Should consumers be notified when their personal data is collected, sold, or disclosed?

From the pages of In Business magazine.

Welcome to "Political Posturing," featuring opposing views on current issues important to Wisconsin's business community. In this column, small business owner Brad Werntz and manufacturing manager Steve Witherspoon offer their opinions from the left and the right, respectively.

Sure, but it’s not realistic to lock down every piece of personal data.

By Brad Werntz

Yours truly’s view of cybersecurity has been a bit scatological, and the reason for that is because once your information is out there, it’s a bit like having pee in the pool. You can dilute it and filter it, but the truth is once it’s there, it will always be there.

While I know a couple people who have no digital footprint, many like me have been online since the age of dial-up bulletin boards [you can look it up]. Over the course of 25-plus years of the digital era or any era for that matter, that’s a lot of pee in the pool.

That said, I’m not cavalier about digital security. I’m just realistic. The data is out there, for most of us. While cybercrime is growing, the more data there is, the less likely that any one individual will be targeted, and so there is less to worry about than meets the eye.

For these and other reasons, I’m all for diluting the data pool. I’m also in support of filtering data and preventing individual information from getting into the wrong hands.

There need to be very strong firewalls between personal identifying information and aggregated information. To illustrate this point, I recently did a study that surveyed a large group of people. We asked a total of 36 questions, and not one of them was designed to produce any personal identifying data.

Yet, because they came from a data set that we could examine in the aggregate, we knew the demographics of the various respondents, including where they lived by zip code, their ages, income levels, education, family status, and a host of other personally identifiable things.

I couldn’t reach out and contact any one of them if I tried, but I can describe as a group how they responded to the questions we asked. This sort of information is valuable and doesn’t put any individual at risk.

Personal information should not be shared, but if you were to ask me whether people should be notified when their personal information is shared, I’d say sure, but it’s not realistic to expect all information to be locked down, and there are things to learn when we share information in aggregate. Let’s remember that.

Brad Werntz is a small business owner in Madison.



Yes, and they shouldn’t be forced to spill it in the first place.

By Steve Witherspoon

The question implies an after-the-fact notification, so I think it’s the wrong question. Should it be legal to collect and retain basic consumer personal data? Yes, as long as the data is only used for internal use. This does not include anything beyond the basics. In other words, name, address, email, phone number, purchase history, and in some cases IP address.

Should it be legal to distribute a consumer’s personal data? No! Under no circumstances should it be legal to sell, transfer, or disclose any consumer’s personal data.

Regardless of the legality, is it ethical to distribute the personal data of consumers who are your customers? Absolutely not! Customers rely on the integrity of the companies they do business with to keep their personal information confidential. Any distribution of their personal data is a violation of that trust. Also, the golden rule applies: Do unto others as you would have them do unto you.

The problem I see is that consumers are regularly forced into agreeing to a company’s “terms of service” that include giving up their right to not have their personal data distributed. It’s highly unethical to force people to give up their right to privacy to engage in an activity such as purchasing a widget.

Where I work, we collect only the basic data from our customers that is required to place an order and properly bill for that order. We do not use or distribute any of the data for any other purpose. We take personal privacy very seriously.

In summary, distributing the personal data of others is wrong! Here is what I would propose:

1. Companies need to tell consumers exactly what basic information they will collect, and they need to do it in a very simple form listing each piece of data collected. They should give the consumer the option to opt out of any part of the data collection or opt out of all of it, with the exception of basic purchase history data. Don’t bury the consumer in technical jargon or bury the information in the legalese of a terms-of-service dissertation that only experienced insurance agents and attorneys can read. Keep it simple.

2. Make it illegal to disclose or distribute collected consumer data. This is one situation where relying on industry best practices isn’t enough.

Steve Witherspoon works in manufacturing management in Oregon, Wisconsin.
