Personal Privacy Action Plan

Every year I make a meaningful New Year’s resolution that has nothing to do with food, fitness, or finance. This year I resolve to reduce the spread of my personal information and shrink my privacy perimeter. This has turned into quite a project. I’m sharing why I decided to do it and the steps I recommend. Skip down to see my Entry Level and Advanced privacy protection sections if you are already convinced it’s a good idea to protect your privacy.

Why you should shrink your privacy perimeter now

Shrinking your privacy perimeter will protect you from fraud, make it harder for advertisers to extract money from you, reduce your carbon footprint, and give you greater control over your reputation. The steps outlined in Entry Level Privacy Protection below take less than 30 minutes to implement and will have long-lasting protective impacts. The steps in Advanced Privacy Protection include a mix of set-it-and-forget-it suggestions and practices that require an ongoing change in practices.

The State of Vermont asks data brokers to register which is where I pulled data for this chart. An unknown number of data brokers did not register. This chart should not be considered an accurate representation of all data brokers in the US, but even with that mandate, it is nearly impossible to know who sells consumer data (let alone the much larger list of companies that store consumer data).

The legislative landscape: GDPR and CCPA

Thanks to the great State of California and the European Union, there are pieces of legislation in place that have resulted in companies making it easier for consumers to take control of their data. Both the EU’s General Data Protection Regulation and the California Consumer Privacy Act have made it possible for consumers to ask companies what data they hold and, in many cases, to ask those companies to delete the data they hold. In California, consumers can also ask that their data not be sold, which comes in handy if you trust a particular company, but don’t necessarily trust all the places they may sell your data.

Not living in California or the EU? Keep reading!

If you aren’t from California or the EU, every suggestion except one will work for you.

Will trying to protect my privacy turn me into a contemporary Sisyphus?

Polling data about who reads privacy policies (pretty much no one) and anecdotal evidence suggests that many think clawing back data about yourself is about as effective as Sisyphus trying to roll that rock up the hill. I often hear, “there is nothing I can do. All of my data is already out there. Google knows everything.” And, truly, if you’re using Gmail, Google Calendar, an Android phone, a FitBit, Google maps, Google Chrome, and the ubiquitous Google Search, Google does know a lot. Lots of people trust Google, which is reasonable. Google provides a great deal of value to consumers in exchange for their data. I have no objection to consumers deciding that there are companies they trust.

But…there are many companies out there that hold vast amounts of valuable consumer data, with weaker security protections than Google, that may not give much of any value back to consumers, that may be so upsetting to you that you can’t imagine letting them draw value from your data, or that have a business model you find objectionable. Many of these companies are completely unknown to you, thus it is impossible to imagine you are well-informed and have offered legitimate consent to what they’re doing with your data.

The point of reducing the spread of data about you is to give you more power in the relationships you have with companies. First, forcing a company to show you the data they hold about you or deleting the data they hold about you is probably more costly to them than tweeting about bad customer service. Unless you’re famous. Then keep tweeting. But it’s also true that if you remove your data records from a bunch of data brokers and put some reasonable safeguards in place, you can take back some control over your digital identity. This may prevent you from being the victim of various cybercrimes; identity theft; receiving unwanted mail, email, and phone calls; make it harder for advertisers to profile you; and give you more control over your reputation in situations like job interviews, college admissions, and dates.

Specific reasons you may want to request to be deleted

These are tangible reasons to have your data deleted:

1. Security risk reduction
   Having things like your name, social security number, current and/or past addresses, and your phone number in many databases increases your risk of being the victim of fraud. Deleting your data from companies you no longer do business with or that are broadcasting your details to the entire internet (e.g. PeekYou, Intelius, the White Pages) improves your security posture and reduces your risk of being victimized.
2. Reputation control
   If you are out there in the world meeting new people at job interviews, on dates, in business development, giving talks, getting yourself or your children into school, or joining a new social group or executive board, you want to control the image others see. Even something as innocuous as a home address — which is highly discoverable for most people — has been known to cost people jobs, dates, and result in a bunch of unwanted direct mail. Deleting data gives you more control over how you’re perceived by others.
3. Reducing your carbon footprint
   Getting off direct mailing lists will improve your carbon footprint. Because it’s so easy to relink an email address to a physical street address, direct mail campaigns are having a resurgence and are often conducted by the same data brokers who sell your email address. The problem is, direct mail campaigns only have a conversion rate of ~2% with a significant environmental impact. The negative externalities associated with chopping down trees, using potentially toxic inks, printing mailers, driving physical mail to me….and then away from me, not to mention the effort we all have to go through to sort and recycle junk mail is significant. Direct mail, especially from companies you have never had a customer relationship with, is incredibly difficult to justify.
4. You want to have more money
   Many of the reasons your data is being collected, bought, and sold is for advertising purposes. Retailers use data science to figure out who you are, what you like, and how to sell it to you. Targeted advertising works! That may make it harder to reach your financial and ecological goals! You may prefer to spend less, as a general rule, in which case you’re better off avoiding targeted advertising.

