Sunday, January 25, 2004

Article: Swiping driver's licenses - instant marketing lists?

A little while ago, I wrote about biometrics on driver's licenses and particularly referred to the practice of swiping driver's licenses (below). Debora Pierce, who regularly writes on law and technology issues in the Seattle Press, has an article on the topic that I just found: The Seattle Press - LAW&TECHNOLOGY: Swiping driver's licenses - instant marketing lists?:

"IN AN effort to cut down on underage drinking and smoking, many bars, clubs, and restaurants have begun to use devices that scan driver's licenses. In addition to verifying the age of the driver's license holder, the scanner also picks up all of the information in the magnetic stripe found on the backs of most driver's licenses. The obvious benefit is that underage drinking and smoking is curtailed, but that benefit comes at a price. Here is another case where technology has outpaced the law, and the casualty is privacy."

I would suggest that the automatic swiping of driver's licenses at bars is very likely in violation of the law here in Canada. The federal privacy law, PIPEDA, requires knowledge and consent for the collection, use or disclosure of personal information. From what I understand, individuals are not being informed about why their cards are being swiped and how that information will be used. There is no "Identifying Purposes", as required by Principle II. Individuals are not being given the opportunity to consent, let alone being asked to consent. If a bar refuses admission because you refuse to have your personal information harvested, they are in violation of the following sub-principles:

4.3.2 - The principle requires "knowledge and consent". Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

4.3.3 - An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purposes.

If the collection is supposed to be to verify that the license has not been tampered with, it probably still amounts to a violation of Principle 4 - Limiting Collection because much more information is collected and used than is necessary for that particular purpose:

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

The Federal Privacy Commissioner hasn't, as far as I know, had a complaint about this practice but I am sure it is not too far off.
