--part1_17e.1d35d0a8.2c33a76b_boundary
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
<HTML><FONT FACE=3Darial,helvetica><FONT SIZE=3D2>Dear Friends and Colleagu=
es,<BR>
The Washington Post story below shows how irresistible valuable identifiable=
information is to corporations. Fiduciary responsibility to shareholders ov=
errode corporate promises to consumers not to disclose identifiable private=20=
information. <BR>
<BR>
This story illustrates the kind of powerful market forces that caused the el=
imination of privacy throughout our entire health care system. The insurance=
industry, big Pharma, employers, AHA and others applied intense pressure to=
seek access to every citizen's medical records. <BR>
<BR>
As a result, the HIPAA medical privacy rule was amended to grant over 600,00=
0 "covered entities" unfettered access to the medical records of every singl=
e American: without notice, without consent, and without recourse, via a new=
ly minted doctrine of federal "regulatory permission."<BR>
<BR>
If you want to stop this new federal policy granting access to every citizen=
's medical records, please consider joining or contributing to the lawsuit t=
o stop the HIPAA amendments. (See lawsuit at www.medicalprivacycoalition.com=
/complaint.php. To make a tax-deductible contributions to fund the lawsuit,=20=
go to www.APPEALforPRIVACY.com)<BR>
<BR>
Identifiable individual patient records are FAR more valuable than the data=20=
identifying parents who bought "Hooked on Phonics."<BR>
<BR>
Deborah C. Peel, MD<BR>
President, the APPEAL<I>for</I>PRIVACY<BR>
<B><BR>
<BR>
washingtonpost.com</B> <BR>
</FONT><FONT COLOR=3D"#000000" style=3D"BACKGROUND-COLOR: #ffffff" SIZE=3D5=
FAMILY=3D"SANSSERIF" FACE=3D"Arial" LANG=3D"0"><B>Web Firms Choose Profit O=
ver Privacy</FONT><FONT COLOR=3D"#000000" style=3D"BACKGROUND-COLOR: #fffff=
f" SIZE=3D3 FAMILY=3D"SANSSERIF" FACE=3D"Arial" LANG=3D"0"></B> <BR>
</FONT><FONT COLOR=3D"#000000" style=3D"BACKGROUND-COLOR: #ffffff" SIZE=3D2=
FAMILY=3D"SANSSERIF" FACE=3D"Arial" LANG=3D"0">By Jonathan Krim<BR>
Washington Post Staff Writer<BR>
Tuesday, July 1, 2003; Page A01 <BR>
<BR>
</FONT><FONT COLOR=3D"#000000" style=3D"BACKGROUND-COLOR: #ffffff" SIZE=3D3=
FAMILY=3D"SANSSERIF" FACE=3D"Arial" LANG=3D"0">To parents interested in buy=
ing the popular Hooked on Phonics learn-to-read programs, the company made a=
firm promise on its Web site: It would never sell or rent their personal in=
formation to other marketers. <BR>
<BR>
But that pledge was empty. In the pages of a marketing trade publication, Ga=
teway Learning Corp., the product's California-based parent company, was adv=
ertising to rent the list of Hooked on Phonics buyers to other marketers. <B=
R>
<BR>
At a price of $95 per 1,000 names, companies could arrange to have unsolicit=
ed advertising sent to 105,936 people who bought Hooked on Phonics in the pa=
st year. Included in the information made available to other marketers: ages=
of the buyers' children.<BR>
<BR>
After inquiries from The Washington Post, the company changed its privacy po=
licy and is no longer promising to keep such data from being offered to othe=
rs. A company spokeswoman said the firm was simply slow to update its policy=
. Previous customers would be notified of the change and offered the chance=20=
to remove themselves from the list, she said.<BR>
<BR>
Hooked on Phonics is one example of retailers, marketers and an array of ser=
vice providers expanding their collection and use of consumers' e-mail addre=
sses and other personal information, despite broad assurances to protect ind=
ividual privacy and honor consumers' choices about how much marketing they w=
ant to receive.<BR>
<BR>
Many firms use tactics designed to hide their intent to gather and profit fr=
om the data they collect, information that grows in value as more and more p=
eople use the Internet for information and shopping. <BR>
<BR>
"Companies continually troll for, and exploit, personally identifiable infor=
mation," said Joseph Turow, a media professor at the University of Pennsylva=
nia who specializes in mass marketing. "Some Web sites unabashedly collect a=
ll the information they can about visitors and market [it] as aggressively a=
s they can to advertisers and other marketers."<BR>
<BR>
But these techniques have drawn scant attention as the flood of unwanted com=
mercial e-mail has reached tidal-wave proportions. Instead, retailers, adver=
tisers and Internet service providers such as Microsoft Corp., America Onlin=
e and Yahoo Inc. have so far successfully lobbied government regulators to p=
