Who stole all the cookies from the cookie jar?
The US administration’s recent repeal of the Federal Communications Commission (FCC) privacy released broadband and telecommunications services from mandated privacy obligations. Internet Service Providers (ISPs) are left with a gap in regulatory privacy protection; meanwhile, advertising platforms such as Google and Facebook are still subject to the privacy controls of the FTC.
This shakeup has brought the topic of online privacy back to the headlines once again. Advertisers are unsure whether this repeal will be beneficial to them or if they should proceed with caution. While this may not directly affect advertisers (they are subject to the FTC’s privacy ruling rather than the FCC’s), many believe the repeal will actually trigger more encompassing privacy regulations by the FTC to make up for the lack of regulation over ISPs. Furthermore, we can predict that privacy will be in the hot seat here on out.
Advertisers are frequently unaware of the identifiable characteristics hiding within the data they already collect and therefore, are oblivious to their subsequent privacy obligations. For example, many of them perceive “cookie ID” and “IP addresses” as benign (not personally identifiable information, or “PII.”) However, when combined, these two parameters can instantly identify anyone’s web activity without ever requiring additional external information or sophisticated technology. Additionally, when analyzing a large enough sample of IP addresses, one can even easily identify individual’s home and work addresses. Web server log files and backend applications store these attributes on the same audit record alongside the URL of the web page the user accessed. As a result, these log files and audit records can essentially spell out what website you are visiting and your physical address.
Here are some best practices for being compliant with the FTC and other emerging privacy regulations such as GDPR - a prevalent ruling in the EU regulating internet data privacy with international implications:
- Collect consent - It’s the law and it’s also good for business: This is often particularly tricky for advertisers since some touch points with end users are done by the brands. However, ensuring that each time a user acknowledges that the site collects cookies there is an audit record both to protect advertisers from class action lawsuits, as well as help them build trust with their end users.
- Know where you store cookie IDs: This is particularly important as it allows advertisers to protect their audit records. Audit records travel across the entire IT environment and are e eventually transferred to advertiser’s partners through direct or indirect data transfers on ad networks. Knowing this path in detail allows advertisers to properly protect it. Additionally, understanding the path can provide useful information about the end user!
- Prepare for a breach: With today's alarming growth in data breaches, advertiser’s need to assume that a breach will happen at some point and subsequently, need to be prepared. In the case one takes place (and one should expect, it will at some point) advertisers must to notify impacted customers within 72 hours. And, if it’s unclear exactly who has effected (which is often the case) advertiser’s must notify their entire customer base. In turn, advertiser’s customers will also need to inform those impacted on the consumer-side in a timely manner.
- Anonymization considerations: As noted in previous, the often times, advertisers can’t even notify their end users directly. For this purpose, it’s important to anonymize the data proactively so that it can’t be used. That said, the very value of data is in its identifiability to some extent. Performing de-identification while maintaining the utility of the data is a rich topic on its own. A great resource for diving deeper into this topic is to The Future of Privacy Forum (fpf.org).)
- Know where your data is flowing to: The cookie IDs and other information quickly gets dispersed in other systems and applications that process the data, as well as unstructured reports extracted by employees. Data is sent to business partners and ad networks while a personal data transfer needs to be documented.
- You are subject to GDPR: Just by holding EU resident data, the GDPR is a consideration that warrants attention and those impacted must comply. You don’t have to do business in the EU, and it doesn't matter where you collect the data— if you have any German resident data, that resident can ask you to remove his or her data and you may need to answer to the data protection authority of Germany or any other member state, period. The penalties of noncompliance can be up to 4% of your global revenues. Know the residency of your data so that you can be compliant.
While the broadband providers may have a free pass (for now), online advertisers you are still subject to the FTC privacy controls. This might seem unfair, but it’s probably not long before the FCC regulations catch up. But privacy regulation is actually holistically positive - privacy protection of your customer and end user data is also very good for business, and encourages weary customers to take their business online. It allows advertisers to learn more about their customers while allowing for mutual consent and understanding. It is the first step to re-imagining the advertiser’s ability to act as a service for end-users, enabling customized content they want without being intrusive. It is the future of advertising, and ignoring privacy in today’s increasingly digital world is no longer a viable option.