"Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Alan Chapell, president at Chapell & Associates.
The rules around the merger of personally identifiable information (PII) with ad-serving data are perhaps the most oft-referenced privacy rules in ad tech. Over the past 15 years, if you asked any ad tech CEO about privacy, the first words out of his or her mouth would have been: “We don’t collect PII.”
Even where senior execs didn’t know much about digital privacy, the one thing all of them did know is that PII was the third rail of digital privacy. As a result, the mere appearance of touching PII has been a non-starter in ad tech for as long as anyone can remember.
The core privacy rules were created 15 years ago when the marketplace looked very different. I believe it’s time to revisit some of those rules – and for ad tech companies to reconsider leveraging PII.
The Initial Visceral Reaction To PII Merger Vs. Marketplace Growth
When DoubleClick bought Abacus Direct back in 1999, many worried it would combine Abacus’ personal information with DoubleClick’s online browsing data. Many things drove the reaction to the privacy scandal – not the least of which was an emotional response. Advocates lamented that DoubleClick/Abacus was creating a “surveillance database of Orwellian proportions,” and a constant stream of criticism rained down on DoubleClick for months. Collectively, advocates, regulators and the press drew a line in the sand indicating that ad networks must be kept as far away from the personally identifiable as possible.
Yet during the past 15 years, companies in the digital media marketplace continued to inch closer to PII. This raises the question: Has time softened the perspective of advocates and regulators? One thing is clear: Marketplace growth has outpaced anything DoubleClick may have been contemplating.
Consider this: In March of 1999, DoubleClick’s US network boasted more than 120 of the web's most recognized sites, and DoubleClick as a whole delivered a “whopping” 30 billion ads every month.
By today’s standards, the scope and scale of information collected by DoubleClick during the Abacus acquisition seems almost quaint; I’m certainly not the first person to make this observation. Heck, even Merkle’s new deal with News Corp. will impact more consumers and serve more ads than DoubleClick/Abacus ever did.
But this goes far beyond Merkle’s people-based marketing program or Experian’s OmniView multichannel ID or Facebook’s merger of PII with the behavioral data it collects from 90% of the Internet or Google’s new program enabling marketers to buy on YouTube with email addresses. Across the spectrum, the Chinese wall separating PII and non-PII in digital media has narrowed during the past decade to the point where we can practically see through it.
In light of all this, why is the ad tech community clinging to these rules? Is there either a business or privacy advantage to maintaining the current pseudonymous data approach? (Some background is available here.)
Moving To An IoT-Enabled World
The Internet of Things (IoT) will exponentially increase the amount of digital data collected through watches, fitness devices, thermostats, automobiles, major appliances and dozens of other things that we haven’t even thought of yet. Marketers will need to be able to structure all of this data if they want to draw user-centric insights. As of today, there are really only two viable paths to structure IoT data.
Marketers could take a platform approach using pseudonymous identifiers. This approach is currently widely used in mobile advertising and relies on a pseudonymous ID provided by the mobile operating systems. In an IoT-enabled world, an identifier could be provided by an OS, wireless carrier, browser and a social networking platform.
Marketers could also take a PII approach, which is practiced by many retailers that use customers’ email addresses or telephone numbers to tie all of this information together.
The platform approach works relatively well where the advertiser wants to understand what a particular piece of media cost, how many impressions it generated and what the audience looks like. But most platforms don’t allow third-party verification of their numbers or enable advertisers to understand the impact of cross-platform advertising. Answering simple questions such as, “How do users respond when they’ve seen my ad twice on Facebook and twice more on YouTube?” is nearly impossible with a platform approach.
As the number of customer touch points increases exponentially in an IoT-enabled world, advertisers are incented to move away from the platform approach, which they don’t control, to a PII approach, which they can control.
The Privacy Argument
I’m sure the mere mention of merging PII with digital data bits will give many privacy professionals fits. Nonetheless, the current regulatory climates in the EU and US aren’t focused on reining in PII merger practices.
The European Union arguably has the world’s strictest privacy rules. Over the past several years, EU policymakers have grown increasingly reluctant to draw distinctions between personal data and pseudonymous data. There are many different things at play in the EU as we head into 2016, and the EU’s knee-jerk response to every privacy problem boils down to one word: consent.
Ultimately, if EU policymakers continue down the path of requiring consent for the collection and use of a cookie ID, they are essentially signaling to the marketplace that it should obtain consent as broadly as possible. By requiring an expansive consent, you create incentives to collect as much data as possible.
In the US, it’s worth noting that in the 15 years since the DoubleClick/Abacus scandal, the Federal Trade Commission (FTC) has publicly said little about the merger of PII with ad-serving data. If anything, the FTC has seemingly shifted its focus away from the merger of PII with online profiling information. In 2010, it acknowledged that the “distinction between PII and non-PII continues to lose significance.” And there’s no mention of PII merger concerns in the recent FTC IoT staff report (PDF).
More Questions Than Answers
Facebook and Twitter have used email as a targeting ID both on and off their respective platforms for some time now, with nary a peep from the FTC.
If those entities are tacitly allowed to do that, is it a big deal for Merkle to use PII to target ads within the four corners of News Corp. sites? What are the distinctions we’re drawing as we head into 2016? Are larger entities really “more privacy protective because it’s all within one company” or are there other considerations?
In other words, what is the current rationale for the distinctions that are being drawn today?
To be clear, I’m not advocating any policy in particular. I’m simply noting that the industry came together and created a set of rules in 2000. And since that time, the industry has changed drastically – heck, the whole world has changed. Given all this transition, it’s worth asking whether some of these old rules still make sense.