Reasons you may not want to request to be deleted

There is some complexity to the idea that everyone should always avoid data profiling. There are some situations in which you may decide the benefits of participating in algorithmic profiling are good for you and for everyone else. If they’re good for you, but bad for, say, disadvantaged minorities, it’s probably best to take a stand for fairness and avoid participating.

1. Reputation control
   You may have a great online presence. By all means, if you are happy with the way you’re looking online, there’s probably more to be gained by keeping your profiles up than by deleting them.
2. Direct mail may be good
   There are times when you may want to receive direct mail, such as if you’re a high school student investigating college options. Maybe you donate to charities based on receiving direct mail. Maybe you live in rural America and you love getting catalogues from new companies because your local shopping is so limited.
3. Employment background checks
   There’s a whole set of firms that just do employment background checks. It may or may not be smart to request deletion from these firms if you work in an industry that requires background checks as a condition of employment. The firms can still put together a new file on you if you get a new job, but it’s unclear if requesting to be deleted would be seen as a black mark against you.
4. Recommender systems can be helpful
   You may enjoy having recommender systems like those in Netflix, Amazon, Spotify, and other platforms recommend what you may like to watch, read, hear, or buy next. The more data you feed into these systems, the better they get…sort of. There is, of course, the problem that they may overfit to the preferences you express early on, then drive your future preferences with their recommendations, thereby giving you an overly narrow set of recommendations that are satisfying, but not as excellent as they could have been. Still, since you are satisfied, you may prefer using (limited and limiting) recommender systems rather than having to figure out what you like on your own. Cultural discovery is time consuming!

Entry level privacy perimeter improvement

Here are four things anyone can do to shrink the spread and/or usage of data about them. These are quick steps that will protect you from fraud by making it hard for average-intelligence hackers and fraudsters to commit basic identity theft against you. Numbers 1 & 2 will also shrink your carbon footprint by reducing the amount of unwanted physical mail you get.

1. Spam stoppage
   Go to DMA opt-out to stop receiving unsolicited phone calls, email, and direct mail from most marketers.
   It costs $2 and you will have to set up an account, but it works.
2. No more credit card solicitations in the mail
   Go to Opt-out Prescreen to stop receiving offers for new credit cards and other types of pre-screened credit in the mail. It’s an easy way to add some fraud prevention to your mailbox, by making it harder to open new credit lines in your name. It’s free.
3. Get your digital dossier off the internet
   Use Delete-Me to have your name removed from the types of data brokers that make all sorts of personal details about you, your addresses, your relatives, your divorces, your crimes, and your social media accounts available on the internet (e.g. Spokeo, Intelius, radaris, mylife, White Pages, BeenVerified). They have a free guide as well as a paid service ($103.20/year for one person; $178/yr for two people). The paid service makes requests to the 125+ data brokers every quarter…otherwise you may have to make 125+ requests every quarter to keep yourself private. Full disclosure: I am a Delete Me customer. I don’t work for Delete Me, know anyone who does nor has DeleteMe ever sponsored an event at which I presented or given me any remuneration.
4. Freeze your credit
   You’ve heard it before because it is sound advice. Place a freeze on your credit accounts with the top four credit bureaus.

Experian

TransUnion

Innovis

Equifax

Freezing your credit makes it nearly impossible for anyone other than you to open new credit using your identity. Note: it also makes it slightly harder for you to open new lines of credit. You have to unfreeze your credit beforehand, which takes about 2 minutes, assuming you can find your password and pass code.

Advanced Privacy Protection in 10 steps

If you’re ready to take your privacy protection to the next level, here is my 10 step privacy protection program.

