Last week AddThis announced that data collected through their sharing widget, installed on 1.5 million websites, will now be used for behavioral advertising. According to the announcement, anonymous profile information for over 200 million users, including the pages they have visited on AddThis publisher sites, is now available to other ad delivery companies in real time bidding.
The new AddThis program is similar to Google’s transition of AdSense into an ad exchange platform (see prior posts). In both cases, tags placed on publisher sites for one purpose are now being used for different and more extensive purposes. And in both cases the companies should clarify answers to some important privacy questions.
Publisher Notice
Shouldn’t publishers be made aware of the change in how their users’ data will be handled, and provided with an opportunity to opt-out? Is it fair to assume that all sites with the widget already installed — including hospitals, schools, church groups, and government agencies with no other advertising — would choose the AddThis widget if they were aware that their user behavioral data will be sold?
For publishers signing up today, there’s no reference to behavioral data collection in the signup process for the AddThis widget. Is this deceptive?
Consumer Notice
Will the AddThis widget include a notice to consumers that tracking information is being collected on each page that serves the widget, regardless of whether the consumer interacts with it? (This kind of notice is required under the IAB’s guidelines and could be provided with something akin to the power “i”.)
Will AddThis also ensure that when the data are used to display an ad, the consumer will be notified that AddThis was the source and provide an opt-out?
Are AddThis publishers required to amend their own consumer privacy policies to provide notice of AddThis data collection, as is standard practice for compliant ad networks?
Will consumers be able to see what’s in their own AddThis profile, as they can on Google, Yahoo! and leading ad networks?
NAI Compliance
Neither AddThis nor its parent Clearspring is listed as a member of the Network Advertising Initiative, the industry organization charged with defining privacy standards and providing oversight for behavioral advertising.
The AddThis announcement says that the company “complies with the Network Advertising Initiative standards.” What does this mean, given that AddThis is not subject to NAI compliance reviews; they do not appear to follow the NAI’s requirement that publishers pass through disclosure in their privacy policies; and they lack NAI-required privacy disclosure as to data retention?
Why wasn’t NAI membership considered a prerequisite to launching the new program?
Conclusion
Hopefully AddThis will move quickly to remedy the privacy shortcomings in their new program. How they approach this will tell us not only about their own commitment to privacy and self-regulation, but also the commitment of any partners and advertising customers who continue to participate.
privacychoice 
August 12, 2010 at 4:05 am
[…] On the Privacy Choice blog, Jim Brock says that there needs to be more transparency in behavioral targeting and notes about AddThis: "For publishers signing up today, there’s no reference to behavioral data collection in the signup process for the AddThis widget." Read more. […]
August 12, 2010 at 4:14 am
Note: It has been pointed out to me that there is a recently amended reference to data collection in the 16th paragraph of the AddThis terms of service, which is linked from the last page of the widget code creation process. Judge for yourself if that suffices for notice to new publishers.
August 19, 2010 at 4:24 pm
[…] AddThis transitions to behavioral advertising, ignoring key privacy questions […]