Where your personal data goes when you're not looking

What businesses know about any given individual is a lot. But what are companies doing with that data? Not as much as you might think -- at least not yet. Companies are getting more sophisticated, however.

1 2 Page 2
Page 2 of 2

Just a few decades ago businesses knew very little about their customers beyond name, address and what they bought -- if they used a credit card. Data aggregators like Acxiom and Experian provided personalized demographic data to marketers -- that you are 42 years old, own a truck, like to golf, are married and so on -- to help companies better target advertising and marketing dollars to customers and prospects. That offline data was -- and still is -- culled from public records, surveys and what Acxiom chief global privacy officer Jennifer Barrett Glasgow calls "summarized or aggregated purchase information."

The data about you is personally identifiable information (PII), but gets transformed into generalized, but still personally identifiable, demographic data before it's used. For example, Acxiom might license the subscriber list from a golfing magazine as an input into its scoring mechanism, but the data aggregator agrees not to identify you as a subscriber. Instead, it uses the information and data points from many other sources -- your golf club purchases, for instance -- to determine that you fit into its list of people who like to golf.

Businesses buy these buckets of consumer demographic data to match up with their own customer records for direct marketing and upselling, and they can buy a prospect list of people assigned to an interest group that presumably will be more likely to buy a given product. The advertising message then gets disseminated either through direct mail, telemarketing, email or text messages.

The evolution of online data has led to different practices for gathering data, but with the same objective, says Mike Zaneis, executive vice president and general counsel for the Interactive Advertising Bureau (IAB), an industry trade association. "Consumers don't care if you send them relevant ads, but they don't want you to know their browsing history," he says. So advertisers use cookies to track online activity of website visitors, and that activity is linked to a cookie ID tied to a specific browser on a specific device. The activity is not tied to the individual -- unless the individual has self-identified by registering with a given website.

In the mobile world there's a recognition that access to more sensitive data -- such as apps that want to access the user's location, friends list or address book -- requires a higher level of consumer consent, says Zaneis. The industry has attempted to address that by extending the Digital Advertising Alliance's privacy principles to mobile advertising. "I'm not sure that business practices are as advanced as we're led to believe in the mobile space," he says. "But because that data is available, whether it's really being utilized or not is not as important as the perception that it will be."

The offline and digital worlds have been converging for some time, says Leigh Feldman, chief privacy officer at American Express Co. "Over the next two to five years the distinction between offline and online will for all intents and purposes go away." And as those worlds converge, more information is becoming available for businesses to collect than they know what to do with. The analysis is more complicated, but the end game is the same: To get ads and offers in front of the people who are most likely to buy a given product or service. "The old-fashioned direct marketing ...has moved online, but it's the same activity," Barrett Glasgow says.

But those two worlds have very different rules as to how consumer data may be used. "The offline world is all personally identifiable data. The online world is either anonymous or identifiable [if the user has self-identified by creating an account]," says Barrett Glasgow. Advertising networks track online activity and build interest profiles that link to cookie IDs rather than PII - as required by the code of conduct put forth by the Network Advertising Initiative, an industry trade association.

The ad networks have behavioral advertising data (browsing histories) linked to cookies. Data aggregators have interest and purchase data linked to your PII. If existing customers have self-identified on a business' website, Web publishers and advertising networks can match up both data sets to predict more accurately who is most likely to respond to an ad.

But combining data from offline and online resources to deliver targeted advertising requires an elaborate dance, called cookie syncing, to ensure that a third-party advertising network does not receive any PII, says Barrett Glasgow. First the publisher sends the data aggregator, such as Acxiom, the PII data for its registered customers so it can be matched with the aggregator's profile data.

Acxiom then places cookie on the user's computer and gives a code to the ad network, which uses it to read the Acxiom cookie and pull the relevant demographic and interest data associated with it. It then uses both data sets to determine the most appropriate ad to send to the user. "In the online space there's this whole added dimension of complexity around anonymity," Barrett Glasgow says.

-- Robert L. Mitchell

This story, "Where your personal data goes when you're not looking" was originally published by Computerworld.

Copyright © 2014 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2