Big Business Has Your Data, and Osano Is Rating How They Handle It

Austin—Anyone who has an Evite account may be a bit wary right now: The company confirmed this month that personal data of some of its users, including names, dates of birth, and mailing addresses, were stolen.

Some folks may have changed their password (recommended!), while others may have deleted their accounts to say good riddance. For anyone in the latter group, it may not matter. Once Evite gets your information, it’s unclear if you can ever make the Los Angeles-based company delete it, according to a new report from data privacy startup Osano.

Austin-based Osano is a company that launched in March with a $3 million seed funding round led by LiveOak Ventures and a long list of other investors. CEO Arlo Gilbert previously ran Meta SaaS, which sold to Itasca, IL-based Flexera in 2018 for an undisclosed amount. Osano offers a free plug-in that helps users see how websites and other services are using their data, providing a privacy rating for each company whose policy it has examined (about 3,000 so far). The rating is like a credit score and runs from 300 (very poor) to 850 (excellent).

Osano has also started releasing a monthly “Misleader Board” report that flags unusual or troublesome phrasing in the legal documents of about eight companies, particularly their privacy and data use policies. Osano employs and contracts with about 24 attorneys nationally who pore over all the legal documents and policies we all don’t want to read but readily comply with. The attorneys are freelance workers, though Osano does have an in-house attorney.

In Osano’s latest “Misleader Board,” released this morning, the startup noted that Evite’s privacy policy is unclear about whether the event-invitation company will ever delete the data of a user who deletes his or her account. Osano gave the company a score of 523 out of 850, which qualifies as “very poor” under Osano’s scale.

“Please note that if you close your account, we may still retain, use and disclose information associated with your account…While Evite does not give you the opportunity to remove your information from our database, you may remove your registration information from your My Account page,” the policy reads, according to Osano’s report.

Evite hasn’t responded to a request for comment. Notably, Osano had already decided to include Evite in its June report before Evite confirmed last week that the company had suffered a hack, Gilbert says. Someone stole and put on sale records of 10 million users that included names, dates of birth, mailing addresses, and other information earlier this year, according to news reports.

The “Misleader Board” report, like Osano’s plug-in, is intended to raise awareness among consumers about what data they are agreeing to give away, how it’s being used, and who is using it, Gilbert says. Osano asks 163 questions to the attorneys who review a business’s documents to determine the privacy rating for a company (along with other data it uses), and asks its attorneys to answer one additional question used to create the report:

“Did you find anything scary or sneaky in these documents?” Gilbert says.

The New York Times apparently includes something in its policies that caught the attorneys’ attention. Its policy, which Osano notes was last updated May 24, 2018, lets The Times collect information on users like age, sex, household income, and work information. But the policy also allows The Times to share users’ personal information with affiliate marketing and advertising companies and includes vague and unclear security measures, among other issues, Osano notes.

That earned The Times a 571 (very poor) rating from Osano. The rating comes after Publisher A.G. Sulzberger published a piece in April commenting on the juxtaposition of The Times using these data-tracking methods, while its journalists have simultaneously been reporting “aggressively on the erosion of digital privacy.”

“We are committed to the privacy of our readers and protection of their personal data. Like other media companies, The Times collects data on its visitors when they read stories. You can see our publisher’s description of The Times’s practices and its continuing efforts to increase transparency and protections. The Times privacy policy can be found here. It is updated as needed,” wrote Danielle Rhoades Ha, vice president of communications for The New York Times Company. Rhoades Ha declined to provide further comment.

(Xconomy has not been rated by Osano. You can find its privacy policy here.)

Meanwhile, Enterprise Holdings, which is based in St. Louis, MO, had the highest score of the group published in this most recent report: a “fair” rating of 630. Osano notes that many rental cars come with telematics systems, which “use, disclose, or access a vehicle’s location information, crash data, mileage, and performance,” as well as systems that can report on driving behavior. Enterprise spokesperson Laura Bryant says those telematics tools are used in a limited set of vehicles, including exotic and luxury cars, its car-sharing fleet, and some trucks within a fleet management plan.

Enterprise’s policy also says it isn’t responsible for any data that is left in a vehicle, and that drivers should wipe any data the vehicle has recorded, which Osano notes the average driver may not know how to do or remember to do. Bryant says that’s something the company is talking about with automakers, consumers, and others in the industry.

“This issue is on our radar and as a technology-forward company, we rolled out employee training for clearing data as part of our normal cleaning procedures and developed best practices and supporting information to remind customers to attend to their data when returning a car, as they should with anything else they may leave behind,” Bryant writes in an e-mail.

Other businesses named in the report, which you can find here, were:

—Chicago-based hotel operator Hyatt (NYSE: H) (very poor rating: 530), which tracks your internet use, of course, but also what you watch on closed circuit TV, Osano says.

—Norwegian Cruise Line (NYSE: NCLH) (very poor rating: 563), a Miami-based company that discloses it may share your info with marketing partners but doesn’t disclose which data it shares or why it shares it, according to Osano.

—Japan-based sales app Mercari (very poor rating: 566), which recommends users check the privacy policy every time they use the service because it could change from time to time, Osano says.

—Gallup of Washington, DC (fair rating: 606), which doesn’t disclose which non-sensitive and sensitive personal information it collects (and also uses third-party targeting cookies for advertising), Osano says.

—Redbox (very poor rating: 443), which Osano says includes in its policies that it may not fully purge your information, respect do-not-track requests, or keep information out of the hands of third-party advertisers or analytics companies.

Redbox also notes that its policy doesn’t cover information collected through its website or elsewhere by Redbox, which Osano flagged as potentially worrisome.

“If you’re creeped out by this statement, we understand,” Osano writes in its report. “Where else does Redbox

Author: David Holley

David is the national correspondent at Xconomy. He has spent most of his career covering business of every kind, from breweries in Oregon to investment banks in New York. A native of the Pacific Northwest, David started his career reporting at weekly and daily newspapers, covering murder trials, city council meetings, the expanding startup tech industry in the region, and everything between. He left the West Coast to pursue business journalism in New York, first writing about biotech and then private equity at The Deal. After a stint at Bloomberg News writing about high-yield bonds and leveraged loans, David relocated from New York to Austin, TX. He graduated from Portland State University.