When Can You Use PII for Online Advertising and Marketing?

Written by Michael Sweeney

Published September 30, 2016

The way companies conduct their advertising and marketing activities has changed a lot since the popularization of the Internet.

Previously, companies would collect consumer information such as name, address, age, etc. The Internet created new kinds of user data, and companies now collect, in addition to that basic information, items like cookies, device IDs, and IP addresses, among others.

However, the increase in data collection has also brought about an ever-growing concern over user privacy.

In particular, online users are becoming concerned about how personally identifiable information (PII) is being collected, shared, and used. Many ask whether it is even legal to use PII for online marketing and advertising.

The answer to this question lies in a number of legal acts and regulations.

Can You Use PII For Online Marketing?

Both online and offline companies collect large amounts of personal information; think about the times you’ve signed up for a customer rewards card in a store or downloaded an ebook from a website.

This information is extremely useful, as marketers can use the information they collected from you to promote and sell their products and services. But the question is: can companies use PII and personal data (e.g. an email address) for marketing purposes?

The answer is yes, as long as they have consent from the consumer.

Consent can be given in a couple of ways, generally by clicking an opt-in or opt-out box when a consumer supplies their email address, or by agreeing to the privacy policy and terms of service upon signup.

However, certain privacy laws control what you can do with email addresses obtained from consumers. For example, you can’t sell your email list to third-party companies unless you’ve received consent from the consumers, which they can give when they provide you with their email address.

There is also the matter of adhering to a country’s anti-spam laws, e.g. the U.S. CAN-SPAM Act of 2003.

Companies that collect PII or personal data from consumers also need to decide whether they are a data controller or a data processor, especially if they operate in countries bound by the European data-protection law.

Can You Use PII For Online Advertising?

Short answer: yes, you can.

There are no laws preventing companies from collecting and using PII for online advertising and marketing, but do most companies use PII for online advertising?

No, they don’t.

The reason advertising companies don’t use PII, while marketers do, is that conducting an online display-advertising campaign requires sharing user data with third parties (ad networks, DSPs, ad exchanges, etc.). Also, because companies need consent from a consumer to collect PII and personal data, they would need to get that consent before the consumer viewed a page containing ads, which is completely impractical.

While there aren’t laws permitting the use of PII in online advertising, there are laws, policies, and regulations policing the collection and proper usage of PII.

Here are just a few examples:

In addition to the above acts, you also have government and non-government organizations that regulate the use of PII, including the Federal Trade Commission, the National Institute of Standards and Technology (NIST), and the self-regulatory organization Network Advertising Initiative (NAI).

The fact is that it’s simply not worth it, from a cost and resources perspective, for companies to collect and use PII for online advertising due to all the legal frameworks and policies in place.

So if companies don’t use PII for online advertising, what do they use?

They either use non-PII (e.g. cookies) or they anonymize (or de-identify) the data, either by hashing it (turning an email address into a fixed-length string of seemingly random characters) or by removing PII completely.
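The two de-identification options described above, as an added example that is not code from the article: the field names, sample record and key are constructed, and the keyed-HMAC variant goes beyond the plain hashing the text mentions. It shows that a hashed email is a stable pseudonym rather than a random value, which is why the same address always maps to the same token.

```python
import hashlib
import hmac

# Field names treated as direct identifiers (assumed for this example).
PII_FIELDS = {"name", "email", "address", "phone"}


def normalize_email(email: str) -> str:
    """Trim whitespace and lowercase so one address always yields one token."""
    return email.strip().lower()


def hash_email(email: str) -> str:
    """Unkeyed SHA-256: deterministic, so anyone who already knows the
    address can recompute the same token. A pseudonym, not a random value."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def keyed_email_token(email: str, key: bytes) -> str:
    """HMAC-SHA-256: only holders of `key` can recompute the token."""
    data = normalize_email(email).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def deidentify(record: dict, key: bytes) -> dict:
    """Remove direct identifiers and keep only a keyed token for matching."""
    out = {k: v for k, v in record.items() if k not in PII_FIELDS}
    if record.get("email"):
        out["user_token"] = keyed_email_token(record["email"], key)
    return out


# Constructed sample data, not from the article.
SAMPLE_KEY = b"example-key-keep-in-a-secrets-manager"
SAMPLE_RECORD = {
    "name": "Jane Example",
    "email": "  Jane.Example@Example.com ",
    "address": "1 Sample Street",
    "segment": "ebook-download",
    "consent_marketing": True,
}

if __name__ == "__main__":
    print(hash_email(SAMPLE_RECORD["email"]))
    print(deidentify(SAMPLE_RECORD, SAMPLE_KEY))
```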

Staying Privacy Compliant

The definition of PII and personal data is changing all the time. Currently, IP addresses and unique user IDs stored in cookies are not considered PII or personal data; however, both the FTC and the European Article 29 Data Protection Working Party (Art. 29 WP) view these pieces of information as personally identifiable.

For this reason, it’s vital that companies which collect, share, and use user data take steps to comply with various data and user-privacy laws in the countries and states they operate in, and stay up to date with the latest changes and inclusions.

For the most part, this will involve working with a qualified legal expert who will be able to guide them through the legal mazes and ensure they aren’t on the wrong side of a messy, and costly, legal case.
