Commentary
PII (Personally Identifiable Information), R.I.P.
- by Dave Morgan , Featured Contributor, August 6, 2009
Yes, it's time for the digital marketing industry to move on from the term "PII" ("personally identifiable information") as the defining benchmark for what information is anonymous versus what is personal when it comes to providing notice and choice to consumers.
For the past decade, following guidance from the Federal Trade Commission and other regulators, online marketers and media companies in the U.S. have been required to provide users with "robust" notice and gain their "opt-in" consent before collecting, storing or using "personal" information online about those users.
Information was personal if it could be used to "uniquely identify, contact, or locate a single person." Phone numbers, names with addresses, social security numbers and email addresses constituted personal information. On the other hand, if a company only used "anonymous" data -- information that was not PII -- it only had to provide users with "passive" notice (in a privacy policy, for example), and the opportunity to "opt-out" of the online data collection, which was a much lower standard.
advertisement
advertisement
Therefore, avoiding PII data has been critical for many online companies that wanted to use consumer data for ad targeting or measurement, but didn't want to have to gain the explicit consent of their users in the process. Well, those days are over.
Demise of PII Standard. It all started a few years ago, when AOL released specific searches that some of their users had conducted, linked together by anonymous, unique IDs. While no one could argue that the information was PII, it was possible to actually link the searches to actual people by aggregating information from their various searches -- which included street addresses, etc. -- as a reporter for The New York Times subsequently did. This led to debates around the world questioning the efficacy of the PII standard to protect consumers' privacy.
The demise of the that standard was completed this February, when the FTC released an updated set of guidelines for profile-based online ad targeting -- or "behavioral targeting" -- in which they explicitly avoided using the PII standard and instead required "op-in" consent if companies used online data that could be "related to particular individuals or devices."
FTC turns up the volume. If anyone had a question on whether the omission of PII was intentional or not, the published interviews this past week in Business Week and The New York Times of FTC Chairman Jon Leibowitz and his head of consumer protection, David Vladeck, should make the answer clear. Both used their bully pulpit to let the online ad industry know that the status quo has changed and, among other things, we are all going to have to be much more transparent about what data we collect and what we do with it. The days of just "avoiding PII" are over.
What should you watch out for? In my opinion, there is at least one online marketing data technique where companies will have to be very careful: data appending. Companies need to make sure that when they append "blind" information to anonymous information -- through cookies, for example -- that they don't end up with a combination that is no longer blind, where the result could be related to a particular individual or computer.
What to do? Please, this is the time to take privacy protection seriously. You need to get involved with the efforts of your trade associations in creating and implementing a self-regulatory framework, so that we might stave off the passage of broad and onerous new privacy laws and regulation.
Working closely together with the leadership and staff of the FTC and Congress, the IAB, DMA, AAAA and ANA have been doing extraordinary work to develop an effective self-regulatory framework to help digital marketers and media companies continue to innovate -- yet also provide strong protections for consumer privacy.
Time is running out. Join and participate in these associations and protect consumers' privacy together. The alternative is not going to be pretty.
I'm sure some of you are growing tired of my soapbox stands on privacy in this column. I write about the issue because I believe that it is very important and potentially very dangerous for us to ignore. What do you think?
... and just when behavioral targeting was really starting to take off...
These are relevant and important considerations. Like the AOL case showed, data pieces can be put together to create an individual profile. I'm not sure that's practical for many businesses, but to avoid that ability could be costly. How many degrees of separation do you need for data before it would be considered safe? The ripple effect of this could be wide.
Looking beyond cost, you have impact on people doing their jobs. I'm sure there's little empathy for marketers, but the product and support people that rely on data sharing would also be at risk.
Truly anonymous behavioral targeting won't be threatened here, only techniques that seek to combine anonymous data with information that's not so anonymousby appending multiple data sources at the cookie level. Companies that do that are going to need to exercise a lot of care and foresight to insure that their users' privacy is protected.
The key points Dave misses here are permission as it pertains to data appending and the personal nature of the data. If you are granted permission, this becomes a moot issue. Data appending is an approved marketing tactic across numerous marketing channels. Most companies that are involved in data appending services do so with compliance with CAN-SPAM regulations that provide for permission-based standards. If you append permission-based data source, you have nothing to worry about.
Furthermore, when it comes to the data you choose to append, if you go down the path of applying ZIP+4 profile data versus trying to define an individual, you are going to be okay. Companies attempting to develop individual profiles on users should re-think their practices and move to community clusters.
The issue here is individual identification, and to suggest data appending will be an issue, in and of itself, is misguided. Everyone interested in appending needs to focus on permission-based data sources and appending data that is predictive without invading privacy of the user. This is what the FTC is asking of us and such requests are reasonable. We as an industry need to move in this direction with self-regulatory guidelines that embrace this.
In the end, every company engaged in behavioral targeting needs to ensure that they don't hold the keys to individual identification. This will likely require a middleman approach that keeps the two parties interested in appending the data separated from one another and having someone in the middle that does the links. For example, if there are 3 data elements and 3 companies are engaged in the appending, each participant must hold 2 of the 3 keys, therefore no one company can figure out the individual themselves. This is how the practice is applied offline for pharmaceutical and financial data products and we in the internet industry need to follow this same practice.
Tim, your points are very good and accurately reflect how the issue has been dealt with in the past, primarily in the offline world. However, I believe that the online world is evolving differently, and that avoiding "creepy" is the new standard. Appending offline data to cookies thru a "blind" intermediary may not be tolerated online, by consumers or regulators. We will learn that answer prett soon I suspect. For sure, we are entering a world where complete transparency will control, and consumers will decide.