Retail Privacy Policies Need To Focus On How The Data Is Used Rather Than Just What Is Collected

Written by Mark Rasch
June 6th, 2013

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today is a lawyer in Bethesda, Md., specializing in privacy and security law.

Privacy policies, if written well, explain to customers exactly what data you are going to collect, and what you are going to do with it. Problem is, most retailers have no idea what data they are collecting, or what they are going to do with it. As a result, retailers end up writing privacy policies that are either false or misleading, and this can lead to big legal problems.

In fact, it may be better to have a policy that says either “we have no idea what we are collecting and what we will do with it” or “we will collect everything we can and use it in any way we want.” But that’s not good public relations.Indianapolis

What does this mean for retailers? Retailers collect, store, collate, share and use a great deal of personal information and personally identifiable information. Whether through PCI terminals, CRM databases, loyalty programs, surveillance cameras, credit checks or credit reports, website and e-commerce operations or marketing activities, they have a lot of personal information. They also share it with people that they never consider in their privacy policies. For example, they may state that they share information with vendors and suppliers to deliver goods and services. But what about lawyers, accountants, auditors, regulators, consultants and others? And how will those parties use the information? How will theyprotect it?

It’s time for retailers to revisit their inwardly and outwardly facing privacy policies to make sure that they are accurate, and that they are doing what they promise. For the most part, consumers will not punish retailers for having very broad privacy policies (at least not for the most part, and not in the United States)Angry Birds-Bouncer Banner. What they will not tolerate (nor will the FTC) is a violation of privacy policies. And while you are at it, review your agreements with vendors and suppliers – anyone who touches this data, or from whom you obtain this data. What are their privacy and security policies?


One Comment | Read Retail Privacy Policies Need To Focus On How The Data Is Used Rather Than Just What Is Collected

  1. Shirley Says:

    The SAT application reminds me of Doctor offices that continue to have the SSN field on their forms, and ask for your Drivers License # (and more)…not so they can treat you, but so they can track you down for any outstanding payments. How many people question the fields on those forms?

    Also, what about privacy policies that change over time. When you entered your SAT data, even if they admitted who they shared the data with or how they used it, it may still change in years to come, but will they notify you? ;)


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 17,000 retail IT leaders who subscribe to our free weekly email. Sign up today!
Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.