Retail Privacy Policies Need To Focus On How The Data Is Used Rather Than Just What Is Collected

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today is a lawyer in Bethesda, Md., specializing in privacy and security law.

Privacy policies, if written well, explain to customers exactly what data you are going to collect, and what you are going to do with it. Problem is, most retailers have no idea what data they are collecting, or what they are going to do with it. As a result, retailers end up writing privacy policies that are either false or misleading, and this can lead to big legal problems.

In fact, it may be better to have a policy that says either "we have no idea what we are collecting and what we will do with it" or "we will collect everything we can and use it in any way we want." But that’s not good public relations.

What does this mean for retailers? Retailers collect, store, collate, share and use a great deal of personal information and personally identifiable information. Whether through PCI terminals, CRM databases, loyalty programs, surveillance cameras, credit checks or credit reports, website and e-commerce operations or marketing activities, they have a lot of personal information. They also share it with people that they never consider in their privacy policies. For example, they may state that they share information with vendors and suppliers to deliver goods and services. But what about lawyers, accountants, auditors, regulators, consultants and others? And how will those parties use the information? How will they protect it?

It's time for retailers to revisit their inwardly and outwardly facing privacy policies to make sure that they are accurate, and that they are doing what they promise. For the most part, consumers will not punish retailers for having very broad privacy policies (at least not for the most part, and not in the United States). What they will not tolerate (nor will the FTC) is a violation of privacy policies. And while you are at it, review your agreements with vendors and suppliers – anyone who touches this data, or from whom you obtain this data. What are their privacy and security policies?A few years ago, my son was going through that rite of passage known as the SATs. He signed up to take the standardized test on a webpage, which asked dozens of intimate questions about age, income, parents’ income, grades, high school courses taken, hobbies, interests, etc. All this to take a standardized test. You could bypass these by indicating that you didn’t want to answer, and the website would tell you that your application was "only 10 percent complete."

Some questions, like Social Security number and name of high school and high school counselor, were mandatory, as was the requirement that you upload a photograph. Knowing a 16-year-old kid had been asked all these questions, I wondered, what is the privacy policy? What will this merchant do with this information?

The website notes that it offer a voluntary (opt-in) program "that allows students to receive information about educational and financial aid opportunities from colleges, universities, scholarship programs, and educational organizations." If the student opts in, then "the following information is sent … name, postal address, gender, birth date (if provided), school, grade level, ethnic identification (if provided), intended college major (if provided), and email address (if provided)." Ah, what is left unsaid.

First, "scholarship programs" and "educational organizations" include the U.S. Department of Defense, the CIA, the NSA, and other government agencies that maintain scholarship programs or that have educational programs.

By opting in to a college search program, you are opting in to giving your information to the U.S. government. Although there may be some guidelines on how the DoD can use this information, they certainly could, with a grand jury subpoena or other legal process, obtain the database and match it with, for example, names of people who did not register with the Selective Service (a crime). Betcha didn’t know that when you registered for the SATs.

The other problem is that the website claims that only a very limited amount of information–name, address, gender, school, grade level and intended major–are shared with these institutions. If that is truly the case, then why do they ask for information like "parent’s level of education" or "parents' combined income" or "what language did you learn to speak first" or "what language do you speak best" or grade point average and class rank?

Then there's self-rating in math, science and writing, advanced placement classes expected, citizenship, religion, disabilities, types and locations of schools of interest, employment history or intention in school, extracurricular activities, sports, clubs, honor societies, and a host of other questions. OK. If they share only name, address, gender and intended major with these institutions, then why are they collecting all of this other information? What do they do with it, and how do they protect it?

Here’s where privacy policies get tricky.Here’s where privacy policies get tricky. See, what the administrators of the SATs appear to do is create a detailed profile of each applicant. Then a college, university or the CIA will approach them and say, "We are interested in female students interested in engineering, who are from the Midwest, in the top 10 percent of their class, athletic, and members of their high school gun club, whose parents make less than $40,000 a year." Or, frankly, any profile they want. The SAT administrators then "share" that student’s name and address. See? They didn’t share any personal information–just a name and address!

And that is how privacy policies get screwed up and how retailers get into legal trouble.

Imagine a hospital privacy policy that said: We will not share your diagnosis or treatment information–only your name. Then a pharmaceutical company asked the hospital for a list of asthma patients, and voila! They provide only a list of names. I call bull hockey (well, something close).

Even the Supreme Court doesn’t seem to understand how privacy works. On June 3, it ruled that when police swab the cheek of an arrestee and take DNA samples, this is not an invasion of privacy because it is a minimal intrusion which is only used to "determine the identity of the arrestee."

First of all, DNA does not determine identity. Although most people’s DNA is unique (mine isn’t), unless your DNA is registered with your identity, your DNA says nothing about who you are. But putting that aside, the State of Maryland did not simply collect Alonzo Jay King’s DNA to make sure it had arrested the right person for assault–it wanted to see if his DNA matched the DNA from any other crime scene samples. And that’s exactly what the state did.

Now, you can debate whether the database matching of the arrestee’s DNA against crime-scene DNA is a "reasonable search" under the Fourth Amendment, but it is the database matching that implicates the right to privacy–not so much the sticking of the Q-tip in the mouth. Again, we collect data for one purpose (identity) and use it for another (matching against crime scenes).

Similarly, the Supreme Court struck down the warrantless attachment of a GPS device to a suspect’s car because the attachment of that device without a warrant invaded the suspect’s property interest in his car. But slapping a device under a bumper invades privacy no more than placing a leaflet under a windshield. It is the continuous monitoring of the GPS device to learn the suspect’s location that invades (properly or improperly) the privacy interest. Indeed, after the Supreme Court struck down the use of the GPS data, the government simply subpoenaed the same data from the suspect’s three cell phones (one for business, one for wife, one for girlfriends), and determined his location that way.

Remember, privacy can be invaded through the collection oruse (including aggregation or search) of personal data. So let’s be careful out there.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.