Pseudonymisation: What the Ad Tech Industry Needs to Know

On 25 May 2018 the world will change. Personal data — arguably today’s most valuable currency and the lynchpin of digital advertising — will be managed by a strict new rulebook: the General Data Protection Regulation (GDPR). Writing exclusively for ExchangeWire, Tanya Field, CPO and co-founder, Smartpipe, explains how the anonymisation of data to ensure GDPR compliance doesn’t need to be the answer where, in fact, data pseudonymisation offers a viable, compliant alternative to marketers.

For the advertising industry, the GDPR’s impact will be colossal. Instead of following a directive that each country implements differently, it must abide by a single law that increases control and transparency for users, and limits what businesses can do if data policies fall short. Not to mention the penalties those who breach regulations could face, which include fines of up to €20m (£18m), or 4% of global annual turnover.

Consequently, anxiety is high; nearly one-third (30%) of marketers feel their business is unprepared and many are adopting practices, such as anonymisation, to keep user insight flowing, while remaining compliant. Yet, herein lies a problem. Anonymised data, by definition, makes users unidentifiable — a considerable hurdle for targeted advertising. So, is there a solution, or will the new law signal the end of personalisation?

Fortunately, the GDPR supports a method that allows businesses to use data with reduced risk to user privacy: pseudonymisation. Now all the ad tech industry needs to know is what this procedure entails and how to deploy it. That is easier said than done, as there is uncertainty over the exact scope and definition of pseudonymisation in the new regulatory world, how it applies to digital advertising, and confusion as the loose definitions and terms used to describe widespread practices today fail to stand up to scrutiny.

You say anonymised, I say pseudonymised

To understand the role pseudonymisation is set to play, we need to begin with a clear view of how the new laws will change the data landscape and their possible pitfalls.

Primarily, there is the fact that the GDPR law is the first to recognise the concept of pseudonymisation as an independent category that sits between personal and anonymous data. Secondly, there are the conditions for personal data processing. A key element of the GDPR is that if a business wants to use personal data they must either be able to demonstrate a ‘legitimate’ business interest for doing so, ask for ‘unambiguous consent’ – a request users can refuse or challenge if they feel it’s not legitimate – or ensure data is de-identified.

The latter choice means rendering data files anonymous by removing all items that could identify the user or be deemed ‘personal data’. This includes personally identified data, where the user is known, and personally identifiable data, where it is possible for a user’s identify to become known. It is also worth noting that the GDPR defines cookies or ‘electronic’ identifiers as personal data because they can be used to single out or target specific users and, thereby, identify them.

Given the choices outlined above, it’s easy to understand why techniques that claim to de-identify data, such as anonymisation, are likely to be seen as the most convenient option for staying compliant. But this is where it gets complicated for marketers. Anonymised data has little use in an industry where cross-device identification is essential to build tailored campaigns. More importantly, most anonymised data isn’t completely de-identified — often containing details like device IDs that can be linked to individuals — it is ‘faux’ anonymised data that still contains personal identifiers and, thus, it is effectively still pseudonymised and still identifiable.

So, is pseudonymisation a better option? The short answer is yes, if used correctly. Pseudonymisation swaps individual identifiers with an artificial identifier, or pseudonym, to create data that can’t be linked to users without additional insight, which is held separately. It’s a method that is actually in wider use than it seems — industry confusion about what pseudonymisation is has often led to the concept being employed, but mistakenly referred to as ‘anonymisation’.

Furthermore, it is cited in Recital 28 of the GDPR as a practice that can “reduce risks to data subjects”, and Recital 29 of the document refers to “incentives to apply pseudonymisation”. Although pseudonymisation won’t make data exempt, it will be easier for businesses to use data beyond original collection purposes, comply with ‘data protection by design’ legislation, adopt new codes of conduct, and meet security requirements — provided that appropriate safeguards are in place.

There are, however, questions about whether pseudonymisation, in its current form, is enough to uphold the GDPR’s new order of robust data regimes and practices. If incentives are to be offered, we might speculate that they should be championing a movement towards impenetrable processes, and pseudonymisation is not there yet.

Is pseudonymised data a ticket to better marketing?

With 18 months left on the GDPR clock, advertising technology providers have an urgent responsibility to take action and implement processes that will enable compliance and the growth of the industry. Yet, despite having the ability to take information from first-party sources and alter items that could be linked to users before it is served, most have yet to do so.

The causes of this are varied. For instance, a chief concern for brands with first-party data and customer relationships to maintain is there is a risk that pseudonymised profiles could be reused by other businesses with the pseudonym identity.

Pseudonymisation also isn’t perfect. Methods such as digital fingerprinting, cookies, and device IDs are technically pseudonymised but there are ways data can be linked to individual identifiers, such as inference, singling out, personal knowledge, and data linking. Measures like hashing, where the value is altered but not made impermanent, are insufficient. In the digital space, any pseudonyms that provide a persistent identity, such as hashing, which is used in connection with a particular profile, can still facilitate personal targeting through cross-comparison with other data sources.

To solve this problem and create sustainability, we need innovation. Marketers must not only determine how likely data is to be re-appropriated or used for personal identification, but also guard against it by selecting technology providers that ensure data identifiers are changed and depleted in milliseconds. The more the industry moves towards artificial and transient identifiers, the closer it will be to meeting the GDPR’s high privacy bar.

It may seem like the GDPR is destined to cap data usage. But, in reality, rather than restricting data, the laws are more likely to channel it in a new direction so quality can be monitored and nurtured to create the ideal mix of user privacy, and utility. It is, however, important to recognise the scale of the GDPR change. If marketers and advertisers find their data practices are the same as they have always been, chances are they will need to look again and ensure their efforts are enough. When the 25 May 2018 deadline arrives, there will be more scope for new tools and data sources that offer privacy by default – but to succeed amid regulatory transformation, the industry must do what it does best and meet the challenge by innovating.