Vanilla, a South African ISP, has been publicly exposing the personal details of customers who have not paid their accounts.
This was brought to the attention of MyBroadband by forum users.
Under its Terms and Conditions page, users found a link to a “Name and Shame” page which listed customers who have been labelled by Vanilla as delinquent.
The records were categorised by year and included the customers’ names and, in many cases, the companies for which they work.
When these names were clicked, various types of personal information – including ID numbers, phone numbers, VAT numbers, and the amounts owed – were made openly available to the viewer.
“The following is a list of subscribers who have not paid their subscriptions owing to us. We consider these companies and individuals as delinquent,” the webpage said.
Vanilla took the page down after it was contacted by MyBroadband.
Vanilla CEO Alan Levin told MyBroadband that publishing the personal data of their delinquent customers was the final step in a “long and arduous process.”
“We take time and care in following a repetitive process that was designed more than 12 years ago. The information about our delinquent customers has been triple-checked; we have evidence to support each claim.”
“Data was only published after a detailed process of communications, including many emails, notices, final notices, and many phone calls,” he added.
“This was a last resort to convince customers to pay their debts and it has worked for us.”
Levin added that the cost of subscribing to credit bureaus was prohibitive when it was building its systems 12 years ago.
“We did receive a legal opinion that we could publish an identifier as well as the name of delinquent creditors,” said Levin.
However, Levin said Vanilla has decided to remove the Name and Shame section from its website following the concerns that have been raised.
“We do treat our customers’ privacy with a great deal of respect and we have many processes and systems in place to protect it,” Levin added.
“We believe that the protection of your privacy is your constitutional right and it’s important to us. We also respect everyone’s right to freedom of speech and expression.”
The Internet Service Providers’ Association (ISPA) told MyBroadband that publishing a customer’s personal information without their consent could be considered a breach of clause 5 of its Code of Conduct.
The clause states the following:
ISPA members must respect the confidentiality of customers’ personal information and electronic communications.
ISPA members must only gather or retain customer information as permitted by law, and must not sell or distribute such information to any other party without the written consent of the customer, except where required to do so by law.
“Noting that the majority of POPIA is not yet in effect, publishing personal information of any sort without permission is likely to be viewed as a breach of the provisions of that legislation by the Information Regulator,” added ISPA.
ISPA said that this was despite any justification that the publication of this information was intended to warn third parties about potential payment defaulters or to create pressure for payment.
“Were POPIA in effect, an ISP found by the Information Regulator to have contravened the Act would be subject to at least a non-compliance notice from the Information Regulator, and potentially a significant fine.”
ISPA strongly advised against ISPs using this method to collect debts.
“While customers defaulting on payments for services is a serious problem for any business, publishing personal information of those customers is not the correct mechanism to address this issue.”