Consumer Privacy Bill of Rights
Some codes of privacy say that the holder of personal data must take steps to ensure the “integrity” or “accuracy” of the data.
Why? Such a requirement seems to interrupt the privacy of individuals.
Data Integrity Requirement
Consider Section 303, the “Data Integrity” section of the “Commercial Privacy Bill of Rights” announced April 12, 2011 by US Senators John Kerry and John McCain: “(a) IN GENERAL – Each covered entity shall attempt to establish and maintain reasonable procedures to ensure that personally identifiable information that is covered information and maintained by the covered entity is accurate in those instances where the covered information could be used to deny consumers benefits or cause significant harm.” (emphasis added)
This Section 303 would give the holder of data an affirmative duty to keep its information about an individual up-to-date. To fulfill that duty the data holder would need to pester or check up on – or search for or track – the individual. Pestering, checking, searching or tracking seems antithetical to an individual’s desire to be left alone.
In this age of information, each individual has relationships with thousands of commercial entities – merchants, websites, clubs, charities, magazines, advertisers, social networks, mobile app operators, online game impresarios and many others. Technology is causing the number of commercial entities having a relationship with any given individual to grow rapidly. The growth will continue as new technologies like social media are invented.
Let the Relationship Come to an End
Very often, after establishing the relationship, the individual is no longer interested in it and just forgets about it. The individual desires to take no steps to terminate or opt out of the relationship because those steps take too much time and attention. And very often today, the individual never hears about the relationship again. The individual and the commercial entity just leave one another alone . . . which achieves the goal of privacy.
Until now, in the US, the commercial entity has had no obligation to keep its records accurate and up-to-date.
Still, the commercial entity maintains a record of the relationship. The reasons for maintaining the record are numerous, including compliance with tax, warranty, customer service and consumer protection interests.
As a holder of the record of the relationship, the entity is ready to acknowledge the relationship and support it should the individual ever return. “Hello, Ms. Smith!” says the online game host. “Our records show that you have played cyberspace bingo with us in the past. We are so glad you have returned to test your skills and luck.”
Proactive Updating of Records
But look what Section 303(a) purports to do. It says the commercial entity must keep its records accurate, which means up-to-date. To do that, the entity must be proactive. It must do something, such as send a periodic email, or place a phone call, or conduct some kind of Internet search. Imagine the automated phone call that says, “We are calling you today to update our files.” Are not inquiries like this an annoyance and an encroachment on privacy?
Inaccuracy Promotes Privacy!
Oftentimes for an individual, outdated/inaccurate records actually promote privacy. If Ms. Smith changes her email address and fails to notify a merchant with which she has a relationship, then the merchant cannot bedevil her with emails offering “discounts” and “sales” and “membership privileges.”
Granted, Section 303(a) does have limitations. One of the limitations is that it only applies if the inaccurate information would cause the individual to be denied consumer “benefits.” Yet that is a meaningless limitation. Most any commercial entity will believe that the relationship it has with the consumer provides her “benefits.” Among other things, the relationship enables the entity to reach out (via email, text message, postal mail, Skype chat or who-knows-what-is-the-next-medium-of-communication) to Ms. Smith and urgently notify her that next week cyberspace bingo winners will be given Kewpie Doll avatars that they can post on their Myspace pages!
The drafters should rethink Section 303.
Mr. Wright teaches the Law of Data Security and Investigations at the SANS Institute.