Differing definitions of 'sensitive data'

There are certain bits of your online persona that you may not mind giving up to marketers. If you’re shopping for a new wardrobe, you might find an ad more useful because it’s targeted to your gender and age. But you wouldn’t want advertisers to know about your medical conditions, would you?

The definition of “sensitive data” — information that marketers need permission to obtain and use in their online campaigns — is one of the points of debate in the current push to regulate online advertising. In recent months, Congress has held hearings to explore how legislation could check the power of online marketers without strangling the industry.

Generally, sensitive data means information about children, financial, and medical records. But privacy advocates are insisting that any new laws detail the meaning of sensitive data, lest any loopholes be left open.

On July 2, industry groups including the American Association of Advertising Agencies, the Interactive Advertising Bureau and others proposed a set of guidelines for self-regulation. Representing Google, Microsoft, Yahoo, and other Internet publishers and advertisers, the document intends to stave off any new federal policy.

The industry proposed this definition of sensitive data:

The Principle calls for entities not to collect financial account numbers, Social Security numbers, pharmaceutical prescriptions, or medical records about specific individuals for Online Behavioral Advertising purposes without Consent.

Pam Dixon, executive director of the World Privacy Forum argues that definition is too broad. “That is quite literally the worst definition of sensitive data I have ever read in any privacy statement,” she says.

She suggests the definition address more specific ways advertisers could target individuals. She proposes this definition, drafted in 2007 in conjunction with other groups like the Center for Democracy and Technology and the Electronic Frontier Foundation:

Advertisers should not collect, use, disclose, or otherwise process personally identifiable information about health, financial activities, sexual behavior or sexual orientation, social security numbers, insurance numbers, or any government-issued ID numbers for targeting or marketing.

Should the government pursue regulation, it’s likely to turn to the Federal Trade Commission to negotiate a compromise definition. So far, that agency has stayed out of the matter — its Online Behavioral Advertising Principles, revised in February, take a pass at defining sensitive data altogether:

Sensitive data is not defined in this principle, presumably in anticipation of further self-regulatory work in this area.

What do you think? What types of information should be clearly marked hands-off to online advertisers?

Before it's here, it's on the Bloomberg Terminal.