funsec mailing list archives

Re: Bill Would Force Web Sites to Delete Personal Info


From: Mike Owen <kyphros () gmail com>
Date: Fri, 10 Feb 2006 13:59:49 -0800

On 2/9/06, Fergie <fergdawg () netzero net> wrote:
Via C|Net News.

[snip]

A bill just announced in Congress would require every Web site operator to delete information about visitors, 
including e-mail addresses, if the data is no longer required for a "legitimate" business purpose.


Well, just read that bill. It's very simple, and seems quite easy to
ignore as it stands. I'm obviously no lawyer, but this phrase sounds
like it's business as usual, and now legally sanctioned:

"An owner of an Internet website shall destroy, within a reasonable
period of time, any data containing personal information if the
information is no longer necessary for the purpose for which it was
collected or any other legitimate business purpose, or there are no
pending requests or orders for access to such information pursuant to
a court order."

Specifically, this part:
"if the information is no longer necessary for the purpose for which
it was collected"

Seems to me like if you state in your business plan, that you're
keeping data because you want to keep it, or something to that effect,
it would be within the letter of the law, and you'd be fine. "No
deletion necessary, the purpose for keeping data is to ensure you
have a history of a user's transactions and information for fraud
prevention, and to offer personalized services". Or make up some
other bullshit that basically states you're keeping everything
forever.


Mike

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

