Ad Tracking Gets More Personal

One of the ad industry’s main arguments against tougher privacy regulation has often been the claim that they are not really targeting people but the devices they use.

The argument goes that a user profile is based on a cookie placed in a particular browser – and therefore the ads you see are not so much personal to you, but to the browser, and by extension the device you are using to access the web.  Therefore if the same device is used by different people – it is an aggregate profile. 

This has long been a weak argument, not least because many users on shared computers have separate login identities, which creates unique browser profiles for each person.  Now, the emergence of a new business claiming to be able to connect profiles across devices has really destroyed it.

Drawbridge is a US based company which says it has developed the ability to pair up a tracking profile collected from a mobile device with one built up on a desktop, using unique cookie-based identifiers, without the use of any additional personally identifiable information (PII) – like a name, address or email.

Central to their business model is giving advertisers the ability to reliably target an individual across either device they might be using. 

This is highly invasive, not least because it suddenly becomes much harder for ordinary people to prevent this kind of tracking.  Once two (or more) devices have been paired for the first time, it becomes relatively easy to create mechanisms to circumvent user privacy actions like deleting the cookies on one of their devices.

There is no suggestion that Drawbridge is doing this, and they go so far as to state that they can honour a Do Not Track request on both connected devices.  However, once that kind of cross-device connection has been made – it may be technologically possible for someone else to do it.  And even if no-one is doing that now – it is likely to be only a matter of time.

So if you can target someone with a particular advert, across any number of internet devices they may have – that profile may not technically be deemed personal data in the eyes of the law, but the experience will seem very personal indeed.  I for one would not like it to be happening to me without being able to have some control over the collection and use of such data.

At least some EU regulators agree on this score. One proposed version of the new EU Data Protection Regulation that I have seen includes defining the kind of unique cookie identifier that makes this possible as personal data, which would therefore require explicit user consent.

There are other interests arguing that unique identifiers are not personal data, because they contain no information about the individual.  However, what this new approach to tracking demonstrates very clearly is that it is possible to use identifiers to connect data together from multiple sources.  When you do that, you can collect ever more data, and it becomes more personal.

If it is not only possible, but probable that this will happen, then surely the individual identifier itself, which is the only bit of the data chain that the end user could be in control of, should also be classified as personal data.

Given that technology always moves faster than regulation, and that EU regulators are trying to create legislation that will have a long life span, it would seem important for any new legislation to draw some kind of line in the sand about this now, otherwise new technology developments could leave consumer’s online privacy no better protected than under the current rules, which are widely acknowledged to be out of date.