Home Data-Driven Thinking The Expanding Definition Of PII

The Expanding Definition Of PII

SHARE:

carlaholtzeData-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Carla Holtze, CEO and co-founder of Parrable.

What does personally identifiable really mean? For as long as I can remember, personally identifiable information (PII) basically meant email address, telephone number and postal address.

Everyone in the advertising technology world built their platforms based on the notion that PII was essentially radioactive. Until recently, an ad tech platform could consider itself a long way toward the goal of being privacy safe by simply keeping PII off of its platform.

That is, until regulators and policymakers began taking a broad view of PII.

For the past several years, privacy professionals in the digital media space have feared that the definition of personally identifiable would expand to include IP address, cookie ID and mobile ad IDs, such as Apple’s IDFA. Unfortunately, such fears are being confirmed in several places.

For example, the European Union just ratified its new General Data Privacy Regulation that specifically defines pseudonymous identifiers such as an IP address as personal data. And in the US, the Federal Communications Commission’s recent notice of rulemaking takes a similarly broad definition of PII.

I also participated in a recent event where a senior official at the Federal Trade Commission (FTC) took the stage to explain that it too had gradually moved toward a broad definition of personally identifiable.

Moving The Goal Posts

Maybe we need to rethink privacy standards, as many of them were written a long time ago.

The Network Advertising Initiative Code was created 16 years ago over fears of ad tech companies merging personally identifiable information with ad-serving information. At the time, the NAI Code was applauded by the FTC.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

But if the FTC and others are now changing their tune, and if all information collected is now considered personally identifiable, how does a good ad tech platform comply with the NAI Code? And perhaps more importantly, is there still an incentive for ad tech companies not to collect email addresses and telephone numbers?

Some of my industry colleagues have suggested that ad tech might as well start collecting everything – maybe even Social Security numbers. I respectfully disagree.

There are privacy-enhancing benefits to limiting ad tech to pseudonymous information.

Why are certain pseudonymous identifiers considered personally identifiable? If we can better understand the rationale for declaring certain data points as PII, perhaps we can find a solution that addresses those concerns.

EU And IP Addresses

The EU started down this path a few years ago when the Article 29 Working Party opined that IP addresses should be considered personal data. The Article 29 Working Party is an influential group of EU data protection regulators that advise the EU Commission.

Their analysis may be summarized as follows: Some IP addresses may be used by some companies, such as Internet service providers, as personal data. In other words, an Internet service provider may know that a particular IP address corresponds to a particular subscriber account number. Thus, an IP address should also be considered personal data to anyone because anyone could theoretically get to the physical address with the help of the Internet service provider.

Following the logic, one can make the same argument about the mobile operating system advertising IDs. If IDFA #123 corresponds in Apple’s systems to [email protected], anyone theoretically could get to [email protected] via IDFA #123 with the help of Apple.

To their credit, Apple and Internet service providers have demonstrated that they are unwilling to assist companies to re-identify subscribers. But no matter, the fact that they might be able to facilitate re-identification seems to be enough.

Are All IDs The Same?

So does that mean that any pseudonymous identifier has to be treated like personal data? Maybe not. If one could use a cookie ID that wasn’t connected to an IP address, that might be viewed as more privacy-safe because it would be impossible – not just improbable – for the cookie ID to be used to identify someone.

There are a few things that might help ad tech companies continue to provide ad delivery and reporting in a pseudonymous way without regulators jumping to claim that the collected information is PII. First, identifiers should be resettable by the user, which is an area where Apple and Google have led the way. Second, identifiers should not be linked to personally identifiable information without user consent.

These steps are crucial for any ad tech company that seeks to stay out of the PII world. Hopefully, regulators and policymakers will agree. The alternative seems downright, well, Orwellian.

Follow Parrable (@Parrable) and AdExchanger (@adexchanger) on Twitter.

Must Read

Pacvue Enters The Next Chapter Of Retail Media With New CEO Rahul Choraria

Pacvue has promoted COO Rahul Choraria to chief executive.

Comic: What Else? (Google, Jedi Blue, Project Bernanke)

Project Cheat Sheet: A Rundown On All Of Google’s Secret Internal Projects, As Revealed By The DOJ

What do Hercule Poirot, Ben Bernanke, Star Wars and C.S. Lewis have in common? If you’re an ad tech nerd, you’ll know the answer immediately.

shopping cart

The Wonderful Brand Discusses Testing OOH And Online Snack Competition

Wonderful hadn’t done an out-of-home (OOH) marketing push in more than 15 years. That is, until a week ago, when it began a campaign across six major markets to promote its new no-shell pistachio packs.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Google filed a motion to exclude the testimony of any government witnesses who aren’t economists or antitrust experts during the upcoming ad tech antitrust trial starting on September 9.

Google Is Fighting To Keep Ad Tech Execs Off the Stand In Its Upcoming Antitrust Trial

Google doesn’t want AppNexus founder Brian O’Kelley – you know, the godfather of programmatic – to testify during its ad tech antitrust trial starting on September 9.

How HUMAN Uncovered A Scam Serving 2.5 Billion Ads Per Day To Piracy Sites

Publishers trafficking in pirated movies, TV shows and games sold programmatic ads alongside this stolen content, while using domain cloaking to obscure the “cashout sites” where the ads actually ran.

In 2019, Google moved to a first-price auction and also ceded its last look advantage in AdX, in part because it had to. Most exchanges had already moved to first price.

Thanks To The DOJ, We Now Know What Google Really Thought About Header Bidding

Starting last week and into this week, hundreds of court-filed documents have been unsealed in the lead-up to the Google ad tech antitrust trial – and it’s a bonanza.