By NATASHA SINGER / NYTimes – Published: August 20, 2011
THE marketing pitch came by e-mail: Would you like to make an appointment with your dentist to have your teeth cleaned? And while you’re at it, how about recommending him to a friend, or posting a review of your dental care?
I had given my e-mail address and mobile phone number to my dentist’s office a couple of years ago, for those rare occasions when he might need to communicate with me. Now, here I was receiving what I deemed unwanted promotional e-mail — and a text message — about the dentist’s services via Demandforce, a firm in San Francisco that handles customer communications for some 11,000 small business including dentists, spas and automotive shops. (Demandforce describes such messages as appointment reminders.)
Of course, some people may not mind receiving automated, unsolicited birthday greetings or thank-you e-mails on behalf of their health care providers. But I felt that the conditions under which I had provided my contact information had been violated. I wanted the dentist’s office and Demandforce to erase my information.
That proved easy enough — in this instance. But, as I looked into the matter, I discovered that I, as an American, did not actually have an automatic right to demand that a company erase personal information about me.
Even as Congress and agencies like the Federal Trade Commission propose new privacy measures, it turns out that the United States still lags behind Europe in ensuring some controls. And, as my colleague Suzanne Daley recently reported, Europeans are hotly debating whether to do more.
Already, under the data protection directive of the European Union, people who have contracted with a company generally have a right to withdraw their permission for it to keep their personal data. Under this “right to be forgotten,” Europeans who terminate frequent-flier memberships, for example, can demand that airlines delete their flight and mileage records, says Lukas Feiler, a lawyer who specializes in information technology and privacy law.
“If I withdraw my consent to the storage of my personal data, they would not have the right to store it,” says Mr. Feiler, an associate at Wolf Theiss, a law firm with headquarters in Vienna. But there are exceptions, he says — for example, when a company has a legitimate reason to store the data that supersedes an individual user’s interest.
In the United States, however, personal information about a consumer generally may be kept by the company that processes it — except for certain regulated industries like credit. Individual companies in many sectors set their own policies on data retention. Some agree to delete information; others don’t.
“As a general matter, companies in the United States don’t have to recognize your right to be deleted,” says Marc Rotenberg, the executive director of the Electronic Privacy Information Center, a research group in Washington. “They may choose to accommodate you, but they are not required to.”
Certainly, there are many legitimate reasons for that. Businesses often keep records for tax or auditing purposes. Lawyers’ and doctors’ offices maintain records for a certain period to protect themselves against malpractice suits.
Now, however, some politicians, regulators and companies want to give Americans more control over their personal information — with limits on data use and retention, says Christopher Wolf, a lawyer who specializes in privacy and the co-chairman of the Future of Privacy Forum in Washington.
“We need to move more toward that regime in order to empower consumers,” Mr. Wolf says. But any limits, he emphasizes, would have to carefully balance personal privacy against the right to free speech and public access to information.
A bill introduced in the House last May, called the Do Not Track Kids Act of 2011, includes an “eraser button” provision for children and parents. It would require companies, when feasible, to allow users to delete publicly available personal information about minors from a Web site. (So far, there is no proposed equivalent covering grown-ups.)
But in a preliminary report, the F.T.C. has endorsed a related idea — that companies collect only the data they need about people and keep it no longer than necessary. If businesses minimize data collection from the get-go, there may be less need for an eraser button later, says Jessica Rich, deputy director of the F.T.C.’s bureau of consumer protection.
For now, she suggests that people read company privacy policies and “figure out ahead of time whether you have the ability to delete your data.”
Mr. Feiler in Vienna says the best hope is market innovation. With people attuned to data proliferation, he says, businesses with enhanced privacy options should prosper. Social networking sites, for instance, could differentiate themselves by offering automatic erasure, giving users the choice to delete their entire records, say, every six months.
“Some consumers would find that very useful,” Mr. Feiler says. “Others may want all their data to be available at least as long as they live.”
In the meantime, Americans like me, who would like companies to delete certain personal information, may find themselves depending on the kindness of strangers — or, at least, acquaintances.
My dentist said his office started using updated, automated communications to keep up with increasingly mobile patients who enjoy social networking but often change their contact information. He immediately agreed to delete some of my details from the system, even though I will now be harder to contact.
Demandforce, the customer communications company, was equally responsive.
Rick Berry, its president, told me that the firm didn’t send out unsolicited e-mails; it merely acts like a communications representative of a small business, transmitting digital reminders where a dentist’s office might once have mailed postcards. He adds that the firm encrypts user data and adheres to health privacy regulations. If people have privacy concerns, they can easily opt out of further contact.
I, however, shouldn’t have received a text message in the first place, said Patrick Barry, Demandforce’s vice president for marketing, since I didn’t give permission for my mobile number to be used that way.
The dentist’s front office “should have opted you out of receiving even a welcome text message,” Mr. Barry said. In a follow-up e-mail, he said Demandforce had deleted my record: “The system has officially ‘forgotten’ you.”
But in a data economy where personal information is an increasingly valuable currency, a consumer’s automatic access to a delete button remains an exception.
A version of this article appeared in print on August 21, 2011, on page BU3 of the New York edition with the headline: Just Give Me The Right to Be Forgotten.