Data Privacy Bill Introduced, Not Well Thought Out
“Bill would force Web
sites to delete personal info” from News.com is an excellent write-up on a
new bill introduced to the US Congress that would require web site owners of all
types and sizes — not just search engines — to delete data. However the bill,
which was sparked out of search privacy worries, might not correct problems it’s
aimed aim.
One concern the bill wants to address is this:
Certain information about Internet searches or website visits conducted
from a particular computer can be obtained and stored by websites or search
engines, and can be traced back to individual computer users.
To solve this, the bill requires that personal information be destroyed in an
undefined “reasonable” period of time:
An owner of an Internet website shall destroy, within a reasonable period
of time, any data containing personal information if the information is no
longer necessary for the purpose for which it was collected or any other
legitimate business purpose, or there are no pending requests or orders for
access to such information pursuant to a court order.
What’s personal?
The term “personal information” means information that allows a living
person to be identified individually, including the following:
- the first and last name of an individual
- a home or physical address of an individual
- date or place of birth
- an email address
- a telephone number
- a Social Security number
- a tax identification number
- birth certificate number
- passport number
- driver?s license number
- credit card number
- bank card number
- or any government-issued identification number
and does not include any record of aggregate data that does not permit the
identification of particular persons.
None of this information was in the search records that were
requested by
the Department Of Justice from search engines. Yes, some of that information can
be linked to search records, if people are personally registered with a search
engine. But things like IP addresses and cookies are not covered and so wouldn’t
likely need to be deleted.
That’s good, in many respects. IP addresses and cookies are commonly logged
by web servers and produce data that is extremely useful in understanding things
like conversion over time. Also, IP addresses and cookies don’t necessarily
personally identify someone, as I’ve
explained. If
this bill has required destruction of log data, it would have posed many
nightmares for web site owners. Of course, they might argue that log analysis is
a “legitimate” business need, perhaps allowing the data to be kept.
Overall, the bill seems pretty knee-jerk. For one, while individual web sites
have to destroy data, it’s not clear that third party mining services that are
given the data have to do so. Rather than a well-thought out plan to fully
address search privacy, as I
hoped for, it
seems almost as ill informed as the initial DOJ grab for data.
Want to comment or discuss? Please visit our
Search Engine Watch Forums.