Best Practices for Opt-Outs

UPDATED 9-10-09

Firms following these practices can establish higher levels of consumer and advertiser trust and better demonstrate a commitment to effective self-regulation. We welcome your suggestions on how to improve these suggestions.


  • Prominently feature a direct reference to the availability of the opt-out on the top page of your corporate website and on all pages pertaining to consumer privacy.  Ideally, allow the opt-out action to be initiated directly from that page.  See example.
  • If your corporate domain is different from the domains that you use for serving advertisements, redirect users who navigate with their browser to your ad-serving domains.  Some consumers may find cookies and use the cookie domain to try to find the company writing it.
  • Your privacy policy should describe all forms of cookies that you use, whether they are traditional browser cookies, flash cookies or any other technique used to identify a single computer from session to session.  If you use non-traditional cookies only for non-tracking purposes (such as using flash cookies to maintain volume settings on a flash player), state this expressly in your privacy policy.  See example.  If you use flash cookies, include a prominent link to the Adobe page where they can be managed by the user.
  • Ideally, to remember the opt-out preference, use both a browser cookie (so users can see it) and a Flash cookie (so it is persistent). If you are using Flash cookies generally but don’t use a Flash cookie to solidify your opt-out, ask yourself if that really seems fair and in the best interests of users?
  • In your privacy policy, clearly describe the effect of the opt-out preference, including whether or not it opts the user out only of browser cookie-based tracking, or whether it also opts them out of tracking via flash cookies or pixel-based tracking. Provide the broadest scope of opt-out possible based on the browser cookie preference, since this is what opt-out consumers largely would prefer.
  • Provide a “compact privacy policy” using the P3P standard (which is necessary to avoid blocking of third-party cookies under the default settings of Internet Explorer).  Learn more.

Cookie Details

  • Opt-out cookies should always be non-unique (the exact same cookie should be written on every computer opting out).  Because unique cookies can allow continued identification of a unique computer, they undermine confidence in the opt-out process.
  • The name and values of opt-out cookies should clearly indicate their purpose.
    • Example (cookie name):  OPT-OUT
    • Example (cookie value):  YES
  • Set the cookie expiration date/time as 12:00:00 January 1, for a year that is at least five years in the future.  Do not set the expiration date based on the moment that the opt-in is selected, since that would result in the cookie being uniquely identifiable.
  • Do not use multiple opt-out cookies unless you have multiple ad serving domains, in order to avoid confusion.
  • To the extent that you continue to write any cookies other than the opt-out cookie for users who have opted out, those should be session-cookies only.  If you have any reason to maintain persistent cookies other than the opt-out cookie itself, clearly explain those purposes in your privacy policy.

Opt-out Flow

  • Use a simple URL that causes the opt-out cookie to be written, and can be called from any webpage.  Avoid non-transparent javascript.
  • Provide immediate and clear confirmation for the user that the opt-out process has been effective.
  • As part of the opt-out process, clearly explain these limitations:
    • The opt-out process is lost and must be repeated if cookies are cleared.
    • The opt-out process must be run on each computer that you use.
  • Allow your opt-out link and opt-out process to be integrated into other opt-out locations, such as the Network Advertising Initiative and privacychoice.
  • Provide links to other services where they can opt-out of other targeting and tracking networks or install a browser add-on to maintain their settings.  See example.
  • Keep in touch with those services, and let them know of any changes to your opt out policy or opt-out cookie structure.  This is especially important as opt-out cookie formats are hard-coded into browser add-ons.


  • Monitor the functioning of your opt-out process, and include it with your automated site monitoring processes.  Make sure you are included in the privacychoice wizard, since we are alerted (and will tell you) when any process we include is not writing opt-out cookies.

7 Responses to “Best Practices for Opt-Outs”

  1. […] Best Practices for Opt-Outs « Progress at Lotame […]

  2. privacychoice team Says:

    Thanks to Chris Soghoian for the good suggestion to have the expiration date of opt-out cookies set to an arbitrary date/time to avoid creating personally identifiable information in the cookie!

    • privacychoice team Says:

      Thanks to Jules Polonetsky for the reminder that opt-out scripts can break, which makes it important to set up monitoring. See new language in the last section.

  3. […] Best Practices for Opt-Outs « Burst Media and richrelevance join the NAI […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: