Home Data-Driven Thinking The Expanding Definition Of PII
OPINION: Data-Driven Thinking

The Expanding Definition Of PII

By AdExchanger

SHARE:

carlaholtzeData-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Carla Holtze, CEO and co-founder of Parrable.

What does personally identifiable really mean? For as long as I can remember, personally identifiable information (PII) basically meant email address, telephone number and postal address.

Everyone in the advertising technology world built their platforms based on the notion that PII was essentially radioactive. Until recently, an ad tech platform could consider itself a long way toward the goal of being privacy safe by simply keeping PII off of its platform.

That is, until regulators and policymakers began taking a broad view of PII.

For the past several years, privacy professionals in the digital media space have feared that the definition of personally identifiable would expand to include IP address, cookie ID and mobile ad IDs, such as Apple’s IDFA. Unfortunately, such fears are being confirmed in several places.

For example, the European Union just ratified its new General Data Privacy Regulation that specifically defines pseudonymous identifiers such as an IP address as personal data. And in the US, the Federal Communications Commission’s recent notice of rulemaking takes a similarly broad definition of PII.

I also participated in a recent event where a senior official at the Federal Trade Commission (FTC) took the stage to explain that it too had gradually moved toward a broad definition of personally identifiable.

Moving The Goal Posts

Maybe we need to rethink privacy standards, as many of them were written a long time ago.

The Network Advertising Initiative Code was created 16 years ago over fears of ad tech companies merging personally identifiable information with ad-serving information. At the time, the NAI Code was applauded by the FTC.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

Daily Roundup

Daily News Roundup

IAS To Go Private Under New PE Backer; Retail Sails On AI Referrals

But if the FTC and others are now changing their tune, and if all information collected is now considered personally identifiable, how does a good ad tech platform comply with the NAI Code? And perhaps more importantly, is there still an incentive for ad tech companies not to collect email addresses and telephone numbers?

Some of my industry colleagues have suggested that ad tech might as well start collecting everything – maybe even Social Security numbers. I respectfully disagree.

There are privacy-enhancing benefits to limiting ad tech to pseudonymous information.

Why are certain pseudonymous identifiers considered personally identifiable? If we can better understand the rationale for declaring certain data points as PII, perhaps we can find a solution that addresses those concerns.

EU And IP Addresses

The EU started down this path a few years ago when the Article 29 Working Party opined that IP addresses should be considered personal data. The Article 29 Working Party is an influential group of EU data protection regulators that advise the EU Commission.

Their analysis may be summarized as follows: Some IP addresses may be used by some companies, such as Internet service providers, as personal data. In other words, an Internet service provider may know that a particular IP address corresponds to a particular subscriber account number. Thus, an IP address should also be considered personal data to anyone because anyone could theoretically get to the physical address with the help of the Internet service provider.

Following the logic, one can make the same argument about the mobile operating system advertising IDs. If IDFA #123 corresponds in Apple’s systems to bill@hotmail.com, anyone theoretically could get to bill@hotmail.com via IDFA #123 with the help of Apple.

To their credit, Apple and Internet service providers have demonstrated that they are unwilling to assist companies to re-identify subscribers. But no matter, the fact that they might be able to facilitate re-identification seems to be enough.

Are All IDs The Same?

So does that mean that any pseudonymous identifier has to be treated like personal data? Maybe not. If one could use a cookie ID that wasn’t connected to an IP address, that might be viewed as more privacy-safe because it would be impossible – not just improbable – for the cookie ID to be used to identify someone.

There are a few things that might help ad tech companies continue to provide ad delivery and reporting in a pseudonymous way without regulators jumping to claim that the collected information is PII. First, identifiers should be resettable by the user, which is an area where Apple and Google have led the way. Second, identifiers should not be linked to personally identifiable information without user consent.

These steps are crucial for any ad tech company that seeks to stay out of the PII world. Hopefully, regulators and policymakers will agree. The alternative seems downright, well, Orwellian.

Follow Parrable (@Parrable) and AdExchanger (@adexchanger) on Twitter.

Must Read

Platforms

Swish, A Company That's Bringing Programmatic to Product Sampling, Announces Seed Funding

Swish, a startup that partners with retailers to provide product full-size CPG samples to people doing their grocery shopping online, announces $2.3 million in seed funding.

antitrust

DOJ v. Google: During Opening Arguments, The DOJ And Google Battle Over An AdX Divestiture

Court is back in session. And the fate of  the open internet is in the balance.

Chris Mufarrige, director, Bureau of Consumer Protection, FTC
Data Privacy Roundup

FTC Consumer Protection Chief: No Easy Answers On Privacy, ‘Only Trade-Offs’

Privacy isn’t black-and-white, says the FTC’s Chris Mufarrige, promising evidence-driven consumer protection cases under the Trump administration.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Publishers

How Encryption Keys Could Resolve The TID Furor

Rather than sharing universal TIDs that any DSP or curator can access, Raptive says publishers should instead share encrypted TIDs with an encryption key provided only to trusted demand-side partners.

Digital Out-Of-Home

Clear Channel Brings Mid-Flight Measurement To Its OOH Network

Clear Channel will provide advertisers weekly, mid-flight reports on outcomes driven by its inventory in order to bring OOH measurement closer to the speed of digital.

FTC Commissioner Mark Meador speaking at the NAD's annual conference in Washington, DC on Sept. 16, 2025. (Photo: Brian O'Doherty)
Federal Trade Commission

FTC Commissioner Mark Meador: ‘No Human Society Can Long Survive Without Consumer Trust’

Keeping American kids safe in what FTC Commissioner Mark Meador calls “an increasingly complex and fast-paced technological environment” is a top priority for the agency.

Popular

  1. Monopoly Man looks on at the DOJ vs. Google ad tech antitrust trial (comic).
    Online Advertising

    DOJ v. Google: Judge Brinkema Calls For Less Ad Tech “Window Dressing” In The AdX And DFP Divestiture Debate

    Day Two of the remedies phase of the Google ad tech antitrust trial was a grueling back-and-forth about the future of Google Ad Manager.

  2. antitrust

    DOJ v. Google: During Opening Arguments, The DOJ And Google Battle Over An AdX Divestiture

    Court is back in session. And the fate of  the open internet is in the balance.

  3. Inside the Stack

    How AI Helped Tatari Double Revenue Without Adding (or Losing) Staff

    Tatari CEO Philip Inghelbrecht explains how AI doubled revenue without adding staff, why direct deals beat programmatic, and why publishers must focus on data.

  4. Paul Frampton-Calero, CEO, Goodway Group
    OPINION: Data-Driven Thinking

    Beyond The Hype: How Agentic AI Can Finally Unite Marketing’s Creative And Scientific Sides

    Marketing has long struggled to prove itself as a growth engine. What if agentic AI isn’t the threat many fear but the breakthrough marketing always needed?

  5. feedback loop
    attribution

    The Trade Desk and Acxiom Deepen Their UID2 Collaboration With An AI-Powered Measurement Solution

    The Trade Desk and Acxiom have a new product that plugs into Kokai to create a live feedback loop between UID2 IDs and real-world outcomes.