Tech

Iggy Azalea’s Beef with Papa John’s Is a Serious Wake-Up Call About Consumer Privacy

Iggy Azalea became the butt of many jokes this week when she ranted on Twitter about a Papa John’s pizza delivery guy giving out her phone number, but her pizza feud exposes data-privacy issues. If you’ve ever ordered food online or paid for an item with a credit card, your phone number and even the names of your children could be handed off to a third party—and it’s all legal.

Pam Dixon, founder of the World Privacy Forum, classified the leak of Azalea’s phone number as a business-ethics fuck-up, but said bigger concerns exist within Papa John’s privacy policy—and the many similar privacy policies at other companies that regularly handle our personal information.

Videos by VICE

“The privacy policy is unclear and doesn’t make it patently obvious that they are giving your personal information to third parties,” Dixon told me over the phone. “It took me about twenty minutes to find that, and I really know what I’m looking for.”

What Dixon found buried in the Papa John’s privacy policy was a subtle acknowledgment, probably never read by most customers, of the company’s data trading with third parties. If you have ever ordered a pizza from the company online, it’s likely that you signed up for a Papajohns.com account. And if you signed up for that account, you gave the company the right to sell your information to any third party, according to their privacy policy:

We also may keep track of your food preferences and restaurant choices and analyze that information in order to send you special advertisements, offers and notices regarding foods and restaurants that seem to fit with your preferences.

If you have a papajohns.com account and do not want to receive emails from us telling you about great eDeals, Contests or other promotional offers in the future, please let us know. You can change your preferences, or opt out of receiving emails from us, at any time (except when you are in the process of placing an order) by going to My Account Information on the log in page. There, you can update your email address, phone numbers, password, address and you can uncheck the “Send me special offers from Papa John’s” box. Our emails to you will stop within 5 business days and we will not thereafter provide other merchants the means to contact you by e-mail about their Contests or other offers.

According to Dixon, the vague language about “other merchants” is industry code for selling consumer information. Customers’ information can end up on marketing lists on sites like NextMark, which publishes everything from lists of people with bipolar disorder to lists of “Yuppie Investors.” Anyone can go online and buy one of these consumer-data lists.

“If people haven’t done a financial modernization opt-out, your most recent transactions are most likely on that list,” Dixon said. “It’s actually shaping people’s opportunities in life. It’s not just advertising. Whether you buy too many clothes online can affect the cost of your health care.”

Opting out is tedious, but it’s the only way to protect the privacy of personal information from data brokers. Opt-outs exist to keep your banking records from being shared, to keep telemarketers at bay, and to keep your name off marketing lists.

Washington and the media have paid attention to these issues in recent months. On Monday Senator Ed Markey issued a report on the way wireless technology in new cars poses a data-privacy risk, and earlier this month, the Daily Beast revealed how new Samsung television sets can listen to private conversations at home and sell the recordings to third parties, according to fine print in the company’s privacy policy.

Papa John’s didn’t respond to requests for comment about whether its privacy policy was deceptive or how it shares consumer data with third parties. A spokesperson, however, did offer a statement in response to Iggy Azalea’s claims: “Privacy of our customers and employees is extremely important to us. Papa John’s has taken appropriate disciplinary action with regard to the employee involved. We are reaching out directly to Ms. Azalea and hope to resolve this incident and make it right.”

If Azalea wants to sue Papa John’s because an employee gave his brother her number, she may have an uphill battle. According to attorney Carrie Goldberg of the Cyber Civil Rights Initiative, states follow varying consumer-data-breach laws.

“These laws mainly aim to prevent identity theft in a commercial context, and have limited use when it comes to protecting personal privacy, such as when intimate images, diaries, or other personal information falls into the wrong hands,” Goldberg told me over the phone. “So if the delivery guy just got her name and phone number off the receipt, these laws wouldn’t be triggered, but if the pizza was ordered online and the information was accessed along with, say, her credit card information, it could trigger a reporting requirement.”

Since Azalea has a permanent residence in California, she would struggle to sue Papa John’s using the data-breach law, Goldberg said. But the state does have a strong law barring “unfair and deceptive business practices,” which Goldberg said puts responsibility in companies’ hands when they bring harm to a customer.

“If Iggy issues a formal notification and Papa John employees are still bothering her, she could seek damages and an order demanding they stop,” Goldberg said. “In all likelihood, the hassle and expense of pursuing litigation may well outweigh the benefits that Iggy could receive from whatever harm she claims befell her from this pizza guy going rogue.”

Follow Mary Emily O’Hara on Twitter.