June 2019

Misleader Board

Our attorneys analyzed thousands of privacy policies last month and flagged unusual legalese. What they found might surprise you!

June 2019 Privacy Misleader Board

In April, New York Times publisher A. G. Sulzberger wrote an article detailing The Times’ thoughts on privacy and data.

He notes the hypocrisy of railing on bad actors and bad practices while keeping the publication afloat through similar means. He says that The Times is where it is by collecting, using, and sharing data about readers; by selling ads; by working with big data companies like Google and Facebook.

Sulzberger also says his publication is “more careful about protecting reader data than many others” and aspires to be even better, noting that “the business leadership of The Times has taken steps over the past year to increase privacy protections.”

That is fantastic. So is its pledge to continue refining its privacy practices while informing the public and policymakers about the most significant data privacy issues today.

Still, we couldn’t help but ask ourselves...If The Times has made great strides over the last year, how is its privacy score?

Very Poor. In the lowest privacy range we have.

There is A LOT to unpack in The Times’ privacy policy, and we’re going to share a handful of standout clauses just below. Before we do that, however, it’s worth noting that the policy was last updated on May 24, 2018. This means they aren’t yet holding themselves publicly accountable to the internal policy changes they say they unrolled over the previous year.

Now for some interesting finds from the marketing machine that is The New York Times:

  • Like we noticed with GoFundMe back in April , you can opt your friends into The Times: “If you disclose any personal information relating to other people to us or to our service providers in connection with the NYT Services, you represent that you have the authority to do so and to permit us to use the information in accordance with this Privacy Policy.”

  • Beyond the information you give when you register, complete surveys, and so on, The Times uses privately-held marketing and data analytics databases to collect information like your age, sex, household income, job industry, and job title.

  • The NYT may share your personal information with a wealth of affiliates, including its newly acquired advertising and marketing agencies Fake Love and HelloSociety.

  • The publisher “will not sell, rent, swap or authorize any third party to use your email address without your permission,” but for print subscribers, it will exchange or rent your name, mailing address, and “other information” (what does that include?) with “reputable companies that offer marketing information or products through direct mail.”

  • Given all the personal information it can and does collect, and given Sulzberger’s commitment to transparency and security, The Times’ own security measures are vague and unclear, at least as outlined in its policy.
Want a closer look? See The New York Times privacy rating.


We identified Evite as one of June’s privacy bad actors and guess what happened before we could even publish this article?

Evite confirmed that a hacker stole 10 million user records and put them for sale on the dark web.

Our primary callout of the popular social planning and electronic invitations site was particularly on point. As we wrote initially, once Evite gets your information, it’s not clear if you can ever make them delete it. From their privacy policy:

Please note that if you close your account, we may still retain, use and disclose information associated with your account...While Evite does not give you the opportunity to remove your information from our database, you may remove your registration information from your My Account page.

According to Evite, the 10 million breached records—which could include full names, email addresses, IP addresses, cleartext passwords, and possibly mailing addresses, phone numbers, and birthdays—were from a 2013 backup. That’s good news for consumers who added their info after 2013. It also underpins why data retention and security measures are two key areas we look at when we assign privacy ratings.

It will be interesting to see if the breach has any impact on Evite’s future data privacy and security measures. Maybe we should send them an Evite to discuss?

 See the Evite privacy rating.


How much privacy do you have at Hyatt hotel and web properties?

With a hotel giant as tech-savvy as Hyatt, that’s a question worth considering as you plan summer travels.

Hyatt’s privacy policy outlines many marketing strategies, including disclosing your personal information to “carefully-selected third parties, who may communicate directly with you” and to companies that also have information about you.

Why combine your data with other sites and services? To paint a fuller picture of your tendencies, which makes it easier for places like Hyatt to better advertise to, upsell, serve you.

If you’re anything like us, you probably skip the fine print when checking into hotels. But now is the time to get informed about how companies like Dick’s Sporting Goods and Hyatt monitor their guests on-site.

Hyatt may process “information collected whilst at a Hyatt Location through the use of closed circuit television systems, internet systems (including wired or wireless networks that collect data about your computer, smart or mobile device, or your location), card key and other security and technology systems.” That’s in addition to processing voice recognition (e.g., through Alexa voice assistant), and has raised legal questions from employees and union representatives about the collection of biometric data without consent.

If you’re not keen to divulge so much, unplug any Echo or other voice assistant devices in your hotel room and use a VPN or skip the hotel WiFi entirely. You could also wear the hotel-provided sleep mask around when you’re in public, though we don’t recommend it.

 See the Hyatt privacy rating.


Ready to set sail somewhere exotic this summer? We can hardly blame you.

If you book through Norwegian Cruise Line (NCL)—the world’s third-largest cruise line by passenger share—then take care of your sensitive personal information as much as you take care of stories about your ex.

Norwegian collects a considerable amount of sensitive personal information, yet provides little detail on how the data is secured. Take this generic security statement, for example:

The Company takes reasonable precautions in order to attempt to ensure the safety and security of our customer’s online transactions. (Bold added for emphasis.)

Okay, so let’s hope their reasonable attempts are enough to secure your family’s bank and credit card info, your medical records, your passport and other government-issued identification information, and so on.

What about your contact info, which webpages and packages you browsed online, which trips you booked in the past, how much you spent at the onboard casino, the information NCL skimmed from your public records (yes, their privacy policy says they collect data from your public records), and everything else that goes into your comprehensive user profile?

