Best Practices for Opt-Outs
Firms following these practices can establish higher levels of consumer and advertiser trust and better demonstrate a commitment to effective self-regulation. We welcome your suggestions on how to improve these practices.
- Prominently feature a direct reference to the availability of the opt-out on the top page of your corporate website and on all pages pertaining to consumer privacy. Ideally, allow the opt-out action to be initiated directly from that page. See example.
- If your corporate domain is different from the domains that you use for serving advertisements, redirect users who navigate directly to your ad-serving domains in their browser to your corporate site. Some consumers may find cookies and use the cookie domain to try to find the company that wrote them.
- Ideally, to remember the opt-out preference, use both a browser cookie (so users can see it) and a Flash cookie (so it is persistent). If you are using Flash cookies generally but don't use a Flash cookie to solidify your opt-out, ask yourself whether that really seems fair and in the best interests of users.
- Opt-out cookies should always be non-unique (the exact same cookie should be written on every computer opting out). Because unique cookies can allow continued identification of a unique computer, they undermine confidence in the opt-out process.
- The name and values of opt-out cookies should clearly indicate their purpose.
  - Example (cookie name): OPT-OUT
  - Example (cookie value): YES
- Set the cookie expiration date/time as 12:00:00 January 1, for a year that is at least five years in the future. Do not set the expiration date based on the moment that the opt-out is selected, since that would result in the cookie being uniquely identifiable.
- To avoid confusion, do not use multiple opt-out cookies unless you have multiple ad-serving domains.
- Provide immediate and clear confirmation for the user that the opt-out process has been effective.
- As part of the opt-out process, clearly explain these limitations:
  - The opt-out process is lost and must be repeated if cookies are cleared.
  - The opt-out process must be run on each computer that you use.
- Allow your opt-out link and opt-out process to be integrated into other opt-out locations, such as the Network Advertising Initiative and privacychoice.
- Provide links to other services where users can opt out of other targeting and tracking networks or install a browser add-on to maintain their settings. See example.
- Keep in touch with those services, and let them know of any changes to your opt-out policy or opt-out cookie structure. This is especially important as opt-out cookie formats are hard-coded into browser add-ons.
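
A check for the cookie rules above (identical cookie on every computer, fixed 12:00:00 January 1 expiry at least five years out), as an added example that is not part of the original page. The function names, the sample headers and the `ads.example` domain are constructed, and the name test is a heuristic assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def audit_opt_out(headers, now):
    """Audit Set-Cookie values captured from separate opt-out requests."""
    findings = []
    parsed = [parse_set_cookie(h) for h in headers]
    # Non-unique: every client must get the same name, value and expiry.
    if len({(n, v, a.get("expires")) for n, v, a in parsed}) > 1:
        findings.append("cookie differs between clients (unique value or expiry)")
    for name, value, attrs in parsed:
        # Heuristic (assumption): a purpose-revealing name contains "optout".
        if "optout" not in name.lower().replace("-", "").replace("_", ""):
            findings.append(f"name {name!r} does not indicate an opt-out")
        # Max-Age counts from receipt, so the stored expiry encodes opt-out time.
        if "max-age" in attrs:
            findings.append(f"{name}: Max-Age makes expiry relative to opt-out time")
        if "expires" not in attrs:
            findings.append(f"{name}: no fixed Expires attribute")
            continue
        exp = parsedate_to_datetime(attrs["expires"])
        if (exp.month, exp.day, exp.hour, exp.minute, exp.second) != (1, 1, 12, 0, 0):
            findings.append(f"{name}: expiry {exp:%Y-%m-%d %H:%M:%S} is not 12:00:00 January 1")
        # Interpretation (assumption): "five years" compares calendar years.
        if exp.year - now.year < 5:
            findings.append(f"{name}: expiry year {exp.year} is under five years out")
    return sorted(set(findings))

# Constructed sample data: two clients opting out minutes apart.
NOW = datetime(2025, 3, 14, tzinfo=timezone.utc)
GOOD = ["OPT-OUT=YES; Expires=Mon, 01 Jan 2035 12:00:00 GMT; Path=/; Domain=.ads.example"] * 2
BAD = ["optout=id-7f3a91; Expires=Sat, 14 Mar 2026 09:26:53 GMT; Path=/",
       "optout=id-c20b44; Expires=Sat, 14 Mar 2026 09:31:07 GMT; Path=/"]

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_opt_out(sample, NOW))
```

Feed it headers captured from at least two independent browser profiles; a single capture cannot show whether the value or expiry varies per client.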