Why a U.S. Olympic Committee Link Request Was Rejected

Saying no is a hard thing to do, especially when saying it to a representative of the United States Olympic Committee. As much as I support the Olympic movement and the goals of the USOC, I have to make business decisions on whether or not to link to the web sites of organizations, as with the link requested last week and again today.

The decision is, however, easy when the site to be linked to requires users to provide personally identifiable information and the USOC reserves the right to sell or lease the information to unaffiliated third parties.

Am I being worse than the proverbial "Nanny State" in refusing to link to sites that require personally identifiable information to get access to whatever the sponsoring organization is "selling" or "giving away" to visitors? Maybe so, but it is my experience as an information technology consultant and auditor that drives this line of thinking.

Specifically:

1. Your email address is more valuable to marketers and bad guys than your credit card number. Why? Because people will readily change their credit card number when it is compromised, but they will very, very rarely (if at all) change their email address.

2. Users NEVER (or at least 99.5% of the time don't) read end-user license agreements and/or privacy policies. It is not that they don't want to, but they don't want to crawl through lines and lines of legalese without knowing what it really means.

3. Users are not as likely as people experienced in information technology to create disposable e-mail addresses for "one off" purposes such as signing up for a web site or a service. If they did, they would quickly find out what companies and organizations are selling their information.

What does the USOC Privacy Policy state that people using their sites may not know? Simply put, you are giving them the right to sell or lease your information to unaffiliated third parties, giving up your right to effectively and easily control the use of your information:

We do not normally disclose any personal information that you provide to us to the USOC's partners, sponsors, suppliers or other unaffiliated third parties.  However, we reserve the right to disclose  personal information that you provide to us to unaffiliated third parties that have agreed in writing to use your personal information only in accordance with the terms of this Privacy Policy. 

The only control you would have would be to "Opt-Out":

These unaffiliated third parties MAY use your personal information to send you information, advertising and promotional materials about their companies via mail, unless you OPT-OUT of receiving such third party materials.  These unaffiliated third parties MAY NOT contact you via e-mail unless you OPT-IN to receiving such third party materials.  To exercise your right to OPT-OUT of or OPT-IN to receiving such materials, please see the OPT-OUT/OPT-IN PROCEDURES section of this Privacy Policy.


Unfortunately, the web site in question does not provide an Opt-In Option, so basically people are asked to give away their information without control. There is a simple solution for all web sites that collect information: follow the IBM model of registration and put check boxes on the form that address all possible uses of the data.





Finally, there is no provision in the USOC Privacy Policy for audit (i.e. verifying they are doing what they say they are doing) by independent, third-party auditors. As they say in the South, "that dog don't hunt" in terms of our company's standards and practices.
