<columbo>I just wanna ask one more question.</columbo>
Let's say I own two domains: veryniceresearch.com and actauallysprained.net
I'm saying that because I own both of those. Nothing is hosted at the moment. But whatever. Don't bother either clicking or DDoS-ing. They are both empty right now.
Let's say I own both of those, and I have completely different web apps hosted on each of them and they both do completely different things. Let's say that veryniceresearch.com hosts a company site, and actuallysprained.net hosts my personal blog. And they both have completely unconnected database servers.
Any time someone goes to either site, I capture everything I can about the visitor. IP address, whatever else the browser is willing to tell me. I capture all of that on both websites. I use that information to make a guess about which visitors to each website are the same person.
I'm hearing from Captain Ridiculous that this is illegal. Because <reasons>. Because PII. Because of all that stuff.
Does anyone really think this is illegal? No. No one thinks this is currently illegal. There are probably people who think it should be illegal. Great. Make it illegal. But it isn't currently illegal.
Are there legitimate reasons to do this? I think the answer is yes. I want to know how many people are reading my blog and subsequently going to my business page. Or vice versa. That's a meaningful metric.
Over time it's far more important to know these kinds of metrics because direct referrals don't tell the whole story. Where did this specific hit on one of my sites come from is good to know. But it isn't the only thing I need to know.
I need to know if you visited my site 10 or 100 times before you started reading my blog. I need to know if you read my blog a thousand times before you signed up.
This is what's going on in cross-domain tracking. We are not looking at you as an individual. We are looking for aggregate data that tells us a story about how people are using interconnected websites.
That use of ip addresses is absolutely not prohibited by law. Not by PII law, not by any other kind of law.
And before someone chimes in and says, "No, you do not need to know that." Umm, fuck you. I run a business (a hypothetical one). Is your face or your presence at a physical store PII that I can't use? Am I allowed to video tape everyone who comes into my store? Am I capturing PII by doing that?
Yes. I am capturing that in a physical way. I am claiming PII every time you come into my Condom Sense, and I'm capturing it whether or not you buy anything.
You come into my web store, and yes, I will get everything I can about you. For all the same and good reasons.
At a very basic and, I think non-objectionable level, this kind of thing is okay in just the same way that it's okay to have video surveillance in physical stores.
PII all around. How it is used is what's important.