Why, why, why do you need my PII?

It seems like every day we wake to a new and significant data breach in the news. Here, in Australia, in the past couple of months, we have witnessed large-scale attacks on the likes of Optus, Medibank and Latitude Financial. In each of these attacks, the perpetrators have taken the data and looked to on-sell the Personally Identifiable Information (PII) across the globe or held the businesses to ransom to not release the information publicly.

The question is ‘Why do these businesses need this information, how and where are they storing it and how secure is it?’ There is no simple answer here but, we can look at one area - how PII is used across the advertising ecosystem.

In a recent Consumer Policy Research Centre (CPRC) paper, they interviewed 1000 Australians and found that ‘There’s a major mismatch with how the digital economy currently works and what consumers want’.

Whole industries currently exist to trade in consumer data, yet 79% of Australians agree that a company should not sell people’s data under any circumstances. Even though companies commonly monitor what we do online, on their own websites as well as across the internet, 70% of people are not comfortable with companies monitoring their online behaviour.

They also commented: ‘It’s time for businesses to look at data and see how they can profit through positive outcomes for the community instead of monetising data in ways that cause community harm.’

‍

The CPRC polled 1,000 people earlier this month (March, 2023) to inform its report. Key findings include:

• Only 7% feel companies give them real choices to protect their privacy online.
• 79% agree companies should only collect information about them when they need to provide a product or service.

• 84% agree that companies should always act in the best interests of the consumer when they use their data. 84% also believe that it should be stored safely. 
• Less than 10% are comfortable with the current approach to targeted advertising with tracking of online behaviour.

• 79% agree that a company should not sell people’s data under any circumstances.
• 64% find it unfair that companies require you to supply more personal information than is necessary to deliver the product or service.
• 90% expect businesses to protect people’s information from being used in ways that leaves them worse-off.
• 52% agree that it’s time-consuming to find actions to protect their privacy online.

CPRC Paper - ‘Not a fair-trade. Consumer views on how businesses use their data.’
‍

Current issue

If you are anything like the average internet user, you have over the past couple of years, freely given or disclosed your personal information, such as your name, email, mobile phone number etc. You would have also accepted cookie pop-ups, never read a 4000-word privacy policy and freely used services from some of the biggest businesses, such as Google, Facebook etc. that have leveraged your data to target advertising at you and increase their revenue in doing so.

All of your data has been stored away for the benefit of businesses. Have a look at: https://myaccount.google.com/dashboard to see what Google is tracking.  

What you might not be aware of, is where and when businesses that you have never had a relationship with (third-parties) track you or, when they on-sell your data to additional companies so that they can target you or use your data.

Example in the physical world

The way to protect individuals and businesses alike is to implement new laws that are based on proven methods - such as those that apply within the offline world.

Entering a shop and providing information to the clerk, and then having them provide a recommendation, makes good sense. The clerk may use a third-party to help them provide this advice, yet the third-party does not obtain ownership of the information, the information is only shared with the clerk for use within the context of the services/products they provide.  

However, going into a shop to find that the clerk from the previous shop or a shop you have never visited is there trying to sell you something out of context, or that the clerk has taken the information you provided and then sold it to another party, is simply not acceptable, and is equally not acceptable for the shop owner to ask you to sign a consent form that would allow them to do so.

In this instance, the right approach should be where the clerk can freely use the information provided to enable them to better service the individual within the context of the products and services they provide and can gain assistance from third-parties to achieve this. Yet, they are not permitted to give or sell this information to a third-party to use for a purpose outside of the context in which the information was provided.
‍

Digital advertising has gone too far

Within the digital advertising space, it is widely accepted that this situation has gone too far. As an industry, slow-blocking of the third-party tracking solutions has been rolling out for a while now – with Google (i.e. Chrome) still reluctant to join Apple (i.e. Safari and Firefox) in blocking third-party cookies. Yes, Google doesn’t want to risk losing any of its $225B in annual ad revenue.

Others that have been using third-party cookies to their commercial gain are digital publishers who have found a way to combine and then segment these audiences out to market to monetise their traffic.  

So, third-party cookies are disappearing, and businesses and publishers are having to adapt to the new landscape by using methods to connect individuals to advertising spots. Most businesses have moved to a first-party and PII methodology to tackle this. We have seen a rise in the hashing of PII data (email and/or mobile number) to obtain a view of matched audiences. These are either occurring directly e.g. Facebook Custom Audiences, or via a third-party solution like identity services providers. They all work by obtaining personal information, such as email, IP addresses and browser session information. They then take this information and use fingerprinting to create an identifier that can be shared for targeted advertising. 

Back to the original statement – ‘Why, why, why do you need PII?’ This is the big question that is circulating at the moment and why governments across the globe are addressing the needs of their citizens to ensure that they are protected. Why does a publisher need to ‘know’ the individual? Why does a business need to use computational systems to infer a probabilistic match to an individual’s behaviour and identity? Why does the individual not have a say in the use of their data and how it is shared? As shown in the CPRC survey, consumers don’t want their data shared so something needs to change and with government policies being reviewed and in discussion it looks like change is coming and it will be enforced. 

‍‍

Where to next?

We, at AdFixus, are taking an active role in these wider government policy discussions. At AdFixus, we believe there is a better way to protect privacy whilst providing a seamless experience. Our Adfixus identity platform is decentralised, consumer-centric, and frictionless. Our approach is privacy-centric, meaning that we manage identities solely within the first-party context and exclusively for your brands. We allow you to match identities with other businesses (first-party to first-party) automatically, without ever sharing or exposing any information that would allow a third-party to identify one of your consumers. We also provide a ubiquitous framework for consumers to ‘opt out’, empowering them to take control of their personal data. This in turn, builds trust in your business and brand.

Do not settle for piecemeal solutions that increase privacy risks- Choose AdFixus for a reliable, comprehensive solution that puts individuals first.

‍