1. Write to all email addresses on the list of US data brokers to “request deletion from their databases”. These all are companies publicly registered as data brokers with the State of Vermont which has a law requiring data brokers to register. A list of 155 data brokers is provided to attendees of the CCPArty! Webinar on Jan. 13, 2020 to make it easier to make opt-out and right to know requests.
   If you are a resident of California or the EU, state your residency in the email.
   If you are not from California or the EU, these companies may or may not honor your request.
   If you get pushback, please email me. I’m curious what non-Californian, non-EU customers hear if they wish to receive the same rights as Californians and EU citizens.
2. Delete unused email and social media accounts.
   If you once had a myspace, tinder, flickr, Tumblr, Yahoo!, OkCupid, Blogger, or gaming account…you probably still do! Just because you stopped using the accounts, doesn’t mean they were deleted. Those accounts may hold a lot of data — including photos, sexual preferences, contact lists — that you don’t want to share with the world.
   Most of these accounts also hold communication capabilities, which makes it easier for someone to pose as you. Delete them for good.
3. Limit location sharing. Your location is your digital fingerprint, no two are alike.
   Go through your phone and laptop apps to restrict location sharing to apps that absolutely need it. Only allow location sharing the apps are running. Lots of apps that do not need your location will request it. This New York Times piece shows how location tracking is able to identify individuals, making it incredibly valuable to retailers and advertisers.
   Pro-tip: First, delete all the apps on your phone you aren’t using regularly. It frees up storage space and makes it easier to sort through all the location privileges.
4. Avoid posting pictures or stories about your kids
   Facial recognition is being used more widely, no need to unwittingly enter your child into a facial recognition database.
   Stories about your kids are private. Kids whose whole lives have been chronicled on their parents’ Facebook and Instagram accounts are often rather unhappy about it once they become tweens and teens.
5. Set all of your browsers to private browsing, consider using Duck Duck Go for search
   Firefox and Safari are more privacy-protecting than Google Chrome or Internet Explorer.
   No matter what browser you use, whether it’s on your computer or your phone, set the browser to reject tracking cookies
   Manually reject cookies when there’s a pop-up that gives you a chance to do so (required in the EU and recommended for companies doing business in California). This won’t prevent all tracking, but it will cut back on it in meaningful ways.
   Use Duck Duck Go for search, especially if you are searching for something you do not want to share with advertisers which could be anything from health conditions to typical shopping searches to searches for socially stigmatized content.
6. Use messaging apps with end-to-end encryption and no cross-connectivity.
   To keep your messages as private as can be, switch to apps like Signal that use end-to-end encryption and do not connect to your car or laptop.
7. Stop sharing your birth date, it’s a key piece of identifying information
   Turn off birthday sharing in Facebook, LinkedIn and other apps
   For extra protection, do not post birthday celebrations — yours or anyone else’s. Parents see number 4, please.
   Do not tell retailers your day, month, or year of birth when they ask.
   Do not use your birth date or birth year in your social media handles or email address.
8. Consider shutting down all listening devices aka “voice assistants”
   Siri, Alexa, Google Home, Ring cameras, and other listening robots (now in TVs) are often able to listen to fairly intimate conversations or activities. As time goes on, there will be more and more reliance on listening devices, but they seem to be overly fond of their wake words, often switching into record mode erroneously.
9. Set up usage alerts to get notified every time your credit cards are used.
   All the major credit cards allow you to get alerts for certain types of usage. I like to be alerted to all usage, even though it’s quite a bit. (Pro-tip: If your card issuer doesn’t have an alert-all option, set the dollar amount for alerts to $1 or higher.)
   I cheated. This is a security protection more than a privacy protection.
10. If you donate money, donate anonymously. You’re giving to help the charity, not boost your social status, right??
    Charitable giving databases often gather donor names from the public websites of charities and presumably also indigogo, gofundme, change.org, and their brethren. To avoid being targeted by all sorts of charities with physical mail, phone calls, emails, and web-based advertisements, keep your name dissociated from your charitable giving. Lots of the list building is done by hand, so even if you think they cannot find your email address, mailing address, or phone number because you didn’t provide it, they will. It’s fairly easy to find full contact information for most US citizens with full name and city only.

It’s OK to pick and choose

There are, of course, many pieces of advice about privacy out there. Some people avoid loyalty programs, never give out their email addresses, and use PO boxes for physical mail. Others avoid credit cards by paying with cash or gift cards. Some suggest never sharing a password with anyone. I didn’t include those because they may be too cumbersome for what they’re worth. Some think credit monitoring is smart, but it’s really a detection measure, not a prevention tactic. Plus, credit monitoring costs money. That’s why I recommended credit freezes, which are free. Some will certainly find my advice to avoid listening devices like Alexa unnecessarily nostalgic, even dusty. Everyone has their own comfort level.

Closing — Why you should shrink your privacy perimeter now

Completing even the Entry Level Privacy Protection list will send you into 2020 with a huge improvement in the part of your privacy perimeter that leaves you susceptible to fraud and a bloated carbon footprint. If you get through the Advanced List, you’ll have taken a huge step towards limiting your participation in digital advertising, data brokerage, and reputation management. Shrinking your privacy perimeter takes advantage of existing laws, tools, and apps to give you a little more control over the spread of your own data.