It would be great to see such reasonable restrictions put on US operations, but I doubt we ever will. The first (and only) authorization for private concerns to collect and maintain data was credit reporting, which was (and is iirc) limited to credit relationships. In recent years, as credit reports have been used for everything else, this distinction has blurred. I am willing to bet that we will never see these restrictions since it allows large volumes of data to be collected, which can then be selectivly requested by government agencys when they see the need. From this twisted logic, it makes sense to retain the data since one never can tell what records might show the next terror cell (an attempt to show justification that I dont personally believe but).

Hear hear, go EU, go EU!

In the Netherlands, any entity collecting personal information is subject to the privacy watch dog (CBP), that is pretty particular and has very good rules on what a company can keep and what not.

Now you can whine about evil government regulation, but the fact is that ID theft *does not exist* in the Netherlands (except for "re-use" of stolen ID documents such as passports and driver's licenses).

It's about time someone realized that this data hoarding is dangerous to say the least.
We pay for a service to be provided to us, not the other way around, I hope that the EU goes further and makes it a serious criminal offense to hoard data and attaches severe civil liability laws as well.

The European Data Protection Working Party is not addressing the most important point - consent. The amount of time that data is retained a minor point compared to the fact the average person has no clue about which enities are collecting their personal data. After individuals can only opt-in to data collection, can the consumer vote by asking colloectors about their controls and safeguards and refuse to do business when the polices - including retention periods are unreasonable. Only when adequate data safeguards become a competitive advatage will the public see improvement.

Finally! I have been arguing with the powers that be at my company on this point for years.

Yes. In general, I agree. But there is one concern about deleting information after an expiration period that deserves at least a bit of thought. Take the T.J.Maxx breach as an example. This breach went on for quite a while. If they had deleted their data after, say 90 days, it would have been impossible to discover which accounts may have been affected because record of those accounts would be gone from their records. While I agree they held onto much too much data for much too long, this did make it possible to contain the risk after the fact. What would have been done if that data was in the hands of the bad guys, but the good guys couldn't obtain it. Re-issue every credit and debit card in the country? I don't know that aswer here, but it seems a question worth considering.

Geez, why can't these proposed "data purging" rules apply to credit bureaus too!!!

They keep that late payment you made 8 years ago to a credit card for 7 - 10 years!!!

I had an employer go back in my financial history to 1984!!!!!!

Stuff I did WAAAAY back in the 80's was still haunting me. It would be nice to have that purged every six months...

I don't get it - what good is old information to thiefs? Credit card info from five years ago???

I am concerned about the fabric of our nations heritage at this time. I hope we a fulfilled in our prayers, and reconciled, as we move forward to face our own truth.

EZ-Pass data is already being (ab)used by employers to penalize their employees; by states to send out speeding tickets; and by the FBI to track the movements of private citizens they have no right to otherwise surveil.

Since we now have a Communist Congress, if one of the three Communists now campaigning for President gets into the White House, there will be literally not one single thing standing between Americans and a Totalitarian Communist police state except possibly the Supreme Court, and my guess is they'll cave pretty fast if they want to keep their cushy jobs.

Data Retention Bad. Laws preventing Data Retention Good. End of discussion.

It is insane the amount of data collected about/on individuals. OPT Outs are are used as an excuse to justify corporate retention of information. Why do corps have the right to keep this info unless we opt out? It should be an opt IN.

re: Florence, KY - In general you give permission to a company your doing business with to collect the data. If you don't like it, then don't do business with them. Any "average person" knows that.

What I don't get is that the local grocery stores use the loyalty cards and state that they won't use the data to send junk ads, or sell the info to someone else. If that is the case why would they need it? I accepted the cards but never filled out the information and submit it so it is basically blank but I still get the discounts.

Simply do not put your credit card info on the computer if you do not want it hoarded or abused. Do not put any personal info on the computer unless you are ready to risk getting robbed! I never have and never will!

