5 Companies That Have Been Caught Violating Their Customers’ Privacy

By Marcus Varner, published in The Bottom Line, Oct 10, 2016

Customer privacy has become a thorny issue for companies.

And it’s only going to get worse as companies collect more and more customer data and certain third parties hunger desperately for said data.

Remember that awkward back-and-forth between Apple and the Feds following the 2015 San Bernardino terrorist attacks in which the Feds asked Apple to give them the key to break into the terrorists’ iPhones? Apple refused in the name of protecting iPhone users from future government intrusions. The Feds figured out how to hack in themselves. Reassuring.

Interestingly, the government is supposed to be largely responsible for keeping companies in line in protecting consumers’ private information, as demonstrated in this statement from the Federal Trade Commission:

“When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up to these promises. The FTC has brought legal actions against organizations that have violated consumers’ privacy rights, or misled them by failing to maintain security for sensitive consumer information.”

Does anyone else sense some inconsistencies?

Not that the government is the only bad guy here. Sometimes, the companies themselves are the ones misusing customers’ private data. Needless to say, whether in the name of better targeting their marketing efforts to individual customers or getting the government off their backs, companies often fail spectacularly to protect their customers’ privacy. Here are five of the worst offenders:

1. Yahoo

So we thought Yahoo was having a bad turn when a data breach, possibly the largest in history, exposed the account information of over 500 million users. But then we found out that, while Yahoo was getting hacked, they were voluntarily scanning customer emails and handing the data over to the NSA.

Even worse, this particular trigger wasn’t pulled by some disgruntled IT worker. Yahoo CEO Marissa Mayer did it personally.

In response to the Reuters exposé that blew this whole thing open on October 4, 2016, Yahoo issued a statement saying only, “Yahoo is a law abiding company, and complies with the laws of the United States.”

This defensive, unapologetic response from the admittedly already embattled company has only riled critics and experts further. Alfredo Lopez at CounterPunch pointed out:

“They didn’t just review the emails, they built a special program to do it and never let their users know they were doing that. It might seem logical — after all, you don’t let the person who you’re spying on know you’re spying — but very few Yahoo users are the subject of investigations.”

Getting hacked into by a bunch of Russian identity thieves is no fun, but a company can move on to build a trusting relationship with their customers. But when you willingly breach your own customers’ privacy? There might be no recovering from this one. Either they completely forsake their customers by saying, “Sorry, but we’re going to keep doing this,” or they shut off their assistance to the government and get both distrust from their customers and a legal crapstorm from the Feds.

2. Vizio

Yes, the guys who make TVs that are just as good as Sony’s and Toshiba’s but cost less. It turns out that, while you’re watching their TVs and other devices, they’re watching you back. It also turns out that these TVs have gotten a little more specific in the level of detail they track about each user, and then they share that information with companies that serve out targeted ads.

“So what’s the big deal?” you might ask. “My computer and Google do the exact same thing.”

The big deal is, Vizio’s devices never ask your permission to track and report your information. This, combined with the depth of the data being gathered, puts Vizio in violation of the Video Privacy Protection Act, according to a new lawsuit. This lawsuit alleges:

“Vizio actually knew that it was disclosing: 1) a user’s identity; 2) the identity of the video material; and 3) the connection between the two — that the given user had ‘requested or obtained’ the given video material.”

All of which is certainly more than any of us bargain for when we scoop up that $600 bargain at that Black Friday sale. Almost certainly, Vizio isn’t the only TV-maker out there doing this — they just got caught. But their real mistake was in not asking for customer permission before doing so.

Question is, will any of us look at our smart TVs the same, knowing that they’re recording our every viewing and then reporting all of that information back, attached to our names, to a third party? As more of our appliances and devices become “smart” — think cars, refrigerators, watches, houses, clothes — this type of wholesale data collection and sharing will only become more widespread.

3. CVS

With all the private, extremely sensitive information exchanged over pharmacy counters, it was inevitable that someone would screw up. But nationwide drug store chain CVS, it seems, has institutionalized the poor handling of customers’ private information.

In just four years, the U.S. Department of Health and Human Services found over 200 instances in which CVS violated federal patient privacy laws. According to some customer complaints:

“One patient’s medication was delivered to his neighbor, revealing he had cancer. Another was upset because a pharmacist had yelled personal information across the counter.”

These might each seem like small, isolated incidents, but when they occur with such frequency, a pattern of negligence at CVS emerges, despite this insistence from a company spokesman:

“CVS Health is strongly committed to protecting the privacy of our patients’ health information. We have established rigorous privacy policies and procedures throughout the Company to safeguard patient information.”

Unlike the other examples mentioned previously, CVS clearly suffers from a lack of training and enforcement. Where Yahoo and Vizio could choose at any moment to simply turn off the offending software, CVS needs to retrain its workforce on how to safely handle customers’ private information and then hold them accountable to do so. And then there’s the problem of incentive.

CVS and other organizations that violated these privacy laws were rarely punished, often getting off with only “reminders” from Health and Human Services. It’s doubtful that CVS will ever invest in such training and enforcement unless they are actually penalized.

4. Verizon

The supercookies are coming. Before you start salivating, these have more in common with the cookies on your web browser and nothing really in common with the baked variety. Web cookies are used by marketers and other parties to track and keep hitting you with ads, even when you leave their website; it’s their way of identifying you. The good thing about normal cookies is that, if you don’t want to be tracked or recognized by websites, you can simply erase them from your browser.

Unfortunately, marketers don’t want you to be able to delete their cookies. They like having as much data on you as possible. So Verizon created the supercookie to track customers’ browsing history — and in a new format that is very difficult to erase from one’s web browser. Oh, and they didn’t let customers know they were doing it.

Short story: the Federal Communications Commission discovered Verizon’s little scheme and hit them with a (relatively puny) $1.35-million fine. But on the bright side, they forced Verizon to change their policy, so only customers who voluntarily opt-in will be watched by the supercookie.

With regard to the gathering and sharing of data, you should be detecting a pattern here. Companies are becoming increasingly greedy about your data, and they’ll keep finding ways to take more of it until customers or governmental agencies push back.

5. Ashley Madison

Most of the time, breaches of customer privacy are tragic affairs. But every now and then, they cook up some just desserts. The sword of justice fell on the adultery-driven site in June 2015 when hackers notified the site’s owners that they had breached their data and would publicly reveal the personal information of their users unless the site was taken down.

If you’re familiar with the story (Duggar fans were certainly tuned in) you know that the site owners didn’t comply, and the hackers made good on their threat. Thousands of adulterers were outed, surprisingly shocked at how Ashley Madison had betrayed their trust (How much can you really trust a site built on facilitating infidelity and deception?).

At the center of this too-ironic-to-be-true story, however, is an intriguing question about companies’ duty to protect user data in the face of third-party threats. Should the site owners have taken down the site to protect the privacy of their users, knowing that this would jeopardize their very business? Or do they protect their own bottom line and throw their users under the bus?

A new $578-million class action lawsuit from scores of angry Ashley Madison users would argue in favor of the former.

Protecting Privacy is the Best Policy

In the age of big data, companies will have to resist the urge to take and misuse every scrap of data they can. But perhaps more importantly, companies, legislators, and law enforcement need to convene to define what customer information is “private” and off-limits to government and marketers alike and set up clear boundaries. Until then, companies and governments will continue to push farther into our private data and customers will struggle to keep them out.
