Simple Strategies to Avoid Privacy Leaks
The danger: Opening a bank or brokerage account, buying insurance, getting a credit card.
What you're exposing: Banks and brokerage and insurance companies routinely share financial information about their customers with affiliated businesses and other third parties.
Protect yourself: Be sure to opt out of having your information shared. Under federal law, most financial institutions are required to provide a privacy notice and a chance to opt out when you apply for an account or a loan and on an annual basis thereafter. If you don't see an opt-out box on your application or a toll-free number for opting out, call the company's customer-service number and ask how to do it. The Junkbusters site has printable opt-out form letters for financial institutions and credit-card issuers.
The danger: Buying a home, getting married, having a baby.
What you're exposing: These major life events are recorded by a government agency, and the information becomes part of the public record―meaning direct marketers that pay the courts and vital-records offices for your information can use it to send targeted mailings ("Congratulations, New Homeowner!").
Protect yourself: Get off the lists of one of the biggest sellers of public-records info. Call Acxiom's Consumer Advocate Hotline at 877-774-2094, or request an opt-out form at acxiom.com.
The danger: Fraudulent credit-report services that approach you via e-mail.
What you're exposing: Federal law entitles U.S. citizens to order one free copy of their credit report from each of the three nationwide consumer credit-reporting companies―Equifax, Experian, and TransUnion―every 12 months. Ordering and carefully checking these reports is the best way to ensure you haven't unknowingly become a victim of identity theft. But if you fall for one of the many credit-report-related scams out there, you could be in worse shape than ever.
Protect yourself: "Order the reports yourself―straight from the source," says Beth Givens, founder and director of Privacy Rights, a consumer information, research, and advocacy program. The only authorized source for your free annual credit reports from the three nationwide consumer credit-reporting companies is annualcreditreport.com (or call 877-322-8228). The reporting companies will not send an e-mail asking for your personal information. If you get an e-mail or see a pop-up ad claiming it's from annualcreditreport.com or one of the big-three consumer credit-reporting companies, do not reply or click on any links―it's almost surely a scam. If you order a report through the website, don't use a public computer, and double check the URL to make sure you don't fall for an impostor site―there are lots of them. If you're receiving a credit report by mail, have it sent to a secure mailbox, and request that the report display only the last four digits of your Social Security number.
The danger: Filing a permanent-change-of-address form with the U.S. Postal Service.
What you're exposing: When you declare a permanent move, the postal service passes along your new address to direct marketers (that is, junk mailers) who pay a licensing fee to use the National Change of Address database. They can update your profile in their databases to keep cluttering your mailbox with "special offers."
Protect yourself: Instead, file a temporary change of address. Doing so will ensure that your mail is forwarded for 12 months―more than enough time to contact individually the people and businesses you need to receive mail from.
The danger: Prescreened offers of credit or insurance.
What you're exposing: Identity thieves may intercept these and, with the right additional information, apply for credit under your name.
Protect yourself: Opt out of receiving these offers by calling 888-567-8688. With a single request, you can halt preapproved offers of credit or insurance that are based on information from the consumer credit-reporting companies: Equifax, Experian, TransUnion, and Innovis.
The danger: Catalog orders.
What you're exposing: You ordered one cable-knit sweater, and now your mailbox is jammed with catalogs you don't want.
Protect yourself: Opt out of catalog mailing lists through Abacus, which compiles a database shared by catalog and publishing companies. To do so, write to Abacus, P.O. Box 1478, Broomfield, CO 80038. Include the full name of everyone in your house who should stop receiving unsolicited catalogs, your current address, and your previous address if you've moved recently.
The danger: Talking to telemarketers.
What you're exposing: Every time you or someone in your home speaks to one, there's an increased likelihood of unintentionally revealing even more personal information.
Protect yourself: Register your phone numbers on the FTC's Do Not Call list. Go to donotcall.gov, or call 888-382-1222 from the number you want to register. (If you register through the website, be sure to click on a link in the confirmation e-mail you receive.) Most telemarketers should stop calling once you've been in the registry for 31 days. Charities and companies you already have a relationship with are still allowed to call, though. Mark your (long-range) calendar―you must reregister your numbers every five years.
