ellipsis flag icon-blogicon-check icon-comments icon-email icon-error icon-facebook icon-follow-comment icon-googleicon-hamburger icon-imedia-blog icon-imediaicon-instagramicon-left-arrow icon-linked-in icon-linked icon-linkedin icon-multi-page-view icon-person icon-print icon-right-arrow icon-save icon-searchicon-share-arrow icon-single-page-view icon-tag icon-twitter icon-unfollow icon-upload icon-valid icon-video-play icon-views icon-website icon-youtubelogo-imedia-white logo-imedia logo-mediaWhite review-star thumbs_down thumbs_up

How to deal with the privacy problem

How to deal with the privacy problem Tom Hespos

When is the best time to reveal an ad targeting initiative to advertisers that has the potential to creep out consumers in new and exciting ways?

I'll give you a hint. It's not while there's draft legislation on the table for consumer internet privacy in the U.S.

Don't get me wrong. I'm not suggesting that any questionable data practices simply be tabled until this whole privacy mess works itself out. Questionable practices shouldn't be a part of the picture at all. But as I hear more and more about where certain companies are steering their targeting initiatives, I can't help but think that the timing couldn't be worse.

While the IAB floats self-regulation as an actual, viable solution to the privacy problem with a straight face, some of the companies that support it are undermining its efforts -- or at least they would be if consumers knew more about how they were obtaining the information they use to target ads, as well as how they're marrying it to consumer profiles.

I haven't heard of any reputable organizations simply taking personally identifiable information (PII) and sharing it outside their organization for targeting at the individual level.  But the following practices are fairly commonplace and result in essentially the same effect:

  1. Using PII not to target ads, but to pivot from acquired data to desired external data. "Appending" is commonplace in the DM industry. But it doesn't take much to figure out that if a consumer volunteers a name, postal address, or other PII, they probably would be creeped out if you then take that PII and use it to track down everything known by a third party that's associated with that PII. If you're using PII as the thing that links relevant data together, either in one database or in an entire distributed network of data assets, isn't that precisely what most consumers intend to avoid?

  2. Using data that's not classified as PII, but might as well be. There are ways to use information that might not personally identify somebody but does drill down to an individual household or small group of households. Combine that information with other information that can be piped in from external databases and you've in effect identified an individual. This approach can allow a media company to say "We don't use PII" to advertisers and comply with that notion in letter, if not in spirit. But we know that it really only skirts around the real issue, which is that consumers don't wish to be targeted at the individual level with information they consider to be private.

Regardless of how you feel about whether the consumer is entitled to this protection, the truth is that the U.S. government cares enough about this issue to draft legislation. And there's nothing written in stone that could result in a rejection of self-regulation and the adoption of new laws that could restrict our business in unforeseen ways. A great way to help that along is to step things up on the ad targeting side.

Tom Hespos is the chairman and president of Underscore Marketing and blogs at Hespos.com.

On Twitter? Follow Hespos at @THespos1 or @_MarketingLLC. Follow iMedia Connection at @iMediaTweet.

Tom Hespos is President of New York agency Underscore Marketing. He is a frequent contributor to industry trade publications and has been writing a regular column about online marketing and advertising since March of 1998. His clients include Wyeth...

View full biography


to leave comments.

Commenter: Jim Brock

2010, July 11

Thanks for pointing out those two practices as ones that, while perhaps permitted under the literal terms of many companies' privacy policies, would not be consistent with consumer expectations about how PII should be handled. I'm not aware that NAI or IAB guidelines address those points specifically, but they should.

FYI, as part of the PrivacyChoice project we have created a checklist of privacy practices for behavioral targeting, which you can see here:


Comments are much appreciated. Your two points will be added to the next draft.