IAB: Digital Advertisers Grapple with Boundaries of Sensitive Data

Digital advertisers "are still grappling with defining the boundaries of sensitive personal information, such as health data and minors’ information,” according to an Interactive Advertising Bureau survey released Monday.

Most companies (78%) believe that non-sensitive data, including browsing history and language preferences, remain non-sensitive unless actively used to infer sensitive personal information, it said. The same percentage thinks that opt-in consent is needed under state privacy laws when inferring sensitive information from non-sensitive data, IAB said. California's privacy regulator highlighted privacy risks from inferences in a February enforcement action (see 2502270023).

In addition, the IAB survey found that companies “are more inclined to adopt a unified approach instead of a state-specific approach” to complying with about 20 comprehensive state privacy laws.

The digital ad industry “remains uncertain about the types of digital advertising permitted under Maryland’s Online Data Privacy Act (MODPA)" due to the law’s unique data minimization requirements, IAB found. “For example, 46% of the respondents stated that a publisher’s and advertiser’s collection of personal information can be used for first party advertising. A lower percentage of respondents stated that publisher’s and advertiser’s collection of personal information can be used for targeted advertising.”

While most respondents don’t believe that data clean rooms can deidentify all personal information effectively, the “myth … persists among a small percentage of the market participants,” said another IAB finding.

IAB said its survey had 37 respondents, including publishers (43%), ad tech providers (27%) and advertisers, brands and agencies (17%).