No mention of retention (results of our policy review)

May 8, 2009

In the course of our research for privacychoice 2.0, we’ve been surprised at how hard it is to get a handle on the data retention policies of the ad and tracking networks.  This is despite the fact that data retention practices are a key disclosure point for consumer online privacy. The FTC principles called this out:

To address the concern that data collected for behavioral advertising may find its way into the hands of criminals or other wrongdoers, and concerns about the length of time companies are retaining consumer data, the FTC staff proposes:  Any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.

Here’s what the NAI guidelines (PDF) require of their members:

Each member directly engaging in [Online Behavioral Advertising], a) Multi-Site Advertising and/or Ad Delivery & Reporting shall clearly and conspicuously post notice on its website that describes its data collection, transfer, and use practices. Such notice shall include clear descriptions of the following, as applicable: …  The approximate length of time that data used for OBA, vi. Multi-Site Advertisiisiising and/or Ad Delivery & Reporting will be retained by the member company.

In reviewing the policies of 63 targeting networks, here’s what we learned:

1. Most companies don’t disclose their retention timeframe, or do so obliquely.

Suprisingly, for 41 of the companies (nearly two-thirds), we could not find an express statement of how long consumer data is retained.  In the NAI membership, we could not find such a statement for any of these companies:

24/7 Real Media (WPP) (retention provisions added 12/09)
Audience Science (added two-year retention period 12/09)
Microsoft (subsidiary Atlas discloses a 2 year timeframe)
[x+1] (retention provision added 11/09)

Two of the other heavyweights in the NAI — Google and Yahoo! — have published information about their retention practices, in the press or on their blogs. (Here’s a round up of some of these statements.)  But as far as we could tell, they have not included an express timeframe in their privacy policies, where a consumer would expect to find it.

2. Retention periods vary widely, but the trend is toward a year or less.

Of those 22 networks who have put a time frame in their disclosure policies, there’s a wide range, but with accumulation at or below one year (particularly for the larger networks).

One year or less:  13
Over one year but not more than 2 years: 6
Three years: 2
Indefinite: 1

Special mention goes to Fetchback, which is clear in their disclosures that they retain the information indefinitely. Whatever you might think about that policy, at least the disclosure is clear and where a consumer would expect to find it.

For 41 other companies:  Until your policies are more clear, consumers and (yikes) regulators can fairly assume that you are also retaining and using the information indefinitely.


7 Responses to “No mention of retention (results of our policy review)”

  1. Per your inclusion of eXelate on the list of companies that do not disclose retention practices, please note that we clearly state in our Privacy Policy the following:

    “eXelate policy is to retain our anonymous log file data in the aggregate for up to ninety days. This data is kept in an anonymous form and used for analysis purposes only, not for the delivery of any targeted advertisements or other content.”

    Additionally, we have gone beyond the normal standard of transparancey by showing consumers exactly what eXelate cookies, in specific categories have been placed on their browser, and allowing them to opt-in or opt out of any/all categories from all of the networks that buy via our exchange.

    Our clear, centralized privacy management capacity is something we hope that more publishers and networks embrace.

    This is available via our preference manager located at


    Mark Zagorski
    CRO – eXelate

    • privacychoice team Says:

      My apologies — this was an error, and I very much appreciate you correcting it. Exelate has been removed from the list.

      The other counts have not changed because we did correctly count Exelate in the “under 1 year” category the first time around, but erred in the creation of the NAI list.

      If anyone sees any other errors here, I hope you will bring them to our attention!

  2. Anne Toth Says:

    Yahoo! has described the 90-day data retention policy pretty extensively but you are absolutely correct that it isn’t yet live within our privacy statement. The policy was announced late last year and we are in the process of implementing it globally. And I think you might have a sense of the complexity and scale of that implementation task. Nontrivial.

    We looked at how to describe this in the policy but since we are in the implementation process (many systems are already there but not all) we thought it best to wait until everything is baked. Privacy policies are more commonly statements of current practices/policies and mixing and matching could generate some confusion.

    For now we include links within the Privacy Center to “news” and we also posted it on our corporate blog, Yodel Anecdotal. We’re hoping to launch our own policy blog soon where we can ensure that everyone is kept up-to-date on privacy improvements, clarifications and news.

    Hope this helps explain our thinking.


    Anne Toth
    Privacy Yahoo

  3. […] at least among the minority of tracking companies that have any kind of deletion policy. See the prior post on this […]

  4. […] Acerno (Akamai) falls in line on retention August 28, 2009 Bringing their privacy policy in line with the emerging industry standard, Acerno, Akamai’s behavioral targeting company, now only allows user information to be retained for up to one year (previously three years). This brings their policy in line with Akamai’s and is a good development, but a reminder of how many tracking companies still do not have any stated retention period for user data. […]

  5. […] Top Posts Flash cookies and behavioral tracking: a proposalHall of Shame: Tracking networks without opt-outsEstimate: Google interest-based targeting reaches 25% of AdSense sitesAdSense opens up and privacy disclosure gets more complicatedNo mention of retention (results of our policy review) […]

  6. […] on publisher sites — have been primary areas of focus for the PrivacyChoice project (see our blog posts on retention and our PrivacyWidget for sites). It looks like we’re focused in the right […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: