On the Effects of GDPR ... and What to Do About It: Part 2

In this short series of posts, I seek to cover the history, current events and prescribed future courses of action for the U.S. and all other countries in regards to privacy protection.  In the prior post I reviewed the first U.S. self-regulatory efforts in the 1990s and opined that with cited exceptions these self-regulatory standards have held up quite well for the better part of three decades.  As a result, the U.S. government, while constantly considering privacy regulations, did not legislate any during this period.  For cultural or other reasons the EU went the other way this year with GDPR.

The following schema illustrates with color coding how the original CASIE ideas were given additional specificity by TRA and in two cases by GDPR. You can see by the color coding how most of the TRA ideas were further techniques designed to protect the consumer's anonymity.

For example, TRA decided that it was unnecessary to let Experian see set top box or purchase data; Experian would simply provide anonymous codes enabling TRA to link the same household across multiple databases.  In this way, TRA limited the release of household-level information not already in the hands of the companies with which we partnered.  That's the box for "Do Not Inform PII Holders" -- PII being Personally Identifiable Information.  If TRA had not invented this technique, it would have disseminated information to companies that had PII and this would break anonymity.

For space reasons we won't go into a detailed explanation here of all these TRA adds to the privacy protection portfolio.  (Feel free to e-mail me if you need those details.)  The point I wish to make is that industry is capable of investing effort successfully in protecting the consumer, and that the great majority of companies operating in America have gone to this trouble for years without need of laws forcing them.

Incidentally, this is not an exhaustive list of all the ways that TRA and many other companies voluntarily go out of their way to inventively protect consumer privacy.  TRA also sought and received ISO 27001 certification and paid to be continuously audited to ensure that personal as well as client and company information was kept at the highest possible level of security.

Now let's look at GDPR in the same perspective.  Two of the specifics of GDPR, Data Portability and Data Erasure, came straight out of CASIE's Right to See and Right to Edit.  But most of what GDPR added was really new.  The black color coding indicates entirely new ideas not present in the earlier American evolution of privacy protection thought.  These ideas are essentially requirements to set up departments and individual officers -- and ways of punishing those who do not follow the rules.  What they have in common is money; either money to set up internal organizations or money paid in fines to governments.

It's not our aim to be critical of GDPR.  In an atmosphere in which companies are generally behaving badly with regard to privacy protection, GDPR is necessary.  I can't speak with authority on what the situation is in the EU at present regarding self-regulation; from a distance my impression is that self-regulation appears to be working there as well, but I do not know all the facts.  

Since the heyday of TRA enormous numbers of companies in the U.S. and everywhere have emulated many of its methods for matching naturally occurring data to analyze and increase ROI.  Whereas in TRA's ascendancy (2005-2014) only two companies, Experian and Acxiom, were regarded as eminently trustable third parties with PII through whom one could do anonymized matching, today there are any number of companies with their own ID Graphs.  ID Graphs are the constantly-updated censuses of individuals, their devices and the households in which they are grouped, which enable precision targeting in addressable TV and digital.

The precision targeting and precision ROI measurement which has come out of these assorted efforts since the '90s has greatly increased the ability of marketers to optimize their use of marketing for short term sales and long term brand equity.  So far, despite the expansion of ID Graphs from TRA's Experian-only concept (later Experian+Acxiom) to many companies, this gain in advertising controllability has not caused any sort of consumer backlash (with the exceptions cited in the prior post).  Nor has it resulted in all marketers taking full advantage of the enablement: