ERIC SCHMIDT SAID this when he was Google’s chief executive: “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
In his Congressional testimony last week, Facebook chief executive Mark Zuckerberg didn’t say anything nearly as condescending or abrasive. But his testimony was a good reminder that we’re in a very different world privacy-wise than we were even 10 years ago, when Schmidt made his comment.
In recent years, stories about data breaches have become routine. They come in two general categories. First, there’s hacking, either directly into a victim’s computer network or indirectly, via the systems of an organization that holds the victim’s data. Recent examples include data thefts from Target, health insurer Anthem, Yahoo and even the Federal government’s own Office of Personnel Management.
Second, there are phishing attacks, also known as social engineering, that dupe victims into opening the door to a thief. This is the strategy, for example, that hackers used to access emails during the 2016 presidential campaign.
But it turns out there’s a third category: Internet companies share vast amounts of personal data in ways that are perfectly legal—and that’s what really seemed to bother legislators at last week’s hearings. Take Acxiom, a company that’s in the business of matching consumers’ offline and online activity. Buy diapers at the supermarket, for example, and that information will be available to marketers online. For years, Acxiom had been a data provider to Facebook. In the wake of the recent controversy, they terminated this partnership, but there was nothing at all impermissible about it.
As a consumer, what can you do? Internet regulation is still an open question. Fortunately, though, laws exist to protect consumer privacy in most other industries that handle sensitive information. In medicine, HIPAA—the Health Insurance Portability and Accountability Act—has been in place since 1996. In financial services, the 1999 Gramm-Leach-Bliley Act requires financial institutions each year to provide consumers with a breakdown of the information they collect and how they share it. They must also give customers an opportunity to opt out of at least some of this sharing.
Still, these rules put a large part of the responsibility on consumers—to read dense disclosure statements and to take steps to opt out of data sharing when companies give them that option. To manage this, I see four approaches you could take:
1. Do nothing. If the only shows you watch on TV are PG-rated movies, if the only things you buy at the drugstore are vitamins and if your only bank transactions are charitable donations, you might decide that data sharing really doesn’t bother you. In that case, perhaps you just leave well enough alone.
2. Opt out of data sharing. If you’d prefer to limit the degree to which your data is trafficked, you could take five or 10 minutes to read through the privacy notices you receive each year. Look for the “Can you limit sharing?” information and then follow the instructions for opting out. In most cases, you can go online to make these elections and it takes just a minute. Once you opt out, it’s good for five years, so be sure to renew your preferences from time to time.
4. Avoid creating sensitive data. It’s impossible these days to stay completely “off the grid.” But if there’s a particularly sensitive purchase you want to make, it’s not too hard to stay below the radar of internet marketers: Don’t search Google for the best price, don’t buy it online and don’t pay with a credit card. Instead, go into a brick-and-mortar store, don’t use the loyalty card the store gave you—and pay good old-fashioned cash.
Adam M. Grossman’s previous articles include Feeling Lucky, Free Lunch and Three Ps. Adam is the founder of Mayport Wealth Management, a fixed-fee financial planning firm in Boston. He’s an advocate of evidence-based investing and is on a mission to lower the cost of investment advice for consumers. Follow Adam on Twitter @AdamMGrossman.