Alex Krylov


“PII” is dead, or rethinking digital privacy in the GDPR era

Posted on October 30, 2017 Written by Alex Krylov 6 Comments

Cartoon by Dana Summers

Last September, a friend and privacy leader, Colin O’Malley, wrote an excellent piece urging us to jettison the dated notion of Personally Identifiable Information (“PII”). The thesis? PII’s narrow application no longer holds water in the context of today’s technologies and global regulatory interests.

I liked Colin’s piece so much that, after rereading it, I wanted to share some of it with you along with my thoughts.

1.   We’re not in Kansas anymore

“For anyone involved in privacy in the late 90s and early aughts, ‘PII’ or ‘Personally Identifiable Information,’ had a very specific, bright line meaning. PII referred to the data that needed to be protected: email, phone number, postal address, etc. Everything else was effectively harmless. Websites and marketers could go virtually unregulated for privacy practices if they simply resisted the temptation to touch PII”.

Twenty-five years is a very short time to get us from Norton Commander to artificial intelligence-powered cognitive computing. Rapid advances in computer and information sciences have ushered in an era of unprecedented access, convenience and interconnectedness. We can now pay our bills at the scan of a thumbprint, rave about favorite restaurants on Yelp, refill our prescriptions with a voice command, and share statistics from our personal fitness tracker with our doctors and social networks. We can save time on our commutes using crowd-sourced traffic updates beamed to our cars, and pay for plane tickets with a swipe of a finger.

According to a study by research firm IDC, in 2013 up to two-thirds of the digital universe was “created or captured by consumers and workers, yet enterprises had liability or responsibility for 85% of the digital universe.” This universe of ubiquitously generated data will reach 44 trillion gigabytes by 2020 and will expand business opportunities for data-driven companies. In the right hands, much of this new information can become identifiable in some way when associated with other information by you, about you or concerning you as a unique individual.

The incoming EU General Data Protection Regulation (GDPR) recognizes this shift and extends protections to a broad range of information “relating to an identified or identifiable natural person… directly or indirectly”. As such, in some contexts seemingly anonymous identifiers such as IP addresses, hashes, cookie and mobile advertising IDs, including statistically derived ‘fingerprints’, may need to be treated like ‘traditional’ PII. 

2.   Personal data brings progress … and growing pains

“…A series of gaffes and marketing tech innovations have made it patently obvious that wide categories of data beyond PII have the potential to ‘identify’ an individual and to produce messaging so personal, that it can shake the ‘private’ sense an individual has when browsing the internet.”

Critically, we are no longer passive consumers of products and services. The democratization of professional publishing tools and easy access to “free” cloud computing services and communities fueled the rapid growth of a content-rich, social internet. In many important ways, we as individuals are now an integral part of the Internet of Things and People. Our valuable creative energy and attention are currency in the digital economy.

In this digital universe, what is personally identifiable is no longer limited to our names, or even our email addresses. We share our precise or closest location when uploading a photo to Instagram. We personalize our favorite news site and streaming video library. We react to friends and businesses in real time while on the go, and are becoming increasingly aware that personalization and convenience are driven by the advanced tracking and analytics capabilities of publishers and advertisers.

In response to these maturing capabilities, the EU’s proposed updates to its ePrivacy rules will extend GDPR-level protections to emerging technologies (and metadata!) that make all of this possible. The ePrivacy Regulation (ePR) is expected to cover a wide range of issues ranging from the confidentiality of online data traffic to the express (opt-in) consent for activities driving people-marketing.

3.   Converging privacy sentiment … with teeth

“When viewed with this history in mind, we really should not have been surprised when the FTC began to declare (1, 2) that all manner of device IDs and associated data were also ‘PII.’ Or rather … Maybe we should have been surprised that they used the term at all, as it has largely outlived its usefulness.”

Those of us in the States don’t need to look too far afield to see shifting perspectives on digital privacy. When speaking about the expanded treatment of “personally identifiable” data, FTC Chairwoman Edith Ramirez explained how “many consumer devices and appliances — from your Fitbit to your fridge to your thermostat — are silently talking to one another, collecting data, and transmitting that information to various third parties…” In and of themselves, these disparate and oftentimes proprietary digital IDs may hide your real-world identity.

Yet, consolidations in communication, media and data analytics industries are making it easier for organizations to connect the dots across the engagement silos of the past.

Given the consumer-first aspirations of the GDPR and ePR, it is not surprising that European lawmakers have paid close attention to automated decision-making arising from the tracking and profiling of our online selves. With identity-based services becoming commonplace (think single sign-on using your Facebook account) and content tailored to our interpolated interests (think of Google using your whereabouts to personalize results), the questions of transparency and control remain paramount.

With the FTC in the vanguard, the US’s privacy ‘approach’ is steadily tilting towards a broader, European understanding. With its incoming privacy regime the EU continues to be well ahead. But for how long? And how do we adapt?

4.    Responding mindfully

“Now that [PII] is leaking all over the place, we can either expand the term to be inclusive of an ever increasing list of data categories, bounded only by the creativity of next month’s industry innovations or a privacy researcher’s experiments, or we can stop the madness and give the term a proper burial.”

The mix of personal but seemingly anonymous information creates a new kind of “pseudonymous” data that is notoriously difficult to manage. How exactly does one opt out of a statistically derived mobile ID? The Future of Privacy Forum describes this grey area as “an intermediate category or categories of data that can be subject to some but not all privacy restrictions.”

