Keep it simple: Opt-out cookies should always overwrite tracking cookies

October 28, 2010

The renewed notice-and-choice framework being rolled out for behavioral advertising has an important shortcoming:  Opt-out cookies only serve to turn off the delivery of behaviorally targeted ads, they don’t promise to turn off data collection in the first place.

The problem is that many companies provide opt-out cookies that are written separately from their tracking cookies. This means a tracking company may be collecting data with one cookie, while being told by another cookie not to apply it. Because the user still remains uniquely identifiable to the tracking system, the risk of technical (or ethical) failure remains. In that sense, the opt-out framework doesn’t really answer a central privacy concern.

Perhaps the solution is simple:

When a user opts out, a non-unique opt out cookie should always overwrite each cookie that stores behavioral information.

When this rule is followed, an opted-out consumer can be assured that there’s no unique tracking cookie on their computer that could be used for data collection. Several opt-out cookies, notably the Google DoubleClick cookie, already operate this way by replacing the unique user “id” with the non-unique “OPT-OUT”.

Compliance with this requirement is simple to verify and monitor. Watchdogs can confirm through external sampling that opt-out cookies are being delivered on request and that they are non-unique. More often than not, opt-out failures will result from simple technical problems that cause the cookie not to be written in the first place; we’ve seen more than a dozen broken opt-outs in the last year through PrivacyChoice. Through random sampling, you can also confirm that once a company delivers an opt-out cookie, it stays in place and doesn’t revert to a unique cookie that could be used for tracking.

If an ad company still needs to use unique cookies for non-targeting purposes (like frequency caps) even on opted-out machines, they should certify and publish which cookies are which, so that behavioral cookies are always identified. Verifying accurate identification should be part of the NAI’s annual technical review, as should be confirming that no non-cookie tracking methods are used (which is also easy to monitor externally). These kinds of direct reviews or audits of backend process will be far more simple and effective than trying to determine forensically whether opted-out consumers are only being served untargeted ads.

A cookie overwriting requirement would require some technical changes for companies that currently separate their behavioral cookies from their opt-out cookie, or those that combine behavioral and non-behavioral functions in a single cookie. But this seems like a small price to pay for a significantly more effective and accountable opt-out framework, which is the heart of the self-regulatory effort.


3 Responses to “Keep it simple: Opt-out cookies should always overwrite tracking cookies”

  1. […] Keep it simple: Opt-out cookies should always overwrite tracking cookies […]

  2. […] Keep it simple: Opt-out cookies should always overwrite tracking cookies […]

  3. […] Opt-outs should block data collection, not just data use. […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: