Commentary

Sweeping Privacy Laws Are Here, But What Does Privacy Really Mean?

At the heart of GDPR and California’s Consumer Right to Privacy Act 2018 (a GDPR-like law that the state’s voters will consider in November) is a simple and appropriate concept: consumers ought to have a say in how companies use their personal information. Although still somewhat vague, supposedly GDPR places the spotlight on consumer privacy by forcing action around consent.

The proposed California regulation is focused on eliminating third-party data selling by encouraging class action remedies. But perhaps we’re putting the cart before the horse. Without a clear framework for talking about privacy, consumers, advertisers and technology companies will continue to talk past each other.

What do we mean by privacy?

Ask your friends and family who don’t work in ad tech to tell you what privacy means in the digital age. Some will say there’s no such thing as privacy. Others will mention Facebook and Cambridge Analytica or rant about the NSA spying. If anyone says advertising, you’ll get an earful about the “creepy” ads that follow them around the internet. Bottom line: privacy is more of a buzzword that sends a conversation splintering in different directions than an organizing principal. That needs to change.

What should our privacy framework look like?

Personally Identifiable Information (PII), at least as it was used in the offline context, is widely accepted as a term referring to the collection of personal information. In its original context, the personal information collection concern was framed in how PII could be used by criminals to stalk or steal the personal information of a person

A good framework for talking about privacy should include two things. First, it has to be readily understood by the vast majority of consumers. Second, it should reflect the widely held views of consumers who can distinguish between information collected to do harm versus information that could be reasonably interpreted as benefiting them. If we could manage to lower the hyperbole, maybe we can then have a meaningful conversation about privacy, user consent and permissible purpose.

We don’t have to start from scratch

HIPAA laws regarding personal health information provide a good starting point for bringing consumers into a constructive conversation about personal data. Though the laws are complex, it’s well understood that what you tell your doctor stays with your doctor.

When a doctor informs a patient that they have diabetes, that diagnosis is private information under HIPAA. The patient’s information is not being sold to Johnson & Johnson or Novo Nordisk. However, if that patient goes online to request research on their diagnosis via health sites, and they get on boarded and then followed up with by advertising for Jardiance (a diabetic support drug), it may not be a HIPAA violation, but it would likely run afoul with GDPR and California 2018.

Receiving an ad about refinancing your mortgage because you live in a ZIP code where home prices are rising isn’t something most Americans would consider an invasion of privacy. However, if that same ad is targeted to you because your bank sold the details of your mortgage to a loan broker, who sent you a direct mail offer and targeted you with online ads, is there a meaningful difference?

Is the consumer actually harmed or put at risk by either of these offers, or would a reasonable person recognize the potential for benefit to that consumer in the offer — and understand it to be data being used for permissible purpose?

While we may be inching closer toward a protectionist posture with GDPR and California 2018, it may not be too late to start a conversation about a more nuanced digital privacy. By drawing on models like HIPAA, the Fair Credit Act and other frameworks for the sensible applications of data, consumers can actually benefit from targeted online engagements without risk of harm.

2 comments about "Sweeping Privacy Laws Are Here, But What Does Privacy Really Mean?".
Check to receive email when comments are posted.
  1. Keith Huntoon from LiftEngine, July 2, 2018 at 3:42 p.m.

    I agree a framework can help, but can we as an industry create one that will pass consumer muster? Changes are coming and they are the collective fault of ad-tech, mar-tech and advertisers.  The pendulum is swinging back towards consumers and privacy and away from the wild west we've had in place for 20 years.  Today, for every benefit use case, there is an equal harm in targeting in the marketplace.  Forgetting about theft and illicit use of data, the most obvious and simple harm to consumers is price discrimination based on location or past search history.  Should consumers have to block/wipe cookies and search from different browsers in order to get the best price on airline tickets?  Should I pay more for shopping online just because I live in Connecticut vs Mississippi?  Of course not, but these use cases are legal and practiced daily by companies large and small.  Hopefully we'll come up with a framework but as an industry, it needs to be honest and painful.  Consumers are angry, politicians smell an easy win and if we're not careful, we'll be in a recession before we know it.  Fun times. 

  2. Paula Lynn from Who Else Unlimited, July 2, 2018 at 5:40 p.m.

    There will be ads with a GDPR type of law here and the rest of the world. There will be search with a GDPR type of law here and the rest of world. People will sell things and people will buy things. Other things can throw us and the world into recession, not this one.

Next story loading loading..