As everyone else said, asking for and collecting SSNs is just plain bad. I don’t know what state you’re in, but around here, SB1386 puts a heavy burden on anyone collecting personal data* in a computer system, and if any of it’s breached, you basically have to tell *all * of your customers that their personal info’s been revealed unless you can reliably determine which specific customers are affected, in which case, you only have to alert them.
If I were running the video store, I’d offer new customers two options.
A: Be limited to one item out at a time for a while - 2-4 weeks, perhaps.
B: Allowed to have more titles out at a time in exchange for a $50 deposit taken from their credit card.
To be blunt, I think you were crazy for letting any new customer walk out with ten titles on the first day. Might even be a lot for an existing customer, actually.
- personal information is defined to mean:
First name OR first initial and last name in combination with one or more of the following:
Social security number,
Or driver’s license number,
Or California identification number,
Or financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
Thanks for all the advice. I guess I’m going to just have to weather this storm. Since the boss did give me the out of not losing any customers from the SSN thing, I think I’m going to exploit that loophole to the fullest, and if they give it to me when they fill out the form then fine, and if not I won’t ask for it. (God, I hope my boss isn’t a member of the SDMB!) As for the phone number thing, the consensus seems to be that it’s not that big a deal, so I guess I’ll try to get used to that as well, or at least just request a second phone number from people.