So, despite the warning to users, and many tweets explicitly asking for contact information but not account information, it seems Citi is making a good effort to communicate with customers where they spend their time (Twitter). But that convenience comes with risk: a confused customer sends a public reply rather than a DM, or Citi's account gets hacked. Even if it's just a name, phone number and/or address, isn't that a risk not worth taking? Reading between the lines of the disclaimer, it's almost as if Citi doesn't consider your phone number or address "confidential or financial information." I consider where I live confidential, and it could shed light (or invite assumptions) on my financial situation. Of course, that assumes I mistakenly Reply rather than DM (if Anthony Weiner could mix up the two, the Joe Shmoes of the world likely can too), or that their account gets hacked. Take a look at the headlines; it doesn't seem so far fetched considering how easily many corporate systems have been infiltrated recently, let alone their accounts on third-party services. And even a correctly sent DM sits on Twitter's servers, outside Citi's control. Who knows, maybe it's better to have groupings of "confidential" or "financial" rather than just "PII" as opposed to "anything else." Then again, PII is usually defined, not left to the user to decide.
Further, who monitors and responds? Some nebulous customer service bureau? Outsourced to another country? Either way, access is via the Internet, meaning there are passwords floating around that grant access to the account from anywhere, with nothing but that password standing in the way. If it were a corporate intranet and Citi's proprietary CRM system, employees' or contractors' access could be limited much more easily: by source IP address, by requiring the VPN, and so on. On the other hand, employees often have email access at home, which introduces security issues the company cannot control. More for corporate compliance departments to worry about.
Here's the final tally of credit card offers per company:
- Citi - 16
- Chase - 13
- Bank of America - 3
- Misc. (trade associations, local) - 4
- Discover - 3
pdf). The DMA notes that, "In 2008 advertising mail contributed more than $702 billion in increased sales to the US economy and played a critical role in the success of our country’s businesses and nonprofit organizations – It all can be gone if Do Not Mail bills become law."
https://www.optoutprescreen.com allows you to opt out of credit and insurance "firm offers" for five years. They really need to hire an SEO consultant. The site is run by the major credit reporting companies, and opting out stops them from handing your credit file to companies that want to send you pre-qualified "firm offers" of credit. So it doesn't stop all promotional mail, but since most of mine comes from credit card companies, it seems like one step among a few you can take to reduce the junk. The Direct Marketing Association (DMA) list at dmachoice.org seems to be the more frequently referenced one for broader marketing opt-outs, as the FTC notes.
The terms on the DMA site are pretty sparse, but the key one stands out: "All personally identifiable information collected by registration for these services is used to implement your preferences only. The DMA does not sell consumer mailing or emailing lists." OK, good enough. Simple ToS are good. And there does need to be a registration mechanism, to let you change your preferences, to ensure you can't opt someone else out (hey, some people might collect the stuff to see how much it weighs), etc. And now we're back to the perennial policy questions: should the government manage these things, is industry self-regulation enough, and who should hold the data? A quick Google search pulled up a lot of info, yet it seems better awareness and simpler mechanisms would be more useful for consumers.