Nuts & Bolts: Eye on Privacy
When the Democrats gained control of the House and the Senate, there was speculation about what they might do by way of privacy legislation. On Jan. 5, they introduced HR 1, the “Implementing the 9/11 Commission Recommendations Act of 2007.” Although not a privacy bill per se, HR 1 indicates that the Democrats’ focus leans more toward restraining government intrusion in intelligence gathering than toward marketers’ collection and use of information about their customers. Sprinkled throughout the bill, however, are references to the “private sector” and the recognition that private sector organizations “possess valuable information that when ‘fused’ with law enforcement data and properly analyzed … can provide law enforcement officers with specific and actionable intelligence about terrorist and related criminal activity.” As this bill makes its way through the legislative process, marketers may find that their customers’ records, which the federal government already views as a rich and as-yet-not-fully tapped source of information, become regulated as a by-product of efforts to improve the coordination of government intelligence.
An unintended consequence of this effort may be that marketers’ existing privacy policies do not provide for this use of the information they collect. Since the passage of the USA PATRIOT Act, many marketers have added statements to their Web site privacy policies saying that they may disclose personally identifiable information (PII) about Web visitors and customers in response to a court order or government subpoena. Other marketers, however, have not. It is in every marketer’s interest to review its public-facing privacy statements to ensure they cover the disclosure of customers’ PII in such situations, or “as required by law.” A privacy policy that promises never to share customer data, with no such exception, is a promise the marketer may not be able to keep.
And while marketers have to keep an eye on the federal government’s appetite for their customers’ information, they may also need to comply with the data breach notification laws that are popping up at the state level. Thankfully, most state laws limit the definition of PII to combinations of data points that many marketers don’t collect: typically a name together with a Social Security number, a driver’s license number, or a financial account number combined with the PIN or password needed to access it. For the marketers that do maintain the types of information that trigger notification, many states’ laws relieve them of the notification requirement in the event of a breach if the sensitive data element was encrypted. That safe harbor assumes the encryption actually protects the data, so a marketer relying on it should confirm that the keys are stored separately from the encrypted records and were not exposed in the same incident.