Thankfully, helpful frameworks such as Privacy by Design (PbD) have emerged in recent years to help innovators balance their competitive needs against the security and privacy expectations of individuals. For example, the PbD core principle of “user-centricity” could mean that campaign performance data should be aggregated before sharing with an advertiser so as to prevent reverse-identification of anonymous users.

So while Article 25 of the GDPR covers embedding privacy throughout the organization, it does not prescribe any one specific framework. Regardless, it is clear that there is now a stronger impulse for organizations to ask themselves “We say we are and we think we are, but do we really practice privacy ‘by design’?” I agree: simply trying to shoehorn privacy safeguards in after the fact will miss the converging global mark, operationally and spiritually.

Which brings us to my final point.

5.   Don’t be afraid to engage on privacy

“Don’t expect consumers to understand privacy assurances that are limited to your use of ‘PII,’ because that doesn’t map to their current conception of personal privacy.”

We are in the kind of privacy-anxious future authors Arthur C. Clarke and Neal Stephenson speculated about 25 years ago. Gone are the days when “personal” information is indexed in a phone book or town records. Our footprints can be measured, almost literally, using beacon technology. Our in-store purchases can be linked to our email addresses and associated with interest categories. Our phones will ring when our credit card company detects suspicious activity in another part of the world. And we will be able to access an increasing number of digital services using our preferred online persona.

As such, merely securing the personal data in custody is no longer enough. New products and ways of doing business mean ensuring that, as consumers, you and I are not caught off guard. In the GDPR era, this also means we, as professionals, take all of our medicine. As Colin rightfully points out, the least we can do is change our dated notions about “PII”.

Filed Under: Digital privacy, GDPR

‘Abandonment’ Campaigns Trigger Online Tracking Rules in Canada too!

Posted on September 1, 2016 Written by Alex Krylov Leave a Comment

Globalization affects online retailers in different ways. One compliance blind spot that doesn’t get a lot of attention has to do with sending  ‘shopping cart abandonment’ emails into Canada.  (Or into the European Union for that matter.)  I’m often asked, how exactly are abandonment emails covered under Canada’s stringent Anti-Spam Law (“CASL”)?  Can I even send abandonment emails there? This is one of those areas where marketers can easily miss the forest for the trees and create risk for their company.

But let’s back up a bit… ‘Abandon cart’ is an email re-engagement technique that tries to influence an online shopper to complete an abandoned order. They bailed in the heat of the moment and you want to get them back!  You set up your website analytics, drop session and tracking cookies, tie the cookie to the shopper’s email address,  and create rules to automatically trigger an email when they jump overboard.

To answer the Canada compliance question fully we need to give equal attention to what happens before the email is sent. And we need to be clear about what abandonment messages really are: cross-channel remarketing campaigns triggered by a consumer’s online behavior.

Email marketing perspective:

Abandonment messages fall into a gray area but are almost always ‘commercial’. That is, they encourage the continuation of a commercial activity instead of providing factual information about the activity. Under CASL, marketers would need to ensure abandonment messages are not unsolicited, and that a CASL compliant consent agreement exists for the customer.

Opt-out compliance obligations would also need to be considered, and this is true under CASL as under the US CAN-SPAM Act.

Online tracking perspective:

Abandonment campaigns rely on marketers tracking customers online and tying online behavior back to an email address. This means that email senders will need to manage compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), which covers notice and choice obligations with online tracking.

  • PIPEDA’s privacy principles: http://www.priv.gc.ca/leg_c/r_o_p_e.asp
  • PIPEDA’s definition of commercial activity, which includes remarketing: http://www.priv.gc.ca/leg_c/interpretations_03_ca_e.asp
  • Privacy Commissioner’s findings under PIPEDA in relation to remarketing: https://www.priv.gc.ca/cf-dc/2014/2014_001_0114_e.asp
  • Privacy Commissioner’s guidance on online behavioral advertising, the technology of which informs triggered emails: https://www.priv.gc.ca/information/guide/2011/gl_ba_1112_e.asp

Under PIPEDA, marketers will need to (i) clearly and conspicuously inform website visitors that their online activities may result in personalized marketing, (ii) offer a way to opt out of such tracking, and (iii) ask for individuals’ prior express consent for tracking involving sensitive personal information such as health data.

Ultimately, Canada-facing marketers need to treat abandoned cart campaigns as cross-channel exercises: they must try their best to satisfy all seven Privacy Principles, of which CASL is but a subset.

Filed Under: Consent, Cookies, Cross-channel

Winds of Change: Reflecting on 2016 Data Privacy Day

Posted on February 2, 2016 Written by Alex Krylov 3 Comments

This year's International Data Privacy Day (DpD) marks the 35th anniversary of the first legally binding international treaty dealing with privacy and data protection. As our society warps towards an informational diamond age, DpD reminds us of the … [Continue reading]

Filed Under: Digital privacy, EU, infosecurity, privacy, Regulatory Compliance

Deep Waters: Looking at emerging ad tech privacy challenges

Posted on May 15, 2015 Written by Alex Krylov Leave a Comment

The Information Technology revolution has produced a revolution in the volume, variety and velocity of data that can be collected, analyzed and made useful to marketers at relatively low cost. Like it or not, 'big data' is a cresting wave on the sea … [Continue reading]

Filed Under: Big Data, Digital privacy, IoT
