IP: Citibank's meaningless privacy notice: [risks] Risks Digest 21.38

[David Farber <dave () farber net>]

> Date: Thu, 3 May 2001 02:03:04 -0400 (EDT)
> From: VASSILIS  PREVELAKIS <vassilip () dsl cis upenn edu>
> Subject: Citibank's meaningless privacy notice
>
> Citibank(South Dakota, N.A.) sent a leaflet to its customers to "...tell you
> how you can limit our disclosing personal information about you."
>
> Observe what great choice Citibank customers have:
>
>     [...]
>
>     Categories of Nonaffiliated Third parties to whom we may disclose
>     personal information
>
>     Nonaffiliated third parties are those not part of the family of
>     companies controlled by Citigroup Inc.
>
>     We may disclose personal information about you to the following
>     types of nonaffiliated third parties:
>
>     * Financial services providers, such as companies engaged in banking,
>       credit cards, consumer finance, securities and insurance,
>
>     * Non-financial companies, such as companies engaged in direct
>       marketing and the selling of consumer products and services
>
>     If you check box 1 on the Privacy Choices Form, we will not make
>     those disclosures except as follows. First, we may disclose information
>                       ^^^^^^^^^^^^^^^^^
>     about you as described above in "Categories of Personal Information
>     we collect and may disclose" to third parties that perform marketing
>     services on our behalf or to other financial institutions with
>     whom we have joint marketing agreements. Second, we may disclose
>     personal information about you to third parties as permitted by law,
>                                                     ^^^^^^^^^^^^^^^^^^^
>     including disclosures necessary to process and service your
>     Citi Card account.
>
>     [...]
>
>     Sharing with Citigroup Affiliates (Box 2)
>
>     The law allows us to share with our affiliates any information about
>     your transactions or experiences with you.
>     Unless otherwise permitted by law, we will not share with our
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>     affiliates other information that you provide to us or that we
>     obtain from third parties (for example credit bureaus) if you check
>     Box 2 on the Privacy Choices Form.
>
>     [...]
>
> The options the clients are given are non-sensical as the bank retains the
> right to share information "as permitted by law" with just about everybody.
>
> Let's consider Box 1. Assuming that Citibank does not break the law, if the
> customer does not check the box, Citibank can share personal information
> with third parties. If the customer checks the box, Citibank "may disclose
> personal information to third parties"
>
> So whether Box 1 is checked or not the effect is the same unless Citibank
> breaks the law in sharing information with third parties.  Only in this case
> checking the box makes a difference. If the box is checked, the customer
> essentially asks Citibank to stop performing these illegal activities.
>
> Let us now consider box 2. Regardless of the state of the box, Citibank can
> share with its affiliates "any information about [Citibank's] transactions
> or experiences with [the customer]."
>
> The information that box 2 is supposed to control is information "obtain[ed]
> from third parties". Again if the box is not checked then this information
> may also be shared, while if the box is checked personal information may
> still be shared unless prohibited by law.
>
> Great choice!
>
> On their web site "http://www.citibank.com/privacy"; Citibank claims:
>     "6. We will tell customers in plain language initially, and at
>         least once annually, how they may remove their names from
>         marketing lists. ..."
>
> If the language that was used in the leaflet is "plain" then Citibank must
> assume that all their clients are lawyers.
>
> In fact the whole purpose of the leaflet is to *pretend* that Citibank cares
> about the privacy of the customers, while retaining the right to distribute
> the personal information of their customers in any way they like.
>
> I have no problem with that - if I want privacy I can open a dollar account
> with a European bank and enjoy the protection of the EU laws.  I *do*
> object, however, to being handed a document like that which treats me like
> an idiot.
>
> Vassilis Prevelakis, University of Pennsylvania



For archives see: http://www.interesting-people.org/