The danger: Caller ID.
What you're exposing: Yes, it's nice to see who's calling you, but you may not want everyone you call to have such easy access to your name and number.
Protect yourself: In some states, you can sign up for "per-line blocking," which means your number will be blocked every time you make a call from a given phone line (to unblock, dial *82). If this isn't an option where you live, you can use per-call blocking; just dial *67 before dialing and your number won't be transmitted. The phone company can't charge you for using a caller ID-blocking service. If you're calling a toll-free number, however, the party you're calling pays for the call and is therefore permitted to identify your phone number through a system called Automatic Number Identification (ANI). However, Federal Communications Commission (FCC) rules limit the way parties with toll-free numbers can distribute and use this information. For privacy, Givens recommends having an unlisted number or listing your number but not your address.
The danger: Making a phone call (crazy but true).
What you're exposing: The phone company knows your number―as well as the numbers you call, how often you call them, when and how you use your phone, what services you subscribe to, and other sensitive personal information. And if you authorize it (or fail to prohibit it), the company can distribute this information to third parties for marketing purposes.
Protect yourself: Read your phone bill and any other notices you receive from the company, and call if it's not clear how to opt out of sharing personal information. Under federal law, information about your telephone use―known as customer proprietary network information, or CPNI―must be protected. Specifically, the company must obtain your approval to use it, or to share it with affiliates or third parties for the marketing of services or products you don't already receive. (Without approval, though, it may use the information to remind you how great the services you already receive are.) There are two ways a company obtains customer approval: by sending a notice telling you it will use or share CPNI for marketing unless you tell it not to, and by asking you to "opt in" for such information sharing. To learn more about regulation of the phone industry, go to fcc.gov/cgb.
The danger: Using your work computer for anything personal.
What you're exposing: Every Internet search performed and any e-mail you've written―basically, everything you do on your computer.
Protect yourself: "There are really no limits on what employers can do in terms of electronic surveillance," says Frederick Lane, author of The Naked Employee: How Technology Is Compromising Workplace Privacy (American Management Association, $25, amazon.com). While the Electronic Communications Privacy Act of 1986 prohibits employers from any unannounced monitoring of personal telephone calls, there are no nationwide laws limiting surveillance of e-mail or Web use, and about three-quarters of U.S. businesses practice some form of electronic spying on workers. Assume you are being monitored, and act accordingly. Think twice before researching a medical condition online or finding a local AA meeting. And don't think you're protected by using a private e-mail account. Your employer has access to any messages you send from its computer.
The danger: Surfing the Web at home.
What you're exposing: Going online opens you up to hackers, viruses, spyware, and other invaders, which means your saved personal information is at risk.
Protect yourself: First, install good computer-security software and update it frequently. Norton, McAfee, Trend Micro, and ZoneAlarm all offer comprehensive packages that include firewall, antivirus, and antispyware software, and that will detect or delete data-gathering "cookies" stored on your computer. Also, practice good online habits: Don't open e-mail attachments from unknown senders, as they may be infected with viruses, and don't open your computer to file sharing. Use hard-to-guess passwords (combinations of upper- and lowercase letters and numbers), make your wireless connection password-protected, and disconnect from the Internet when you don't need to be online.
Your Shopping Behavior
The danger: Supermarket “loyalty” cards.
What you're exposing: These cards offer discounts in exchange for the right to record your shopping habits. This type of data may be shared with marketers and used to send you “targeted” advertising. It can also be subpoenaed in criminal, divorce, and child-custody proceedings.
Protect yourself: If possible, patronize stores that don’t use these cards but offer the same sales and specials to everyone who shops there. Or, if you must shop at a store with a card program, try registering with a fake name (“Jane D. Shopper”) and address, and supply only as much other information as the store absolutely requires. You can also fill out most of your real information, but leave off, for example, your apartment number or area code, so that companies won’t be able to contact you in the future. “Hold firm if they give you a hard time,” says Givens. “Tell them you’d like to shop at their store and receive cardholder discounts but you’re not comfortable giving out personal information.”