I agree with the person above me to some extent. people should refrain entirely from putting credit card information on the internet or any other valuable source of information. the internet is accessed by billions of people around the world. even when the site says that your information will never be shared it can still be accessed by many other people. for example, many sites have what is called a backdoor. im sure you've heard the term before. a backdoor is another entrance into the site but this entrance allows whoever is entering to access all the files stored in the sites bank. unless of course they have it stored in a seperate hard drive. but even then u can find enough information to access that drive too. i know a lot about computers and breaking into them for fun, and i suggest that the companies stop saving this information for so long, or at least try harder to make it inaccessible.

search engines should be PROHIBITED from using IP addresses AT ALL to collect info on users' searches.. they have no need or reason for doing this.. except if they want to make money w/our info that is.. for this reason they should simply NOT BE ALLOWED to collect any info at all on users' searches..

In most cases the reason for keeping all that data is not for some sinister purpose. The trivial truth - it costs money to put a good data management procedures and software in place and usually this is the place the companies look for quick savings. They will not spend any money for the software people to go beyond basic functionality and the answer about what to do with the accumulation of the data is usually: "We will worry about it, when it becomes a problem."

Well, with modern database systems being good with fast access and processing of large data sets and 500GB hard drives to boot it may not become a problem for many, many years.

I don't understand business' compulsive need to obtain and retain personal information. I tried to open a safety deposit box at a bank where I have done business for over 20 years. They demand a credit report...for what? They said it was a Homeland Security requirement but it seems a little excessive (and assinine) to me. Having a credit history doesn't prove/disprove anything. It's our information, why can't we be in charge of who gets information (and what information) and how long they can keep it? It seems to me that we have no control over our own personal information so why call it 'personal information'?

how many of you posted 'real' information just to give your opinion and therefor were put on another list? oh and by the way, they said they will keep it private. Any one have any info on google people? I mean if they need OUR info to do business with us, why don't we need their info to do business with them?

Ha-a! Ha! This blog's administrator says He's going to keep our information private. Honourable Blog administrator, did you really read these comments above? I don't think so. Anyway, You guys are freeking me out of cybernetics with these types of comments. Being in a third world country has its interesting challenges. I'm awed by your topic, its contents and responses from other readers. Woe be unto us in the third world, we stand no chance at all in this game. But its good to learn from your guys already in the first world?

Any website that requires you to give personal information - lie. Supermarket loyalty cards - lie. EZ pass - don't use it or at least not all the time. Computer cookies - don't accept them or make sure you delete them often. It isn't the most convenient way to go but it beats letting everyone know everything about you.

Its funny how the government "of the people, by the people, for the people" isn't listening to the people it represents wishes. More like of the corporation, by the corporation, for the corporation

Yes the TJ max issue seems to lead us to think retention could help when there are security breaches, however, fixing after 5 years of data is breached is a lot bigger fix than a 90 day amount of data. People know where they shop, so it would mean being open to the public if your records have been compromised if you had already deleted them - So I must lean towards the lesser of 2 evils.

Who cares about an EZ pass system? That fancy telephone in your picket broadcasts your location 24/7... that is if you leave the battery attached.

The internet is a public network. Get over it.

Everyone of US are locked inside a million-bazillion databases already if you count all the backup tapes; A billion miles of magnetic tape degrading as we speak.

It's not going to get any better, at least any time soon. Just try to keep an eye on things.

I think we should all go home and watch some television and forget all about this important informative article. :)

_Mike
Kansas

US Businesses are required to retain data on business transactions for a number of years - there are both federal and state laws that affect how long data is to to be held. In texas, it's 3 years, in federal cases its effectively 7 years. You delete that data and you will loose tort cases by default.

The EU is doing something that the US should have done 20 years ago. Retaining information and ISP sites speaks loudly of citizen oversight. Our country promised "freedom" not surveillance overtones from a regime existence. US corporations and their databases have stretched beyond the natural limits of public domain acceptance.

Who are you kidding? This isn't going to change here in Amerika the Corpocracy, home of the fee & land of the slave. Not until the sheeple take up arms & revolt (aka; no time soon.)