Yes, it's time for the digital marketing industry to move on from the term "PII" ("personally identifiable information") as the defining benchmark for what information is anonymous versus what is personal when it comes to providing notice and choice to consumers.
For the past decade, following guidance from the Federal Trade Commission and other regulators, online marketers and media companies in the U.S. have been required to provide users with "robust" notice and gain their "opt-in" consent before collecting, storing or using "personal" information online about those users.
Therefore, avoiding PII data has been critical for many online companies that wanted to use consumer data for ad targeting or measurement, but didn't want to have to gain the explicit consent of their users in the process. Well, those days are over.
Demise of PII Standard. It all started a few years ago, when AOL released specific searches that some of their users had conducted, linked together by anonymous, unique IDs. While no one could argue that the information was PII, it was possible to actually link the searches to actual people by aggregating information from their various searches -- which included street addresses, etc. -- as a reporter for The New York Times subsequently did. This led to debates around the world questioning the efficacy of the PII standard to protect consumers' privacy.
The demise of the that standard was completed this February, when the FTC released an updated set of guidelines for profile-based online ad targeting -- or "behavioral targeting" -- in which they explicitly avoided using the PII standard and instead required "op-in" consent if companies used online data that could be "related to particular individuals or devices."
FTC turns up the volume. If anyone had a question on whether the omission of PII was intentional or not, the published interviews this past week in Business Week and The New York Times of FTC Chairman Jon Leibowitz and his head of consumer protection, David Vladeck, should make the answer clear. Both used their bully pulpit to let the online ad industry know that the status quo has changed and, among other things, we are all going to have to be much more transparent about what data we collect and what we do with it. The days of just "avoiding PII" are over.
What should you watch out for? In my opinion, there is at least one online marketing data technique where companies will have to be very careful: data appending. Companies need to make sure that when they append "blind" information to anonymous information -- through cookies, for example -- that they don't end up with a combination that is no longer blind, where the result could be related to a particular individual or computer.
What to do? Please, this is the time to take privacy protection seriously. You need to get involved with the efforts of your trade associations in creating and implementing a self-regulatory framework, so that we might stave off the passage of broad and onerous new privacy laws and regulation.
Working closely together with the leadership and staff of the FTC and Congress, the IAB, DMA, AAAA and ANA have been doing extraordinary work to develop an effective self-regulatory framework to help digital marketers and media companies continue to innovate -- yet also provide strong protections for consumer privacy.
Time is running out. Join and participate in these associations and protect consumers' privacy together. The alternative is not going to be pretty.
I'm sure some of you are growing tired of my soapbox stands on privacy in this column. I write about the issue because I believe that it is very important and potentially very dangerous for us to ignore. What do you think?