Coremetrics data syndication: unfinished business

June 19, 2009

Coremetrics’ primary business has been to provide site analytics for web publishers. In typical fashion, customers install Coremetrics tags on all of the pages in their website, which generate user clickstream information that the Coremetrics system turns into insights for the site operator. According to their site, Coremetrics serves over a thousand customers.

Coremetrics recently announced a significant extension to this platform, to allow their analytics customers to “syndicate” Coremetrics’ clickstream information across multiple behavioral ad networks, including Dotomi, Audience Science, OpenX, Choicestream and [x+1]. This is interesting because even if Dotomi tags are not on the publisher’s site, the user behavioral information gathered by Coremetrics can be provided to Dotomi in order for Dotomi to deliver ads to that user on any website in the Dotomi ad network.

Coremetrics explains the benefits in their whitepaper (pdf): “Better segmentation and targeting are achieved when advertisers and ad networks can leverage detailed information about web site visitor behavior. Collecting rich activity data and passing it to multiple ad networks is a complicated, expensive, and time-consuming endeavor.”

In this screenshot you can see the options for syndication of user profiles.

[Screenshot: Coremetrics options for syndication of user profiles]

Presumably, no personal information is ever passed to an ad network, and to be certified to participate, an ad network must agree to limitations on how syndicated user data will be used and retained. Those limitations probably include a commitment not to add the user information into the network’s general data pool, lest its value be captured by the network’s other participants. Those limitations would also further the consumer’s interest in not having behavioral information more widely distributed than intended.

Those are probably safe assumptions, but the Coremetrics privacy policy doesn’t confirm them either way, and has not been updated since January. Here’s how the policy explains the use of collected data: “Our clients use our Services to understand more about visitors to their web sites. Clients then apply this understanding to their web sites to provide web environments that save visitors time and make the sites easier to use.” To my mind, that doesn’t capture syndication of cookie-based information for behavioral targeting. Nor does the Coremetrics opt-out disclosure really work anymore — it promises that, if you don’t opt out, your “data will be presented as part of a pool of general, anonymous visitors.” Unless I’m reading this wrong, that’s not the case anymore. (PS: I invite Coremetrics’ comments on this — two emails to their privacy address have yet to receive a reply.)

In addition to fixing these issues, the Coremetrics privacy statement should specify which companies may have access to syndicated profile information, and what policies they follow. You can check out our summary of those policies here.

Coremetrics no doubt will fix these issues, but there are larger lessons here. First, companies like Coremetrics who are positioned to leverage user information for targeting applications are going to do so, but they need to take care that their privacy practices stay in step.

Second, the use and syndication of user behavioral information is becoming increasingly complex as data moves between different companies in the targeting ecosystem. This calls for better consumer disclosure about these practices, particularly the inter-company agreements that govern data handling. Coremetrics has an opportunity to show the way through a robust disclosure in their privacy statement and opt-out process. In the meantime, at privacychoice we’re working on ways to make those disclosures more easily found and understood by consumers, together with the ability to opt out for those who aren’t comfortable.

4 Responses to “Coremetrics data syndication: unfinished business”

  1. John Squire Says:

    We take privacy very seriously. Consumers have a right to understand how targeted advertising works, and how they might benefit from allowing companies to gather information about them. I recently published a post—Web Analytics, Targeted Ads and Privacy—on our blog that outlines in very simple terms how we think about privacy:

    Coremetrics makes money by helping our customers understand people’s online behavior and how to better market to them. Consumers let our customers collect their data in exchange for better website experiences, more relevant content, less intrusive, more tailored ads and far less spam. Consumers who don’t want our clients to collect their data (and who, by extension, are saying they don’t want their online behavior to impact what they see online), always have the option of opting out. In effect, that means opting out of every targeted ad network that our clients work with through AdTarget.

    Our role in this is to act as stewards of our customers’ specific privacy policies and convey that information to our ad network partners. We also recommend that our customers enhance their existing privacy policies to explain both the benefits of personalized ad messaging and how people can opt out if they prefer.

    One key point to remember about the Coremetrics AdTarget product is that the technology is used by individual clients to syndicate their onsite behavioral data, as covered under their own privacy policies, to the network of their specific choice.

    I thought it might be instructive to review the portion of our privacy policy where we specifically describe how we work with our customers. I’ve copied a few paragraphs that speak to the services we provide:

    Our Relationships with Our Clients.