ut the spotlight on deceptive practices of the most unsavory purveyors of sc=
ams and pornography.<BR>
<BR>
Mallory Duncan, senior vice president and general counsel of the National Re=
tail Federation, argues that mainstream corporations can police their own ma=
rketing practices. "The concern with spam is not with the Gap coupon you rec=
eive," said Duncan, who represents the largest lobbying and trade group for=20=
store owners. "It's the huge amount of porn and other things that were unsol=
icited."<BR>
<BR>
With the onslaught of spam, almost all companies promise not to sell consume=
r data. But many don't mention that such information is rented. This means t=
hat the list owner won't release the data to an outside marketer, but it wil=
l send messages to the list on the outsider's behalf. Targeted lists availab=
le for rent number in the thousands, including those from magazines, profess=
ional organizations and even political interest groups such as Republicans f=
or Jesus.<BR>
<BR>
Recently, for example, the Christopher Reeve Paralysis Foundation advertised=
that its list of donors, including postal addresses, was for rent.<BR>
<BR>
A charity spokeswoman said that the rental list includes data only from dono=
rs who gave through direct-mail appeals, not online. But she acknowledged th=
at those people were provided no privacy information; the charity's Web site=
says it will never sell or share e-mail addresses of donors. Direct-mail do=
nors will now be given a chance to remove their names from the donor list, t=
he spokeswoman said, adding that the organization's lists are offered only t=
o "like-minded" groups.<BR>
<BR>
Sometimes, consumers may not be aware they are handing over information to v=
endors working behind the scenes at certain Web sites.<BR>
<BR>
Take CartManager, a Provo, Utah, company that is one of many providers of "s=
hopping cart" software used by online retailers. Merchants use the service t=
o manage their transactions. Customers select items, put them in virtual sho=
pping carts, and provide appropriate billing and shipping information to com=
plete the order.<BR>
<BR>
The company, which handles transactions for dozens of small Web retailers, l=
ast month offered for rent its list of 781,000 postal and e-mail addresses o=
f consumers who "regularly buy online." CartManager's privacy policy states=20=
that it might share such information. But a consumer might not even notice t=
he fine print stating that a retailer's shopping cart is "powered by" CartMa=
nager, let alone look at the firm's privacy policy. The transaction is done=20=
through the Web site of the retailer, whose privacy policy is more likely to=
be scrutinized by concerned consumers.<BR>
<BR>
CartManager executives did not respond to requests seeking comment.<BR>
<BR>
In some cases, marketers are open about their intent, if people take the tim=
e to read the privacy policies on Web sites closely.<BR>
<BR>
Some sites essentially exist to collect e-mail addresses and other personal=20=
data to allow future marketing. To entice people to hand over the data, they=
offer discounts on products or entry into sweepstakes.<BR>
<BR>
But in a research study Turow supervised for the University of Pennsylvania,=
57 percent of 1,200 adults who use the Internet at home thought that if a W=
eb site merely has a privacy policy, their information would not be shared w=
ith others.<BR>
<BR>
To expand their databases even further, some marketers employ a controversia=
l technique known as "e-mail append."<BR>
<BR>
List brokers, who buy and sell consumer data for companies, take names and p=
hysical addresses in one firm's database and look for corresponding e-mail a=
ddresses in outside lists that might contain enough information to match the=
m up.<BR>
<BR>
Columnist Jay Gibson explained the process in a recent edition of Opt-In New=
s, an online publication for marketers. For example, a pizza restaurant cann=
ot send e-mails about new services to a customer who orders over the phone b=
ecause an e-mail address is not provided, Gibson wrote. "But they can take m=
y name, physical address and telephone number, submit this information to an=
e-mail append service, and acquire it."<BR>
<BR>
Paul Chachko, chief executive of Datagence, a firm that provides e-mail appe=
nd, said the service can be performed properly by reconfirming with all cons=
umers on the lists that they wish to receive marketing messages.<BR>
<BR>
"The whole industry that we're involved with relies on . . . integrity and a=
self-policing environment," Chachko said. "But there are a lot of people ou=
t there that don't play by the rules. We've got to weed those people out."<B=
