Monday, January 24, 2005

Some thoughts on the Better Business Bureau's rules for collecting customer information

My previous blog posting, PIPEDA and Canadian Privacy Law: Privacy Imperatives for Customer Data: Interview with Jordana Beebe, refers to the Better Business Bureau's new rules for personal privacy.

The BBB's basic rules are:

  • If you do not need it, do not collect it.
  • If you need it once, do not save it longer.
  • If you got it, but you do not need to save it, dispose of it carefully.
  • If you have to keep it, think security.
  • Do not broadcast personal information.
  • Do not use Social Security numbers as account numbers.
  • Do not give out employee or customer information to anyone whose identity cannot be positively confirmed.
  • Locks and alarms are a real deterrent.

From a consumer point of view, they seem to be a step in the right direction. They differ significantly from the Canadian Standards Association Model Code for the Protection of Personal Information, which is the benchmark in Canada (and is now mandatory under the Personal Information Protection and Electronic Documents Act). The BBB rules appear to be entirely focused on reducing the risk of identity theft, rather than respecting a customer's right to informational self-determination. There is no mention of letting customers know how you propose to use the information, nor is there any element of choice for the consumer. Both of these are fundamental to the CSA Model Code. Though the code has its share of critics, it is reasonably balanced and probably the best one out there.
