PII May No Longer Be The Third Rail Of Ad Tech

"Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Gary Kibel, a partner in the digital media, technology and privacy practice group at Davis & Gilbert.

In the past, if you mentioned personally identifiable information (PII) to someone in the ad tech ecosystem, they might cringe and emphatically state that they do not collect or process PII.

The common belief was that if PII were included within the service, it would require the service provider and the customer to take significant extra steps to ensure that all privacy, self-regulatory and other legal obligations were met.  These might include opt-in consents, increased data security measures, additional consumer disclosures and limitations on the ultimate use of the data.

While that is true, times are changing for many reasons, including disagreement over what is considered PII, new products and services and that four-letter word: General Data Protection Regulation (GDPR).

Defining PII

In the EU, there is one definition under applicable law for “personal data,” the European term for PII: any information relating to an identified or identifiable natural person. This definition includes common ad tech tools, such as tracking cookies.

In the US, ask three people to define PII and you may get three different answers. To those in the ad tech industry, tracking cookies are certainly not PII. However, the Federal Trade Commission has stated “we regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer or device. In many cases, persistent identifiers, such as device identifiers, MAC addresses, static IP addresses or cookies, meet this test.” Yikes!

This uncertainty has led to confusion and uneasiness in the ad tech world.

Products and services

Providers are offering new ways for brands to exploit their first-party data, including through lookalike modeling and segment building. While it used to be challenging to get brands to part with their first-party data, that hesitancy has begun to wane.

GDPR 

If everyone is scrambling to put in place policies and procedures to comply with GDPR anyway, and EU law defines personal data as virtually everything under the sun, then ad tech companies may by default have no choice but to prepare themselves to handle more PII.

Therefore, the silver lining of GDPR may be less hesitancy on the part of ad tech companies to use PII in the US, leading to opportunities to exploit valuable data.

Not to be discounted, using PII in the US will still come with certain challenges and compliance obligations, but it may be time for ad tech companies to turn their GDPR compliance burdens into an opportunity.

Follow Gary Kibel (@GaryKibel), Davis & Gilbert LLP (@dglaw) and AdExchanger (@adexchanger) on Twitter.

1 Comment

  1. Marc Groman

    I think your conclusion is dead on, ad tech companies can and will "turn their GDPR compliance burdens into an opportunity." Once a company obtains consent consistent with GDPR and satisfied the other requirements of GDPR, it will not make sense to continue to focus on the outdated distinction between PII and non-PII that has been at the center of discussions in the ad tech industry. Frankly, the black-and-white, narrow definition of PII often referenced by Ad Tech in the US is outdated and does not make sense given today's tech. The clear lines are helpful for compliance, but they fail to take into account context and new tech. That ship has sailed, and not just at the FTC. Look at the definition of PII from the US National Institute of Standards and Technology: "‘Personally identifiable information’ means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual." Federal Government guidance for US Government agencies then provides that, "[b]ecause there are many different types of information that can be used to distinguish or trace an individual’s identity, the term PII is necessarily broad. To determine whether information is PII, the agency shall perform an assessment of the specific risk that an individual can be identified using the information with other information that is linked or linkable to the individual. In performing this assessment, it is important to recognize that information that is not PII can become PII whenever additional information becomes available – in any medium and from any source – that would make it possible to identify an individual." And so, I think you are correct that once a company meets the burdens of complying with GDPR, "PII" will be leveraged more in ad tech and other business models.

    Reply

Add a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>