We hear so much about protection of personal data and massive data breaches that we are mostly numb to the issue. It’s akin to the Night King’s army of White Walkers marching on Westeros for several seasons of Game of Thrones then, in the end, it had little effect on the final status quo. Be assured, personal and audience data regulation is coming.
You may be wondering when federal legislation will appear. Barring any scandal similar to Facebook’s Cambridge Analytica one, it doesn’t seem to be a priority for our policymakers until after the 2020 elections.
For the moment, we wait for the proverbial battle, asking ourselves, “When will it happen, and will all be lost?” Being prepared is the best way to approach the expected data regulation.
The importance of knowing your audience
Understanding where your audience data comes from, how it’s secured and how it’s used is key to limiting regulatory surprises. Each of these questions has different implications and responsibilities for the data controller—you or your client—and for third-party vendors.
Addressing these questions is the difference between a good-faith effort to comply and fines. In this scenario, it’s vital to understand whether current data sources will still be usable under new regulations for interest targeting, frequency capping or geotargeting. It also really matters to know whether that data will, under future regulations, be considered personally identifiable information (PII) and therefore require special handling and reporting, or whether it will be usable at all.
Opting in and determining what’s sensitive
State and federal legislators are educating themselves and putting forward proposals for consideration, which may or may not actually make it into legislation. Also on the horizon are the New York Privacy Act (currently in N.Y. state committee) and the California Consumer Protection Act (CCPA), to be effective in January 2020. What these new state laws will mean and if federal law will supersede them is an evolving situation.
GDPR, the first wide-reaching piece of legislation that addresses PII for European citizens, became effective on March 25, 2018. Any company doing business within the EU is required to comply or be penalized. So far, Google has received the largest penalty of 50 million euros for requiring personal data for services. Top line requirements are to notify users of data collection, provide complete transparency on use, allow users to opt in and have the right to be forgotten.
Will U.S. legislators borrow from GDPR to limit contravening international requirements in a medium that does not respect borders, or will they forge their own path? That is the big question.
The seven different pieces of proposed federal legislation include definitions that have implications ranging from an honor-based system to ending programmatic advertising, geo/interest targeting and effective retargeting. Defining PII, sensitive data and consent are not trivial issues.
What is PII?
The CCPA defines PII as “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
A broad approach based on this language could force companies to re-identify users from anonymized data, since that data can be linked for tracking. Such a requirement would be detrimental to data security, because the absence of a direct connection between anonymized data and anything public is itself a current data safeguard.
Almost everyone agrees that users need to control how their data is collected and used. How that’s done is a whole different issue. Defining what constitutes PII will have wide-ranging effects for the industry—specifically, when consumers gain the right to request, opt out of and delete data where no mechanisms currently exist.
Defining sensitive data
As with most things, the devil is in the details. Obvious data such as phone number, physical address, monetary transaction information, health information and biometric data will be protected by lawmakers.