I think the idea is that the company could take steps so that they never had access (either physically or cryptographically) to the data in the first place, making a subpoena useless.
There are a few industries which are obligated by statute to keep certain types of data at hand in case the government wants it, but I'm sure that wouldn't apply here.
Your idea presents two problems:
1. Automatic cannot do any expansion of capabilities using customer data without first changing their policy so that they can access that data.
2. If/when Automatic changes their policy, it will create a negative reaction from customers that the policy is being changed.
It's a lot easier to promise protection of the data and let the customer decide whether they believe the promise or not before they sign up.
OK. I wasn't making a recommendation for Automatic, I was just trying to explain to pc86 how dsr_'s preferred strategy (that Automatic keep no data) was very plausible and, in fact, is used by many companies.