Parks and Rec. & Personal Identifying Information

In its last season, the popular show Parks and Recreation has made some big changes and, although set in the near future, is dealing with an issue already debated throughout the world: personal identifying information and data mining. Set in 2017, Pawnee, IN is now host to Gryzzl, a “super chill” Google-esque tech conglomerate providing free internet, social media networks, and even tablets to Pawnee. However, even in the eyes of its habitually corporate-loving citizens, Gryzzl has gone too far.

In order to gain favor with the Pawnee citizens, Gryzzl has been data mining their email, texts, medical records, and phone calls to send a drone to each citizen of Pawnee with personalized gifts. The citizens are outraged over this invasion of their privacy, and Gryzzl tries to make amends by throwing a concert, uploading a ticket to each person’s phone, with seating based on income-level.

Personal Identifying Information

Although Parks and Recreation is a fictional comedy, data mining for personal identifying information (PII) is no joke. Most major corporations collect vast amounts of information about the people who use their goods and services. This PII includes demographic information, marital status, if you use credit or coupons, salary estimates, browser history, job history, even your political leanings and reading habits. It is the job of “predictive analytics” departments to gather and analyze this information to more efficiently market to individuals.

The National Institute of Standards and Technology defines PII as “any information about an individual maintained by an agency, including any (1) information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” Sources of PII may include databases, shared network drives, social networking sites, and contractor sites, besides the information corporations glean from purchases and surveys. Moreover, technological developments have blurred the distinction between PII and Non-PII. Because the scope of data collection is so comprehensive, businesses are now able to combine seemingly disparate bits of “anonymous” consumer data from different online and offline sources and can tie that information to a specific person.

The FTC Report and Current Laws (or Lack Thereof)

In 2012, the Federal Trade Commission (FTC) published a report highlighting a consumers’ right to prevent websites from tracking their online behaviors and PII. The hallmark of the report was the proposal that companies include a “Do Not Track” opt-out function, which would enable consumers to prevent the collection of their PII. Spurred by the FTC report, a slew of unsuccessful legislation has been introduced in the House and Senate since 2010. Almost no states require a “Do Not Track” provision by law, though every state except Alabama, New Mexico, and South Dakota has enacted legislation requiring notification to individuals of security breaches involving PII. In practice, unfortunately, these are frequently buried deep in the “fine print.”

Best Practices

From a business standpoint, the key to protecting your company is to have a comprehensive privacy policy on your website. At minimum, such a policy should address (1) notice; (2) purpose and choice; (3) access to information; (4) security; and (5) enforcement. The policy should provide notice that information is being collected, how it will be used, when it may be disclosed to third parties, and the consequences of refusing to share information. The purpose for the information collection should be disclosed, as well as whether it may be used beyond the original purpose. A truly progressive policy would include an opt-in (to allow collection) or opt-out (to prevent collection) measure regarding PII. Consumers should be able to access the PII collected on them, and have means for correcting inaccuracies. Your privacy policy should also include security measures to protect the information and to ensure its accuracy.Lastly, it must be enforceable. The policy should include procedures to address infractions, and your website should comply with your policy. Following these tips should help reduce liability and protect both you and your customers.

From a consumer standpoint, read the fine print! Be cognizant about which companies are collecting your information and how they are using it.

We’ll have to wait to see if they discuss privacy policies on Parks and Rec., although this author doubts their comedic qualities.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s