This is page 3 of:
NSA Phone Data Grab Raises Frightening Retail Questions. Can Complying With A Lawful Warrant Still Violate A Chain’s Privacy Policy?
Most entities have some sort of privacy policy – sometimes express, sometimes implied. These can relate to online activities only (browsing, surfing and online purchases) or to offline activities as well. Some data is gathered (and used) without any express privacy policy – e.g. surveillance videos. These privacy policies typically say things like “while we will not share your data with anyone, we will respond to lawful
demands or subpoenas.” I know. I write these policies. But what exactly does that mean? How far does an entity have to go to determine whether a demand or subpoena is “lawful?” Does it simply have to be on an official letterhead? Does it just need a raised seal of a court?
Also, does the retailer or other entity have a duty to notify a customer that it received the demand or request? If I were writing a privacy policy, I would say yes. Why not tell your customer that someone has demanded information about them? The problem is that, under the law, much of the information held by retailers belongs to the retailer, NOT the consumer. What the consumer buys or doesn’t, how they pay, what time of day they shop and in which location are all the retailer’s information. The retailer may have no good way of contacting the consumer to let them know about the demand or request. The demand or request may involve dozens, hundreds, thousands or millions of records, making the costs of notification astronomical. Moreover, the retailer itself may be the subject or target of an investigation – and may not want to commit to informing its customers that the investigation is ongoing.
If the cost of compliance with a subpoena or demand by the government is very high, the government may offer to pay for such compliance – particularly where, as in PRISM, the government may pay to install a pipe into your data stream. Retrieving records about your customers may become a profit center for you. This would be dangerous from a privacy perspective.
If a consumer learns that you have been giving out data about them (particularly without them knowing about it, and without a fight) they may (A) shrug their shoulders and say “Hey, I’m not doing anything wrong, what do I have to worry
about?” (B) take their business elsewhere, assuming that there is another entity that has a more consumer-friendly privacy policy; (C) grumble and complain, but ultimately do nothing; or (D) file a multimillion-dollar class-action lawsuit.
For most people, the answer will be (C). But for a few, it may be the litigation route. When Verizon turned over its entire database to the government (albeit with a court order) one could reasonably ask whether this was a “reasonable” and “narrow” warrant. Ditto for banking, credit and merchant records. If you want to know whether a search or demand for records is reasonable, ask a simple question – if this demand was made by the Staasi, or the North Korean regime, you might have a different answer.
So ask yourself the question – do your customers REALLY know what you are doing with their data? I mean your data. I mean your data about them. Probably not. If you get a subpoena or demand for their data, I mean your data, do you tell your customers about it and give them an opportunity to challenge the demand? Do you resist the demand yourself to protect your customers’ privacy? Or do you just give the documents to any shyster with a subpoena?
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
