• by Ray Schultz , Columnist, November 7, 2016

Opt in, opt out. Marketers have wasted time and money trying to make sense of those words. But they’re outdated. The real issue is who is accountable when data is misused. So says Martin Abrams, executive director of the Information Accountability Foundation.   

Just back from the International Privacy Conference in Marrakech, Morocco, Abrams sat down with MediaPost to discuss privacy in the digital age and how the issue affects cross-channel attribution.  

What’s the new thinking about privacy?
Marketing that is observation-driven is in bounds, but when it crosses the line to surveillance, it’s out of bounds. And marketing is having difficulty determining where that line is.

Where is the line?
If I have so much observational knowledge on you that I begin to control your behavior instead of influencing your choices, that’s surveillance. And that leads to control.

How do you define control?
When you go to a certain site to look for credit products, your browser is linked to your server and they do an assessment to determine which three products to make visible to you. You’re channeled into a box of appropriate products based on probability. But the purpose is to limit your knowledge rather than expand the opportunities.

And this is a privacy issue?
Marketers are not yet thinking about that line in the U.S., but it will grow in importance. In Europe, the new data protection rule takes effect in 2018. And European regulators will increasingly create rules that limit observation in marketing. For example, the European E-privacy directive requires that a pop-up comes up when I track you or post cookies. But regulators are disappointed with that.

So we really are freer in the United States ...
You can think with data and draw insights in the U.S. That’s a competitive advantage because thinking with data is an unregulated activity. Outside the U.S., you have to have a justification even to process data. So observational marketers have an adjustment to make when they go out of the country.

What’s driving the shift toward greater regulation?
Data just flows. And that flow is part of the Internet of Things and the systems that support everything. It’s an awkward position for privacy regulators. Look at their work on consent. Consent has a role in privacy, but it is not the basis for governance. You have to move to the idea of organizations acting in responsible fashion, where they’re answerable for their behavior. That’s a challenge as data use becomes more robust.

Didn’t the FCC just issue a rule saying that consumers have to opt in to be observed?
Those rules are dated. They will stifle our ability to think with data generated off the Internet.

Where should regulators draw the line — at personally identifiable data?
That idea is also outdated. When you buy online or register at a Web site, you’re fully identifiable. And at that point, some of the cookies are rejiggered based on the information you gave. So I can take an action based on the huge amount of knowledge that is linkable to you. Even if I don’t know your name, it’s inevitable that the shadow you and the real you will come together. And whether it’s personal information becomes less relevant.

What impact does privacy have on cross-channel attribution?
Marketers want to know how people shop, the flow of data, the use of devices, where the decision point comes, and whether they make the purchase in person in the store or via mobile. They can say, ‘I understand this individual. I have real-time knowledge of where they are, and I’m going to take action based on that and the artificial intelligence systems in play.’

Is that in bounds?
It’s in bounds to have a model based on the probability of a person acting in a certain way.

So what’s the problem?
If I want to touch you at every touchpoint, I want your phone numbers and fixed information about your mobile device and PC. I use third-party feeds to help me link those devices. So the question becomes: Who is accountable when data is used in an inappropriate fashion? The FTC says it’s the party with the connection with the individual. But what about the intermediary?