    Coremetrics is an agent for its clients. Coremetrics either collects or receives visitor information from its clients but it does not own the information it collects. Our clients use our Services to understand more about visitors to their web sites. Clients then apply this understanding to their web sites to provide web environments that save visitors time and make the sites easier to use. Each client instructs us as to what type of data it would like us to collect or receive on its behalf. This data could include search engine referral, affiliate referrals, traffic driven by banner ads or other promotions, visitor navigation around the site, popular pages, which items are placed in shopping carts and which are abandoned, conversions and what purchases were made. We may also collect or receive certain technical information, such as the visitor’s browser version and operating system. We may, upon a client’s request, collect or receive personally identifiable information such as a visitor’s email address. In each client agreement, we agree that we will not make use of any data that we collect or receive on the client’s behalf except as necessary to provide our services to that client. All information about individual visitors to a web site belongs to the client, not Coremetrics. Coremetrics does not allow individual information collected for one client to be accessed by any other Coremetrics client.

    The only time that any client would see data from other client web sites is if that client is a part of Coremetrics’ benchmarking service. In that case the information shared is summary data only and contains no information that personally identifies any visitor. This benchmarking service provides Coremetrics’ clients with the ability to compare the performance of their web sites against peer groups.

    We do, however, reserve a limited right to disclose any data we collect if required by law or valid order of a court or other governmental authority or to protect the health and safety of Coremetrics’ employees, a client’s employees or the general public.

    Our Clients’ Use of Our Services.

    We require all of our clients to abide by all applicable laws, rules and regulations, and we promise our clients that we will do the same. We also recommend that each client obtain all necessary consents from visitors to its web site during Coremetrics’ provision of any Service, post on its web site and abide by a visitor privacy policy providing each visitor with the client’s data collection and use practices; provide notice that cookies are being placed on the visitor’s computer; an explanation of the purpose and utilization of such cookies; and provide on its web site an opt-out (or a link to an opt-out) so that any visitor may choose not to have his/her data collected.

    As with the points made by the writer of this blog, Coremetrics believes in the strength of an industry concerned with and proactive about privacy and confidentiality. We take privacy seriously and strive to clearly state how our unique, individual customers are using targeted advertising to benefit the consumer experience.

    John Squire
    Chief Strategy Officer
    Coremetrics

  2. privacychoice team Says:

    The comment is much appreciated, and of course I have no reason to doubt Coremetrics’ commitment to privacy; it is the implementation that I respectfully suggest can be improved in the ways described here.

    A key challenge in this is the allocation of responsibility between your company and your client in terms of privacy disclosure. As an example, take a look at the privacy policy of an announced customer for AdTarget, Benchmark Brands:

    http://www.footsmart.com/Page.aspx?pageId=13

    Here’s what their privacy policy says about collection of information by Coremetrics:

    “In addition to personal information, we collect site usage information to help in our efforts to continually improve our site. This information is IP address, browser type, the server your computer is logged into, whether you responded to a particular ad, and/or what pages you are visiting on the website. We can only review this information in aggregate for all of our customers. Our site is tracked by CoreMetrics. You should refer to the CoreMetrics Privacy Policy to learn how they collect and use information”

    There’s no mention that usage data will be passed to third-party ad networks for the purpose of advertising on other sites. Nor is there any mention that the Coremetrics site provides the ability to opt-out of this kind of targeting and information sharing. Best practices here would seem to require more robust disclosure on both their site and yours.

    • John Squire Says:

      In the context of that singular paragraph mentioned above, the Benchmark Brands privacy policy statement is incomplete. The previous paragraph on that page does state

      “The only personal information that FootSmart collects is information voluntarily supplied by site visitors. This information is personally identifiable information such as name, address, email and phone number. The personal information you have provided us and information about your order may be shared with third parties. This information may be combined with other personally identifiable information (such as demographic information and past purchase information) available from our records and other sources. This information will be used to make our future marketing efforts more efficient. It may also be used by our marketing partners to bring you offers of interest.”

      That is only a small portion of their entire policy, but I believe it is important to note their explicit disclosure of how they may share the information with other third parties.

      We do agree with the assertion that, as a community, we should strive to provide clear and robust disclosures of how consumer information is being utilized. I will make it a point to reach out to the Benchmark Brands team so they can review their current policy in light of the comments and suggestions submitted here.

      We do appreciate your comments and suggestions on how to improve disclosure and expand the use of best practices.

      John Squire
      Chief Strategy Officer
      Coremetrics


  3. John — my opinion is that you should stop allowing the sale of the client’s data while you are aware their notice to users is defective. Sloppy practices like this by your client will blow up your new business model – perhaps you are aware of the serious FC scrutiny in this area and congressional activity?

    http://www.futureofprivacy.org/2009/06/25/dear-john-letter/

