Not confirming email addresses can put your customer in physical danger, and can expose you to legal liability if they are harmed. We’ve written before about how not confirming email addresses can create real-world legal liability, because in certain settings, and particularly in ecommerce, it can actually lead to your customer suffering physical harm, maybe even death.
When you share a customer’s personally identifiable information (PII) with a third party, in addition to breaking or potentially breaking all sorts of laws, you are also potentially exposing them to physical danger. Because you owe a duty of care to not share their PII with third parties without their permission (often a duty spelled out explicitly by law), when you breach that duty, and as a result of that breach they come to harm, you can be held legally liable. And even if at the end of the day you ‘win’ the lawsuit that is filed to hold you legally liable, the financial and PR damage that will be done will likely be immense.
In our earlier cautionary tale on the subject, Hidden Legal Dangers in Not Confirming Email Addresses include Liability for Injury or Death, we shared a real-life situation in which two different women engaged with two different businesses, neither of which did email address confirmation. As a result, a complete stranger received each of these women’s complete PII, including name, address, phone number and, in one case, information about the woman’s drug use and where she worked. More than enough for even a casual stalker to find these women. All because the businesses did not confirm the email addresses. You see, each woman had made a mistake when entering her email address (given the circumstances it is highly unlikely it was intentional). As we explain at some length in that previous article, this often happens at places like Gmail, where, for example, when someone first signs up for an email address, if the username they pick isn’t available the system will tell them so and will suggest a similar username. Sometimes the system will even autofill the form with the suggested username, so if the person isn’t paying attention and just clicks ‘submit’, they get the suggested username but believe they got the address they originally typed. They then start giving out that original address, which of course belongs to someone else.
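The safeguard the article is describing is confirmed (double) opt-in: an address is held as unverified until its owner clicks a link, the confirmation message itself carries no PII, and nothing containing order or account details is sent until the address is verified. The following is an added illustration of that flow, not code from the article or from any business it names. The class and function names, the `shop.example` link, the in-memory storage and the 24-hour token lifetime are all assumptions chosen for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Hypothetical constant: how long an unconfirmed signup is honoured before it is discarded.
TOKEN_TTL_SECONDS = 24 * 3600


@dataclass
class PendingSignup:
    email: str
    created_at: float
    pii: dict  # name, address, phone, order contents: held, never emailed, until confirmed


class OptInRegistry:
    """Illustrative in-memory double opt-in registry (assumed design, not a real library)."""

    def __init__(self, clock=time.time):
        self._pending = {}      # sha256(token) -> PendingSignup
        self._customers = {}    # confirmed email -> PII
        self.outbox = []        # (recipient, subject, body); stands in for a real mailer
        self._clock = clock     # injectable so expiry can be exercised without sleeping

    def register(self, email: str, pii: dict) -> str:
        """Record a signup as unverified and send a confirmation link that reveals nothing."""
        token = secrets.token_urlsafe(32)
        # Store only a hash: a leaked pending table then yields no usable confirmation links.
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._pending[token_hash] = PendingSignup(email, self._clock(), dict(pii))
        # If the address was mistyped, the stranger who receives this learns nothing
        # about the customer: no name, no address, no order details.
        self.outbox.append((
            email,
            "Please confirm your email address",
            f"https://shop.example/confirm?token={token}",
        ))
        # Returned so the caller building the mail can use it; in production the
        # token exists only inside the confirmation message.
        return token

    def confirm(self, token: str) -> bool:
        """Promote a pending signup to a verified customer. Single use, expiring."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        rec = self._pending.pop(token_hash, None)
        if rec is None:
            return False
        if self._clock() - rec.created_at > TOKEN_TTL_SECONDS:
            return False  # stale link: the signup is discarded along with its PII
        self._customers[rec.email] = rec.pii
        return True

    def is_confirmed(self, email: str) -> bool:
        return email in self._customers

    def send(self, email: str, subject: str, body: str) -> bool:
        """Gate every transactional or marketing message on a confirmed address."""
        if not self.is_confirmed(email):
            return False
        self.outbox.append((email, subject, body))
        return True

    def purge_expired(self) -> int:
        """Drop unconfirmed signups past their TTL so mistyped addresses never accumulate PII."""
        now = self._clock()
        stale = [h for h, rec in self._pending.items() if now - rec.created_at > TOKEN_TTL_SECONDS]
        for h in stale:
            del self._pending[h]
        return len(stale)
```

The two checks that matter are in `register` (the confirmation message contains only the link) and `send` (nothing else goes out until `confirm` has succeeded). A mistyped address therefore receives one contentless message and, after the TTL, the held PII is purged rather than mailed to a stranger.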
This is almost certainly what recently happened when someone intended to provide their own email address, but accidentally provided one of the Gmail addresses of our own CEO. Our CEO in turn attempted to reach the ecomm business in question, to advise them of the issue, and not receiving any response, ultimately posted an open letter to the company in hopes of eliciting a response to this alarming situation. To date neither our CEO nor we have heard back from them. Here is the letter, explaining the dangers.
An Open Letter to Oroton on the Dangers of Accidentally Sharing a Customer’s Personally Identifiable Information Because You Don’t Confirm Email Addresses
Oroton, you are putting your customers in danger!
Because you don’t do email confirmation, you enabled someone to place an order with you and accidentally give you one of my email addresses, which in turn means that I am now in possession of a whole lot of that individual’s PII such as her name, home address, and telephone number, as well as the contents of what she ordered from you. And you continue to send email to me, both transactional with PII included, as well as marketing email.
I attempted to reach out to you at all addresses that I could find, but have had no response (hence my posting this here), and the email continues (and of course sending me the PII of someone else violates all kinds of laws – including the Australian privacy laws, which is where she lives (which I know because of course I have her address), and where you are headquartered).
This doesn’t just violate all sorts of laws, TOSs, and other privacy-related regulations and practices, it’s dangerous to your customer. If I were not who I am, if I were some stalker type of guy, I now know this woman’s name, her phone number, her home address, and even what clothing she ordered, more than enough to socially engineer her meeting me, or my just lying in wait for her when she gets home.
In order for me to disclose to you the identity of that customer, I’ll need to hear directly from your legal department (whom I’ve tried in vain to reach).
Anne P. Mitchell,
Email Law & Policy Attorney at Law
CEO Institute for Social Internet Public Policy (ISIPP)
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal email marketing law)
Author: The Email Deliverability Handbook
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Counsel Emeritus, eMail Abuse Prevention System (MAPS)