At a minimum, it’s almost a given that Norwegian will share the information with its sister lines Oceania Cruises and Regent Seven Seas Cruises. That’s not too surprising. What we’re less comfortable with from a privacy perspective is this blanket add-on:

We may also share your personal data with third parties that have joint or cooperative marketing arrangements with us.

There is no mention of which data Norwegian shares, with which companies, or for what purposes. There is also no mention of a consent requirement for sharing data, meaning Norwegian customers won’t know if their data was shared (though a sudden onset of mailers and ads from a seemingly random company might be a good indicator). Not an EU resident? Forget about opting out!

 See the Norwegian Cruise Line privacy rating.


Mercari is a consumer-to-consumer platform to “Sell or buy almost anything.”

The ecommerce site says it’s topped 45 million downloads in the US (it also has a growing presence in Japan) and that its users list 150,000 items per day.

Those are some pretty impressive numbers, to be sure, as is its 4.8-star rating on the App Store. Looking at a multitude of other review sites paints a dramatically grimmer picture, however.

So what does our team of legal experts have to say about the shopping site? As you may have guessed, it’s not good.

With a sub-580 privacy score, Mercari lands itself in the lowest privacy range we have—Very Poor.

By contrast, eBay’s current score nets a Good rating, which is two ranges above Mercari.

As with all lower scoring sites, we recommend that you be mindful when sharing personal data with Mercari. If you do choose to do business on the platform, heed their advice:

Carefully review this policy. We will amend it from time to time as our technology, services, features and business models change, so you should review our current privacy policy every time you use our service. Our privacy practices are summarized in our Privacy Notice.

 See the Mercari privacy rating.


Enterprise nets a Fair privacy score from our team of experts and much of what we found is pretty standard (e.g., they keep your cookies and similar identifying data for up to three years and share some of your information with subsidiaries and business partners.)

There is one less-common area that we want to highlight, however, especially for the average rental car customer.

Many rental cars come with telematics systems, which allow companies like Enterprise to use, disclose, or access a vehicle’s location information, crash data, mileage, and performance. The systems can also report behavioral information related to your driving.

If you rent from Enterprise and don’t want to leave a paper trail of your driving record, take note:

We are not responsible for any data that is left in the vehicle as a result of your use. We cannot guarantee the privacy or confidentiality of such information and you must wipe it before you return the vehicle to us.

It makes sense that Enterprise uses telematics to keep track of its fleet. It makes less sense that the average driver would know how to (or remember to) erase data before returning a rental. And then there’s the question of what happens to data that isn’t wiped.

 See the Enterprise Rent-A-Car privacy rating.


To many, a privacy policy from 2016 sounds dated. But then again, so does the idea of renting a physical DVD.

When Redbox and Lionsgate announced their new partnership last week (films will be available to rent the same day they’re released for sale), we decided to take a look at Redbox’s privacy score.

Unfortunately, what we found isn’t as heart-warming as knowing that people still rent physical DVDs. Put a different way, if Siskel and Ebert had reviewed privacy policies instead of movies, they would not have given Redbox two thumbs down.

The next time you visit one of the rental company’s websites, apps, or 42,000 kiosks, know this:

Like Evite, don’t expect Redbox to purge your information fully:

Note that when you edit your Personal Information or change your preferences on a Redbox Platform, information that you remove may persist internally for Redbox’s administrative purposes or within backup media.

Or to respect your browser’s do not track (DNT) requests:


Like many websites and online services, the Redbox Platforms do not alter their practices when they receive a “Do Not Track” from a visitor’s browser.

Or to keep your information private from third-party advertisers and analytics companies:


These third parties may set and access their own tracking technologies on your device...Some of these parties may collect Personal Information over time when you visit the Redbox Platforms or other online websites and services. We may share non-personal information, including information that has been de-identified, Usage Information, and location information, with third party advertising companies, analytics providers and other third parties, including for the purpose of serving you more relevant ads.

Or—and this part’s the most unsettling—to only collect your information on their own properties:


This Privacy Policy only covers information collected on the Redbox Platforms and does not cover any information collected at any other web site or elsewhere by Redbox (unless specifically stated).

If you’re creeped out by this statement, we understand. Where else does Redbox collect consumer info? What data do they collect? What do they do with it? What privacy policy governs this off-property data collection?

 See the Redbox privacy rating.


“Protection of personal privacy has always been a hallmark of Gallup.”

The opening statement of Gallup’s privacy statement is a noble one. It’s almost enough to make us say, “It’s okay, we don’t need to read anymore.”

But our attorneys did keep reading.

They answered over 150 questions about Gallup’s privacy documents.

Gallup’s hallmark? It translates into a Fair privacy rating. That’s the second lowest privacy rating range there is.

Of note, the privacy policy states that Gallup processes non-sensitive and sensitive personal information. However, it does not say exactly which information is collected.

The analytics and advisory company also utilizes a number of third-party targeting cookies for advertising purposes.

If you don’t want Gallup (or thousands upon thousands of other websites) to follow you around the internet with ads, why don’t you disable third-party cookies? Gallup itself puts it quite nicely, “Although most Web browsers automatically accept cookies, the decision of whether to accept or not is yours.”

 See the Gallup privacy rating.

Outsmart the Misleaders...

Made with in Austin, Texas

Austin Texas Skyline Illustration

Please choose your platform: