Is Data Disclosed by the SCA’s Digital Membership Card Vendor?

On June 23, the SCA announced the upcoming availability of “digital membership cards,” an electronic representation of the SCA’s traditional paper membership cards, delivered in formats compatible with smartphone apps such as Apple Wallet and Google Wallet.

On June 26, SCA members received email messages sent on behalf of the SCA, containing instructions on how to download their personal digital membership card. The email was sent by Cuseum.com, a vendor providing this service on behalf of Neon CRM, the service that the SCA uses for its membership data.

In the last day or so, a number of SCA members have expressed concern that the Cuseum.com privacy policy allows them to sell (“share”) user data, and thus information about SCA members might be being given to advertisers.

A couple of commenters on social media have suggested that this is already happening, saying that they’ve recently begun receiving unsolicited commercial messages to the email address used for their member account, and in a way that makes them confident that their SCA membership was the source. (Some of the social-media discussions of this issue are friends-locked, but a few threads are public, including these: Facebook, Reddit.)

I posted a comment on Cuseum’s Facebook feed asking for more information, which they deleted — in itself not a great sign — so instead I sent an email to their privacy address, and they responded to say that the above privacy policy applies only to their standalone user-facing services, and is not applicable to the membership card service that they provide to Neon CRM (and by extension to the SCA).

My correspondence with Cuseum is attached below.

I have asked several people who shared claims of unsolicited email to provide additional information that would help to demonstrate that this is actually happening, but have not yet seen any concrete evidence.

[July 1 Update:] Someone on Reddit dismissed the below statement from Cuseum’s rep, saying that despite those claims the provisions of the Cuseum privacy policy still applied and that the SCA members had “accepted” them. However, the email sent to SCA members, and the “Download Membership Card” page it linked to, did not have the Cuseum name or branding, and did not link to the Cuseum.com terms of service or privacy policy, so it seems unlikely that members could be said to have “accepted” those terms, and there is no indication that those terms are intended to apply to this interaction.

[July 1 Update:] The SCA has now updated their membership FAQ to specifically address this concern:

Cuseum does not share, sell, or lease any member data. […] We understand there has been some confusion around the Cuseum.com Privacy Policy and the statements there around Personal Information.This language is their general privacy policy as relates to Cuseum’s online properties […] that collect information directly by/for Cuseum. It does not pertain to digital membership cards.

[July 2 Update:] None of the people who suggested that they had received additional junk email as a result of Cuseum-related data “sharing” responded to my requests for additional information.

If someone can demonstrate that Cuseum is lying to us (and to the SCA), I’m entirely willing to believe it — but so far nobody has provided even a scrap of evidence to support that claim, so for now I am inclined to accept the word of the SCA and its vendors, and chalk this up to misunderstanding on the part of some members of the populace.


From: Mathghamhain Ua Ruadháin
To: privacy@cuseum.com, privacy@neonone.com
Cc: privacy@sca.org
Date: June 30, 2023

Hello,

I am writing to ask about the digital membership card service recently initiated on behalf of the Society for Creative Anachronism and delivered through Neon CRM and Cuseum.

Multiple SCA members have reported that after activating their digital membership cards, they began receiving unsolicited commercial messages to their membership email address. 

Is this a standard part of the service Cuseum provides?

Is member data subject to sharing with Cuseum partners even if the individual never clicks the “download membership card” link?

Was this aspect of Cuseum’s service disclosed to SCA members?

Thank you for any information you can provide regarding this issue.


From: Cuseum Technical Support
To: Mathghamhain Ua Ruadháin
Date: June 30, 2023

Thank you very much for your message.

Cuseum takes privacy, compliance, and security very seriously and I’m happy to help in any way that I can.

First and foremost, Cuseum does not share, sell, or lease any member data. Furthermore, Cuseum complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information. I can’t speak to the policies of Neon CRM but I’d assume they take a very similar approach to privacy.

Can you please forward me and support (support@cuseum.com) any of the unsolicited commercial messages that members are receiving at their e-mail addresses? While I’m certain that has nothing to do with our company or services, I’m happy to take a look.


From: Mathghamhain Ua Ruadháin
To: Cuseum Technical Support
Cc: privacy@cuseum.com, privacy@neonone.com, privacy@sca.org
Date: June 30, 2023

Thank you so much for your prompt reply.

I will reach out to the folks from whom I had heard this complaint and see if I can provide you with more details.

During the online discussion of this issue, a number of people have highlighted this section of the Cuseum privacy policy: “We may share your Personal Information with our affiliates and with other carefully selected companies that we believe offer services and products that would potentially be of interest to you.” https://cuseum.com/privacy-policy

That provision definitely gives the impression that Cuseum does “share, sell or lease” member data.

Can you help me understand the difference between the assurance you’ve given me and the above provision in your privacy policy?

Thanks again — I really appreciate your help in clearing up this matter!


From: Cuseum Technical Support
To: Mathghamhain Ua Ruadháin

Cc: privacy@cuseum.com, privacy@neonone.com, privacy@sca.org
Date: June 30, 2023

Thanks for the quick reply.

With specific regards to the privacy policy on Cuseum.com (https://cuseum.com/privacy-policy) and the statements around Personal Information – this is our general privacy policy as related to Cuseum’s online properties (such as Cuseum.com, Cuseum’s app (e.g. “[AR]T Museum”), newsletters, pages/forms that collect information directly by/for Cuseum,) as opposed to our customer’s (in this case: SCA) digital membership cards.

Our privacy policy is not reflective or intended to be reflective of the privacy policy that would govern the relationship between our customer and their member/constituent/user, but just to reiterate – we don’t share, sell, or lease any membership data.

I hope that is helpful. In any account, I’ll forward your message along to my team to share your feedback.


From: Mathghamhain Ua Ruadháin
To: Cuseum Technical Support
Cc: privacy@cuseum.com, privacy@neonone.com, privacy@sca.org
Date: June 30, 2023

Okay, thanks — this is a super-helpful distinction that was not obvious to myself or other SCA members.

I appreciate the clarity here; it sounds like some other channel must be the source of these additional unsolicited emails that some of our members have started noticing recently.

One thought on “Is Data Disclosed by the SCA’s Digital Membership Card Vendor?”

Leave a Reply

Your email address will not be published. Required fields are marked *