One element of privacy on the Internet is "Opt in" versus "Opt out". When you register at a web site you will often see a small box to be checked giving you the “option” to be included or not included in subsequent emails making offers to you. Opt in means you proactively choose to be included. Opt out means you are included by default and you have to take action to be removed from the list of those who will automatically receive the emails. In some cases you have to read the words very carefully to determine which case is the default. This is part of Trust. Is the site really opening up to you and making it very clear what your options are, or are they making the words a bit fuzzy and hoping you won’t figure out what the default actually is?
Citibank introduced a service called c2it back in 2000 that enabled the sending and receiving of cash via email. You simply visited the c2it site, specified which of your checking, savings, or credit card accounts you wanted the money to come from, and entered an email address for someone you wanted to send the money to. That person would then receive an email, would be asked to enroll in c2it, and could then accept the money from you directly into their checking, savings, or credit card account. This seemed like a potentially useful service to me when I learned about it and so I enrolled. Only after I enrolled did I find out that there were fees involved. Then I discovered that incoming amounts are not credited to your account for five to six days, which is longer than if I had received a check and deposited it myself. Then I discovered that there is no fee to receive into a Citibank credit card but there is a fee if it is another bank’s credit card. I am not saying the fees are unreasonable – the competition from PayPal and other services would determine that. C2it ceased operations in 2003. If you visit the c2it site you are told that you could contact c2it for a copy of your statement by writing a letter to "Customer Service Center" in Sioux Falls, South Dakota and provide them with your full name, e-mail address, phone number, and a copy of your social security card, driver’s license, or a telephone bill, gas or electric bill or bank statement from the last 30 days. What would they do with all that information? Probably sell it to other companies. If you have any doubt of that, just read the Citibank Privacy Notice.
Fast forwarding seven years I would have been hopeful that Citibank would become a leader in gaining our trust. Unfortunately, not the case. Who might Citibank share your personal information with? The list includes affiliates among the family of companies controlled by Citigroup as well as non-affiliated third parties, such as financial services providers and non-financial organizations, such as companies engaged in direct marketing. I can’t think of much that doesn’t fall into one of those categories. What information is it that they might "share"? Your name, e-mail address, zip code, age and income range, information you provide on applications and other forms, information about your transactions with affiliated or nonaffiliated third parties, information received from a consumer reporting agency and information received about you from other sources. I can’t think of much that is not included.
We are talking about a sweeping allowance to provide a broad and undefined amount of information about you to a broad and undefined audience. If you touch Citibank you will quickly start receiving marketing offers. Citigroup says "We may do this even if you ask us to limit disclosure of personal information about you". Not that it really matters, as they say, but how would you make a request to have your privacy respected? You would send them a "Privacy Choices Form" by U.S. mail. Mail? Yes, snail mail. This highly automated, web-savvy giant can transfer money in and out of any of your accounts in milliseconds but to have your privacy respected "please allow thirty days from our receipt of your privacy choices for them to become effective".
The issue is trust. It was easy to get the feeling that Citibank was not being forthcoming about their c2it offering. Citibank reminds us that it is "allowed by law to share with its affiliates any information about its transactions or experiences with you". Should the default be “check this box if you do not want this"? Seems to me that it should be opt in not opt out.
Brand used to be a feeling conjured up by how a company’s product was physically packaged or how you imagined yourself using it. Increasingly brand is a feeling conjured up by your experience on that company’s web site and from its privacy policy. These tie directly to Trust. Companies that have a web site that provides an end-to-end positive experience and which enhances people’s quality of life by saving them time will gain enhanced brand equity. The converse will become obvious. Web sites already have a repository of huge amounts of personal data that represent the byproduct of not just our registrations but also our surfing habits, our purchases, and our interactions with others. In the near future our medical records will be on a web site somewhere and beyond that will come real-time data streamed from pacemakers and other medical instruments that are attached to our bodies. All of this data can bring significant benefits to us but only if we are able to trust the holders of the data and have confidence that they will protect it and respect our preferences about how and when it can be used.
Epilogue: This is not a story picking on Citibank. They are one of the giants and they put things in our physical mailboxes on a regular basis, so they have no place to hide. Unfortunately, most privacy policies out there resemble what I have discussed here.