April 11, 2008 at 8:00 AM ET
Have you ever wondered why companies that collect your personal information seem to keep it forever? The European Union is wondering too.
European privacy officials published an opinion last week (in PDF format) that could have far-reaching impacts on data hoarding, stating that search engines must delete consumer information within six months.
In humans, hoarding can be a sign of mental illness. Victims feel compelled to keep everything they have, and their homes end up crowded to the rafters with piles of papers, knickknacks and other personal effects kept indefinitely "just in case." I'll bet you know a hoarder.
Use that image to imagine what computer servers look like inside a 21st century company that collects personal information about you. Supermarkets, toll collection authorities, even retailers seem to be addicted to data, and can't seem to bring themselves to ever throw anything out. Exhibit A: TJ Maxx. When hackers broke into the clothing retailer's system last year, they found driver's license data that had been saved for five years!
The opinion published by the European Data Protection Working Party, a part of the European Commission, may change all that in Europe. It's at least a shot across the bow at data hoarding companies. While the opinion is specifically directed at search engines, it could open a wider debate over what the industry calls "data retention" policies.
Data should be kept "no longer than necessary," the report says. Then, it defines the time frame. "In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months."
What they know about you
Major search engines like Google, Yahoo and MSN can construct highly detailed profiles of users with seemingly innocuous information. A simple list of search queries, for example, is often enough to glean a Web surfer's location, tastes, habits, and sometimes their name. Even when users never log in and don't provide their name, their searches can be catalogued using their IP address. Because of that, the Privacy Working Group also said in its opinion that IP addresses should be considered personal information, and should be covered by data privacy laws.
Search engines have already cut the time they hang on to personal information to about 12 to 18 months, according to privacy consultant and former Microsoft Chief Privacy Officer Richard Purcell. Nevertheless, the Working Party opinion is a "big deal," he said. It's unclear when or if it will have the force of law – the Working Party has published an interpretation of the EU Data Privacy Act, but any attempt to enforce the opinion would certainly meet a spirited legal defense.
Still, to avoid potential conflict, the search engines may start deleting or "anonymizing" huge amounts of data. That could be costly and could also hurt efforts to provide targeted ads to Web surfers.
Marketing consultant Alan Chapell, who advises Web firms on data collection, said he's concerned that the search engine ruling is arbitrary and impractical.
"In a lot of respects this is an academic argument," he said. "I'm struggling with the question: Where's the harm?" Whether Google keeps search data 6 months, 9 months, or 12 months seems inconsequential to most people's privacy, he said.
Search engines are often at the center of Web privacy debates. The "Google Earth" project, which gives map browsers a chance to see recent photographs of areas around the world, has been under a microscope recently after a Pennsylvania couple sued over privacy concerns. A recent parody of Google's invasive behaviors became a YouTube phenomenon.
'We have it, we keep it'
At least the search engines are talking about privacy. Many other firms we interact with every day haven't even put the issue on the table. Supermarkets collect data about us when we thoughtlessly swipe our loyalty cards at checkout counters; electronic toll booths track our driving habits. Credit reporting agencies and other data collectors, like ChoicePoint, hoard information about us and hang on to it indefinitely.
"They all have a set policy, which is 'we have it, we keep it,'" Purcell, who runs Corporate Privacy Group, said. "That's wrong. ... If (they) don't have a demonstrable reason for keeping it, keeping it around just in case isn't good enough."
Alessandro Acquisti, a privacy expert at Carnegie Mellon University, said he's glad European authorities are trying to turn privacy protections into law. But he's concerned that U.S. firms won't feel the need to address the retention issue any time soon.
"I do think that data should only be kept for a known and limited amount of time," he said. "(But) my cynical view is that in the self-regulated American approach, corporations correctly realized that the issue of retention, while critical, may not be so 'visible' or clear to individuals, and therefore (they) could get away by doing away with limiting the length of data retention."
That's why it's high time we openly discussed "data expiration" in the United States. Companies have a terrible pack rat habit; they should delete our information when it's no longer necessary for them to keep it for the reason we gave it. It's reasonable that TJ Maxx collects driver's license data when customers return items in an attempt to combat fraud; but after six months, the fraud checking is over and the data should be erased.
No E-ZPass for me
I refuse to sign up for E-ZPass and other electronic toll tools, which costs me quite a bit of time waiting to give my money to human toll collectors. In some states, I am charged a 25 percent premium for my refusal. Friends tease me each time I sit at a long toll booth line and watch cars sail through the express lanes. I tell them I would happily sign up for E-ZPass and its ilk if I were assured that my car would be tracked only long enough for the toll road to take my money.
It's an obvious and reasonable rule we need to impose on entities that collect our information -- take only what you need, use it only for what you said, and keep it only as long as necessary. That's the rule the EU Data Privacy Working Group is trying to force upon search engines. It shows a decidedly different approach in Europe than the U.S. -- companies there that collect information and keep it longer than six months will have to "demonstrate comprehensively that it is strictly necessary."
It's time the rest of the Web, and in fact, all data collectors, were held to the same, reasonable standard.