3 Data Dilemmas Advertisers Must Overcome

As long as companies retain the ability to track, collect, and use consumer data for advertising, privacy tensions will remain a defining feature of the industry. Consumers are being tracked online more than ever before, and the display advertising ecosystem has built an entire economy around converting that data into revenue.

All of this opportunity comes with a real cost — one that goes beyond the dollars spent acquiring data. Advertisers must navigate a constant balancing act between delivering better-targeted ads and respecting consumer privacy, all while operating in a landscape riddled with regulatory risk.

Certain data practices are genuinely necessary to optimize campaigns and serve personally relevant ads — an increasingly central goal in an era of consumer-led marketing. But those same practices raise serious privacy concerns and create dilemmas that every advertiser eventually has to confront.

Deduplication

In ad tech, removing duplicate data entries typically refers to audience deduplication. Running a campaign across multiple platforms — ad servers, networks, DSPs — or delivering to multiple devices creates different cookie IDs for the same visitor. Deduplication stitches those IDs together to produce a true unique-visitor reach figure for the campaign. The problem is that storing multiple device and cookie IDs can result in continued tracking of consumers who intentionally deleted their cookies. Ever-cookies — cookies engineered to be undeletable — are explicitly forbidden and have been the basis of several industry lawsuits.

A universal device graph platform would be the clean solution, but it doesn't exist in practice. Facebook and Google have no incentive to expose their device graph data to outside vendors, and only those two platforms currently possess data sets large enough to deterministically map devices to individual consumers at scale. The most realistic path forward for most advertisers is to rely on first-party data and encourage users to sign in — this makes it possible to build a device graph for individual visitors. Building second-party data partnerships is another avenue, one that can extend that graph meaningfully without the privacy risks of buying third-party data wholesale.

Data Usage and Sharing

Most consumers understand in a general sense that their online activity is tracked — usually via cookies — and used for advertising. What the majority don't grasp is how much of their data is collected and how far it travels through the online advertising ecosystem.

The EU General Data Protection Regulation (GDPR) marked a significant shift here, requiring advertisers to obtain "unambiguous" consent from consumers before using their data for marketing purposes. The regulation has had a substantial effect on data providers and the exchange of data between parties, given the scale of potential fines involved.

Offering a free web or mobile app in exchange for displaying ads is a reasonable value exchange. Using collected data for marketing is also permissible — but users need to be aware of and agree to that use, understand who their data will be shared with, and know how to opt out later. Regulations require advertisers to make all of this explicit. The stronger argument, though, is to go beyond the letter of the law: use data to create genuine value for visitors and customers rather than simply slotting them into more audience segments or feeding them additional ads. It's worth asking whether you would consent to the same data practices if you were on the receiving end.

Defining PII

The meaning of "personal data" may seem obvious, but it's more nuanced than it first appears — affecting both the type and the volume of information that can lawfully be collected, stored, and processed. There is genuine industry debate about what PII actually encompasses. Personally Identifiable Information is broadly defined as any data that may lead to the identification of an individual. A single data point may not qualify as PII on its own, but when combined with other data collected about the same user, it can become PII — the classic example being year of birth, age, and postal code together.

When collecting PII, the following requirements apply:

• Identity reset: Users must have a way to "reset" their identifier and start a new identity without being linked to earlier behavioural profiles or previously used identifiers such as an email address or phone number.
• Non-identification: The set of data points collected should not, in aggregate, allow the identification of a specific real-world individual.
• Data retention: A retention policy must be in place, and it must comply with applicable privacy regulations — keeping data indefinitely is never acceptable.
• Regulatory currency: Privacy regulations are continuously evolving, and staying current with new requirements is an ongoing obligation, not a one-time exercise.

Online data privacy shows no signs of fading as a contentious issue. As more users access the web through both desktop and mobile devices, the opportunities to target them with advertising will only grow. Regardless of where one stands on data collection philosophically, the practical and regulatory challenges remain considerable — and they're going to keep evolving.

This post was originally published on Website Magazine on May 17, 2016.