Limiting Data Collection

Collecting information from customers. Every company does it; it’s simply a requirement for successful marketing. The more information there is to mine through, the more likely the marketing department is to make a correlation and sell more stuff. This equates to profit – the reason any red-blooded company is in existence.

This also opens the company to privacy violations – depending on the industry, you may face indictment by the FCC, FTC, EU DPAs, etc.

My phone battery was on the fritz, so I needed to find a replacement. I visited an electronics store currently trying to rebrand itself as “the Shack” looking for a new battery. They had an off-brand one labeled for my phone type. I explained the situation to the cashier – I had tried this solution before with another battery retailer, and there was a very real possibility it would similarly fail. I paid cash, thinking why go through the hassle of having the same charge card to make the return. Maybe I’d just have my wife stop by while running errands?

That night, my hunch was right, and a large X appeared over the phone’s status icon. I went in the following day, where the same cashier immediately recognized what must have happened. “No problem, we’ll give you a refund. We just need a little information.” This included much more than just my name – address, phone number, photo ID. All of this because I used a green piece of paper. Maybe the company is trying to combat fraud, but for less than US$50, at what cost? I didn’t ask what protections corporate had in place, and even if they had literature, I was on my way to the airport and in no shape to read it…

No matter what the rationale, this is simply too much information in the wake of the numerous network breaches sparked by TJX. As Jennifer Stoddart, former privacy commissioner of Canada, said: “The company collected too much personal information, kept it too long and relied on weak encryption to protect it.”

Good companies have opt-in policies and clearly define how the data will be used and who it may be shared with. Great companies don’t collect information without a specific purpose. The ideas are not new; they fall in line with the US Department of Health, Education and Welfare’s “The Code of Fair Information Practices” from the 1970s and the Organization for Economic Cooperation and Development’s (OECD) principles laid out in 1980 for collection limitations, methods and relevance. These same ideas are echoed throughout the EU’s Data Protection Directive. Today, the Payment Card Industry’s Data Security Standard, HIPAA, and the Federal Rules of Civil Procedure reemphasize the importance of collection limitation, placing specific regulations on how data are treated. PCI mandates encryption and physical access restrictions, while FRCP’s e-discovery suggests that retaining volumes of data indefinitely could create massive evidentiary headaches and unexpected costs.

In all, keep in mind, if you don’t collect it, you can’t lose it.  Do you really need to log my personal information to make a $50 return?

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

  • Introduction to Privacy: “Guidelines Governing the Protection of Privacy and Trans-border Data Flows of Personal Data” (Foundations: I.D.iv.1), The European Union (“EU”) Data Protection Directive (95/46/EC) (Foundations: I.D.ii.2)
