Spend some of that cash on EU privacy researcher / legal and get the site compliant. One trip out on the wrong person and legal takedown really likely.
This is from a May 2014 EU opinion on anonymization techniques like hashes. The determinant of whether the anonymized data (in the case of Fraud Record, the "hash" that is stored in the database) is considered personally identifiable information is the following:
(i) is it still possible to single out an individual,
(ii)is it still possible to link records relating to an individual, and
(iii) can information be inferred concerning an individual?
The answer to all 3 of those questions is a definitive yes where FraudRecord is concerned because all anyone has to do is a plain text search on the hashed data in the database and all 3 of those criteria are met.
TL;DR: EU hosts who transmit PII (the hashed data) to FR are most probably not compliant with EU data protection laws...especially the majority who fail to even state on their privacy policies that they transmit data to FR. .
ISO29001 says basically the same thing the EU opinion said: in order for anonymized data like a hash to be considered truly anonymous and not PII it must be anonymized in a way that it can't be traced back to a single individual (an example of true anonymized data would be aggregated traffic data that is collected from multiple people but can't be traced back to an individual).
anonymisation is also defined in international standards such as the ISO 29100 one being the “Process by which personally identifiable information (PII) is irreversibly altered in such a way that a PII principal can no longer be identified directly or indirectly, either by the PII controller alone or in collaboration with any other party” (ISO 29100:2011)
FraudRecord's use of hashes also fails the ISO29001 standard because the hashed data in the database is used to single out an individual and bring up a report on them whenever any Tom, Dork, or Harry runs a plain text search.
TRUSTe's opinion that hashes when used like FR uses them constitute PII is based on the same concepts as the EU opinion and ISO290001:2011 standard.
For tomorrow's lesson: why it is a violation of credit card industry rules to allow hosts to submit to FraudRecord (
which isn't even a legal entity so legally they are submitting the customer's info to Harzem Y), and other to search on, the following two data fields:
ccname Name on credit card ccnumber Credit card number.
