On Tue, 14 Feb 2006, Hyunseog Ryu wrote:
> I guess the question is how to read the word "legitimate". ^.^ I guess the bill was written with privacy concerns in mind. But there are also some requirements from the security/law-enforcement viewpoint. I received a request from law enforcement about the actual user of an IP address from 3 years ago or older. Without all the log info, how can I tell?
In the context of the legislation in question, if the user is still a current customer, you have a legitimate business use for the data. If the user was no longer a customer, I would surmise that you should have purged it, as you would no longer have a need for that user's personal data.
> I'm really curious whether this was a kind of post-action to the cell-phone use log business such as locatecell.com or something like that.
An exploration of the side effects would be interesting. I think it'll provide a legal cudgel for mailing lists and opt-in tracking, as well as ensuring that your information is purged when/if you opt-out. It may also have dampening effects on the sale/trade of personal information, as it would now be questionably criminal to possess the personally identifying information of a person you have engaged in zero business with.
From the text of the bill, there are some pretty loose points that'll give lawyers a lot of vine to swing from, including the definition of 'legitimate business practice'. Associating all of it to 'Internet website', as defined, is another loophole waiting to happen.
I think the single best element of the bill is the declaration that consumers have an ownership interest in their personal information. Ownership implies control, and by extension, some amount of control in who gets to have it. I'd like to see what happens when the final bill is mated with US Federal CAN-SPAM law.

- billn