PRC's Privacy Update No. 2, Iss. 3

In this issue . . .

[1] Google’s New Email Service, Gmail, Under Fire for Privacy Concerns, Possible Wiretap Law Violations

[2] PRC Posts Newest Fact Sheet -- Online Privacy for Nonprofits: How to Protect Members’ Privacy and
Personal Information

[3] PRC Urges FTC to Help Consumers Get a Free Copy of All Consumer Reports that Are Covered by the FCRA

[4] Hilarious Consumer Federation of California Ads Call for Financial Privacy -- They Parody Citi's Identity Theft

[5] A PRC Success Story: The Case of the Retirement Home and Its Old-Fashioned Ways

[1] Google’s New Email Service, Gmail, Under Fire for Privacy Concerns, Possible Wiretap Law Violations

April 1, 2004 -- On April Fools Day, Google, the Internet search engine heavyweight, soft-launched its new, free email service called Gmail. Beta testers of the new service benefit from 1 gigabyte of storage space and its developers tout better-search functions than other free email accounts such as Yahoo, MSN, and Hotmail. However, Gmail has raised privacy concerns because users cannot opt out of having incoming emails scanned for keywords that Google then uses for content-targeted advertising. In addition, Google’s Terms of Service admits that Gmail messages may remain on its system for an indefinite period -- even after an account has been deleted.

April 6, 2004 -- Many privacy and civil liberties groups worldwide were alarmed by Gmail’s privacy implications and the fact that no other email service provider has ever reviewed incoming email content for targeted ads. On this day, 31 privacy and civil liberties groups signed on to an open letter asking Google co-founders to suspend the service until privacy concerns were adequately addressed. The letter, co-authored by the World Privacy Forum and the Privacy Rights Clearinghouse, notes that scanning confidential email messages without the sender’s consent and then appending ad content violates the trust of email service users, in particular those non-Gmail users who send messages to Gmail subscribers. In addition scanning creates lower expectations of privacy in the email medium and thereby establishes a potentially dangerous precedent.

The open letter can be read in its entirety at

April 19, 2004 – The UK-based Privacy International filed a complaint asking the privacy and data protection commissioners of many of the EU countries to investigate the serious privacy problems that Google's Gmail service poses. The complaint was sent to France, Germany, the Netherlands, Greece, Italy, Spain, Czech Republic, Belgium, Denmark, Sweden, Ireland, Portugal, Poland, Austria, Australia and Canada along with the European Commission and the EU Commissioners’ internal Article 29 Data Protection Working Group.

The complaint is available at

April 20, 2004 -- California State Senator Liz Figueroa (D-Fremont) introduced legislation that would require email providers to get consent from both parties of an email exchange before the content can be reviewed or used for purposes like ad placement.

The bill can be viewed online at:

May 5, 2004 -- The Electronic Privacy Information Center ( along with the World Privacy Forum ( and the PRC sent a letter to California Attorney General Bill Lockyer asking that it investigate Google’s Gmail service for possible violations of state eavesdropping and wiretapping laws. The letter points out that California law requires all-party consent and that those who send email to the domain have not given express permission for the content of their correspondence to be reviewed for keywords and subsequent ad placement. If Google is found to be in violation of California’s Penal Code 631, Gmail users could face possible civil and criminal penalties, the letter states.

The letter to the California Attorney General is available at

A separate letter to Google Co-founders Sergey Brin and Larry Page, notifying them of Google and Gmail users’ possible liability, is available at

[2] PRC Posts Newest Fact Sheet -- Online Privacy for Nonprofits

Many clubs, homeowners’ associations, parent-teacher associations (PTAs), public interest groups, and religious organizations use the Internet as a powerful way to communicate with members, spread the word on current issues, sign up new members, and much more. It’s increasingly common for groups to distribute newsletters by electronic mail and then post them on the group’s web site. Some organizations offer chat rooms, allowing members and the public to share ideas about current issues and upcoming events.

The PRC’s latest fact sheet explains why organizations that post any personal information on their web sites should develop policies that safeguard individuals’ privacy. The fact sheet advises groups to perform a privacy assessment to identify when personal information is exposed online, such as the group’s e-newsletters, member directories, and board member listings. Fact Sheet 28 also offers useful tips on how groups can safeguard the personal information they collect from their members. Groups are advised to develop a privacy policy and obtain consent from individuals before including names and other personal information on any documents posted on a group’s web site.

