PRC's Privacy Update No. 2, Iss. 2

Send to PrinterSend to Printer

Copyright © 2004-2015
Privacy Rights Clearinghouse
Posted April 2, 2004


In this issue . . .

[1] PRC Statement on Privacy and Outsourcing

[2] Test Your Privacy IQ -- PRC and ComputerWorld Develop Privacy Quiz

[3] California Product Registration Card Law Is Now in Effect

[4] A PRC Success Story: The Case of the Doctor with PMS -- Physician Mishandling Subscribers

[1] PRC Statement on Privacy and Outsourcing

Privacy Rights Clearinghouse Director Beth Givens provided written testimony on outsourcing for a March 9 legislative hearing of the California Senate Business and Professions Committee. Givens’ testimony noted the potential risks to privacy and security when records containing sensitive personal information are transmitted to, processed by, and stored within overseas companies, usually referred to as “outsourcing.”

Givens testified, “Consider the data elements in a typical tax return or mortgage application, documents that are increasingly being processed overseas. They contain the customer’s Social Security number, date of birth, and financial account numbers, for starters. It’s not only financial-related companies that are sending customers’ records offshore. Many healthcare providers and medical contractors are doing the same, sending highly sensitive information about patients’ health as well as their Social Security numbers and dates of birth overseas.”

Givens added, the question remains whether there is sufficient oversight, accountability, and protection under U.S. law to adequately safeguard sensitive personal information when data processing occurs in overseas companies.

The California legislature will debate at least a dozen bills aimed at curbing or providing notice about outsourcing. For an overview and link to those bills and other privacy legislation, go to

Givens’ full testimony, Statement on Outsourcing and Privacy, is posted online at:

[2] Test Your Privacy IQ -- PRC and ComputerWorld Develop Privacy Quiz

The PRC teamed up with ComputerWorld to create a test for privacy officers and IT staff to check their knowledge of privacy laws and best practices. The survey covers medical records, financial information, security breaches, shredding laws, identity theft and more.

You can find this fun privacy IQ test by visiting the ComputerWorld web site at and entering QuickLink 45268 in the upper navigation bar. Or go directly to,10801,91047,00.html

[3] California Product Registration Card Law Is Now in Effect

No doubt you have purchased many consumer products that contained the so-called “warranty registration card” in the packaging. Consumers are led to believe that the warranty might not be valid unless they fill out and mail the card. Most such cards ask consumers to provide personal information such as income, education level, whether they rent or own their home, ages of family members, and hobbies. Some registration cards ask even more personal questions such as whether the consumer plans to have a baby, get married, buy a home, or change jobs within the next 12 months. Obviously, these questions have nothing to do with the warranty on the product.

A California law (Civil Code Section 1793.1) that became effective January 2004 clarifies that these cards cannot mislead consumers into thinking they must complete the card for the warranty to be valid. The bill was introduced by Senator Debra Bowen. The law requires that such cards note that they are for product registration only so that if there is a recall on the product, the purchaser can be notified. Such notices must also inform the consumer that failure to complete and return the card does not diminish his or her warranty rights.

You might wonder, where does all that consumer profile data end up? Registration cards are usually not mailed to the company that manufactured the product, but to a Denver post office box of Equifax Direct Marketing Solutions (formerly Polk National Demographics and Lifestyles). This company compiles consumer profiles and sells the information to other companies for marketing purposes. Experian and Acxiom also compile consumer data from registration forms.

Remember, when you buy a product, there is no need to fill out the product registration card. In most cases your receipt ensures that you are covered by the warranty if the product is defective. If you decide to send the registration card, include only minimal information -- name, address, date of purchase and product serial number.

For more information about reducing junk mail, read our Fact Sheet No. 4, "Junk" Mail: How Did They All Get My Address? at

[4] A PRC Success Story: The Case of the Doctor with PMS -- Physician Mishandling Subscribers

A new feature of our Privacy Update is true stories of individuals who turn to us for assistance and what we do to help them. The following is just such an example. We call it the Case of the Doctor with PMS -- Physician Mishandling Subscribers.

We were contacted by an individual who visited a web site operated by a doctor from New Jersey offering alternative health advice for women suffering from Pre-Menstrual Syndrome (PMS). She was shocked to discover that the site posted the names, email addresses, and phone numbers of approximately 200 people and the numerous categories they may have checked such as Moms with PMS, PMS under 20, or Men in Relationships with PMSing Women.

The personal information was published to the site after consumers subscribed to an email newsletter. The individual contacted the support email address provided on the web site, but received a message saying the email box was full. There was no other contact information noted on the web site and no privacy policy posted.

Given the sensitive nature of the information and the responsibility of doctors to safeguard medical information, we immediately tracked down the physician whose web site it was. We were concerned that a person whose information was inadvertently posted might be searchable by a prospective employer or worse yet by a stalker -- let alone the embarrassment of being identified on such a site.

Using we located the medical group the doctor belonged to. Eventually, we spoke to and emailed the doctor who told us he was not aware of the problem. He contacted the webmaster to have the page with the personal information removed and he offered his apologies.

Unfortunately, even after he claims to have solved the problem, we visited his web site and found new subscriber information. Next step? Filing complaints with the state medical board and the U.S. Dept. of Health and Human Services.

Such intervention is a daily occurrence for PRC staff. Unfortunately, there are all too many instances of irresponsible information-handling that result in egregious privacy abuses such as the doctor with PMS. Stay tuned to future issues of the PRC Update for more stories. Though this situation was relatively easy to address, others are more complicated, needing repeated follow-up and at times, threats of media exposure as well as legislative and regulatory agency action.

  To subscribe to our free email newsletter, go to

Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.


Sign In!