As a Solution Architect who has on more than one occasional suffered through the pain of working with a company’s Legal department to draft legal disclaimers for use on the web, I’m amazed (and frustrated) by organizations who take the time to post but then ignore their own Terms & Conditions or Privacy Policy.  Not surprisingly, it bothers me more when this irresponsible behavior impacts me personally.

This was obvious both in dealings with my College and with USA Triathlon, the governing body for the sport of triathlon in the United States.  The former ended up handling it very professionally, the latter not so much.  Well, not at all actually.

And ultimately, how an organization handles the situation can go a long way.

Companies often try to stand behind legislation they don’t understand.  In 2011, Florida State College cancelled two courses for which I had registered after attendance levels were lower than what would allow them to hold the classes.  Understandable.  Rather than refunding my tuition to my AMEX, they sent my personal information to a bank in Connecticut that opened a secured, pre-paid credit card in my name, mailing it to me along with instructions on how to activate it.

The bank, Higher One, is no stranger to complaints.  Even consumer groups warn students to avoid them for reasons such as their $19 monthly fee for cards that are not used for transactions.  Students have protested the use of Higher One for some time and a few have even gone so far as to file a couple lawsuits against the company, resulting in the return more than $11 million in 2012 and more than $16 million in 2013 to students for unfair and deceptive practices following FDIC investigations.  Congress, the Consumer Financial Protection Bureau, and the Department of Education are all becoming more involved as they continue to field complaints about the issues.

So, now this company had my personal information (including home telephone, mobile telephone, home address, and email addresses) and was repeatedly calling my mobile phone with a recorded solicitation message, unlawful under Florida Statute 501.059(7)(a), the Telephone Consumer Protection Act of 1991, and FCC regulations. Their web site has a link to their terms and conditions as well as a privacy policy, but you have to create an account in order to view them.  A link to a different address in their email pointed to a privacy policy with disclosure that they share your personal information with other companies who wish to offer you products and instructions on how to opt out and request that they remove your information.  I had no interest in using their card or otherwise creating a business relationship with their company, so neither activating the card nor giving them my bank account information (for deposit of the pre-loaded balance) was a reasonable option for me.

Instead, I called Higher One to request that they stop calling me and remove my information from their systems.  They refused — despite their privacy policy allowing for such a request — saying that I had to activate the card in order to stop the calls and assuring me that they are permitted access to my information under the Gramm-Leach-Bliley Act, which ironically stipulates the College would have been required to issue a privacy notice and allow me to opt out of their sharing my information with Higher One in the first place.  After pointing out that this requires me to agree to the very terms and conditions I have a problem with, they told me that if I wanted the calls to stop or my refund, I’d have to activate the card.  So I decided to pursue it with the College instead, assuming the school’s policy of returning tuition refunds to the original method of payment (American Express) gives me at least some ammunition to get this resolved.

After a couple of emails telling me I had to use the card, I included the President of the College in my final email explaining what course of action I planned to take, including contacting the Chancellor of State Colleges and potentially a private attorney.  Amazingly, I got a really well-written letter from a Vice-President a day later explaining not only that they should have refunded my payment to the AMEX and that this would be done, but assuring me that they had already contacted Higher One and that they agreed to remove my information from their systems.  The letter was superbly-written and in the end, my impression of FSCJ was much better than it had been for the previous couple of weeks.

By contrast, USA Triathlon plainly gives its members tools to indicate their marketing preferences; they just don’t honor them.  Worse, complaints about this are either handled dishonestly or ignored completely.  All triathletes who register for a sanctioned triathlon in the United States are required to be a member of USAT for at least the day of the event.  Most athletes seek an annual membership ($40) rather than pay $10 for a single day.  USAT requests personally-identifiable and/or sensitive information from them for several reasons, ranging from standard contact information to personal details for a family member (or other emergency contact) as well as education levels and income ranges for statistical purposes.  In addition to providing this information, I also indicated that I did not want to receive any marketing emails, nor did I want them sharing my information with other parties.

I started getting unsolicited emails from a USAT coach here in Florida last Fall and used the unsubscribe link in her email to request that she stop sending me emails.  When I received another a few weeks later, the unsubscribe text at the bottom was blue and underlined, but no longer included a link to unsubscribe.  After emailing the coach to ask that she stop contacting me, I checked my marketing preferences and emailed USAT, who advised they confirmed my profile was set correctly (no kidding, seriously) and assured me they would have the coach purge my information.  The coach later wrote me confirming she had removed me from their database.

A few weeks later, another email from the coach arrived encouraging me to consider a training session she had coming up.  My subsequent email to USAT has gone unanswered, with no response from the membership coordinator or the two members of her executive team that I included on the correspondence.  Not really the smartest way to respond to an inquiry regarding the misuse of personal data belonging to a paying member of your organization.

Whether USAT routinely mishandles member information or if it gives its coaches special access to it and this particular coach used information in a manner she wasn’t supposed to, well, who knows?  It would require a response from the organization to know this, wouldn’t it?

Ultimately, my goal is for fewer organizations and companies to have my information.  Optimally, I’d like to know when they store it and exactly what they store, and I’d appreciate some level of control over the sharing of this data.  Some entities afford you these very reasonable things, whereas others do not. Worse, some like USAT, give you the false security of thinking you have control over them only to find out they betray your trust anyway.