
Data Breach Escalates Privacy Concerns

According to the company’s own metrics, it made $2 billion in revenue in 2009, helped along by Epsilon’s contracts with “2,200 global brands.” And an Alliance spokesperson confirmed that Epsilon is the world’s largest provider of permission-based email marketing of the sort used by retailers.

So why have so few people heard of the company until now?

In short, because most of the retailers don’t tell you about their relationship with the firm when you sign up to receive email updates. Take Best Buy’s privacy policy, for instance: it does not mention Epsilon or Alliance by name, only noting that “in limited circumstances, Best Buy may need to share your information with certain third parties to perform services on our behalf.” Other retailers and institutions that use Epsilon are similarly vague about the fact that an outside firm is in possession of user information. 

“I don’t think most consumers have the expectation, when they give their email address, that that information is going to be shared with a large marketing firm,” says Paul Stephens, director of policy and advocacy for the non-profit group Privacy Rights Clearinghouse. That, he says, is due to the fact that the U.S. does not have an overarching privacy law governing these sorts of disclosures.

That said, it’s not unreasonable to expect companies large and small to contract an outside firm for their email marketing and other administrative duties. Indeed, one could even argue that it’s comforting to know that your contact information is in the hands of a third party that specializes in email list management. After all, such a specialized firm would presumably be better equipped to keep that sort of data secure than, say, the IT department for a big-box retailer.

But Julie McNelley, a senior analyst at the Aite Group, a research and advisory firm, said that the data breach shows that Epsilon’s email database was not encrypted – a practice that she says reflects an outdated mentality toward email addresses.

“They were not treating email addresses as a valuable data element,” she says. “Email in the past wasn’t considered sensitive identifying information, but now a lot of sites use your email address as the default username for login.”
