What Privacy and Marketing Counsel Need to Know About Data Onboarding
Data “onboarding”—also called “CRM retargeting,” “CRM onboarding,” or just “audience targeting”—is a relatively new way for marketers to reach highly particularized audiences online. It differs from behavioral tracking models because it uses de-identified data originally derived from personal information—such as data reflecting consumers’ demographics or transactional histories—rather than data inferred from their online activity.
Background: What Is Onboarding and How Does It Differ From Other Online Targeting Models?
Onboarding involves companies using personal data they own or license (for instance, their customer relationship management or “CRM” files) to send display media to those customers through advertising platforms (generally, demand side platforms, ad networks, trading desks, etc.). This occurs through a “matching” or “onboarding” service (prominent ones include Datalogix, LiveRamp, and Neustar). The company provides its CRM or other data to an onboarding service. The onboarding service then hashes that consumer data and matches it to hashed values received from first party websites that consumers log in to. When a “match” of hashed values occurs, the onboarding service looks up the data associated with that hashed PII and associates that data (in coded form, say, “8080808” = “loyalty shopper: male, 40+”) with a cookie. This cookie is then used to target ads to consumers anonymously, often through “syncs” with third-party ad platforms and applications. (Roughly the same process can occur using a device identifier, with the data associations tied to that identifier.)
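The matching flow described above, as an added example that is not code from any onboarding service: it assumes email is the PII field and SHA-256 over the trimmed, lowercased address is the hash, and all function names are hypothetical. The sample records are constructed; the segment code is the one used in the text.

```python
import hashlib
import secrets

def normalize_email(email: str) -> str:
    """Trim and lowercase so both parties hash the same string (assumed convention)."""
    return email.strip().lower()

def hash_pii(email: str) -> str:
    """SHA-256 of the normalized email; the hash choice is an assumption."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()

def build_segment_index(crm_rows, segment_codes):
    """Onboarding-service side: hashed PII -> coded segment. Raw emails are not kept."""
    return {hash_pii(row["email"]): segment_codes[row["segment"]] for row in crm_rows}

def onboard(segment_index, publisher_hashes, new_cookie_id=lambda: secrets.token_hex(8)):
    """Match hashes sent by the publisher against the index.

    Returns cookie_id -> segment code. Neither the email nor its hash is
    written next to the cookie, so the ad-side table holds non-PII only.
    """
    cookie_table = {}
    for hashed in publisher_hashes:
        code = segment_index.get(hashed)
        if code is not None:  # unmatched logins get no segment
            cookie_table[new_cookie_id()] = code
    return cookie_table

def leaks_identifier(cookie_table, segment_index) -> bool:
    """True if any hashed-PII value appears in the cookie table as a key or value."""
    hashed_values = set(segment_index)
    return any(k in hashed_values or v in hashed_values
               for k, v in cookie_table.items())

# Constructed sample data.
SEGMENT_CODES = {"loyalty shopper: male, 40+": "8080808"}
CRM_ROWS = [
    {"email": "Pat.Lee@example.com ", "segment": "loyalty shopper: male, 40+"},
    {"email": "sam@example.org", "segment": "loyalty shopper: male, 40+"},
]
# The publisher hashes on its own side and sends only the digests.
PUBLISHER_HASHES = [hash_pii("pat.lee@example.com"), hash_pii("nobody@example.net")]

if __name__ == "__main__":
    index = build_segment_index(CRM_ROWS, SEGMENT_CODES)
    table = onboard(index, PUBLISHER_HASHES)
    print(table, "leak:", leaks_identifier(table, index))
```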
The technology opens new use cases for marketers. For instance, using data onboarding, a retailer can use its de-identified CRM data to serve online display ads to its own customers as they anonymously surf the Web. Or, a data broker can use its data files to make audiences available for anonymous targeting by their own customers, through display media channels. From a marketing perspective, because the data powering the onboarding model is derived from PII, onboarding can be used to reach more precisely tailored audiences than conventional behavioral targeting, and can support “offline” analytics and attribution in a way that behavioral data generally cannot.
Important Privacy Considerations When Onboarding
Because onboarding sits between online websites (that facilitate placement of the de-identified cookies) on the one hand and offline data sources on the other, several important privacy principles come into play. These principles inform best practices for onboarding services, publisher data sources, and customers that often own the data and have a direct relationship with the consumer. Because onboarding often involves “offline” data being placed into an “online” channel, best practices, which are still evolving, will necessarily reflect a hybrid of those applicable to the online and offline data ecosystems.
Below is a (non-exhaustive) list of best practices to consider if you are (a) a publisher supporting onboarding through data transfer, (b) a marketer or agency onboarding data you own or license, or (c) an application integrating with an onboarding service to power display ads, analytics, attribution or other services:
1. Notice and Choice
Because onboarding is a different data model than (though analogous to) conventional behavioral targeting, web publishers and other partners supporting onboarding may wish to provide distinct language in their privacy policies describing it. This language can, for instance, generally describe how onboarding of data and hashing of PII works, and how hashed values are used to link to other data (e.g., demographic or interest-based data) to send consumers display media. It is likewise often recommended that publishers and partners provide consumers a way to opt-out of onboarding models, for instance through industry opt-out pages such as the Digital Advertising Alliance (DAA) Self-Regulatory Program and/or NAI’s consumer opt-out choices.
2. Non-Merger of PII and Non-PII
The NAI Code and DAA principles—and common privacy conventions—distinguish between PII (such as readable email addresses) and Non-PII (such as online cookie identifiers and/or third-party data about a user’s online activity). (Borrowing from standards in the NAI Code of Conduct and statutes such as HIPAA and the Gramm-Leach-Bliley Act, PII generally does not include data that has been fully and reasonably de-identified, through physical, procedural, and logical controls.)
A long-standing “third rail” of privacy conventions is that these two data types may not be merged or associated. The NAI Code prohibits merger of non-PII with PII, except in cases of heightened notice or proprietary ownership of the non-PII (see NAI Code of Conduct, pp. 3, 6, 10, 13).
Companies onboarding their own data or supporting onboarding of third-party data therefore should consider whether these conventions are being respected, in letter and in spirit. This is commonly carried out through the implementation of sometimes complex data silos that de-identify and de-correlate non-PII and PII – in other words, creating obstacles that make it very difficult for human or machine to perform the tasks needed to merge these datasets. (For an example of what can happen when non-PII and PII are merged without a privacy-sensitive basis, see our previous blog post here about the New Jersey Attorney General’s investigation into and settlement with Dataium.)
3. Rules Regarding Sensitive Data and Reliable Sources
While the above sections describe the safeguards that apply to the online channels involved in onboarding, companies involved in onboarding also need to consider the types of data and data attributes they are placing into these channels for de-identification.
For instance, the NAI Code deems as “sensitive” data segments about a consumer’s presumed sexual orientation, or a consumer’s precise and serious medical conditions, and imposes heightened standards for the collection and use of sensitive data. NAI Members (including those that perform onboarding) thus must adhere to these rules. Other data that may be subject to special laws and restrictions includes voter data (subject to use restrictions in many states), credit report data (subject to marketing use and other restrictions), data about minors (subject to marketing prohibitions in some states), and data about minors under 13 (potentially subject to COPPA, and often deemed sensitive on policy grounds).
If you have questions about onboarding, or similar online and offline data models, please reach out to us for assistance. Please also keep in mind that this article only addresses onboarding in a U.S. environment—European laws are likely to involve elevated standards of notice, data transfer, and definitions of what constitutes “sensitive” personal data.