The Universal Privacy Solution
The basic idea is to have time limits for the maintenance of customers' personal data. We can fight another day about whether data should be collected, about opt-in vs. opt-out, and about other privacy policies. For now, let's just agree that personal data will only be maintained for a defined period. You weren't planning on keeping it all forever, so this is not a major change in philosophy.
One reason this principle should be acceptable to all is that it reflects two different types of flexibility. First, it does not require absolute accuracy, completeness or timeliness. Data quality only has to meet local needs. No one is required to spend time, effort and money massaging data to some radical, irrelevant or unnecessary standard. For obvious reasons, medical records have different quality requirements than pizza delivery records.
Second, the principle contains purpose, an important weasel word. Personal information should be relevant to the purpose for which it is to be used. Who gets to define the purpose? If the record keeper defines the purpose -- and there really is no one else now -- then the flexibility of the principle is further enhanced. It might be nice to define purpose -- following a dialogue with record subjects, consumer representatives, or perhaps even a privacy office of some sort -- but that may be asking for too much.
As long as purpose is defined with a degree of good faith, then everyone can be happy. If you insist on defining your purpose as extracting every conceivable scintilla of value from information until the end of the universe, nothing will be accomplished. But with a realistic limit on data retention, the data quality principle will be well served.
Let's try applying the policy in practice. A good example is the frequent shopper data now being collected by many supermarkets. These programs collect a class of highly revealing personal information never before available. A record of purchases of food, drugs, cosmetics, magazines, and myriad other products available in a supermarket creates a detailed profile of a shopper's activities, interests, health and habits. This is one reason the programs make privacy advocates and some consumers nervous.
How long is this consumption data really useful? The value surely diminishes rapidly over time. How rapidly? I don't know offhand, but surely within a year or two at the most. The expiration date for any class of consumer data is open to discussion and debate. Industry practices are certainly relevant to the debate.
There must be a realistic time limit. The prospect that a consumer's consumption records will be available for a lifetime is unfair, unreasonable, and unnecessary. Do we want to judge politicians, job applicants, or even customers based on what they purchased five, 10 or even 20 years ago? If the records exist, this will happen eventually. Do supermarkets want to have to decide whether to provide records to police, investigators or others? Will the maintenance of lifetime consumption records enhance marketing, or will it only train people to demand anonymity?
The long-term maintenance of records may create other problems for record keepers. Do record keepers want to put themselves in a position to have to reveal this data in other, unforeseen ways? What would be the effect on a supermarket's image if it had to comply with a Senate subpoena for 10 years' worth of purchasing records of the person nominated by the president to serve as head of the Food and Nutrition Service?
The Fair Credit Reporting Act includes time limits on the relevance of consumer information. For bankruptcies, data more than 10 years old cannot be reported. For other data, the statutory time limit is seven years. That suggests an outer limit for most consumer data. Supermarket data must have a much shorter shelf life.
When consumer information gets to a point of diminishing returns, erase it. This will reduce costs, save computer storage space, limit exposure, and enhance privacy. If you tell customers up front that their data will only be kept for a limited time, they might be more willing to do business with you.
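The retention rule the column argues for, a defined period per class of data after which records are erased, is simple enough to enforce mechanically. The following is an added example, not code from the column or its author: a small purge routine with per-class retention periods. The seven- and ten-year figures are the Fair Credit Reporting Act limits quoted above; the one-year period for frequent-shopper data is an assumed value chosen for the example, within the "year or two" the column suggests. The record layout, customer identifiers and sample records are constructed for the example. A record whose class has no defined retention period is treated as expired, on the reasoning that data should not be kept unless someone has said how long it is needed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Retention period per data class, in days. The seven- and ten-year figures
# are the Fair Credit Reporting Act limits the column cites; the one-year
# frequent-shopper figure is an assumed value for this example, inside the
# "a year or two at the most" the column suggests for supermarket data.
RETENTION_DAYS = {
    "bankruptcy": 10 * 365,
    "credit": 7 * 365,
    "frequent_shopper": 365,
}


@dataclass(frozen=True)
class Record:
    subject_id: str      # hypothetical customer identifier
    data_class: str      # key into RETENTION_DAYS
    collected_on: date   # date the data was captured
    payload: str         # the personal data itself (opaque to the purge job)


def expiry_date(record: Record) -> Optional[date]:
    """Date on which the record must be erased, or None when no retention
    period is defined for its class (an undefined purpose)."""
    days = RETENTION_DAYS.get(record.data_class)
    if days is None:
        return None
    return record.collected_on + timedelta(days=days)


def is_expired(record: Record, today: date) -> bool:
    """A record with no defined retention period counts as expired: nothing
    is kept unless a period has been stated for its class."""
    deadline = expiry_date(record)
    return deadline is None or today >= deadline


def purge_expired(records: List[Record], today: date) -> Tuple[List[Record], List[Record]]:
    """Split records into those to keep and those to erase.
    Returns (kept, purged); the caller deletes `purged` from the live store."""
    kept, purged = [], []
    for r in records:
        (purged if is_expired(r, today) else kept).append(r)
    return kept, purged


def retention_notice(data_class: str) -> str:
    """Plain-language statement that could be shown to a customer up front."""
    days = RETENTION_DAYS.get(data_class)
    if days is None:
        return f"{data_class}: no retention period defined; not retained"
    return f"{data_class}: kept for at most {days} days after collection"


# Constructed sample records and a fixed "today" so the run is reproducible.
TODAY = date(2024, 1, 15)
SAMPLE_RECORDS = [
    Record("c1", "frequent_shopper", date(2023, 6, 1), "bread, cold medicine"),
    Record("c2", "frequent_shopper", date(2022, 12, 1), "magazines, vitamins"),
    Record("c3", "credit", date(2016, 1, 1), "late payment"),
    Record("c4", "bankruptcy", date(2016, 1, 1), "chapter 7 filing"),
    Record("c5", "loyalty_survey", date(2023, 12, 1), "class with no period"),
]

if __name__ == "__main__":
    kept, purged = purge_expired(SAMPLE_RECORDS, TODAY)
    for r in kept:
        print("keep  ", r.subject_id, r.data_class, "until", expiry_date(r))
    for r in purged:
        print("erase ", r.subject_id, r.data_class)
    for cls in RETENTION_DAYS:
        print(retention_notice(cls))
```

Run as a scheduled job against the real store, the interesting property is that the retention table is the whole policy: adding a data class without a period makes its records candidates for erasure rather than silently keeping them forever, and the same table produces the up-front notice the column recommends giving customers.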
Diminishing a privacy problem at no cost is not like a visit from Ed McMahon, but it's not bad. Think about it.
Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House of Representatives' subcommittee on information, justice, transportation and agriculture. His e-mail address is firstname.lastname@example.org.