Data Privacy Bill Introduced, Not Well Thought Out

"Bill would force Web sites to delete personal info" from is an excellent write-up on a new bill introduced to the US Congress that would require web site owners of all types and sizes -- not just search engines -- to delete data. However the bill, which was sparked out of search privacy worries, might not correct problems it's aimed aim.

One concern the bill wants to address is this:

Certain information about Internet searches or website visits conducted from a particular computer can be obtained and stored by websites or search engines, and can be traced back to individual computer users.

To solve this, the bill requires that personal information be destroyed in an undefined "reasonable" period of time:

An owner of an Internet website shall destroy, within a reasonable period of time, any data containing personal information if the information is no longer necessary for the purpose for which it was collected or any other legitimate business purpose, or there are no pending requests or orders for access to such information pursuant to a court order.

What's personal?

The term "personal information" means information that allows a living person to be identified individually, including the following:

  • the first and last name of an individual
  • a home or physical address of an individual
  • date or place of birth
  • an email address
  • a telephone number
  • a Social Security number
  • a tax identification number
  • birth certificate number
  • passport number
  • driver?s license number
  • credit card number
  • bank card number
  • or any government-issued identification number

and does not include any record of aggregate data that does not permit the identification of particular persons.

None of this information was in the search records that were requested by the Department Of Justice from search engines. Yes, some of that information can be linked to search records, if people are personally registered with a search engine. But things like IP addresses and cookies are not covered and so wouldn't likely need to be deleted.

That's good, in many respects. IP addresses and cookies are commonly logged by web servers and produce data that is extremely useful in understanding things like conversion over time. Also, IP addresses and cookies don't necessarily personally identify someone, as I've explained. If this bill has required destruction of log data, it would have posed many nightmares for web site owners. Of course, they might argue that log analysis is a "legitimate" business need, perhaps allowing the data to be kept.

Overall, the bill seems pretty knee-jerk. For one, while individual web sites have to destroy data, it's not clear that third party mining services that are given the data have to do so. Rather than a well-thought out plan to fully address search privacy, as I hoped for, it seems almost as ill informed as the initial DOJ grab for data.

Want to comment or discuss? Please visit our Search Engine Watch Forums.