The danger: Product registration cards and sweepstakes forms.
What you're exposing: You have not only entered to win, you have entered your information in a marketing database.
Protect yourself: Just don’t do it. Many consumers confuse the product-registration card that comes in the box with that new coffeemaker, DVD player, or washing machine with a warranty card. It may not have anything to do with the product warranty―it’s just a sneaky way of collecting your name, address, and any other juicy tidbits that can be used to build your profile in someone’s marketing database. A receipt documenting your purchase of the item is often all you need to be eligible for warranty coverage. If you do want the manufacturer to have your contact information―if, say, you’re buying a child’s car seat and you want to be notified of a safety recall―fill out only the top half of the registration card, not the part with questions about other products you own, how much you earn, what kind of car you have. And look closely for a box to check to opt out of receiving unsolicited marketing materials. Sweepstakes forms (distributed through the mail and online) “are a vehicle for obtaining names and other information for marketers,” says Givens. Do you want to give up private information for a slim chance of winning a prize?
The danger: Providing unnecessary additional information when making a check or credit-card purchase.
What you're exposing: Has a merchant ever asked for your address and phone number when you bought something with a credit card? Or written your credit-card number on the back of the check you’re paying with? Both practices may violate your privacy, and they may also violate card-company rules and state law.
Protect yourself: Refuse―nicely―to provide the information. Some merchants just aren’t aware of the rules and are “only following store policy.” You can inform them that Visa, MasterCard, and American Express all forbid merchants to refuse a sale just because someone doesn’t want to provide more information than is already on her card. Know, too, that a number of states have passed laws prohibiting merchants from recording certain personal information in connection with credit-card transactions. If you’re paying with a check, merchants often ask to see two forms of ID―typically a driver’s license and a credit card. You can show them the cards, but don’t let them write your credit-card number on the check. Aside from the obvious risk of fraud, the practice is illegal in more than 20 states. Never let anyone write your Social Security number on a check, either. For a list of states and the privacy laws pertaining to credit-card and check transactions, go to privacyrights.org.
Your Medical Records
The danger: Going to the doctor (without knowing your privacy rights).
What you're exposing: Your medical records may contain information not only about your physical health but also about your family relationships, sexual behavior, substance use, and even thoughts you’ve expressed to a psychotherapist. This information is often keyed to a Social Security number, meaning that―like your personal financial information―it is vulnerable to hacking. Parts of your medical record may also be made available, with or without your permission, to a variety of other parties, and this information can influence your ability to get health insurance and the rate you pay for coverage.
Protect yourself: Be aware of the authorized uses of your information. The Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires health-care providers to give every patient a Notice of Privacy Practices, which explains how the provider may use the information in your health records. Be aware, though, that even with these privacy protections, there are cases where PHI may be shared without your consent―for emergency treatment or to obtain a third-party payment, for example, or if subpoenaed for a court case. Health providers must have authorization, though, to use your data for most marketing, research, and fund-raising activities.
As with your credit report, it’s important to know what’s in your medical records and to correct any inaccurate information. Under HIPAA, you have the right to inspect and request amendments to your health records and to know if any information has been disclosed without your authorization. Also under HIPAA, your health provider and insurer must provide you with information on when, why, and with whom your records were shared (only if you request it and only once a year). You also have the right to request that communications about your health be sent confidentially (to a particular address or phone number or in an envelope instead of on a postcard, for example) and that additional restrictions be placed on what can be disclosed about your treatment or state of health. You could request, for instance, that a hospital not disclose anything about a surgical procedure you’ve had. Note that providers are obligated only to consider such requests, not necessarily to agree to them.
If you can avoid having your Social Security number linked to your medical records, so much the better (although some providers may refuse service if you choose not to provide them with your number). For more information on health-care privacy, visit the Department of Health and Human Services at hhs.gov.