(p.357) APPENDIX IV “There Should Be a Law!”: Questions and Answers from Real Life
(p.357) APPENDIX IV “There Should Be a Law!”: Questions and Answers from Real Life
Is it legal for a supermarket to disclose that the wife of a political candidate shops at the store?
May a merchant create an individualized consumer profile of items purchased and sell this information?
For those who shop online, it is not news that merchants create consumer profiles based on one's purchases. Some online merchants will use the information to provide new purchase recommendations to the consumer, which can be quite useful.
(p.358) However, what may be news is that merchants may sell information about your purchases if they don't promise not to. This is more troubling in the case of online purchases, as opposed to in-store purchases. Online, a merchant may collect information that cannot be gleaned from a credit-card swipe, such as a customer's shipping address, home phone number, and e-mail address.
In the case of in-store purchases, typically the only information a merchant has access to is the information contained on the face of a credit card. The information contained on the magnetic strip of a credit card contains no more personally identifiable information than appears on the face of the card.1680 The utility of associating just a name with purchases is questionable (e.g., did John Smith #1 purchase these items, or was it John Smith #2?).
Merchants may associate a customer's personal information with purchase information for chargeback purposes. No federal law seems to prevent a merchant from using this information for other purposes.
State law governs whether the merchant may request or require additional information to process the credit card. In California, for example, the merchant may not request any additional information from the card-holder for a standard point-of-sale purchase.1681
Is it legal for a public utility company to disclose a customer's Social Security number?
Federal law prohibits federal and state employees from disclosing a person's Social Security number.1682 The statute, however, does not appear to prevent municipal employees from disclosing such information. State law may also prohibit the disclosure of Social Security numbers.
At least one state court has recognized a Social Security number as “private and confidential information” protected under that state's (p.359) consumer-protection law, holding that a tenant is not required to provide a landlord this information to renew a lease.1683 If other courts followed the reasoning of this holding, a Social Security number could be more widely viewed as private information protected from disclosure.
Can a retail store sell a consumer's purchase record to a data broker?
May law enforcement use information obtained from a data broker?
Yes, and they do.1686 By using data brokers, the government is easily able to collect and use information for which it might need a search warrant to collect itself. Data collected and maintained by data brokers, however, may be inaccurate and difficult to amend.1687
May the federal government monitor the content of a citizen's e-mail?
Yes, but the monitoring procedure varies. If the messages the government seeks are downloaded from the mail server and stored on a user's computer, (p.360) the government must obtain a search warrant to access the user's computer. However, upon request, the government can require an Internet service provider to preserve evidence and maintain a copy of downloaded messages.1688 If messages are stored on a remote server, for example, through the use of Web mail or a Microsoft Exchange account, law enforcement may access the content of messages stored for over 180 days by using a search warrant, administrative subpoena, or court order. For messages stored for fewer than 180 days, a warrant is necessary. Although notice to the user is required when using an administrative subpoena or court order,1689 a district court may grant a delay of up to 90 days before the user is notified of the order.1690
In 2008, the Ninth Circuit ruled that a user has no reasonable expectation of privacy in the to and from addresses of e-mails or in the IP addresses of Web sites visited.1691 The Court reasoned that this information is analogous to phone numbers dialed, in which a person cannot maintain a reasonable expectation of privacy.1692 The Court asserted:
The court analogized to earlier cases to suggest that a person does have a reasonable expectation of privacy in the contents of e-mails and in the URLs of Web sites visited.1694 If other courts follow the Ninth Circuit's reasoning, which is likely given that the opinion relies on settled Supreme (p.361) Court precedent, a person will not have a reasonable expectation of privacy in e-mail to and from addresses or IP addresses.
[E]-mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the Web sites they visit because they should know that this information is provided to and used by Internet service providers for the specific purpose of directing the routing of information.1693
May a pharmacy sell information about a customer's nonprescription purchases to a data broker?
Yes. Although HIPAA prohibits the wrongful disclosure of individually identifiable health information,1695 nonprescription purchase information probably does not qualify as protected information under the statute.1696 Therefore, information about the purchase of condoms, yeast-infection cream, or enema bags probably would not be protected.
