As everyone else said, asking for and collecting SSNs is just plain bad. I don’t know what state you’re in, but around here, SB1386 puts a heavy burden on anyone collecting personal data* in a computer system, and if any of it’s breached, you basically have to tell *all * of your customers that their personal info’s been revealed unless you can reliably determine which specific customers are affected, in which case, you only have to alert them.
If I were running the video store, I’d offer new customers two options.
A: Be limited to one item out at a time for a while - 2-4 weeks, perhaps.
B: Allowed to have more titles out at a time in exchange for a $50 deposit taken from their credit card.
To be blunt, I think you were crazy for letting any new customer walk out with ten titles on the first day. Might even be a lot for an existing customer, actually.
- personal information is defined to mean:
First name OR first initial and last name in combination with one or more of the following:
Social security number,
Or driver’s license number,
Or California identification number,
Or financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.