The Network Advertising Initiative (NAI) has some very useful information in its 2015 Code of Conduct that you should be aware of regarding SaaS privacy if you are in the online third-party ad business. The NAI is a self-regulatory governing body of third parties in the online advertising ecosystem. This group may be useful not only for ad networks, but for anyone dealing in third-party ads (for example, platforms, aggregators, yield optimization firms, etc.).
The most interesting issue to me after reading their Code of Conduct is in their definitions.
- Personally Identifiable Information (PII) means data used to identify an individual.
- Non-PII is data that is not linkable to an individual, but is linkable to a device.
- De-Identified Data is data that is not linkable to an individual or device.
What I found fascinating is that these definitions do not focus only on identifying a person (which is how the world used to work); now it is all about identifying a computer, a device, or a person. Before, we all thought that if you don't or can't identify a person with your information, then it was not a big deal. Now you have to be more careful if you are tracking or identifying a computer or device, especially across platforms. What is even more interesting is that I am also hearing that the Federal Trade Commission (FTC) is very interested in tracking devices and computers, as they are concerned about what are called 'persistent identifiers.' See this page.
Examples
- Sensitive Data is PII (examples: SS#, insurance plan #, fin acct #, medical conditions, sexual orientation).
- Precise Location Data is location data using a GPS.
So the takeaway here for every third-party ad network company is to read this Code of Conduct, as SaaS privacy is not simply about disclosure, choice, etc., but is now very much about tracking devices and computers.