Tuesday I wrote this post about Microsoft's decision to "avert" future EU regulation of search data retention by voluntarily agreeing to eliminate user data after six months. I noted that Google and Yahoo were not yet ready to make the same change. Wednesday, I received an e-mail from Yahoo spokesperson Amber Allman containing Yahoo's search data-retention policy.
Yahoo is extremely proud of [its] Data Anonymization Policy which has received wide support and affirms our commitment to help protect our users' privacy. Yahoo's policy both dramatically reduces the time we hold personal data and increases the scope of log data covered under the policy. Under the policy, Yahoo will anonymize user log data, including deletion of total IP address, after 90 days with limited exceptions to fight fraud, secure systems and meet legal obligations.
If I'm reading that correctly, Yahoo now keeps IP addresses for only half the time that Microsoft does, and it seems as if Yahoo wants its policy to be declared the "best" for protecting user privacy. However, I'm not in a position to make that call. The remaining details of each company's policy are unclear. How, for instance, does Yahoo anonymize user log data? In what form and why does Microsoft maintain cookies and session identifiers? If a company has enough "pieces" of a user's information, it seems those pieces could eventually lead to the user.
But maybe that's beside the point in this instance as long as EU regulators are satisfied with the changes.