"Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Gary Kibel, a partner in the digital media, technology and privacy practice group at Davis & Gilbert.
In the past, if you mentioned personally identifiable information (PII) to someone in the ad tech ecosystem, they might cringe and emphatically state that they do not collect or process PII.
The common belief was that if PII were included within the service, it would require the service provider and the customer to take significant extra steps to ensure that all privacy, self-regulatory and other legal obligations were met. These might include opt-in consents, increased data security measures, additional consumer disclosures and limitations on the ultimate use of the data.
While that is true, times are changing for many reasons, including disagreement over what is considered PII, new products and services and that four-letter word: General Data Protection Regulation (GDPR).
In the EU, there is one definition under applicable law for “personal data,” the European term for PII: any information relating to an identified or identifiable natural person. This definition includes common ad tech tools, such as tracking cookies.
In the US, ask three people to define PII and you may get three different answers. To those in the ad tech industry, tracking cookies are certainly not PII. However, the Federal Trade Commission has stated “we regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer or device. In many cases, persistent identifiers, such as device identifiers, MAC addresses, static IP addresses or cookies, meet this test.” Yikes!
This uncertainty has led to confusion and uneasiness in the ad tech world.
Products and services
Providers are offering new ways for brands to exploit their first-party data, including through lookalike modeling and segment building. While it used to be challenging to get brands to part with their first-party data, that hesitancy has begun to wane.
If everyone is scrambling to put in place policies and procedures to comply with GDPR anyway, and EU law defines personal data as virtually everything under the sun, then ad tech companies may by default have no choice but to prepare themselves to handle more PII.
Therefore, the silver lining of GDPR may be less hesitancy on the part of ad tech companies to use PII in the US, leading to opportunities to exploit valuable data.
Not to be discounted, using PII in the US will still come with certain challenges and compliance obligations, but it may be time for ad tech companies to turn their GDPR compliance burdens into an opportunity.