Retail Privacy Policies Need To Focus On How The Data Is Used Rather Than Just What Is CollectedWritten by Mark Rasch
Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today is a lawyer in Bethesda, Md., specializing in privacy and security law.
Privacy policies, if written well, explain to customers exactly what data you are going to collect, and what you are going to do with it. Problem is, most retailers have no idea what data they are collecting, or what they are going to do with it. As a result, retailers end up writing privacy policies that are either false or misleading, and this can lead to big legal problems.
In fact, it may be better to have a policy that says either “we have no idea what we are collecting and what we will do with it” or “we will collect everything we can and use it in any way we want.” But that’s not good public relations.
What does this mean for retailers? Retailers collect, store, collate, share and use a great deal of personal information and personally identifiable information. Whether through PCI terminals, CRM databases, loyalty programs, surveillance cameras, credit checks or credit reports, website and e-commerce operations or marketing activities, they have a lot of personal information. They also share it with people that they never consider in their privacy policies. For example, they may state that they share information with vendors and suppliers to deliver goods and services. But what about lawyers, accountants, auditors, regulators, consultants and others? And how will those parties use the information? How will they protect it?
It’s time for retailers to revisit their inwardly and outwardly facing privacy policies to make sure that they are accurate, and that they are doing what they promise. For the most part, consumers will not punish retailers for having very broad privacy policies (at least not for the most part, and not in the United States). What they will not tolerate (nor will the FTC) is a violation of privacy policies. And while you are at it, review your agreements with vendors and suppliers – anyone who touches this data, or from whom you obtain this data. What are their privacy and security policies?