Home Data-Driven Thinking The Expanding Definition Of PII
OPINION: Data-Driven Thinking

The Expanding Definition Of PII

By AdExchanger

SHARE:

carlaholtzeData-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Carla Holtze, CEO and co-founder of Parrable.

What does personally identifiable really mean? For as long as I can remember, personally identifiable information (PII) basically meant email address, telephone number and postal address.

Everyone in the advertising technology world built their platforms based on the notion that PII was essentially radioactive. Until recently, an ad tech platform could consider itself a long way toward the goal of being privacy safe by simply keeping PII off of its platform.

That is, until regulators and policymakers began taking a broad view of PII.

For the past several years, privacy professionals in the digital media space have feared that the definition of personally identifiable would expand to include IP address, cookie ID and mobile ad IDs, such as Apple’s IDFA. Unfortunately, such fears are being confirmed in several places.

For example, the European Union just ratified its new General Data Privacy Regulation that specifically defines pseudonymous identifiers such as an IP address as personal data. And in the US, the Federal Communications Commission’s recent notice of rulemaking takes a similarly broad definition of PII.

I also participated in a recent event where a senior official at the Federal Trade Commission (FTC) took the stage to explain that it too had gradually moved toward a broad definition of personally identifiable.

Moving The Goal Posts

Maybe we need to rethink privacy standards, as many of them were written a long time ago.

The Network Advertising Initiative Code was created 16 years ago over fears of ad tech companies merging personally identifiable information with ad-serving information. At the time, the NAI Code was applauded by the FTC.

But if the FTC and others are now changing their tune, and if all information collected is now considered personally identifiable, how does a good ad tech platform comply with the NAI Code? And perhaps more importantly, is there still an incentive for ad tech companies not to collect email addresses and telephone numbers?

Some of my industry colleagues have suggested that ad tech might as well start collecting everything – maybe even Social Security numbers. I respectfully disagree.

There are privacy-enhancing benefits to limiting ad tech to pseudonymous information.

Why are certain pseudonymous identifiers considered personally identifiable? If we can better understand the rationale for declaring certain data points as PII, perhaps we can find a solution that addresses those concerns.

EU And IP Addresses

The EU started down this path a few years ago when the Article 29 Working Party opined that IP addresses should be considered personal data. The Article 29 Working Party is an influential group of EU data protection regulators that advise the EU Commission.

Their analysis may be summarized as follows: Some IP addresses may be used by some companies, such as Internet service providers, as personal data. In other words, an Internet service provider may know that a particular IP address corresponds to a particular subscriber account number. Thus, an IP address should also be considered personal data to anyone because anyone could theoretically get to the physical address with the help of the Internet service provider.

Following the logic, one can make the same argument about the mobile operating system advertising IDs. If IDFA #123 corresponds in Apple’s systems to bill@hotmail.com, anyone theoretically could get to bill@hotmail.com via IDFA #123 with the help of Apple.

To their credit, Apple and Internet service providers have demonstrated that they are unwilling to assist companies to re-identify subscribers. But no matter, the fact that they might be able to facilitate re-identification seems to be enough.

Are All IDs The Same?

So does that mean that any pseudonymous identifier has to be treated like personal data? Maybe not. If one could use a cookie ID that wasn’t connected to an IP address, that might be viewed as more privacy-safe because it would be impossible – not just improbable – for the cookie ID to be used to identify someone.

There are a few things that might help ad tech companies continue to provide ad delivery and reporting in a pseudonymous way without regulators jumping to claim that the collected information is PII. First, identifiers should be resettable by the user, which is an area where Apple and Google have led the way. Second, identifiers should not be linked to personally identifiable information without user consent.

These steps are crucial for any ad tech company that seeks to stay out of the PII world. Hopefully, regulators and policymakers will agree. The alternative seems downright, well, Orwellian.

Follow Parrable (@Parrable) and AdExchanger (@adexchanger) on Twitter.

Tagged in:

Must Read

Comic: Causal Meets Casual
Measurement

Jones Road Beauty Is Using A New Type Of MMM To Reset Its Media Measurement

Inside how Jones Road Beauty is trying to turn messy, conflicting measurement signals into a single testing roadmap for its media mix.

Comic: America's Mext Top AI Model
Data Privacy Roundup

AI Is Moving Fast. The Law, Not So Much

IAPP’s Global Summit in DC was a reminder that AI is moving fast – and judges, privacy lawyers and practitioner are racing to keep up.

Programmatic

CIMM Is Out To Prove That All Media Isn’t Equal

An upcoming paper from CIMM doesn’t just demonstrate that differences in media quality can be measured. It also argues that tying media value to short-term outcomes has perpetuated longstanding industry challenges.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Platforms

TikTok On Why Brands Can’t Buy Its New Ad Formats Programmatically

Not unlike last year, the mood during TikTok’s NewFronts presentation last week felt like cautious optimism, if not outright relief.

Platforms

Meta’s NewFronts Message To Advertisers: Embrace The Noise

Can a good sales presentation offset the impact of a very bad news week? That’s a question for Meta, which collected two guilty verdicts in court this week for failing to protect children and creating additive products.

Marketers

AI Helps Manscaped Trim Social Chatter Down To The Bare Essentials

Meet Clamor, a new social listening product that pulls cultural insights from online conversations in real time. Clamor helped Manscaped freshen up its marketing, including for this year’s Super Bowl.

Popular

  1. Programmatic

    CIMM Is Out To Prove That All Media Isn’t Equal

    An upcoming paper from CIMM doesn’t just demonstrate that differences in media quality can be measured. It also argues that tying media value to short-term outcomes has perpetuated longstanding industry challenges.

  2. Platforms

    TikTok On Why Brands Can’t Buy Its New Ad Formats Programmatically

    Not unlike last year, the mood during TikTok’s NewFronts presentation last week felt like cautious optimism, if not outright relief.

  3. AI

    The Agentic Marketplace Is Here. Where Does That Leave DSPs and SSPs?

    Swivel and Olyzon’s new partnership brings buy-side and sell-side agents together as early examples of an agentic marketplace.

  4. Comic: In The Media Mix
    AI

    Basis Wants To Help Marketers Bring Agentic AI Into Media Planning

    A new solution from Basis puts campaign planning into the (figurative) hands of AI agents. But it’s just a starting point.

  5. Comic: Causal Meets Casual
    Measurement

    Jones Road Beauty Is Using A New Type Of MMM To Reset Its Media Measurement

    Inside how Jones Road Beauty is trying to turn messy, conflicting measurement signals into a single testing roadmap for its media mix.