
The Expanding Definition Of PII


“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Carla Holtze, CEO and co-founder of Parrable.

What does personally identifiable really mean? For as long as I can remember, personally identifiable information (PII) basically meant email address, telephone number and postal address.

Everyone in the advertising technology world built their platforms based on the notion that PII was essentially radioactive. Until recently, an ad tech platform could consider itself a long way toward the goal of being privacy safe by simply keeping PII off of its platform.

That is, until regulators and policymakers began taking a broad view of PII.

For the past several years, privacy professionals in the digital media space have feared that the definition of personally identifiable would expand to include IP address, cookie ID and mobile ad IDs, such as Apple’s IDFA. Unfortunately, such fears are being confirmed in several places.

For example, the European Union just ratified its new General Data Privacy Regulation that specifically defines pseudonymous identifiers such as an IP address as personal data. And in the US, the Federal Communications Commission’s recent notice of rulemaking takes a similarly broad definition of PII.

I also participated in a recent event where a senior official at the Federal Trade Commission (FTC) took the stage to explain that it too had gradually moved toward a broad definition of personally identifiable.

Moving The Goal Posts

Maybe we need to rethink privacy standards, as many of them were written a long time ago.

The Network Advertising Initiative Code was created 16 years ago over fears of ad tech companies merging personally identifiable information with ad-serving information. At the time, the NAI Code was applauded by the FTC.

But if the FTC and others are now changing their tune, and if all information collected is now considered personally identifiable, how does a good ad tech platform comply with the NAI Code? And perhaps more importantly, is there still an incentive for ad tech companies not to collect email addresses and telephone numbers?

Some of my industry colleagues have suggested that ad tech might as well start collecting everything – maybe even Social Security numbers. I respectfully disagree.

There are privacy-enhancing benefits to limiting ad tech to pseudonymous information.

Why are certain pseudonymous identifiers considered personally identifiable? If we can better understand the rationale for declaring certain data points as PII, perhaps we can find a solution that addresses those concerns.

EU And IP Addresses

The EU started down this path a few years ago when the Article 29 Working Party opined that IP addresses should be considered personal data. The Article 29 Working Party is an influential group of EU data protection regulators that advise the EU Commission.

Their analysis may be summarized as follows: Some IP addresses may be used by some companies, such as Internet service providers, as personal data. In other words, an Internet service provider may know that a particular IP address corresponds to a particular subscriber account number. Thus, an IP address should also be considered personal data to anyone because anyone could theoretically get to the physical address with the help of the Internet service provider.

Following the logic, one can make the same argument about the mobile operating system advertising IDs. If IDFA #123 corresponds in Apple’s systems to bill@hotmail.com, anyone theoretically could get to bill@hotmail.com via IDFA #123 with the help of Apple.

To their credit, Apple and Internet service providers have demonstrated that they are unwilling to assist companies to re-identify subscribers. But no matter, the fact that they might be able to facilitate re-identification seems to be enough.

Are All IDs The Same?

So does that mean that any pseudonymous identifier has to be treated like personal data? Maybe not. If one could use a cookie ID that wasn’t connected to an IP address, that might be viewed as more privacy-safe because it would be impossible – not just improbable – for the cookie ID to be used to identify someone.

There are a few things that might help ad tech companies continue to provide ad delivery and reporting in a pseudonymous way without regulators jumping to claim that the collected information is PII. First, identifiers should be resettable by the user, which is an area where Apple and Google have led the way. Second, identifiers should not be linked to personally identifiable information without user consent.

These steps are crucial for any ad tech company that seeks to stay out of the PII world. Hopefully, regulators and policymakers will agree. The alternative seems downright, well, Orwellian.

Follow Parrable (@Parrable) and AdExchanger (@adexchanger) on Twitter.
