The history of directly identifiable personal data
Since the dawn of the mail-order catalog, directly identifiable personal data was considered the bedrock of data-driven marketing. It included information that could be used to identify an individual, usually provided by the user themselves, such as name, email address, and phone number.
Directly identifiable personal data increased in importance as marketers shifted from approximations of people on digital channels to people-based marketing across all channels. It served as the primary record when marketers sought to bring multiple streams of data together to track the customer journey and create more personalized omnichannel experiences.
Then the world began to change. Advances in data collection and technology greatly expanded the data that was linked to a particular individual, and regulators across the globe started to enact new and impactful data privacy legislation addressing some of those realities. In response to these changes, the industry understanding of what’s considered personally identifiable information and the rules about how that data could be collected and used were no longer based on traditional standards.
A diligent approach to ensuring global data privacy compliance
Most marketers today know they need to keep data ethics and privacy compliance at the heart of all they do when using data for marketing purposes. Many understand the fundamentals of how data rules change across regions and have become better educated on the general differences between how personal data is defined by GDPR, CCPA, and other state-level regulations.
For example, GDPR broadly defines personal data and includes identified/identifiable data (any information that could be used to directly identify a person, such as mobile IDs, cookies, and IP addresses), pseudonymous data (scrambled or “hashed” identifiers that could be used indirectly to identify a person), and sensitive data (such as health information).
In the state of California, under CCPA and now CPRA, the definition of personal information is also very broad and covers directly identifiable information as well as pseudonymous and sensitive data (CPRA only), and also information linked at the household or device level. As the regulatory environment evolves, the complexity of data collection and use will continue to increase.
More and more, to diligently ensure compliance across all data-driven activities, marketers must work closely with their legal teams to conduct the due diligence necessary to review the data flows and classifications at their own organizations and with partners. Together, they must also establish formal processes to ensure they always aggregate and use personal data in an ethical way in support of delivering the best customer experience.
A rapidly changing landscape
On the horizon are new technologies that may soon help strengthen trust in the safe and effective use of data, such as unique tokenization, Bloom filters, and privacy-enhancing technologies. Advanced privacy-enhancing technology unifies distributed data for collaboration and analytics without the need for data to be copied or moved. In the meantime, business leaders around the world must answer the call to ensure their legal teams have the proper training and are implementing appropriate processes and policies in each individual region, and that they have access to external counsel with the right expertise for these changing times.