What does personally identifiable information really refer to? For most of this century's history, personally identifiable information (PII) basically meant email address, telephone number and mailing address. Everyone in the advertising technology world built their platforms based on the concept that PII was essentially to be avoided. Until recently, an ad tech platform could consider itself a long way toward the goal of being privacy safe by simply keeping PII off of its platform. However, regulators and policymakers are now taking a much more broad view of PII.
For the past several years, privacy professionals in the digital media space have feared that the definition of personally identifiable would expand to include IP address, cookie ID and mobile ad IDs, such as Apple's IDFA. Unfortunately, such fears are being confirmed in several places. For example, the European Union just ratified its new General Data Privacy Regulation that specifically defines pseudonymous identifiers such as an IP address as personal data. And in the US, the Federal Communications Commission's recent notice of rulemaking takes a similarly broad definition of PII. What PII will really refer to, both now and in the future, is up to debate.
Maybe we need to rethink what PII really refers to. The Network Advertising Initiative Code was created 16 years ago over fears of ad tech companies merging personally identifiable information with ad-serving information. At the time, the NAI Code was applauded by the FTC. But if the FTC and others are now changing their tune, and if all information collected is now considered personally identifiable, how does an ethical advertising technology platform comply with the NAI Code? And perhaps more importantly, is there still an incentive for ad tech companies not to collect email addresses and cell phone numbers and any other bit of data that they can gather? Does the future become a lot less private with this extreme data collection and machine learning as well?
Perhaps going down the road of some kind of pseudonymity might be the best course of action? So does that mean that any pseudonymous identifier has to be treated like personal data? Maybe not. If one could use a cookie ID that wasn't connected to an IP address, that might be viewed as more privacy-safe because it would be impossible – not just improbable – for the cookie ID to be used to identify someone.
Apple and some other browser companies have demonstrated that they are unwilling to assist marketers to re-identify people. Safari 14 is notably taking big steps to protect users from extra trackers and ad retargeting. Blocking tracking and the collection of your data browsing patterns is a good first step for many people to keep their private information (PII) out of corporate hands.
We hope you enjoyed reading this guide and learned something new! Check out our Learning Center to learn more about online privacy and security or consider subscribing to our Online Privacy Service to remove your phone number, name, and address from Google, Bing, Yahoo, and DuckDuckGo search results and hundreds of data broker sites.