This is page 3 of:
Retail Privacy Policies Need To Focus On How The Data Is Used Rather Than Just What Is Collected
Here’s where privacy policies get tricky. See, what the administrators of the SATs appear to do is create a detailed profile of each applicant. Then a college, university or the CIA will approach them and say, “We are interested in female students interested in engineering, who are from the Midwest, in the top 10 percent of their class, athletic, and members of their high school gun club, whose parents make less than $40,000 a year.” Or, frankly, any profile they want. The SAT administrators then “share” that student’s name and address. See? They didn’t share any personal information–just a name and address!
And that is how privacy policies get screwed up and how retailers get into legal trouble.
Imagine a hospital privacy policy that said: We will not share your diagnosis or treatment information–only your name. Then a pharmaceutical company asked the hospital for a list of asthma patients, and voila! They provide only a list of names. I call bull hockey (well, something close).
Even the Supreme Court doesn’t seem to understand how privacy works. On June 3, it ruled that when police swab the cheek of an arrestee and take DNA samples, this is not an invasion of privacy because it is a minimal intrusion which is only used to “determine the identity of the arrestee.”
First of all, DNA does not determine identity. Although most people’s DNA is unique (mine isn’t), unless your DNA is registered with your identity, your DNA says nothing about who you are. But putting that aside, the State of Maryland did not simply collect Alonzo Jay King’s DNA to make sure it had arrested the right person for assault–it wanted to see if his DNA matched the DNA from any other crime scene samples. And that’s exactly what the state did.
Now, you can debate whether the database matching of the arrestee’s DNA against crime-scene DNA is a “reasonable search” under the Fourth Amendment, but it is the database matching that implicates the right to privacy–not so much the sticking of the Q-tip in the mouth. Again, we collect data for one purpose (identity) and use it for another (matching against crime scenes).
Similarly, the Supreme Court struck down the warrantless attachment of a GPS device to a suspect’s car because the attachment of that device without a warrant invaded the suspect’s property interest in his car. But slapping a device under a bumper invades privacy no more than placing a leaflet under a windshield. It is the continuous monitoring of the GPS device to learn the suspect’s location that invades (properly or improperly) the privacy interest. Indeed, after the Supreme Court struck down the use of the GPS data, the government simply subpoenaed the same data from the suspect’s three cell phones (one for business, one for wife, one for girlfriends), and determined his location that way.
Remember, privacy can be invaded through the collection oruse (including aggregation or search) of personal data. So let’s be careful out there.
If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.
-Marc
June 18th, 2013 at 5:49 pm
The SAT application reminds me of Doctor offices that continue to have the SSN field on their forms, and ask for your Drivers License # (and more)…not so they can treat you, but so they can track you down for any outstanding payments. How many people question the fields on those forms?
Also, what about privacy policies that change over time. When you entered your SAT data, even if they admitted who they shared the data with or how they used it, it may still change in years to come, but will they notify you? ;)