Fact Sheet 28, entitled Online Privacy for Nonprofits: How to Protect Members’ Privacy and Personal Information is available on the PRC web site at

[3] PRC Urges FTC to Help Consumers Get a Free Copy of All Consumer Reports that Are Covered by the FCRA

As noted in our February newsletter, recent updates to the Fair Credit Reporting Act (FCRA) will allow consumers to get a free copy of their consumer credit report once a year beginning on the West Coast in December 2004.

But not many consumers know that there are other types of “consumer reporting agencies” (CRAs) that are covered by the FCRA.

Such CRAs include entities that compile and report consumer data such as:
-- Medical records assembled by the Medical Information Bureau (MIB);
-- Residential and tenant histories such as the Unlawful Detainer (UD) Registry;
-- Insurance claims noted in Comprehensive Loss Underwriting Exchange (CLUE) reports;
-- Employment reports compiled by companies such as Choicepoint for background checks.

In recent comments the PRC submitted to the Federal Trade Commission, we strongly recommend that the agency study this category of consumer reporting agencies and undertake an aggressive consumer education program.

The reason for the request is the many complaints we’ve received from individuals who have been harmed or otherwise disadvantaged because of erroneous or inappropriate information in such consumer reports. Here are just a few examples from our files:

--The jobseeker who was repeatedly turned down for employment because, unbeknownst to her, she had a
wrongful criminal record because of the actions of an identity thief who used her name when arrested.

--The individual who was not able to rent an apartment because a tenant registry listed the eviction record of the wrong John Smith.

--The home insurance policy that was increased substantially because inappropriate information was provided to the CRA by the insurance agent.

--The individual who was turned down for health insurance because of a medical condition that was no longer a problem and that is reported after the 7-year limit on the MIB report.

For more information about these types of consumer reporting agencies, see the following Fact Sheets on the PRC web site:

-- Fact Sheet 8, How Private Is My Medical Information? at:
-- Fact Sheet 27, CLUE and You: How Insurers Size You Up, at:
-- Fact Sheet 16, Employment Background Checks: A Jobseeker's Guide at:

[4] Online Ads Call for Financial Privacy and Parody Citi's Identity Theft Commercials

In a hilarious parody of Citi’s TV commercials touting its Identity Theft protection service, Consumer Federation of California (CFC) takes aim at the banking industry’s highly-profitable sale of their customers’ financial account information. CFC cleverly highlights the irony of marketing a product to protect privacy while sacrificing the intimate details of customers’ income, savings, investments, debts, and spending habits.

With animated characters stating “why break the law when you can, like, pay someone to write them for you?”, the online commercials urge consumers to join the National Financial Privacy Campaign and protect their financial privacy. The animated online commercials are available online at:

To participate in the National Financial Privacy Campaign, go to

For more information about the battle to protect financial privacy in California and in Congress, go to

[5] A PRC Success Story: The Case of the Retirement Home and Its Old-Fashioned Ways

A woman whose mother works for a retirement home in Central California recently contacted the PRC. For years, employees received their paychecks from a binder kept in the office. The unfortunate aspect of this practice was that the binder also displayed the Social Security numbers (SSNs) of all 60 employees for anyone to see. Her mother had repeatedly, to no avail, asked management to stop the long-standing procedure, citing concerns about identity theft. The woman’s daughter contacted us looking for assistance in getting this practice stopped.

The PRC sent a letter to the retirement home, noting the number of victims of identity theft reported by the Federal Trade Commission (FTC) last September, and emphasizing that the SSN is the key to perpetrating this crime. We also noted California’s law that prohibits employers from publicly posting or displaying a person’s SSN. (California Civil Code § 1798.85)

Soon after, we received a written reply from the Executive Director of the facility that noted that they will no longer display the SSNs. We confirmed with the daughter that, in fact, a supervisor is now handing out paychecks instead of being posted in a binder.

If you are a consumer who is concerned about the posting or display of your SSN in the workplace or having it used as an identification or account number with a private business, it’s often a matter of bringing the situation to the attention of those in charge. The following links can assist you in addressing situations similar to “the retirement home and its old-fashioned ways.”

A compilation of identity theft surveys and studies that you can cite is available on the PRC web site at:

Information about the California law that prohibits the public posting or display of the SSN is available on the web site of the CA Office of Privacy Protection (OPP) at:

The OPP also provides a form letter that California consumers can use to notify a private business that is using their SSN as an account number to provide an alternate number at:


  To subscribe to our free email newsletter, go to