The California State Legislature amended the definition of “personal data” in the California Consumer Privacy Act (CCPA), adding the word “reasonably” before the word “capable” in the phrase “information that identifies, relates to, describes, [and] is capable of being associated with…a particular consumer or household.” This one small word brought a giant sigh of relief from the entire ad tech ecosystem.
Although the industry's lobbying efforts have been thwarted, this is a win for it, as it opens the door a crack for anonymous tracking, although some on the privacy side surely see a dangerous concession on clarity. The Legislature’s recent bill AB-1355 specifically exempts aggregate or deidentified consumer data from the definition of personal information. This is similar to the “de-identified” information that is deliberately processed to make it incapable of being associated with a particular individual. How does the CCPA define what is reasonable here?
Deidentified data has formed the heart of privacy debates for decades. At the risk of oversimplifying the complexity of this topic, the obvious question is how to define “reasonable.” It’s clear that the richer a data set, the easier it is to reidentify using statistical methods. But more significant in marketing is the case where an advertiser or publisher is able to connect a deidentified record with personally identifiable information that customers provide when they complete an order form or sign up for a newsletter. In such cases, marketing platforms are reasonably capable of associating anonymous data with a particular individual with ease. This will support the position of many privacy advocates that deidentification is irrelevant to the problem of pervasive surveillance online.
With possible nuance in mind, industry advocates decamp to Brussels, Sacramento, and anywhere else privacy laws are drafted or revised to explain deidentification and its economic importance to publishers and brands. The challenge is to convince lawmakers and a skeptical public to trust a system that’s clearly full of holes.
That’s where firms need some more innovation. Here are a few ideas:
- Accelerate convergence between Consent and Preference Management Platforms (CPMPs) and Customer Data Platforms (CDPs). CDPs need to support specific, transparent rules for privacy compliance that prevent violations of privacy policies or laws.
- The industry needs open standards to codify privacy rules and metadata categories to make them interoperable across marketing platforms. Organizations such as ISO and the IAB Tech Lab are developing related privacy standards, but industry-wide deidentification-related protocols need to pay more attention to compliance for marketers.
- ISPs need to wake up and participate actively in the discussion. They’ve made large investments in advertising and content technology, but they’ve been conspicuously silent about a problem they’re in a position to solve by supplying users with network-based services that control the exposure of their identities. Instead of lobbying for freedom, they might reasonably take this opportunity to mediate privacy with their personal network deidentification solutions.