Missing privacy policies: a proposal

August 18, 2009

In the course of analyzing and excerpting privacy policies for Network Privacy Profiles, we’re sometimes left with a problem: an ad-related company serves content across many sites and is in a position to collect tracking information, but the company doesn’t seem to have a privacy policy relevant to those activities. In some cases they don’t have a privacy policy at all, and in others they have a privacy policy which, as written, only covers visitors to their corporate website and not visitors to other sites where they serve content.

At last count, 22 companies in our database fit into this category (see links and summaries):

IAC Advertising Solutions
Lifestreet Media
Rubicon Project
Tatto Media

Here are some potential reasons why a company on this list might not have a consumer-facing privacy policy:

  1. The company doesn’t collect user information at all in the course of serving content or providing a service on the other sites. For example, web optimization firms use scripts that select ads from different ad networks, which may not involve the collection of any user information by the optimizing firm.
  2. The company collects user information across sites (even if just clickstream data), but doesn’t associate the activities of the same individual across different websites. This could be true for companies that provide site-specific analytics or research. While they may set cookies and associate behaviors on a single site, because they don’t associate across sites and only share information with the site of collection, their view may be that their activities are already covered by the site’s own privacy policy.
  3. The company does collect user information across sites, but hasn’t yet posted a privacy policy for consumers. Or the company has a corporate policy that is intended to also cover consumers, but is literally written in a way that does not extend beyond the corporate site.

Given the potential for consumer confusion, here’s a proposal:

  • If your company is in a position to collect user information about users across websites, you should always include a statement in your own privacy policy that explains whether you do and how that information is used. Even if you provide an opt-out for consumers, you still need to explain how information is handled for those consumers who do not opt out.
  • Make sure the language in your policy is clear about which provisions apply to the corporate website and which provisions apply to users of other sites where you serve content or gather information.

And, of course, if you do collect user information across websites and you don’t have any privacy policy at all, you should get one, pronto.

PS If your company is on this list and you think we got it wrong, please send us a note or post a comment. We monitor all of these pages for changes and will update our lists promptly when we see clarifications.


One Response to “Missing privacy policies: a proposal”

  1. […] has been a puzzle for the privacychoice classifications, since like a number of companies in this field, they have no consumer-facing privacy policy. The policy linked from their homepage […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: