Businesses often request a lot of personal identifying information (PII) from their customers. Quite often, these are legitimate requests intended to facilitate a business transaction. But there are many organizations that don’t practice sound data minimization tactics and gather all sorts of unnecessary information from customers. For instance, businesses often request Social Security numbers (SSN) as a matter of routine. The question is: does the business have a legitimate need for the SSN?  If so, what policies and procedures are employed to protect this customer data?

Unless it is for a specific purpose, such as obtaining a loan or benefit, you are not required to provide certain PII, such as a SSN to a business; however, it should be noted that a company is under no legal obligation to do business with you, either, if you fail to provide the requested information. If you are uncertain, ask how the organization intends to use the information it gathers. Request a copy of the organization’s established privacy policy. If it is a SSN request, inquire about using an alternative identifier.

Tags: data minimization tactics, PII, privacy policy, SSN

Categories: Consumer ID Security.