Can a data broker or credit-reporting agency sell information to a landlord or prospective employer?
In enacting the Fair Credit Reporting Act, Congress made the finding that “[t]here is a need to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer's right to privacy.”1697 However, there are many exceptions. The credit-reporting agency can sell information to any party if the subject of the credit report authorizes the release of the information in writing.1698 But in order for a prospective employer to use the information, the employer must provide additional disclosures.1699 Most concerning, however, is that a credit-reporting agency may provide a report to any business that has a “legitimate business need for the information” either in connection with (p.362) a transaction initiated by the consumer or for account-review purposes.1700 Thus, according to FTC commentary, “a consumer report may be obtained on a consumer who applies to rent an apartment, offers to pay for goods with a check, applies for a checking account or similar service, seeks to be included in a computer dating service, or who has sought and received over-payments of government benefits that he has refused to return.”1701
(1679) See Benita A. Kahn & Heather J. Enlow, The Federal Trade Commission's Expansion of the Safeguards Rule, 54 FED. LAW., Sept. 2007, at 39 (discussing the FTC's enforcement of unfair trade practices regarding the protection of personal information).
(1680) The ISO 7813 standard, which defines the data fields for credit cards, states that the magnetic information contains the account number, the name of the account holder, and the expiration date, among other nonidentifiable information. Wikipedia, ISO 7813, http://en.wikipedia.org/wiki/ISO_7813 (last visited May 20, 2008).
(1681) CAL. CIV. CODE § 1747.08(a) (Deering 2007). Exceptions to this statute include transactions in which a credit card is used to make a deposit to secure future payment, to make a cash advance, and to make a purchase that requires shipping, delivery, or installation of the purchased goods. Id. § 1747.08(c).
(1682) 42 U.S.C. § 405(c)(2)(c)(viii)(I), (III) (2007).
(1683) Meyerson v. Prime Realty Servs., LLC, 796 N.Y.S.2d 848 (Sup. Ct. 2005).
(1685) Id. at 536–37 (discussing the possibility of “data reidentification”).
(1687) See, e.g., Dennis v. BEH-1, LLC, 504 F.3d 892 (9th Cir. 2007) (discussing the plaintiff's difficulty in having inaccurate information in his credit report corrected after a state court misreported a judgment against the plaintiff in public records); see also CHRIS JAY HOOFNAGLE, PRIVACY SELF REGULATION: A DECADE OF DISAPPOINTMENT (2005), available at http://epic.org/reports/decadedisappoint.pdf (including a letter from a data broker to a data subject brazenly stating that the subject has no rights). Data aggregators rely on the accuracy of data from underlying sources.
(1688) 18 U.S.C. § 2703(f) (2007).
(1689) Id. § 2703(b)(1)(B).
(1690) Id. § 2705. Further extensions of the delay of notification may be granted by the court. Id. § 2705(a)(4).
(1691) United States v. Forrester, 512 F.3d 500, 510–11 (9th Cir. 2008). The Court explained IP addresses: “Every computer or server connected to the Internet has a unique IP address. A website typically has only one IP address even though it may contain hundreds or thousands of pages.” Id. at 510 n.5.
(1692) Id. at 510. In Smith v. Maryland, 442 U.S. 735, 745–46 (1979), the Supreme Court stated that the use of a pen register, which records the numbers dialed from a phone, does not constitute a search for Fourth Amendment purposes. The Court asserted that “[a]ll telephone users realize that they must ‘convey’ phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed.” Id. at 742.
(1693) Forrester, 512 F.3d at 510.
(1694) Id. at 511, n.6.
(1695) 42 U.S.C. § 1320d-6 (2000).
(1696) 42 U.S.C. § 1320d(6) states:
The term “individually identifi able health information” means any information, including demographic information collected from an individual, that: (a) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and(b) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and:
(1697) 15 U.S.C. § 1681(a)(4) (2000).
(1698) Id. § 1681b(a)(2).
(1699) Id. § 1681b(b).
(1700) Id. § 1681b(a)(3)(F).
(1701) 16 C.F.R. § 600 app. (2007).