What constitutes crossing the privacy boundary line?

Recently, I received a piece of direct mail that caused me to take notice. It was a letter from a local car dealership, a Lexus dealership. The letter began, “Dear Allan, this is an important notice concerning anyone who may own a (specific year) (specific car make and model).” First of all, I don’t often read direct mail, let alone open it. But this piece was different.

On the outside envelope, there was a URL with my name included in the URL – so I was curious. And in the letter, my current vehicle was referenced: the year as well as the make and model were all correct. Also note, the letter was addressed to me with my (correctly-spelled) first name (unfortunately, it is misspelled more often than not), middle initial, and last name – and also included my accurate full mailing address. By now, you are probably shaking your head, as I was too.

Lastly, the call to action was an offer to buy or lease a new Lexus with a $1,500 discount – a discount that could only be obtained by visiting a website that was created just for me and included my full name as part of the URL. The sentence in the letter stated, “Visit your personal website to view more information on your exclusive offer and to register.” On the landing page that included my name, two things were requested: my email address and phone number. Sorry, Lexus, this tactic is not the way to get these two pieces of personally identifiable information (PII).

I shared this with Rebecca Herold, internationally-known privacy expert and fellow privacy advocate, and she said, “Looks like a new marketing scheme, and the way they are doing it appears to be skirting CAN-SPAM violations.  I suspect we’ll be seeing more of these incredibly invasive types of marketing activities.”

Did Lexus purchase a list of current customers from my existing dealer? Or did Lexus purchase the addresses of local residents with the details about their vehicles from the Department of Motor Vehicles (DMV)? While I have attended the annual Los Angeles Auto Show in the past, I have never given my name to Lexus – so did Lexus purchase a list of all attendees from another manufacturer where I might have provided my details?

Any way you look at this, it’s disturbing. At the very least, it appears that Lexus has crossed the privacy boundary line. Have you ever seen anything like this?


About Allan Pratt

Technology and cybersecurity professional with focus on tech news, cybersecurity, networking, infrastructure, data protection, consumer electronics, and social media.
This entry was posted in Online Privacy, Privacy Rights. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s