Austin—Anyone who has an Evite account may be a bit wary right now: The company confirmed this month that personal data of some of its users, including names, dates of birth, and mailing addresses, were stolen.
Some folks may have changed their password (recommended!), while others may have deleted their accounts to say good riddance. For anyone in the latter group, it may not matter. Once Evite gets your information, it’s unclear if you can ever make the Los Angeles-based company delete it, according to a new report from data privacy startup Osano.
Austin-based Osano is a company that launched in March with a $3 million seed funding round led by LiveOak Ventures and a long list of other investors. CEO Arlo Gilbert previously ran Meta SaaS, which sold to Itasca, IL-based Flexera in 2018 for an undisclosed amount. Osano offers a free plug-in that helps users see how websites and other services are using their data, providing a privacy rating for each company whose policy it has examined (about 3,000 so far). The rating is like a credit score and runs from 300 (very poor) to 850 (excellent).
Osano has also started releasing a monthly “Misleader Board” report that flags unusual or troublesome phrasing in the legal documents of about eight companies, particularly their privacy and data use policies. Osano employs and contracts with about 24 attorneys nationally who pore over all the legal documents and policies we all don’t want to read but readily comply with. The attorneys are freelance workers, though Osano does have an in-house attorney.
“Please note that if you close your account, we may still retain, use and disclose information associated with your account…While Evite does not give you the opportunity to remove your information from our database, you may remove your registration information from your My Account page,” the policy reads, according to Osano’s report.
Evite hasn’t responded to a request for comment. Notably, Osano had already decided to include Evite in its June report before Evite confirmed last week that the company had suffered a hack, Gilbert says. Earlier this year, someone stole and put up for sale records of 10 million users that included names, dates of birth, mailing addresses, and other information, according to news reports.
The “Misleader Board” report, like Osano’s plug-in, is intended to raise awareness among consumers about what data they are agreeing to give away, how it’s being used, and who is using it, Gilbert says. Osano asks 163 questions to the attorneys who review a business’s documents to determine the privacy rating for a company (along with other data it uses), and asks its attorneys to answer one additional question used to create the report:
“Did you find anything scary or sneaky in these documents?” Gilbert says.
The New York Times apparently includes something in its policies that caught the attorneys’ attention. Its policy, which Osano notes was last updated May 24, 2018, lets The Times collect information on users like age, sex, household income, and work information. But the policy also allows The Times to share users’ personal information with affiliate marketing and advertising companies and includes vague and unclear security measures, among other issues, Osano notes.
That earned The Times a 571 (very poor) rating from Osano. The rating comes after Publisher A.G. Sulzberger published a piece in April commenting on the juxtaposition of The Times using these data-tracking methods, while its journalists have simultaneously been reporting “aggressively on the erosion of digital privacy.”
Meanwhile, Enterprise Holdings, which is based in St. Louis, MO, had the highest score of the group published in this most recent report: a “fair” rating of 630. Osano notes that many rental cars come with telematics systems, which “use, disclose, or access a vehicle’s location information, crash data, mileage, and performance,” as well as systems that can report on driving behavior. Enterprise spokesperson Laura Bryant says those telematics tools are used in a limited set of vehicles, including exotic and luxury cars, its car-sharing fleet, and some trucks within a fleet management plan.
Enterprise’s policy also says it isn’t responsible for any data that is left in a vehicle, and that drivers should wipe any data the vehicle has recorded, which Osano notes the average driver may not know how to do or remember to do. Bryant says that’s something the company is talking about with automakers, consumers, and others in the industry.
“This issue is on our radar and as a technology-forward company, we rolled out employee training for clearing data as part of our normal cleaning procedures and developed best practices and supporting information to remind customers to attend to their data when returning a car, as they should with anything else they may leave behind,” Bryant writes in an e-mail.
Other businesses named in the report, which you can find here, were:
—Chicago-based hotel operator Hyatt (NYSE: H) (very poor rating: 530), which tracks your internet use, of course, but also what you watch on closed circuit TV, Osano says.
—Norwegian Cruise Line (NYSE: NCLH) (very poor rating: 563), which discloses the Miami-based company may share your info with marketing partners but doesn’t disclose which data it shares or why it shares it, according to Osano.
—Gallup of Washington, DC (fair rating: 606), which doesn’t disclose which non-sensitive and sensitive personal information it collects (and also uses third-party targeting cookies for advertising), Osano says.
—Redbox (very poor rating: 443), which Osano says includes in its policies that it may not fully purge your information, respect do-not-track requests, or keep information out of the hands of third-party advertisers or analytics companies.
Redbox also notes that its policy doesn’t cover information collected through its website or elsewhere by Redbox, which Osano flagged as potentially worrisome.
Oakbrook Terrace, IL-based Redbox doesn’t tell you what information they’re collecting and who they’re sharing it with, Gilbert says. If you go to a Redbox kiosk, it raises the question of what Redbox is learning about you, he says.
“Redbox is an example of doing everything wrong,” Gilbert says. Redbox, Hyatt, Norwegian, Mercari, and Gallup haven’t responded to requests for comment.
Many big companies bring together marketing, legal, engineering, and other teams to develop quality policies. Gilbert says Mountain View, CA-based Symantec (NASDAQ: SYMC), a cybersecurity software company, has an 802 rating from Osano.
“As for what makes them better, we treat our algorithm with a great deal of secrecy in order to avoid anybody gaming the system,” Gilbert says. “But generally, the types of things that can make a company do well are around transparency, ease of readability, whether they collect data that they don’t need to collect, how long they store data, and how easy they make it to remove the data that they have about you.”
Some businesses, including many startups, don’t have the resources or personnel to do that, and that’s where Osano makes its money. It sells a software-as-a-service product that helps advise companies on maintaining their own privacy policies—helping them determine what rules and technical measures a business should or must follow, Gilbert says.
Osano also sells products, including access to more granular privacy scores, to help IT executives pick vendors and service providers that have high-quality privacy policies and secure data management systems like cloud storage or customer relationship management systems, Gilbert says. The company charges between $50 and $250 per month, depending on the features you select.
Gilbert says Osano’s plug-in and monthly “Misleader Board” reports are efforts for the public good, and notes that Osano is a public benefit corporation. Whereas sharing data was unheard of 20 years ago, it’s common practice now, and consumers often lack the know-how to control it.
“People feel very powerless,” Gilbert says. He shares an example: Anyone can walk into a grocery store, look at a can of tuna fish, and use consumer information on the can to determine if the fish was line-caught or net-caught and how much sodium is in it, and then decide which can to buy. The same isn’t always true for data privacy. “Our hope is that we’ll get somewhere with federal privacy laws, [so] that it’s that easy for a consumer to make that same decision.”