OASIS Mailing List Archives

pmrm message



Subject: RE: [pmrm] Groups - Privacy Policy Must-Haves (Strawman PrivacyPolicy Template.doc) uploaded


Actually the recent California ruling was very narrow. It upheld a 1971 law on credit cards, specifically a provision (Civil Code sec. 1747.08) limiting the collection of personal information by merchants accepting payment by credit card for a consumer purchase (for personal, family or household use). The Court held that zip codes met the definition of personal information for the purpose of this provision (only).

 

b) For purposes of this section "personal identification information," means information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number.

 

Joanne McNabb, CIPP, CIPP/G, CIPP/IT
Chief
California Office of Privacy Protection
915 Capitol Mall, Suite 200
Sacramento, CA 95814
Phone: 916-651-1057
Fax: 916-653-3815
joanne.mcnabb@scsa.ca.gov
www.privacy.ca.gov

 


 

 

 

-----Original Message-----
From: Alterman, Peter (NIH/CIT) [E] [mailto:altermap@mail.nih.gov]
Sent: Monday, March 21, 2011 7:22 AM
To: pmrm@lists.oasis-open.org
Subject: RE: [pmrm] Groups - Privacy Policy Must-Haves (Strawman Privacy Policy Template.doc) uploaded

 

Thanks for that reminder, Susan.  Seems to me the stickiest part of defining PII is the disjointed legal and judicial hodgepodge of definitions.  As an example, just a couple of weeks ago a judge in California ruled that zip codes are PII.  Probably the second stickiest part is the 'aggregation of data' issue.  I think in the end we're going to need lawyers.

 

-----Original Message-----
From: Susan Landau [mailto:susan.landau@privacyink.org]
Sent: Sunday, March 20, 2011 12:19 PM
To: pmrm@lists.oasis-open.org
Subject: Re: [pmrm] Groups - Privacy Policy Must-Haves (Strawman Privacy Policy Template.doc) uploaded

 

On 3/18/11 1:53 PM, peter.alterman@nih.gov wrote:

> The document named Privacy Policy Must-Haves (Strawman Privacy Policy
> Template.doc) has been submitted by Dr. Peter Alterman to the OASIS Privacy
> Management Reference Model (PMRM) TC document repository.
>
> Document Description:
> This one-pager is my attempt to summarize the considerations any privacy
> policy must address.  Would love comments, additions, revisions, etc., on
> this.

What you have seems reasonable, with one caveat. One problem I have --- and this is a problem of the field, not the document --- is that PII is really undefined. In particular, it is increasingly possible to take minimal sets of data from two networks and combine them to deidentify users. Thus the set of PII seems to increase. I don't know how you want to handle this, but it seems to me that this is an important aspect of any Privacy Policy statement.

 

Susan

 


 

CA Sup Court on Zip-CC 1747.08.pdf


