IAB: Privacy Debate Moves Beyond Cookies
Mike Zaneis: As more advertising goes online and on mobile phones, it becomes a central issue to increase the relevancy with behavioral targeting. In the past, there have been several attempts to regulate online advertising. Early on there were blunt instruments. People who didn't understand the way online advertising worked wanted to regulate cookies, because they thought regulating the technology would be the correct approach. We have begun to move away from that approach during the last few years by educating the public and Washington. People finally realize cookies are pervasive and important for a positive user experience. Now the debate is around privacy and the type of data you're collecting and using to deliver targeted ads.
MediaPost: How long should companies keep the data?
Zaneis: The industry must follow common business practices and regulations. For instance, the Federal Trade Commission, through several enforcement actions, has made it clear that every industry must have reasonable data security measures, which is a sliding scale. You have to look at the type of data you're collecting, the type of threat a business may face, how the company plans to use the information, and whether the company plans to share it. Then you must look at the sensitivity of the data. We see a refocus away from pure data retention, toward making sure information isn't misappropriated. There shouldn't be an arbitrary period of time for data retention because different types and quantities of information may pose a greater threat to consumer privacy. We are trying to protect consumers and meet their expectation of privacy and security.
MediaPost: How do you define sensitive data?
Zaneis: If for some reason a company collects consumers' Social Security numbers. Most online advertisers don't do that, but you could imagine [it] as part of a process for Web site registration. I would put medical and financial information in the same category. If you're a healthcare Web site, and provide information about medical treatments, that type of information is much more sensitive than most other types of information collected online.
We have a data security and data retention principle within our behavioral advertising principles. When we put out the principles a couple of weeks ago, there was a lot of discussion because the broadest group of online advertising-related companies came together to form these principles. These companies include marketers, advertising agencies, publishers, portals and search engines. In the past, we haven't drilled down into the principles, such as data security. Now we say, whatever type of data you collect, even though it may be truly anonymous information, you still must as a best practice implement data security because consumers expect that. And it's all about online trust.
The privacy debate, once defined by personally identifiable information, has moved toward data security and eliminating risk.