As enterprises strive to leverage data in every way possible, corporate privacy policies detail exactly what they’re trying to get away with — and are written in the fervent hope that no one ever reads the details.
In recent months, privacy policies have veered wildly off course. Instead of being a document that comforts customers/prospects that the company is protecting privacy as much as possible, many now spell out the most frightening scenarios possible — on the off chance the company opts to try any of them.
It’s the same approach the legal beagles (and the companies they serve) take with patents, most of which they have zero intent to turn into a product or service. And it’s the same approach taken by people who write up prospectuses: here are 50 things that might go wrong. But with privacy, these throw-spaghetti-again-the-wall “maybe-maybe” scenarios are going to scare away customers and prospects. These approaches do the opposite.
How bad have things gotten? Let’s look at what Instacart — the $3 billion delivery giant that is legally dubbed Maplebear — did when it updated its privacy policy on May 17.
The Instacart mess
Instacart’s new policy gives it the right to retain and sell a wide range of customer details, including psychiatric diagnoses, birthdate/age and even license plate numbers. It declared plans — for the moment — to ignore Do Not Track browser settings and said it might choose to share customers’ personal health information “in connection with a business transaction or bankruptcy proceeding.” (Note: choosing to sell a customer’s information to a third party is, by definition, a business transaction.)
Instacart did not respond to a request for comment.
The privacy policy lists all of the information Instacart collects and reserves the right to use or share that information when it wants to. What it collects depends on the services a customer uses.
A license plate number, for example, becomes an issue when a customer does curbside pickup. Health information becomes a potential issue if medical prescriptions are delivered, and if pharmacy deliveries are used, Instacart says it will retain, use and potentially share “your past, present or future physical or mental health or condition; the provision of health care to you; or your past, present, or future payment for the provision of health care.”
Though Instacart wrote that it will not disclose personal health information “without prior written consent,” it lists various exceptions, including the vague and broad “in connection with a business transaction or bankruptcy proceeding.”
Instacart “may collect or receive personal information relating to you” from “law enforcement, public health or other governmental authorities.” It might “use your Personal Information” to “respond to requests and communications from law enforcement authorities or other government officials.”
Is law enforcement now using Instacart deliveries to gather information? Will the company be adding “arrest warrant” to the items that can be delivered within 30 minutes?
Instacart adds, “We may also disclose your Personal Information to other parties if we believe it necessary or appropriate” to “protect our operations and those of any of our affiliates; (c) to protect our rights, privacy, safety, or property, and/or those of others; or (d) to allow us to pursue available remedies or limit damages that we may sustain.”
Really? In other words, it is saying to customers that it won’t sell your personal information — unless it’s in their business interests to do so. How comforting.
What is perhaps the contrarian part of this privacy policy is where Instacart explicitly says it will ignore “Do Not Track” (DNT) requests for privacy. This is the developing standard for web browsers that tells websites you visit that you do not want information about your online activity collected over time and across third-party websites or online services. “Although we do our best to honor the privacy preferences of our users, we do not interpret or respond to DNT or other similar signals from your browser at this time.” Good to know.
And finally, while Instacart will allow you to ask that personal information be deleted, “to do so, we require you to submit up to three pieces of Personal Information that we then match against the account information we have on file for you.” Good luck with that.
Send in the feds?
“This does not come close to complying with basic privacy principles,” said Mark Rasch, an attorney who specializes in cybersecurity and is the former head of the US Justice Department’s high-tech crimes unit. “This is written in such a way that a reasonable consumer might think that (Instacart) is protecting privacy when in fact they are doing the exact opposite.”
He noted that even some seemingly innocuous references — such as that retail partners can share information — are so vague they open the door to limitless possibilities.
“What information is being shared?” Rasch said. “About what and what are you doing with it? It’s written in such a way that it gives the illusion that suggests what it will be used for but it doesn’t state that outright. This means that Instacart can, without a warrant or subpoena, tell police in Alabama the name of every woman who has been prescribed abortion pills. It doesn’t mean that they are going to, but it means that they can. And why would the police be giving Instacart information? It’s so that Instacart can monitor people for law enforcement purposes.”
He added that these kinds of privacy policies are “driven by fear of litigation. They want to make it far more difficult to inadvertently violate it. But that defeats the whole purpose of a privacy policy.”
In 2024, these privacy policies have become macabre lists of the worst possible things a company might try to get away with. Is that really something we want to create, let alone announce and invite customers to read? How about going back to what privacy policies are supposed to be, which is a description of how the company is protecting customers’ privacy?
If the corporate lawyers balk — and that is indeed what lawyers do best — simply tell them the sad truth: “Chill out. If any execs decide to violate the policy, we can simply update it right before you let them do anything. And then we only need to change that one sentence to permit that one horrific action.”
It’s hardly moral or ethical, but it’s likely as close any enterprise Legal department can get these days.
Remember, a lot of the privacy rules now in place assume that violations would happen by the companies that must gather the data. In other words, for healthcare data governed by HIPAA, the assumption has been that potential violators would be hospitals, doctor offices, labs and pharmacies, and other medical professionals.
No one gave much thought to the idea that a grocery delivery company would have access to such information. If they engaged in this behavior, could they be sued? Absolutely. (These are the kinds of cases that Instacart does not want to get in front of a jury of their customers’ peers.) But can government agencies fine or otherwise punish them? That’s unclear.
Law, meet loophole.
One of the few agencies that could, in theory, punish such behavior from any business is the Federal Trade Commission (FTC). But the FTC’s main tactic involves accusing businesses of fraudulent behavior. In other words, it cracks down on companies not doing what they tell customers they will do.
These kind of extreme privacy policies are precisely designed to thwart any such FTC actions. There’s no fraud if they publicly announce what they are going to do. That’s a key reason lawyers love these overly broad privacy policies. And it’s the best reason these types of privacy policies must be shut down.
