When it comes to data collection, the ad tech industry has long had a hoarder mentality.
Gather up as much data as you can from as many sources as possible, store it indefinitely, and if you’re not quite sure what to do with it now, hey, you can always just figure out that part later.
But the more-is-more approach to data no longer flies, if it ever did.
A concept known as data minimization – the practice of limiting data collection and retention to only what’s strictly necessary to achieve a specific purpose – is becoming a key tenet of privacy legislation around the world.
There are specific references to data minimization in Europe’s General Data Protection Regulation, Brazil’s LGPD and a growing number of US state privacy laws.
And last year, the California Privacy Protection Agency released an enforcement advisory warning businesses that they should apply the data minimization principle “to every purpose for which they collect, use, retain and share” personal consumer information.
Regulators clearly have data minimization on their radar, said Richy Glassberg, CEO and co-founder of privacy compliance startup SafeGuard Privacy.
Problem is, Glassberg said, “the ad tech and mar tech industries are completely asleep at the switch on this.”
Less is more
Not that industry leaders aren’t ringing the alarm bells.
IAB CEO David Cohen dedicated an entire section of his keynote address at the Annual Leadership Meeting in Palm Springs last month to privacy and the importance of due diligence.
“Think hard about data minimization,” Cohen cautioned the crowd, “a concept that underpins many of the privacy conversations today.”
But businesses need to do more than “think hard” about data minimization; they need to operationalize it as part of their data privacy and protection regime. This involves many of the same steps a company should already be taking to comply with privacy laws.
For example, businesses need to inventory and categorize all of the data they collect, review why they’re collecting it (and whether they even should be) and develop a data governance plan that clearly defines data collection, usage, storage and access controls across all systems.
Sounds like a lot of work.
Very doable, though, said IAB Tech Lab CEO Tony Katsur. Embracing data minimization is more about the online ad industry changing its mindset rather than a heavy lift from a technical perspective.
“It’s hard to change behavior, but that’s what has to happen here,” Katsur said. “Rather than acting like a kid in a candy store and saying, ‘Oh my god, look at all this data I can collect!’ be like a kid at the dinner table that only takes what they’re actually going to eat.”
Does it spark performance?
Because there is a clear business case for heaping less data onto one’s proverbial plate (or “not acting like a giant Hoover sucking up everything in sight,” as Glassberg put it).
Legal requirements aside, processing and storing data isn’t cheap. If you only need X number of data points to achieve a purpose, collecting 10 times that amount is an exercise in wasting money.
“You know how expensive it is to store data?” Glassberg said. “There’s no point wasting money processing extra data, and any data scientist will tell you, ‘Get the noise out of there.’ The industry should really be looking at this as an efficiency play.”
Not to mention that being more mindful about data collection is good for performance, Katsur said.
“The fact is, not all data drives performance – if data is not recent or it’s no longer relevant, you don’t need it,” he said. “Why would you want to collect signals that aren’t driving performance anyway?”
Lots of room for interpretation
Still, there are several important unanswered – and perhaps unanswerable – questions about implementing data minimization principles.
For example, US state privacy laws don’t specify how long a company is allowed to store data and also don’t set a clear-cut limit on what constitutes the allowable amount of data to collect for a certain purpose.
This “leaves lots of room for interpretation,” said Katy Keohane, associate general counsel at SafeGuard Privacy.
Even so, data minimization as a basic and fundamental requirement in the US is coming into greater and greater focus.
The California Consumer Privacy Act, for instance, states that data collection, use, retention and sharing should be “reasonably necessary and proportionate.” Colorado, Virginia, Connecticut and several other state laws, meanwhile, include data minimization requirements that say collection must be “adequate, relevant and reasonably necessary.”
“Then along came Maryland,” Keohane said.
The Maryland Online Data Privacy Act (MODPA), which goes into effect on Oct. 1, has a tougher data minimization requirement than any other US state privacy law on the books to date.
Under MODPA, sensitive data must be “strictly necessary to provide or maintain a specific product or service requested by the consumer.”
The law leaves the definition of “requested by the consumer” ambiguous, but it would seem to mean that a business can only collect sensitive data from a Maryland citizen if that person explicitly asks for or agrees to receive a product or service.
Appetite for enforcement
To date, there have been no publicly announced enforcement actions based specifically on a violation of data minimization principles. But as enforcers sharpen their pencils and more US states pass privacy laws, that may soon no longer be the case.
An enforcement advisory, however, like the one issued by the CPPA in California last year, is a gift.
Regulators are telling you what they’re looking for – and they’re also talking to each other.
“Don’t for one second believe that regulators across different states don’t communicate all the time,” Glassberg said. “They want companies to do the right thing, but they’re also signaling that people should take what they say really seriously.”
