Recommendation from the Usage Log Retention Policy Workshop 

In the course of operation, web servers gather and store voluminous data about site visitors. In the typical default configuration, this includes the IP address, last page visited, and browser used, among other information. This log data is useful for security, improving usability, and marketing purposes, but contrary to the operating assumptions of many organizations, it typically includes personally identifiable information (PII), or information that can be used to generate PII. PII is governed by a complex set of state, federal, and European laws, and mismanagement of this information can result in potential civil liability or regulatory action by state or federal agencies.>This liability may arise from one of the many laws governing PII, or from inadvertent variance from stated privacy policies. For example, an organization subject to Family Educational Rights and Privacy Act may be inadvertently retaining or failing to safeguard PII that is an education record. At other times, an organizations privacy policy may incorrectly state that no PII is being collected. In addition, organizations concerned with healthcare, financial services, or educational records face additional requirements as a result of the Graham-Leach-Bliley Act, Health Information Portability and Accountability Act, and the Family Educational Rights and Privacy Act. These rules make it necessary for organizations to know what data they collect, and to manage it effectively. While simply turning off all logging features may be a reasonable option for some organizations, it is not an option for many, and those that choose to retain data need tools that can accurately describe what data is collected, and eliminate unwanted PII.

Because issues of data logging and retention are complex, and site operators generally wish to balance these needs, the following policy guidelines and the associated log management tool have been developed with help and advice of representatives from commercial, academic, and advocacy organizations at a meeting held at the Computers, Freedom, and Privacy Conference in New York City in April, 2003.

These guidelines have been informed by the Logging, Monitoring, and Privacy (LAMP) Project funded by the National Science Foundation (see, various fair information practice standards (e.g. that serve as the basis for European and U.S. regulation, as well as laws specifically applicable to usage logs.


To gain widespread adoption, usage log policies must provide substantial benefits to the organizations that implement them.Such benefits include complying with applicable laws and reducing legal exposure, improved security practices, and improved understanding of user behavior. To be effective, a usage log policy must describe:

  • what data is logged
  • how it will be managed
  • when it will be retained or destroyed
  • what is disclosed to site visitors

  • For organizations that wish to implement this policy quickly and simply, compliance may be achieved by ensuring that the final octet of logged IP addresses, and all form data (generally, everything after a ? in a URL), will be deleted or obscured within 30 days or other appropriate, stated, fixed time period. Organizations that are unable or unwilling to do this may implement their log retention policies using the framework described in the LAMP study(see, which defines three levels of logging based on the type and purpose of data gathered, and calls them Level I, Level II, and Level III. These roughly correspond to non-personally identifiable information, derivable PII,and personally identifiable information. Recommendations regarding the gathering, use, management, and disposal of this data are in the following table, which can be used as the basis for organizational log policies. Many of these recommendations have been incorporated into the design of the Electronic Frontier Foundation's log management tool, which allows administrators of Apache to automatically implement these recommendations. This tool also serves as a reference implementation for organizations that operate other types of web servers.


    Level I

    (No personally identifiable information)

    Level II

    (Derivable PII)

    Level III

    (Personally identifiable information)


    Level I data is gathered mainly to assist in design, or  network and systems management. 

    Level II data is used for network and systems management, as well as security.

    Level III data is mainly used for security, and for transaction systems.

    Data gathered

    Browser type

    Usage trails within the site

    Referring pages


    Time and date stamps


    Level II data may be combined with other information to create personally identifiable information.

    IP addresses

    User IDs

    Email addresses

    Form data



    Level III data is directly traceable to individuals.

    Management and access control


    Access controls should be applied to Level II data. 

    Access controls should be applied to Level III data.  Individuals with access do this data should have the authorizations necessary for access documented in their positions.



    Level II data may be scrubbed in various ways to reduce its sensitivity. For example, cookie data may be set to expire within a day.

    Level III data may be scrubbed in various ways to reduce its sensitivity. For example, IP addresses may be truncated. 

    Retention and disposal


    Level II data should be disposed of as soon as practically possible. 

    Level III data should be disposed of as soon as practically possible, e.g. 30 days after the period allowed for returns and exchanges has passed. 

    Labeling and disclosure


    Notice that Level II data is being gathered should be disclosed in a web site's privacy policy.

    Notice that Level III data is being gathered should be disclosed in a web site's privacy policy.

    Modifications to web server default settings


    Modifications to default settings are needed to enforce retention settings and access control.

    Modifications to default settings are needed to enforce retention settings and access control.