Should 3rd Parties get your OK before getting your data from others?
Larry Ozeran, MD, FAMIA
Strategic Consultant for Health Informatics, Organizational Governance, Health Policy and Software Development
I recently received a request from Carta (day 0) to sign up for an account with them because they were holding a security that I recently purchased. They never asked me whether I wanted them to hold my certificate. They simply assumed that if their client created an account for me, that I should be overjoyed to have the simplicity of a digital representation of my holdings. It is so much more convenient than paper after all. I responded “I would prefer that you not have my information. How do I get you to send me the certificate and close my account?”
Three (3) days passed and I received a response from the support team that “1 - 5 printed certificates are $500 per certificate. Plus tax.” I explained “I am not willing to pay more than the cost of the paper to simply print a certificate ($2) and I do not agree to your terms of service.” They apologized that the charges are fixed. (I didn’t bother to argue again that I never agreed to them when they received my data.) I explained that because we did not have an agreement and they are holding my property, there are two issues. First, I wanted to know if they will continue to hold my property on my terms. Second, I wanted to know if I could get my property from them without agreeing to their terms.
I did not initially get a response from Carta. On day 6, the transfer agent sent me a PDF of the security for no cost. While I appreciated getting a copy of the certificate, this was only one part of the problem. I was working toward a resolution with Carta regarding my personal information. Rather than continue to engage, they simply punted to the transfer agent as though that would address my privacy concern. I made my continued concern clear to the transfer agent and subsequently received an email from a Carta ‘Customer Success’ team member.
I explained that I do what I can to protect my personal information. My first step was to get my property and the second step was “to either erase my information from your system or have you agree to my terms to protect my information. I do not agree to your terms. They are inadequate.”
The Customer Success agent and I started our conversation by trying to figure out what personal data Carta held about me. It took another day, but I was pointed to this information on the Carta website: “We may collect your name, postal address, email address, phone number, username, password, demographic information (such as your occupation), social security number, tax ID number, bank account information, as well as other information you directly give us on our Services, which may include marketing, promotions and when communicating to you about new features.” I explained that “The problem with this statement is that I have given you no information and yet you still have my information.” At that point, contacting the privacy team seemed like the best place to go next.
I started that inquiry with: “I recently received an email from Carta to obtain my documents from your service. This is the first I learned that you have my personal information. Since I did not share any data with you, I wish to know: what personal data elements and metadata, including addresses, names, identifiers, IP addresses and anything that is associated with [me], does Carta have or have access to? Please provide a comprehensive list.” I did not ask Carta to share any of my data, just a description of my data. I would welcome them sharing any opinions on any of the issues raised in this article or this series of articles, but I would consider it a breach if they shared any of my data publicly in this or any other venue. (In advance of this post, I shared this article with Carta and after a day they indicated that they had no comments, at least at that point.)
In a series of email communications they eventually shared (on day 12) that they have and have access for their own purposes to: company name, company address, company website, person name, phone number, and email address. On day 14 they finally shared they also held information about the security: number of shares, issue date, price per share.
As I write this, I am still not sure how I feel about the data they are holding. I do not agree to their terms and they apparently are not interested in hearing mine, so we are not in agreement but they still have my data. I am encouraged that the personal information they hold is minimal, but I still have several questions.
First, I want to state explicitly that I have no reason to believe that Carta has violated any legal requirements or privacy protections. This article and this series are not about what is currently legal, but rather they are about what policies, corporate and public, should be considered to improve privacy protections and personal autonomy over the data that defines us.
Second, why did this process take two weeks? It feels like rather than pushing back against transparency, they could have directly answered the questions I originally asked on day 1. Explaining what data they held about me should take an hour or less. I am guessing that their initial attitude was that they weren’t legally required to answer my question and they didn’t have a plan or process for doing so. I suspect that most people who are asked to create the offered Carta account simply do so and move on. How many people would put this much effort into getting these answers? My guess is somewhere between very few and none.
Third, why do third parties accept information about people with whom they have no relationship without getting opt-in agreement from the parties whose data it is? I am guessing because it is cheaper than asking and nothing prohibits this activity. Why is it OK that they do this? My guess is because most people don’t seem to care. Unless people value their identity and take efforts to preserve their privacy, more of it is taken from us every year. We (collectively) let it happen.
Fourth, does anyone examine how their data may be used in the terms of service? Is the service low cost or free because the third party service can monetize your data in other ways? Should it be a hurdle for you to decide whether you are OK with the terms, then have to reject the terms, then have to work with the person or entity who shared your data to get them to not take this type of action? The person or entity sharing your data did it for their convenience at your expense.
Prior articles: Why you should Fight - My context for fighting
What do you think? What questions do you have? What should we be doing to ensure that third parties get our permission before they accept our personal data from someone other than us?
Physician, healthcare market critic and speaker
3 years ago
Thought-provoking examples. I'm impressed by the thoroughness with which you attempt to protect your privacy (I'd guess you're in the top 0.1% of people in this dimension) and yet clearly companies are able to acquire information about you. Maybe Eric Schmidt was right in the narrow sense that in our current world it has become practically impossible to prevent such information sharing. Which makes me think we need to put more effort into laws to penalize the retention and use of unauthorized private information (as opposed to just initial acquisition).