“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Gary Kibel, a partner in the technology, digital media and privacy practice group at Davis & Gilbert.
Are you a data broker?
This is not the title of a Dr. Seuss book. It’s a critical question that all participants in the ad tech industry should ask themselves these days.
Last week, the Federal Trade Commission (FTC) issued its long-awaited report on data brokers called “Data Brokers – A Call for Transparency and Accountability.” In the report, the FTC criticized the fundamental lack of transparency in the industry and called upon Congress to enact new legislation. All data brokers should take note.
When regulators and legislators mention the term “data brokers,” many in the ad tech ecosystem shrug their shoulders and assume that that they are not data brokers since personally identifiable information of consumers is not used to trigger their retargeting methods and is not included in behavioral segments. It’s common to hear a company say they don’t know who the individual consumer is or they don’t have the consumer’s personal information. The comfort in that approach is rapidly eroding.
While the ad tech industry has been humming along with the belief that it only uses anonymous data, regulators and legislators have steadily and deliberately expanded the definition of personal information in recent years. As a result, many ad tech companies are sitting on vast amounts of personal information and are the very data brokers about which the FTC is concerned. In its report, the FTC stated that data brokers are “companies that collect consumers’ personal information and resell or share that information with others.” Therefore, the definition of personal information – and there are many – is the key driver that categorizes a company as a data broker.
Expanding Definition
Most FTC privacy consent orders these days include “persistent identifiers” as part of the definition of personal information. The Children’s Online Privacy Protection Act, which regulates the collection of personal information online from children under 13, was updated in 2013. Among the many changes was the expansion of the definition of personal information to include any “persistent identifier that can be used to recognize a user over time and across different websites or online services.” That sounds like a tracking cookie or other device ID.
As a result, ad tech providers had to change their practices to avoid retargeting users under 13 through cookie-based and similar technologies, since those could be deemed to be persistent identifiers and therefore could only be collected and used with the consent of the child’s parent or guardian. The recently proposed Data Broker Accountability and Transparency Act in Congress wades into this debate as well. And let’s not even get started on issues arising from the office of California’s attorney general. The point is, there is a sea change in thinking about what constitutes personal information.
The Transparency Challenge
Transparency is one of the major themes of the FTC report, along with accountability and consumer access. However, transparency is not a universally accepted concept in the ad tech industry where blind networks are common and preventing business partners and competitors from pulling back the curtain on data practices is a strategic decision.
Consider if all the restrictions and obligations that generally attach to what has historically been viewed as personally identifiable information were to apply to data in the ad tech space. Google, recently and reluctantly, enacted a system for EU residents to file requests for the removal of links to unfavorable content in order to comply with the EU Court of Justice ruling forcing Google to comply with the “right to be forgotten.”
Imagine if a DMP were required by law, and not just as a consumer-friendly practice, to set up a system that enabled every consumer to review, modify, remove or otherwise influence the use of their cookie data. It could radically change how some ad tech companies conduct business.
The ad tech industry had better pay close attention to how data brokers are defined and treated because these conversations will very likely impact how the industry conducts business in the future.
So the next time you hear someone mention the term data broker, the response should be: “You talking to me?”
Follow Gary Kibel (@GaryKibel_law), Davis & Gilbert LLP (@dglaw) and AdExchanger (@adexchanger) on Twitter.
