IE 11 is not supported. For an optimal experience visit our site on another browser.

Data collection: Just say 'I know my rights'

The questions are all too familiar, and all too intimate:

"Can I see your driver's license?"

"Can I have your phone number?"

"Do you have another form of ID?"

But how do you answer? It seems that to shop is to be interviewed. Everywhere you go, you are asked invasive questions. And every time you look at the news, you see another company is losing consumers' data.

So you would probably rather not answer those kinds of questions, but can you say “no”?

Yes, say legal experts. In fact, sometimes of those questions are against the law or violate credit card association terms and conditions.

Of course, if you refuse to provide the requested information, a company can refuse to do business with you. Sticking up for yourself is almost certain to lead to a small scene at the store, something I call "data bickering." And since it seems like everyone asks questions like these all the time, it's not practical advice to “just say no.” But it helps if you can say, “I know my rights.”

First in an occasional series, "What do you do if ... ?"

Well-placed complaints can be surprisingly effective. But hitting a store where it counts -- at the cash register -- is more effective than complaining through government agencies. Here are some tips:


Recently, I shopped at a small furniture store that requires a driver's license for credit card purchases. The clerk even enters the number into a computer. When I balked at this, she cited company policy.

It turns out, the store’s policy violated Visa policy. On page 28 of Visa's merchant agreement (available here as a .pdf file), the association informs merchants that they are not permitted to require additional identification for credit card purchases.

Complaining is simple. Call your credit card issuer (your bank) and tell them. They will in turn pass the complaint along to the acquiring bank (the store's bank). That might sound like a meaningless paper trail exercise, but it isn’t. Violation of Visa terms can actually get a merchant knocked off the credit card network, which is nearly the death penalty in today's retail world. Visa officials wouldn't discuss this, because the company is in a quiet period prior to its upcoming initial public offering of stock. But from prior interviews about another common violation of Visa rules – requiring a minimum purchase amount for using a credit card -- I know it doesn't take many complaints for Visa to get on a retailer's back.

Of course, few store owners know about the alternative identification rule, and clerks probably won’t believe you when you tell them. But even if you can't talk a clerk out of a demand to see and copy your license, your complaint can still call in heavy hitters after the fact. So you might get some satisfaction from saying simply, "Asking me for this information is in violation of your merchant agreement. Keep doing it and you might not be able to accept credit cards."

There are some exceptions to this rule you should know about. The key one -- if you hand a clerk a credit card that's not signed, the clerk is obliged to ask for an alternate ID.


The problem is much broader than phone number or license number requests by retail clerks. Unfortunately, there aren’t many rules governing other data bickering situations.

Betsy Broder, assistant director of the privacy and identity theft division at the Federal Trade Commission, says consumers who refuse to give up personal information don't really have any special legal protections. There is no overriding privacy law that limits the information businesses can collect.

There are a couple of narrow laws that give consumers limited protection. The Gramm-Leach-Bliley Act governs certain kinds of financial information, and essentially makes it illegal for banks to share your account information with other entities. The Health Insurance Portability and Accountability Act (HIPAA) offers similar protections about sharing of health information. But that doesn't stop medical offices from asking for your Social Security number within earshot of other patients, or from using it cavalierly as an identifier on basic forms.

When a nurse asks for your SSN, it's hard to say “no.” Here’s how one federal worker I spoke with addressed that situation recently: she refused to give her SSN to a nurse, who subsequently insisted the staffer couldn't get treatment without placing a number on the form. Eventually, the staffer took that request literally and filled in a random 9-digit number and informed the nurse that she had used dummy data on the form. She got her treatment. (She also refused to let me use her name, for obvious reasons).

Without taking such extreme measures -- note, the staffer doesn't endorse supplying fake SSNs -- there are FTC directives that you can invoke. Any entity that collects information like Social Security numbers (including you, if you hire a nanny or some such) must properly dispose of that information. Failure to do so could result in an FTC lawsuit. In other words, if a store writes your driver's license number on a piece of paper and leaves it on a counter, it could be in violation of the FTC data disposal rule. Broder said the agency has yet to file a case of that nature, but you might get the attention of a clerk simply by asking, "Is your company in compliance with the FTC data disposal rule?"

As a follow-up, you might ask how long the company plans to keep the information on file. For fun, tell the clerk that TJ Maxx ended up losing driver's license numbers it had collected five years earlier, and it recently ended up paying nearly $100 million to settle lawsuits surrounding the incident. That was an expensive mistake.


As a last resort, you might also announce to the clerk that he or she may very well be breaking state law by asking for personal information in credit card transactions.

Chris Hoofnagle, a privacy law expert at the University of California, Berkeley, points out that California law expressly prohibits companies from requiring additional information when accepting credit cards. Stores can't make note of your phone number or address. They can't even hint to consumers that such information is required. Here's the relevant section of law:

Companies cannot "require as a condition to accepting the credit card as payment ... the cardholder to write any personal identification information upon the credit card transaction form or otherwise," the law says. And companies cannot "utilize, in any credit card transaction, a credit card form which contains preprinted spaces specifically designated for filling in any personal identification information."

Note: A retail company can ask to see a photo ID card, but it cannot write down or store this information.

The California law has teeth. Consumers can sue companies that require additional information with credit card transactions and win big money. Civil penalties of $250 for the first violation and $1,000 for subsequent violations are awarded to consumers when companies break this law.

So here's a pretty effective thing to tell a clerk who's about to violate your privacy:

"If you write down that number, you might as well reach into your cash register and give me $250, because it's going to cost you."

If you don’t live in California, check with your state’s consumer protection statutes before invoking this language. If you don’t know where to begin, call your state attorney general’s consumer protection office.

Unfortunately, there are few other laws to protect consumer privacy. Ditto on rules to discourage over-collection of information, or to provide "expiration dates" on data that is collected and stored far beyond its usefulness to the company.

"That's why companies are not really thinking about what they are gathering, or how long they are keeping it," said Rob Douglas, a privacy expert who operates "And we've become such sheep giving it away. It's a rarity that consumers object to data collection.”

Share your data self-defense stories

It doesn't have to be that way. When asked for data, just say “no” – at least initially. If you're told you will have to leave the store or medical office, then you'll have to make a choice, and often you will decide to surrender the information. But before you do, put up a bit of a fight. The more you complain, the more uncomfortable you make a clerk or a company, the more you'll make the folks at headquarters reconsider their need to know everything about you.

Have you made a scene when asked to divulge personal information? What has worked for you? Share your stories of privacy self-defense with other Red Tape Chronicles readers.