[IanCal]

This should be very familiar to people working with data in a lot of jurisdictions. I can speak to Europe but I think similar things exist elsewhere - data is less restricted in how and what you collect than it is how you use it. This makes a lot of sense, you should be able to have a basic record of ip addresses and access times for rate limiting, but that shouldn’t mean you can use it for advertising.

Similarly it seems reasonable that shops should be able to record for some purposes but not all.

[detaro]

I don't think "less restricted" is a good framing. How you are using it is the core, and you get to collect and store what's necessary for your legal uses, and use it for those uses. You don't get to have access logs because there is no restriction on logging IPs, you get them because you argue a justified use of them, and thus you can have them to use them for it (and not for anything else).

[IanCal]

I know what you mean but read this in context. You're less restricted in what you can collect compared to what you can do with it - any valid use case requiring video footage allows you to get video footage but that doesn't mean you can then do anything you want with it. The key is what are you using the data for.

And less restricted does not mean no restriction.

[pessimizer]

> This makes a lot of sense

I don't think it does, because it is completely unverifiable. It's like allowing people to buy drugs, but not to use them.

I'm not worried about people collecting IPs, I'm worried about people who collect IPs being able to send those IPs out and get them associated with names, and send those names out and be supplied with dossiers.

When they start putting collecting IPs in the same bag as the rest of this, it's because they're just trying to legitimize this entire process. Collecting dossiers becomes traffic shaping, and of course people should be allowed to traffic shape - you could be getting DDOSed by terrorists!

edit: I'm not sure this comment was quite clear - it's 1) the selling of private, incidentally collected information by service providers, and 2) the accumulation, buying, and selling of dossiers on normal people whom one has no business relationship that is the problem. IPs are just temporary identifiers, unless you can resolve them through what are essentially civilian intelligence organizations.

[tbrownaw]

Don't the industry-imposed rules for handling credit cards work that way (restricting use of data you already have) though?

Like, I thought a big part of why some stores do loyalty cards is because they enable tracking things that they'd get their credit card privileges revoked if they tracked that way.

[pessimizer]

Retaining credit card numbers is problematic in and of itself. Then you're just operating a skimmer.

[Retric]

Having someone else pick up (IE buy) your prescription is legal and commonplace for obvious reasons. https://legalclarity.org/can-someone-else-pick-up-my-prescri...

Thus I’m regularly allowed to buy drugs I’m not legally allowed to use. “Using a prescription medication that was not prescribed to you is illegal under both federal and state laws.” https://legalclarity.org/is-it-illegal-to-use-someone-elses-...

[geoduck14]

>It's like allowing people to buy drugs, but not to use them.

Well, since you mention it: I have prescription drugs that I am allowed to buy, but I am NOT allowed to abuse them. I must take exactly 1 each day.

[IanCal]

> 1) the selling of private, incidentally collected information by service providers, and 2) the accumulation, buying, and selling of dossiers on normal people whom one has no business relationship that is the problem.

But this is exactly what is covered - incidentally collected information cannot be used for other purposes. That's rather the point - you must collect things for a specific use case and you can't use it without permission for other cases.

> I don't think it does, because it is completely unverifiable.

It's no less verifiable than "don't collect the data", and hiding it requires increasingly larger conspiracies the larger organisation you are looking at. People are capable of committing crimes though, sure.

[consp]

You forget store. This depends a lot on the type of data. Duration, specific laws related to it and protection are very different for randomised numbers vs medical as an example.