Albert took the time to read one of those privacy notices that came to him via e-mail and discovered, as he puts it, "Verizon Wireless is giving themselves the right to share my information quite broadly."
The e-mail referred to Albert's CPNI (Customer Proprietary Network Information), the data collected by telecommunications companies based on the customer's usage. It includes details about the services you buy and use, right down to their location, configuration, and quantity. According to the Privacy and Consumer Profiling report from EPIC (Electronic Privacy Information Center), "CPNI includes subscribers' names, addresses, services, amount of usage of services, and calling records. 'Calling records' are lists of phone numbers that the subscriber receives calls from or dials."
Together with the customer's name and phone number, that can potentially yield a great deal of information about your habits, friends, associates, and interests. This sort of data is fascinating to marketers; they like to purchase aggregated lists of what interests you -- along with easy ways to contact you -- so that they can sell you things.
Even if you don't mind that, things can go terribly wrong when that data falls into the wrong hands. According to the EPIC report, "One of the largest commercial profilers, Metromail (now owned by Experian), used prisoners to enter personal information from surveys into computers." A bad idea? Certainly. According to the report, one woman was stalked as a result by "a convicted rapist and burglar who knew everything about her--including her preferences for bath soap and magazines." In this case, the data was gathered from surveys and sources other than her cell phone habits, but EPIC categorizes this sort of behavior-rich data-gathering as profiling.
"Most people consider CPNI private," says the Privacy and Consumer Profiling report. "And under a 1996 telecommunications law, companies must first gain permission from the subscriber (opt-in) before using CPNI for marketing. However, telecommunications companies have challenged the interpretation of that law, and seek to sell CPNI and allow marketing and profiling based on individuals' calling behaviors with only opt-out protections."
An opt-out is, indeed, what Albert received. The letter stated, "Unless you notify us within 45 days of receiving this notice that you do not want your CPNI ....shared, we will assume that you give us the right to share your CPNI." The e-mail provides a big opt-out button at the bottom of the page; it's also possible to go online at Verizon and opt out at a later date. This is all well and good, Albert points out, if you have an e-mail address on file with Verizon. But what if the e-mail is captured by your spam filter or the e-mail address on file with the company is invalid? In that case, you are unlikely to respond and have, therefore, opted in.
In Albert's example, though, you have not agreed to allow Verizon to sell your CPNI to just any marketing company willing to proffer a little hard cash. The letter is asking permission to share your CPNI with "the Verizon family of companies, which includes our affiliates, agents and parent companies (including Vodafone), as well as their subsidiaries." To make that clear, a bold-faced statement in the letter announces, "Regardless of your decision, your CPNI will never be shared by Verizon Wireless with any unrelated third parties."
Got gripes? Send them to firstname.lastname@example.org.