FYI..
Brooks’ take on the PII association issue..
-Jay-
From: Dobbs, Brooks [mailto:bdobbs@...]
Sent: Wednesday, June 07, 2006 5:32 AM
To: Jay McCarthy
Cc: Dobbs, Brooks
Subject: RE: Notice for PII association
My thoughts on this are that there is no sense in "fighting city hall" and that we already have extremely clear guidance on what it takes to allow this connection from a number of sources: NAI Principles, EU Data Directive and EC Directive.
IMHO it all comes down to...
Before you can map previously anonymous
click-stream data with identified data (a unique number allowing you to
identify an individual data subject) that:
1) data subject is given clear and understandable
notice of data to be associated, how data will be used and with whom it will be
shared
2) data subject provides opt-in consent
I think that there are two one-off
scenarios here...
1) PII is collected and THEN linked to a cookie (where previously no cookie had existed before)
- here NAI and EU guidance diverges slightly as to if opt-in is needed, but both are clear about the notice requirements
2) Connection of PII is part of the "primary purpose" of the transaction (e.g. shopping cart)
- again here NAI and EU may diverge slightly, with potentially EU allowing without opt-in but NAI requiring opt-in.
In the end this may all be splitting hairs
because under either standard (or even the FTC act) adequate notice would
include all non-obvious uses of the data. For instance if the association
of an identifier to the cookie is used to recognize the individual on another
site, that would need to be disclosed - particularly in an environment where
such recognition is likely disclaimed in the privacy policy of the 3rd party
web site.
Basically nothing new under the sun.
If you want to link PII to a cookie, you need to disclose it clearly (at time
of collection - not privacy policy) and seek consent of the data subject.
-Brooks
From: Jay McCarthy [mailto:jmccarthy@...]
Sent: Tuesday, June 06, 2006 7:04 PM
To: Dobbs, Brooks
Subject: Notice for PII association
Hi Brooks,
Further to our ongoing discussions about PII collection and
association. I’d like to address this issue within the WAA membership and
propose a standard for notice and choice in the case where one of our customers
is associating PII with the identifiers sent to service providers.
We (WSSI) already have some language in our contracts but I
would like to address this with the other vendors in the WAA. Do you have any
material or proposed contract language that I could see as a basis for this?
I’d like to be in sync with what you are doing so that our efforts are
consistent.
-Jay-
Jay McCarthy
Office: (858) 546.0040 ext.366 skype: jmccarthy_wss
WebSideStory - On-Demand Web Analytics
