Guest Blog: FTC’S Approach to Defining PII Challenges NAI Code of Conduct
By Gary A. Kibel, Partner, Digital Media, Technology & Privacy, Davis & Gilbert LLP
In April, I followed the advice of a former resident of my hometown to “Go west, young man,” and attended the 2016 NAI Summit in San Francisco. Little did I know that a quiet summit would erupt with fireworks when the FTC seemed to challenge the very foundation of the NAI Code of Conduct.
There has long been a disconnect between the industry and regulators regarding what constitutes personally identifiable information (PII). Without one consistent statutory definition of PII or personal data, the parties are left to push their respective agendas. The NAI Code has a clear and workable definition. The FTC, however, views persistent identifiers such as device identifiers, MAC addresses, static IP addresses or cookies that can be reasonably linked to a particular person, computer or device as PII. With the exception of the Children’s Online Privacy Protection Act (COPPA), however, this is more an aspirational approach than a legal requirement.
The FTC’s mention of this broader yet noncommittal reading of the definition of PII reveals a bit of a regulatory vacuum in this evolving area. It is therefore important for all participants in the adtech ecosystem to be engaged and continue to establish and follow best practices that respect privacy and encourage innovation in this rapidly changing environment. The need for thorough and thoughtful self-regulatory organizations such as the NAI could never be more apparent.