Using PII in a DMP: What Are the Implications?
Author Ian Simpson
Author Ian Simpson
In case you hadn’t heard – data management platforms (DMPs) are all the rage these days. Optimizing media buying and monetizing audience data is more important than ever and a big part of that is personalization.
But when it comes to using personal data – or Personally Identifiable Information (PII) – things get a bit tricky.
Many advertisers, marketers and publishers too would like to be able to use it, but they are unsure of the implications.
In order to understand what the consequences are, it’s good to examine three factors:
Let’s explore each one in more detail.
As a quick reminder, PII (Personally Identifiable Information) – or Personal Information as it is referred to in the European Union – is data which may be used to actually identify a person (a.k.a. a data subject).
The obvious piece of information that comes to mind is a customer’s name and address. But there are a host of other data points that may be labeled as PII or Personal Data. Because the definition of Personal Data as laid out in EU directive 95/46/EC states that it may also be considered that data which can indirectly identify a data subject, the range of data covered by the law is actually quite wide.
Therefore, it is important for DMP users to be aware of which data points they are considering storing and using in their platform – whether it be a single data point that may identify a user or several data points which, when combined, may end up being subject to PII regulation.
While the European Union has implemented a more unified set of legislation (the General Data Protection Regulation), the United States has a more diversified system.
Regulations regarding different kinds of potentially sensitive and identifiable data are governed by individual bodies and their rules at both the federal and state level – the Federal Trade Commission (FTC) and its Department of Consumer Protection, the Federal Communications Commission (FCC) and local Departments of Consumer Affairs, as well as industry-specific ones such as HIPPA (the Health Insurance and Portability Act governing patient privacy) for health-related data.
Not only should DMP users be aware of what kind of PII they plan to store and use in their application, but also where the data is stored and used.
When talking about location, we can actually mean two things:
Actually the two are interrelated. Why?
If a DMP vendor offers a cloud model, then its users (brands, agencies, etc.) will need to be even more concerned about geographic location of the vendor’s servers as well as where their digital campaigns may be reaching.
Again why, you ask?
Consider again factor number one – what kind of PII is being stored. If a DMP vendor or user is located in the United States and wishes to target customers in the EU (or vice versa), he or she automatically must deal with two different sets of regulation (and definitions of PII/Personal Data).
Furthermore, the EU’s GDPR imposes specific restraints on passing data across international borders. This can have important implications for vendor and clients alike.
Of course, the most important point is how the data in a DMP is actually being used.
For one thing, this will determine whether the DMP user and/or the DMP vendor is defined as a data processor or a data controller.
Usage also involves whether PII in a DMP will be used exclusively help with media-buying and -selling via a DSP or whether it will be used for cross-channel, cross-device attribution (mobile, email campaigns) and whether it will be used only once or more than once.
For linked data in a DMP – in other words, data that in and of itself is personally identifiable – the main implication is that it must be anonymized in order to be used without explicit consent.
This means that as soon as a social security number, full name, phone number or other linked data point is transferred to a DMP it must undergo anonymization before it can be used in any way.
When it comes to linkable information – things like IP address, purchase history, gender, etc. – a DMP user will need to make sure that the profiles which are created by combining this information with linked information and/or behavioral data are also anonymized.
Because a DMP (especially one using deterministic matching) works on the principle of creating user profiles and placing those profiles in audience segments for activation on various media-buying and -selling platforms, the entire profile must also be anonymized and data sets aggregated in such a way that it is not possible to work out the identity of the data subject.
Additionally, provisions must be made for consent for both online PII and offline PII because all PII – linked or linkable – carries with it the responsibility of gaining explicit consent from the data subjects when the data is collected.
Closely tied to the implications of data types, the way a DMP user plans to take advantage of PII is also very important.
For one thing, collectors of PII who wish to use it, must clearly state any and all partners that this data may be shared with.
So a publisher (such as The New York Times) that wanted to monetize its audience data by offering anonymous profiles of its subscribers to interested brands would have to make it clear at the point of collection which DSP/ad exchanges and which brands may be using the data.
In a digital advertising scene overflowing with programmatic platforms, this is rather impractical.
Advertisers may have it a bit easier – since they could potentially limit themselves to one or two DSPs or ad networks, but many would not want to do this, since they are always wanting to increase their reach by tapping into as much inventory as possible.
The side effect of this is that many DMP users look to use PII within their own ecosystem – in other words on their own site or in their own mobile app – for content personalization. This way they only have to gain consent for PII to be used for marketing activities.
If a DMP user chooses to use a cloud-based platform, then location can have significant implications for storing and using PII.
As mentioned above, data passed across international borders may be subject to different regulations depending on the country. If a brand is using a DMP to target customers who are EU citizens – even if the DMP and its servers are located outside the Union, then EU regulations apply.
This means making sure that regulations are adhered to both in the country where the DMP vendor is located as well as where the data is being used. Knowing this, brands have to be especially careful about choosing where their DMP is physically located.
Using an on-premises DMP gives its users somewhat more flexibility as they have more control over where their data is stored and where it will eventually be used.