"Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Alan Chapell, president at Chapell & Associates.
Until very recently, most ad tech companies based their entire privacy programs on the notion that they don’t collect personal data.
As noted elsewhere, that premise has started to deflate for several reasons. First, EU policymakers began digging in their heels around a more expansive definition of personal data that includes pseudonymous identifiers, such as IP address, cookie ID and mobile advertising identifiers, including Apple’s IDFA.
Perhaps some in ad tech thought, “Well, that's only in the EU. They are in the minority and will eventually come to their senses.”
And then the Federal Communications Commission (FCC) announced its Notice of Proposed Privacy Rules, which also includes a broad definition of personal data.
Not to be outdone, Jessica Rich of the Federal Trade Commission (FTC) took the stage at a Network Advertising Initiative event and dropped a bit of a bombshell: The FTC was also adopting a broad definition of personal data. The FTC made a similar comment in May at the Digital Advertising Alliance Summit.
No Longer Just An EU Issue
With the FCC and FTC both advocating for an expansive definition of personally identifiable information (PII), this is no longer just an EU issue.
And it begs the question: How should the ad tech community respond? Perhaps the industry should continue to embrace pseudonymization. Perhaps ad tech should consider a move to bring PII onto their platforms.
In any event, it seems as if the US ad tech community is now in the minority in how it views personal data. Many other constituencies, including Canada’s chief regulator and even California’s attorney general, long ago jumped on the bandwagon to define personal data broadly.
At the end of the day, it might be helpful to remember that it's the regulators and legislators who have final say regarding the definition of personal data – not the ad tech community. But if we’re going to embrace a broad definition of personal data, we need to ensure that the ramifications of such a move are considered.
Case in point: There’s a gentleman named Paul-Olivier Dehaye, a resident of Zurich. Dehaye has petitioned technology firms for access to personal data over the past year. Specifically, he has requested that companies “provide [him] with all of [his] personal data that [Company X] has collected via cookies and other tracking technologies.”
EU privacy law grants certain rights to users, including the right to access their personal data. If IP address and cookie ID are now considered personal data, then EU law would require technology companies to hand over their log files in response to such requests.
By making these requests, Dehaye raises an important question about the nature of personal data.
Is All Personal Data Really The Same?
On a practical level, there is a significant difference between an IP address and an email address. Email addresses and telephone numbers can be authenticated relatively easily. If I request any information that you have attached to “firstname.lastname@example.org”, you can first send an email to that address to authenticate that I’m the owner. And if I don’t respond to the email authenticating who I am, you are unlikely to be willing to grant my access request. In fact, it may be illegal for you to do so.
Conversely, if you send me IDFA “0E5D34-RAF7-309-X8EB-6340TF523328” or IP address 184.108.40.206, I have absolutely no way of knowing that these IDs belong to you. They could belong to your spouse or roommate, or you could have written them down incorrectly. You can sign a notarized attestation that these identifiers are yours, but short of getting your ISP or Apple to certify that they belong to you (good luck with that) the reality is that you’d be asking that I take your word for it that these identifiers have anything to do with your computer or device.
So under EU privacy law, data subjects have the right to access their personal data but EU law also states that companies that hold personal data have a responsibility to safeguard that information. That means companies need to ensure that personal data doesn’t fall into the wrong hands.
If the data is considered personal data when it comes to “access rights” then it’s also personal data for other privacy rights, correct?
Irresistible Force, Please Meet Immovable Object
This has all the makings of a law school exam question. Should technology companies honor data access requests that they can’t authenticate and risk violating the privacy and security rights of other data subjects?
Perhaps the Article 29 Working Party in the EU will offer an opinion here. I don’t doubt that Dehaye has a legitimate interest in privacy. But in my view, there are no easy answers to the questions he is posing.