My company has built a social networking app that is growing very, very quickly. We have a LOT of data. We're trying to figure out what makes sense to keep - 30 days? 90 days? This is a mostly-anonymous social network so the idea of anonymity is important. Would less than 30 days be OK? Is there a legal guideline here? (i can't find one) In the absence of legal framework, what are best practices?
I say idea of anonymity because we don't prevent you from using personally identifiable information - but you're free to make up a username (or change it later) and the app doesn't show your exact location, IP address, guid, etc.
"I say idea of anonymity because we don't prevent you from using personally identifiable information - but you're free to make up a username (or change it later) and the app doesn't show your exact location, IP address, guid, etc."
I think you should change any mention of anonymity to pseudonimity in order to eliminate any misconceptions.
Try to make the data anonymous when possible (remove from log file all potential personnal data, not needed by your data process). If usernames are kept and can contain personnal data, if you don't need these data, remove them from log file.
Log only valuable data you need and only for the amout of time you need them.
> Is there any guideline here ?
In Europe, you have the obligation to retain all informations needed to identify the owner of an online publication.
"This Directive aims to harmonise Member States’ provisions
concerning the obligations of the providers of publicly available
electronic communications services or of public communications
networks with respect to the retention of certain data which are
generated or processed by them, in order to ensure that the data
are available for the purpose of the investigation, detection and
prosecution of serious crime, as defined by each Member State in
its national law." - Directive 2006/24/EC - http://bit.ly/HxZcW
If you are based in Europe, you must refer to your national law for more informations.