Some state legislatures are pushing potential laws aimed at giving consumers—and their heirs—more control over their digital lives. But in doing so, some are preparing to impose rules on merchants that neither the merchant—nor the merchant’s payment facilitator—is likely to be able to obey.
The thrust of the rules—under consideration in states such as Oregon and Connecticut—is honorable. They are intended to avoid the heart-wrenching stories of a parent or other next-of-kin unable to access a deceased loved one’s e-mails or social media interactions. But the legislation goes beyond that in some cases, granting consumers much more control over their digital footprints.
In Connecticut, for example, the bill “would allow consumers to ask stores you no longer do business with to delete your personal information so that your personal information would not be compromised in the event that the company is hacked,” according to a report from NBC Connecticut. That’s where things get dicey.
The problem is that many merchants—and the larger the merchant, the bigger the problem—do not themselves have full control over all copies of payment information and related files such as CRM/Loyalty. Setting aside the fact that such information often also exists within the databases of key partners—including processors and PFs, among many others—there is plenty of difficulty inside the databases of that merchant.
A retailer can delete the official copy in their records (after enough time has passed to resolve any refund issues), but what about backups? Let’s say the merchant deletes all official copies and then has an IT incident and must restore from backup. If the merchant then gets breached, the data that they said was gone could be stolen.
What if the data at issue was being examined by someone in marketing or store operations? What if they had copies on a mobile device or a thumbdrive, potentially to help with data analysis to be done at home over the weekend?
The truth is that such data is often copied—without IT’s or retail senior management’s knowledge—and spread throughout the company. Abiding by a law to absolutely remove all copies of one customer’s digital footprints may be impossible.
This wouldn’t take much to fix, though. If legislation simply added wording that limited such changes to information under the control of the merchant or data that can be reasonably accessed by the merchant, that would solve much of the problem.