• by Tobin Ireland , Op-Ed Contributor, April 13, 2017

A flurry of policy reversals under the Trump administration has started a game of regulatory Ping-Pong, most apparent in the field of data privacy.

Obama-era Federal Communications Commission privacy rules were due to be rolled out, requiring Internet Service Providers to gain “opt in” customer permission before collecting CPNI (Customer Propriety Network Information), like browsing history, app use, or location.

But these changes were halted under the FCC’s new chair Ajit Pai, who called for a level playing field between network operators and Over-the-Top players. This move has been criticized by the privacy advocacy community as a backwards step, but welcomed by network operators.

They feel it allows them to compete for ad revenue with Facebook and Google, which face less stringent consent rules under the FTC.

Does this mean advertisers won’t need to concern themselves with consent when processing user data for targeting and personalization? The short answer is no.

Data privacy regulation needs a global approach. In contrast to the FCC’s current stance, the EU’s General Data Protection Regulation (GDPR) – which comes into effect next year – emphasizes user consent.

It requires companies to gain explicit permission from users before processing personal data, ensuring the journey for giving consent is clear, not just hidden in terms of service, and has specific details about how the data will be used and by who, including the right to object to information being used for profiling.

Equally new EU legislation to ensure privacy in electronic communications is likely to require data around content, location and time of communication to be made anonymous or deleted if the user has not given consent for it to be processed for reasons other than performance of a contract, legal obligation, vital interests of the consumer, the public interest, or the legitimate interest of the business.

The distinct stances of the U.S. and the EU could be confusing for advertisers operating across borders, but it is clear user consent will form part of global de facto privacy standards.

The GDPR will apply to any company processing data about EU citizens, even if they are located elsewhere, meaning many U.S. businesses will be impacted.

Having insufficient customer consent to process data is a serious violation of the GDPR and could lead to fines of 4% of annual global revenue. It’s a clear communication to the digital advertising supply chain that it must prepare for data safety to be given equal weight with brand safety.

To stay ahead, advertisers must take a wider view of data privacy and implement technologies and strategies to ensure they comply with all legislation, no matter how often the requirements around user consent change.

One specific way to do this is to look at data pseudonymization, which has been formally recognized in the GDPR as a category of data. Unlike anonymization – which makes the user unidentifiable, prohibiting personalization and targeting – classic pseudonymization simply swaps individual identifiers with an artificial identifier or pseudonym.

In this way, and in theory, data can only be linked to a specific user with additional insight, which is stored separately. With the persistent pseudonymization of identities (such as cookies or Android Ad IDs), there is no net change in the ability to track and profile.

Regulators have been skeptical about existing approaches to pseudonymization delivering the goods.

Another, more radical and future solution is to go with artificial identifiers that are transient, changed or deleted within milliseconds to ensure data protection without sacrificing the ability to target.

This type of technology provides advertisers with high quality data that can be used beyond its original collection purpose and allows them to deliver personalized brand experiences, without the risk of breaching data regulations.   

Rather than following the game of data privacy Ping-Pong, advertisers should focus on implementing technologies and strategies that will enable compliance with global privacy standards, adopting user consent and data pseudonymization as their watchwords.

Finally, policy makers worldwide should be thoughtful about missing the “privacy concern” signals being sent out by their citizens. The growth of ad blockers is a symptom of an environment that does not prioritize customer control and transparency around data.

Marketers should always be comfortable with the notion of the “customer being in control” — privacy and data protection are no exception to this rule.