top | item 15769819

(no title)

dnt404-1 | 8 years ago

Can one collect data without "personal data" by anonymizing those specific attributes (ip, phone number)?

Also, say, I want to collect data about the performance of the web application. Can that be collected, or does it require explicit consent as well?

discuss

hjnilsson|8 years ago

Yes. If the data cannot be tracked to one person, it is not regulated. So anonymous tracking cookies are still OK, but attaching it to an IP/name/phone number etc. is not.

etherealG|8 years ago

I don’t believe that’s true. “Anonymous” tracking cookies are still unique to the individual and such can easily contribute to identifying them, and so are included as personal.

e12e|8 years ago

Only if you can/do meaningfully anonymize the data. Eg, knowing the subnet of most/all Norwegian isps, it's trivial to recover ips that are simply hashed (probably even with salt), similarly Norwegian phone numbers are only eight digits, so any kind of deterministic mapping is likely to be too trivial to actually amount to anonymization.

Also rember that one of the goals is to avoid illicit linking - so being able to verify that ip n.n.n.n is the same as slow_hash(salt+other-ip) won't fly as "not storing".

In general, anonymizing data in sparse populations is tricky - where "small" can be quite large. Just imagine building a bitfield of variables like: sex,age +/-50;2 bits. Rough location (easily 6 bits), browser (2 bits), mobile? 1 bit - that's already 12 bits etc. See also NYC taxi dataset, eg (not the article I had in mind, but seems to cover similar points):

https://research.neustar.biz/2014/09/15/riding-with-the-star...