Making Data-Sharing Choices With Incomplete Information
Tuesday, November 15, 2011
This morning, I signed into my Discover credit card online account to read the new privacy policy which the bank had sent several e-mail messages about. Since writing this blog, I have learned two things: banks constantly tweak their terms and privacy policies, and it is important to read the fine print. Frankly, I found the online experience unsatisfactory.
The new policy clearly describes what Discover shares about sharing cardholders' personal information. Some of this personal data sharing is necessary (and appropriate) for banks to report consumers' balances to credit reporting agencies (e.g., Equifax, Experian, TransUnion). Note that the policy includes three types of companies (e.g., Affiliates, Non-Affiliates, and Joint Marketing):
The new policy also defines the three classes of companies Discover does business with and shares cardholders' personal information with:
This new policy doesn't list the actual company names within each category. It leaves cardholders to guess, and make an uninformed decision about whether to share their personal data where Discover allows above. And, you can't make your sharing decisions online at the website. you have to call the toll-free number.
This incomplete disclopsure makes the new privacy policy pretty useless for the following reasons:
- The policy doesn't provide enough information (e.g., specific company names by category) to make an infomred decision,
- For one class of companies, cardholders have to go hunting in another document,
- The new policy didn't highlight what had changed from the old policy, and
- The whole data-sharing decision process forces Discover cardholders to be financial experts about Discover's business relationships in order to make a decision about whether to share their personal information.
The new Discover Privacy Policy is also available to the public here. The above policy is not full, honest, transparent disclosure. Not even close.
While at the website, I sent this secure message to Discover to try and get an answer:
"This morning, I read online your new privacy policy about changes in information you share with affiliates, non-affiliates, and joint marketing companies. I found the whole online experience unsatisfactory, since it never provides examples of actual companies in each category. This makes it difficult for customers to make informed choices. When will you update the policy with actual company names?"
To try and learn more, I also started an online chat with one of the Discover customer service representatives. The text of that chat is below. Note that the representative provided only an example of a corporate affiliate:
"Katie: Thank you for visiting Discover.com. What questions can I help you with today?
George: I have a question about the new privacy policy. Which companies are affiliates, non-affiliates and joint marketing?
Katie: That's a great question! Our corporate affiliates are GE Money Bank (Sam's Club and Wal-Mart Discover Cards) as well as HSBC as we do offer a Discover Card through them."
Hmmmmm. I didn't say anything but I recognize the GE Money Bank and Wal-Mart company names from this prior post. The online chat session resumed:
"Katie: As to who is included as a joint marketer; I am not sure. I can forward that information to a specialist and email you back as soon as I hear from them.
George: Is there a list somewhere, so I can make an informed decision about whether or not to share my personal data?
Katie: Those partners should be listed in your most recent Cardmember Terms and Agreement. Would you like me to mail you a copy of that document?
George: Yes, please.
Katie: Thank you. Can I help you with anything else today?
George: It would be nice if you listed the companies online at the website privacy policy and terms policy. Please tell your managers of this request.
Katie: I can certainly forward your feedback! Have a great day, Mr. Jenkins!"
Sadly, Discover isn't the only bank that does this. Many banks and non-financial companies have similarly incomplete privacy policies.
Comments