“PII” is dead, or rethinking privacy in a digital universe

March 17, 2017 by Experian Marketing Services

Recently a fellow privacy pro, Colin O’Malley, asked me to review his thoughts on the state of privacy in today’s data-driven economy. I liked his piece so much that I wanted to share some of it with you, along with my comments.

As you read ahead, I ask you to think about your role within Experian, one of the world’s largest data companies, and how this relates to your personal experiences as a modern, empowered consumer. Whichever lens you choose to view this topic from (I hope both!), I want to convince you that you have a role in the privacy game.

You may read Colin’s full article here.

1.    We’re not in Kansas anymore

“For anyone involved in privacy in the late 90s and early aughts, ‘PII’ or ‘Personally Identifiable Information,’ had a very specific, bright line meaning. PII referred to the data that needed to be protected: email, phone number, postal address, etc. Everything else was effectively harmless. Websites and marketers could go virtually unregulated for privacy practices if they simply resisted the temptation to touch PII.”

Twenty-five years is a very short time to get us from Norton Commander to artificial intelligence-powered cognitive computing. Rapid advances in computer and information sciences have ushered in an era of unprecedented access, convenience and interconnectedness. We can now pay our bills at the scan of a thumbprint, rave about favorite restaurants on Yelp, refill our prescriptions with a voice command, and share statistics from our personal fitness tracker with our doctors and social networks. We can save time on our commutes using crowd-sourced traffic updates beamed to our cars, and pay for plane tickets with a swipe of a finger.

According to a recent study by research firm IDC, in 2013 up to two-thirds of the digital universe was “created or captured by consumers and workers, yet enterprises had liability or responsibility for 85% of the digital universe.” This universe of ubiquitously generated data will reach 44 trillion gigabytes by 2020 and will expand business opportunities for companies like Experian. In just four years, 37 percent of all that data will be ripe for analysis and utilization by businesses.

Much of this new information can become identifiable in some way when associated with other information by you, about you or concerning you as a unique individual.

2.    Data brings progress … and growing pains

“…A series of gaffes and marketing tech innovations have made it patently obvious that wide categories of data beyond PII have the potential to ‘identify’ an individual and to produce messaging so personal, that it can shake the ‘private’ sense an individual has when browsing the internet.”

The data-driven economy is rapidly shifting how businesses engage consumers and how the ecosystem brokers the issue of trust. For marketers, the digital revolution presents unique opportunities and challenges. The increasing volume, variety and velocity of data that can be collected, analyzed and made useful at relatively low cost can create new and at times unexpected insights into our personal lives. Yet the rapid pace of innovation is significantly outpacing consumers’ ability to keep up with how data about them is collected and used.

Critically, we are no longer passive consumers of products and services. The democratization of professional publishing tools and easy access to “free” cloud computing services and communities fueled the rapid growth of a content-rich, social internet. In many important ways, we as individuals are now an integral part of the Internet of Things and People. Our valuable creative energy and attention are currency in the digital economy.

What is personally identifiable is no longer limited to your name or email address. We share our precise or closest location when uploading a photo to Instagram. We personalize our favorite news site and streaming video library. We react to friends and businesses in real time while on the go, and are becoming increasingly aware that personalization and convenience are driven by the advanced tracking and analytics capabilities of publishers and advertisers.

3.    Converging global privacy sentiment … with teeth

“When viewed with this history in mind, we really should not have been surprised when the FTC began to declare (1, 2) that all manner of device IDs and associated data were also ‘PII.’ Or rather … Maybe we should have been surprised that they used the term at all, as it has largely outlived its usefulness.”

With the Federal Communications Commission announcing new rules that appear to require opt-in for a telecom’s use of your web history data, U.S. privacy law is steadily tilting towards a broader, European-style regime. Another key development is the Federal Trade Commission recently expanding its definition of PII to include things like static IP addresses and loyalty card numbers. The European Union, however, continues to be one step ahead: there, dynamic IP addresses are in fact deemed “Personal Information.”

When speaking about the expanded treatment of “personally identifiable” data, FTC Chairwoman Edith Ramirez explained how “many consumer devices and appliances — from your Fitbit to your fridge to your thermostat — are silently talking to one another, collecting data, and transmitting that information to various third parties…”

These disparate and oftentimes proprietary digital IDs may hide your real-world identity. Yet, consolidations in communication, media and data analytics industries are making it easier for organizations to connect the dots across the engagement silos of the past. For example, you may now see the same kinds of targeted ads on your digital TV as on your tablet when streaming videos.

4.     Responding to the rise of pseudonymity

“Now that [PII] is leaking all over the place, we can either expand the term to be inclusive of an ever increasing list of data categories, bounded only by the creativity of next month’s industry innovations or a privacy researcher’s experiments, or we can stop the madness and give the term a proper burial.”

The mix of personal but seemingly anonymous information creates a new kind of “pseudonymous” data that is notoriously difficult to manage. How does one opt out from a statistical device ID exactly? The Future of Privacy Forum describes this grey area as “an intermediate category or categories of data that can be subject to some but not all privacy restrictions.”

For data companies, simply trying to shoehorn privacy safeguards into digital products or services after the fact often is insufficient. Marketers and analysts, and the technology companies that support them, need to take a mindful and proactive approach to data governance and consumer-privacy management.

Helpful frameworks such as Privacy by Design (PbD) have emerged in recent years to further help data-driven businesses balance their competitive needs against the security and privacy expectations of individuals. For example, the PbD core principle of “user-centricity” could mean that campaign performance data should be aggregated before sharing with a client so as to prevent reverse-identification of anonymous users.

5.    Building trust by engaging on privacy

“Don’t expect consumers to understand privacy assurances that are limited to your use of ‘PII,’ because that doesn’t map to their current conception of personal privacy.”

We are in the kind of privacy-anxious future authors Arthur C. Clarke and Neal Stephenson speculated about 25 years ago. Gone are the days when “personal” information is indexed in a phone book or town records. Our footprints can be measured, almost literally, using beacon technology. Our in-store purchases can be linked to our email addresses and associated with interest categories. Our phones will ring when our credit card company detects suspicious activity in another part of the world. Increasingly, companies are learning how to interpret our on-the-go activities and track our location over time.

Despite a patchy history with regulators, online advertising is an immediate example of an industry proactively trying to engage consumers on “privacy.” Recent DAA/FTC guidance on cross-device tracking and related “Beyond Cookies” guidance by the NAI are paving the way for the next generation of privacy safeguards. As electronic communications become more personalized and context-aware, new privacy controls and technologies will be innovated in this space first.

Given the complexity of our digital universe, the overarching trend in privacy is to openly and clearly communicate about data practices. Merely securing information is no longer enough. Powering opportunities across borders and industries also means ensuring that consumers are not caught off-guard by new ways of doing business. Educational resources, privacy tools and enterprise risk frameworks exist and can help. And more are on their way.

All in all, engaging on privacy is not a retardant to innovation — it’s just part of our collective evolution. The least we can do is change our understanding of “PII.”

Alex Krylov is a seasoned privacy and digital compliance pro helping Experian Marketing Services navigate complex internet policy and international marketing compliance issues.

Colin O’Malley is a “functional privacy” advisor for startups including Experian’s AdTruth business, and is the Cofounder, Corporate Strategy, and Privacy Advisor of Evidon (now Ghostery).