Pounds of Mail and Corporate Twitter Policy

Since moving within the past year, I've been amazed by the amount of junkmail I get.  So, I started keeping track of it on June 20.   Last week, I looked down at the mounting pile on my floor and assumed it had to be at least one pound.  Easily, about 1.5.  Naturally, I tweeted it: "it took less than a month for me to receive one POUND of credit card offers in the mail from 3 banks. (mostly from chase & citi)."  When I weighed the pile and it clocked in at TWO POUNDS, I opened the draft of this blog post containing my plan to calculate the costs and realized it had been nearly two months - 7 weeks and 2 days - since I started collecting the junk.  Either way, a pound in over three weeks (July 20 - August 8) or two pounds in 7 weeks and 2 days (June 20 - August 8), at least the volume is consistently annoying.  Anyways, Citi had already responded to my tweet so I left it alone.  "I can help stop the offers. Pls DM the name & address as it appears on the mailings. It can take up to 30 days to complete."


I clicked on the @AskCiti profile, and as expected, there's a big ol' disclaimer reminding people not to send an @mention with or otherwise communicate their account info, SSN, etc.  You can see it in the screenshot above or the link.  It reminds you that posts are public, you shouldn't disclose information "you consider private and confidential," and no one at Citi will ask for your account PIN or access info.  OK, fair enough, makes sense.  I wouldn't be surprised to start seeing more disclaimers in the background images of corporate Twitter accounts.  And it's good to remind people of this.  But why do companies and terms or disclaimers online always assume users are sophisticated enough to know what they're doing?  In this regard, I think short disclaimers or bullet points as Terms of Use are much better communication methods than the 50-pagers no one pays attention to.

So, despite warning users, and many tweets explicitly asking for contact information but not account information, it seems like Citi is making a good effort to communicate with users where they spend their time (Twitter), but this convenience comes at the risk of a confused customer sending a public reply rather than a DM or Citi's account getting hacked.  Even if it's just name, phone number and/or address info, isn't that a risk not worth taking?  Or, reading between the lines of the disclaimer, it's almost as if Citi doesn't consider your phone number or address "confidential or financial information."  I consider where I live confidential.  And that could shed light (or assumptions) on my financial information.  Of course, that's assuming I mistakenly Reply rather than DM (if Anthony Weiner could mix up the two, likely that the Joe Shmoes of the world can), or their account gets hacked.  Take a look at the headlines, doesn't seem so far fetched considering how easily many corporate systems have been infiltrated recently, let alone their accounts on third party services.  Who knows, maybe it's better to have groupings of "confidential" or "financial" rather than just "PII" as opposed to "anything else."  Then again, PII is usually defined, not left to the user to decide.

Further, who monitors and responds?  Some nebulous consumer service bureau?  Outsourced in another country?  Either way, access is via the Internet, meaning there are passwords floating around that could provide access anywhere.  If it were a corporate intranet and Citi's proprietary CRM system, then employees' or contractors' access could be limited much more easily, via IP address, VPN password, etc.  On the other hand, employees often have email access at home which introduces potential security issues the company cannot control.  More stuff for corporate compliance departments to worry about.

Here's the final tally of credit card offers per company:
  • Citi - 16
  • Chase - 13 
  • Bank of America - 3
  • Misc. (trade associations, local) - 4
  • Discover - 3

It's time for a national "Do Not Mail" registry - it's really annoying to have to opt out of each company's promotional campaigns, let alone track down the third and fourth party data companies that provide them with targeted contact information.  A few sites are offering hope in this regard, and even DirectMail.com has a Do Not Mail registry - apparently b/c they care about their clients' costs.  There's also DoNotMail.org, an advocacy group which takes the environmental angle that it's a huge waste of paper (it is) and destructive of forestry.  There are other options, some of which are discussed below and others just a Googling away.  If you're really bored, there's a 2008 Congressional Research Service (CRS) report on proposed Do Not Mail legislation (pdf).  The DMA notes that, "In 2008 advertising mail contributed more than $702 billion in increased sales to the US economy and played a critical role in the success of our country’s businesses and nonprofit organizations – It all can be gone if Do Not Mail bills become law."

Here's an idea: create a new class of mail and jack up the rates to help fund the USPS.  If it happens to reduce companies' willingness to spend on junkmail, so be it.  The CRS report notes that based on 2007 figures, the USPS could lose between $4 and $10 billion in revenue if Do Not Mail legislation were introduced.  That's quite the range.  The report details increasing operating costs at the USPS, which have only gotten worse and recently led to the closure of many post office locations.  The report also talks about employment in the direct mail industry, the Fair Credit Reporting Act (you can get insurance and credit junkmail, you can opt out).  It also lists a few other private opt-out registries that direct mail marketers refer to.  There's also https://www.optoutprescreen.com which allows you to opt out of credit and insurance "firm offers" for five years.  They really need to hire an SEO.  The site is run by the major credit reporting companies and it blocks companies from running credit checks and sending you pre-qualified "firm offers" of credit.  So, it doesn't stop all promotional mail, but given that it's mostly (for me) from credit card companies, seems like one step among a few you can take to reduce the junk.  The Direct Marketing Association (DMA) list at dmachoice.org seems to be the more frequently referenced one for broader marketing opt-outs as the FTC notes.

The terms on the DMA site are pretty sparse, but the key one stands out: "All personally identifiable information collected by registration for these services is used to implement your preferences only. The DMA does not sell consumer mailing or emailing lists."  OK, good enough.  Simple ToS are good.  And there needs to be a registration mechanism to change preferences, ensure you don't opt someone else out (hey, some people might collect the stuff to see how much it weighs), etc.  And now we're back to the perennial policy questions of whether it should be the government managing these things, industry self-regulation is enough and who should manage the data.  A quick Google search pulled up a lot of info, yet it seems better awareness and simpler mechanisms would be more useful for consumers.
