Douglas MacMillan blogs about the definition of “sensitive data” over on BusinessWeek. As pointed out previously, at least some privacy advocates have noted that the online behavioral advertising industry’s proposal for self-regulation does not go far enough in defining which types of information would not be collected and used.
The definition in the self-regulatory program is:
The Principle calls for entities not to collect financial account numbers, Social Security numbers, pharmaceutical prescriptions, or medical records about specific individuals for Online Behavioral Advertising purposes without Consent.
MacMillan quotes Pam Dixon of the World Privacy Forum as saying:
“That is quite literally the worst definition of sensitive data I have ever read in any privacy statement.”
What do you think of the definition that a coalition of privacy groups offered in 2007:
Advertisers should not collect, use, disclose, or otherwise process personally identifiable information about health, financial activities, sexual behavior or sexual orientation, social security numbers, insurance numbers, or any government-issued ID numbers for targeting or marketing.
Also notice the use of “or” in the above definition. As Ryan Calo highlighted, the proposed guidelines talk about “collect and use” instead of “collect or use,” and that is a huge difference.