Think Your CRM Files Are Invasive? You Ain't Seen Nothing Yet—And Neither Has Your Lawyer

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

Technology is now enabling retailers to capture data from their customers that those customers never envisioned sharing—such as the sound of their voice or the shape of their face, or using their directory assistance inquiries to determine book pitches. From a legal perspective, these interesting efforts may be inviting lawsuits and other legal challenges.

Consider a service that Google offered where you could call a toll-free number (GOOG 411) for directory assistance. Although you got a telephone number and directions, Google got information about not only what people in general were searching for (people in Piscataway picked pizza) but also what a specific person was looking for (John Smith—or John's telephone—searched for the number for an AIDS clinic, then a drug store, then life insurance). Again, because Google isn't a phone company or particularly regulated in any way, it could use or sell this information in any way consistent with whatever privacy policy it wrote. But Google got much more than that.

It could use the information to create a database of voices for use in voice-recognition software. It could also have used individual voices to create a profile of a specific person's voice and then—like the potential facial-recognition program in the retail store—sell that data. Who would buy it?

A bank, for example, wouldn't pay to authenticate its customers, because the bank could simply ask those customers to directly give them voice samples for free. But a bank very well might pay to identify the voice of the fraudster on the phone. There is little if any law preventing this.

Consider a restaurant selling a soda. The customer pays with a credit card and the restaurant now knows the person's name and what he looks like. On the soda glass is that person's fingerprint and DNA. Pretty cool. Should or could a retailer make a lucrative side business (in addition to selling soda) out of collecting and selling this information?

Most state laws on DNA relate to the creation of a DNA database by the government, and federal law prohibits discrimination in healthcare and insurance based on DNA profiling. But no law would prevent, say, your local Starbucks from creating such a database. I am not suggesting that 7-Eleven will be a proxy for DHS in creating facial-recognition databases or that Baskin-Robbins will seek to supplement its income by selling your genetic code. But it could. No law prevents it. And there may be good money in it. It just happens to be a really bad idea that may be perfectly legal.

Although most retailers consider a product as something they sell to their customers, for some retailers information about their customers is the product. Behavioral information about customers can be collected by both brick-and-mortar and online merchants, and technologies enable the capture and use of even more personal data—often in ways both merchants and their customers are only beginning to appreciate. The collection of these new data streams is often unregulated and may ultimately be lucrative, but most come at the cost of potential customer dissatisfaction and abandonment. Be careful what you collect about your customers, or they may no longer be your customers.

Retailers currently capture a bunch of information about their customers. When shoppers use credit or affinity cards, retailers can link purchases to individuals. Security cameras capture consumers' behaviors. We can know if consumers use coupons, when and where they shop, and other information. Online retailers can know what items consumers looked at and didn't buy, how they found the site, what their approximate location is, and the type and configuration of their Internet browser. All of this is just the tip of the potential iceberg, however.

The problem lies not so much with what retailers capture, but what they feel they can do with the information captured.

Take your standard video-surveillance camera. There is no problem using the camera to prevent theft, protect customers or even defend the retailer in a possible "slip and fall" case. Some retailers may use cameras to see how customers respond to ads and see what sales are garnering attention, in addition to other unidentified uses. But more sophisticated high-definition digital cameras are capable of much more. They can link faces and names (capturing the name from the credit card and linking it to a high-quality image).

Is that information "public" or "private"? Is it personally identifiable information (PII)? Is it PCI data? Legally, probably not. Does this mean that the information from these images can be used to create a vast database of names and pictures (and browsing habits) that can then be sold with impunity?

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.