R>
<BR>
Marketing executives say they have instituted strict self-policing guideline=
s, including ensuring that consumers have the ability to "opt out" of receiv=
ing future advertising marketing messages.<BR>
<BR>
But opting out is not always easy.<BR>
<BR>
Bluefly Inc., an online retailer, has an extensive privacy policy. <BR>
<BR>
"We take this matter very seriously, and have instituted many policies and p=
rocedures to insure that none of your privacy rights as stated herein are ev=
er violated," the policy says.<BR>
<BR>
The policy tells users that anytime they e-mail the company, they consent to=
receive messages from the company. But to be removed from future messages,=20=
users must e-mail the company.<BR>
<BR>
A spokesman said the company would not send marketing messages to people who=
e-mailed requesting to be removed from future advertising. <BR>
<BR>
Citibank's parent, Citigroup Inc., requires customers of any of its hundreds=
of affiliates to tell each one that it wants to stop receiving marketing me=
ssages. Citibank has been the object of more than 30 complaints to the Feder=
al Trade Commission over the past year by consumers charging that the compan=
y has failed to honor their requests to remove their names from lists, or ma=
de it nearly impossible to do so.<BR>
<BR>
An FTC spokeswoman said the agency has not acted on the complaints, adding t=
hat it has received more than 1,000 similar complaints about a range of comp=
anies.<BR>
<BR>
In a statement, Citibank said, "We continually review our performance, and b=
elieve our procedures have been extremely effective in providing for the pri=
vacy preferences of our customers."<BR>
<BR>
Marketing and retailing executives want any anti-spam legislation to treat a=
ffiliates as separate entities, on the theory that customers of different pr=
oducts don't always pay attention to corporate relationships among companies=
.<BR>
<BR>
Microsoft, which like many Internet providers markets to its members, recent=
ly proposed a system in which industry would agree to an electronic seal-of-=
approval process that e-mail networks could recognize and allow legitimate m=
arketing through. Among the criteria for such a seal would be that requests=20=
of users to be removed from marketing lists would be honored.<BR>
<BR>
But privacy advocates and anti-spam groups are dubious about industry govern=
ing itself. Instead, they want computer users to be free of commercial e-mai=
l unless they specifically request it, a system known as "opt-in."<BR>
<BR>
Marketing and Internet industry lobbyists have successfully warded off this=20=
approach, while at the same time co-opting the phrase. In marketing parlance=
, opt-in means that consumers have not specifically asked to be removed from=
mailing lists.<BR>
<BR>
Thus, nearly all available e-mail lists are advertised as opt-in lists. But=20=
according to some in the industry, opt-in is at best a sliding scale.<BR>
<BR>
"If you forget to check a box [asking to be eliminated] from further marketi=
ng, that's technically opt-in," said Sherri Jones, a vice president at TKL I=
nteractive, a Southern California marketing firm. She said her firm sends e-=
mails to all list members asking them to confirm that they want to receive f=
urther advertising, a process known as "double opt-in."<BR>
<BR>
Jones said that to regain credibility, her industry must move to a true opt-=
in system, in which no marketing occurs before a user requests it. <BR>
<BR>
"The opt-in procedure puts the control of the transaction in the hands of th=
e consumer," she said, separating herself from her industry's trade groups.=20=
"That's a dramatic paradigm shift that I think a lot of old-school marketers=
are resisting."<BR>
<BR>
Industry officials counter that if they don't have the right to approach con=
sumers at least once, people will be deprived of potentially valuable offers=
that they would otherwise not hear about. <BR>
<BR>
Marketers also insist that they maintain the right to send messages to custo=
mers with which they have "existing business relationships."<BR>
<BR>
Consumer groups say that this makes sense if that means a customer has recen=
tly purchased a product, but it should not apply if he or she merely request=
s information.<BR>
<BR>
"Some companies, like psycho ex-boyfriends, tend to see relationships where=20=
they don't exist," said Chris Murray, legislative counsel for Consumers Unio=
n.<BR>
<BR>
<P ALIGN=3DCENTER>=A9 2003 The Washington Post Company <BR>
<P ALIGN=3DLEFT><BR>
</P></P></FONT></HTML>
--part1_17e.1d35d0a8.2c33a76b_boundary--