Eye on Privacy: New Year, Old Data
This may be the one thing we can know for sure. Was the data collected in such a way that it comes under FCRA, GLBA, HIPAA or COPPA? If so, treat it accordingly.
Limitations Borne of Disclosures
The earliest disclosures I can remember were the general “your data may be used for marketing purposes,” and while it isn’t very detailed, it does set boundaries.
If your data was collected in a survey, warranty, request for information or other collection device with the general “may be used for marketing” disclosure, then you actually know all you need to know about use.
When talking about legacy data, consent is not something we would expect to find, but the consumer may have been offered an opportunity to opt out, and that is something you want to know about your data. Forgetting the debate about pre-checked or unchecked boxes, having given consumers a choice about the use of their data is an important fact.
You can identify use restrictions from regulations, disclosures and contract limitations, but you can also make decisions about use based on point of collection and what a consumer might reasonably expect given the nature of the data. Are you using the data in a way that might surprise or embarrass the consumer? Was the data collected at a time where consumer expectations may have been different from what they are today?
The best thing and the worst thing about legacy data is that there are probably no limitations to retention. That doesn’t mean that we should never purge this data. It does mean that we have to be more disciplined in looking at continued value, balanced against the increased risk of having this data.
Legislators and regulators will sort themselves out soon enough and we’ll have a better idea of what 2015 will bring. In the meantime, what housekeeping could you be doing?