INtelligent Data: Privacy, PII and Marketing … Oh My!

In the United States, there is still a lot of gray area when it comes to Personally Identifiable Information (PII). PII privacy laws like the EU’s GDPR have clarity and put citizens in control by requiring their consent to use/process their personal information.

In the U.S., we have older federal legislation (HIPAA – health data, Data Protection Act – Social Security data) and information security standards by councils (PCI – Credit Card data) but little to no PII or online privacy laws protecting some of your identifiable information from being used without your expressed consent by marketers.

And by expressed consent, I don’t mean visiting a website with privacy policy small print that buries language like “by visiting our website you give us consent to use big data to identify you and market to you,” as if a real human would ever seek out the privacy policy and read that. I mean a cookie policy you are served and forced to express your consent with an action/click to agree/disagree before entering a website, which is ideally how it should be done, but rarely is. See example below.

Do you use Gmail for email, Google as your search engine or Chrome as your browser? Well, then you have given Google permission to identify you, use your information and build a pretty robust profile on you, including behaviors that marketers can take advantage of to market to you. I’m not saying that is a bad thing at all. I’m a marketer. I love data. I love using data. I don’t love when data is misused.

In the U.S., marketers have access to and can use data that wasn’t provided directly to their organization. Shoot, our own credit bureaus aggregate your data (Equifax, TransUnion and Experian) and sell it to marketers. You can append a postal address to your email file, append an email to your direct mail file. These marketing tactics to build a more robust database have been common play for a long time.

What is Privacy?
In the digital world, privacy barely exists, but it pertains to the collection and use of data. Any system that collects information on a person is required to have a Privacy Policy so you know what information they have access to and how they use it.

What is PII?
Personally Identifiable Information (PII) consists of fields of data (e.g., First Name, Last Name, Email, Postal Code, IP Address) that build out a data profile on a person. Certain fields, like “First Name,” are not personally identifiable on their own, but when used in combination with other fields they can identify an individual and are then considered personally identifiable.

Q: What data, that wasn’t provided directly to their organization, can marketers use to market their products/services without getting in trouble?

A: A lot.

Marketing Automation (MA) platforms like Marketo, Hubspot, Act-On, Pardot and SharpSpring all require an organization to add tracking codes to its websites, which let you see how anonymous website visitors are interacting with your website. If anonymous visitors are viewing at work, the technology can identify the organization domain the web visitor works for. It’s only when an individual chooses to submit their information on a form or opens an email from an organization that uses MA that a cookie is served, data is collected and the person is identified.

That cookie allows returning visitors to have their information pre-populate on your other forms, and it also lets you aggregate other behaviors, like which web pages they visit on your website and how often. All of this is pretty standard, and no PII is made available to the marketer unless the contact/lead takes action to provide it to you. Assuming you have a solid cookie policy in your Privacy Policy, you’re golden and will stay squeaky clean.

It’s when programmatic display or remarketing platforms come into play that you need to be very careful in your choice of partner. These platforms allow marketers to identify anonymous website visitors/cart abandoners and programmatically deliver an offer via email, display advertising in browser or social, or send a direct mail piece to them. Read The Wild West of Digital Marketing for more.

To carry out these programmatic activities, you need additional data points, like an IP address or other PII that may not have been provided to your organization. Some programmatic providers are getting into hot water for illegal wiretapping by tracking website viewers and then continuing to collect keystrokes and search history long after they visited an organization’s website.

Takeaways for Marketers:

  • Make sure your organization has a Privacy Policy without any holes for how your organization collects and uses data. Make sure this policy includes a cookie policy if you serve cookies. Make sure this policy includes using an IP address if you use a platform that identifies visitors by IP location.
  • Marketers for your organization can use a programmatic display ad, social ad or direct mail provider that never lets any party have access to that data directly. Data transfer must be encrypted and decrypted bi-directionally, and it must not be possible for any other party to intercept it via the web. Marketers will see de-identified metrics but can identify conversions.

Jenny Lassi • January 19, 2018
