It’s a good time to clean house (and get a retention policy)

December 1, 2009

Update: On 12/17 Audience Science adopted a 2-year retention policy. The housecleaning continues …

Update: 24/7 Real Media, the WPP subsidiary, now also has a retention policy we first logged on 12/09. They’ve chosen 13 months across the board.

We’ve seen a number of upgrades to ad network privacy policies in the last couple of weeks, which may indicate that networks are starting to clean up missing and non-typical provisions in their privacy policies. The timing is good, since the FTC Roundtables on privacy that commence next week will no doubt raise attention around ad-network privacy policies.

One notable recent policy improvement comes from x+1, which added a retention policy, stating that log file information is only kept available for 90 days from the date of collection. Accordingly, I’ve removed them from the list of NAI members lacking a specific retention policy, leaving four NAI members without published data retention policies: Audience Science, Microsoft, SpecificMEDIA and 24/7 Real Media.

As part of the PrivacyChoice submission to the FTC Roundtables on privacy, we will be providing a set of overall statistics on privacy policy provisions and practices, based on a snapshot from our database later this week.

Coremetrics data syndication: unfinished business

June 19, 2009

Coremetrics’ primary business has been to provide site analytics for web publishers. In typical fashion, customers install Coremetrics tags on all of the pages in their website, which generate user clickstream information that the Coremetrics system turns into insights for the site operator. According to their site, Coremetrics serves over a thousand customers.

Coremetrics recently announced a significant extension to this platform, to allow their analytics customers to “syndicate” Coremetrics’ clickstream information across multiple behavioral ad networks, including Dotomi, Audience Science, OpenX, Choicestream and [x+1]. This is interesting because even if Dotomi tags are not on the publisher’s site, the user behavioral information gathered by Coremetrics can be provided to Dotomi in order for Dotomi to deliver ads to that user on any website in the Dotomi ad network.

Coremetrics explains the benefits in their whitepaper (pdf): “Better segmentation and targeting are achieved when advertisers and ad networks can leverage detailed information about web site visitor behavior. Collecting rich activity data and passing it to multiple ad networks is a complicated, expensive, and time-consuming endeavor.”

In this screenshot you can see the options for syndication of user profiles.

Presumably, no personal information is ever passed to an ad network, and to be certified to participate, an ad network must agree to limitations on how syndicated user data will be used and retained. Those limitations probably include a commitment not to add the user information into the network’s general data pool, lest its value be captured by the network’s other participants. Those limitations would also further the consumer’s interest in not having behavioral information more widely distributed than intended.

Those are probably safe assumptions, but the Coremetrics privacy policy doesn’t confirm them either way, and has not been updated since January. Here’s how the policy explains the use of collected data:  “Our clients use our Services to understand more about visitors to their web sites. Clients then apply this understanding to their web sites to provide web environments that save visitors time and make the sites easier to use.” To my mind, that doesn’t capture syndication of cookie-based information for behavioral targeting. Nor does the Coremetrics opt-out disclosure really work anymore — it promises that, if you don’t opt-out, your “data will be presented as part of a pool of general, anonymous visitors.” Unless I’m reading this wrong, that’s not the case anymore. (PS I invite Coremetrics comments on this — two emails to their privacy address have yet to receive a reply.)

In addition to fixing these issues, the Coremetrics privacy statement should specify which companies may have access to syndicated profile information, and what policies they follow. You can check out our summary of those policies here.

Coremetrics no doubt will fix these issues, but there are larger lessons here. First, companies like Coremetrics who are positioned to leverage user information for targeting applications are going to do so, but they need to take care that their privacy practices stay in step.

Second, the use and syndication of user behavioral information is becoming increasingly complex as data moves between different companies in the targeting ecosystem. This calls for better consumer disclosure about these practices, particularly the inter-company agreements that govern data handling. Coremetrics has an opportunity to show the way through a robust disclosure in their privacy statement and opt-out process. In the meantime, at privacychoice we’re working on ways to make those disclosures more easily found and understood by consumers, together with the ability to opt-out for those who aren’t comfortable.

No mention of retention (results of our policy review)

May 8, 2009

In the course of our research for privacychoice 2.0, we’ve been surprised at how hard it is to get a handle on the data retention policies of the ad and tracking networks. This is despite the fact that data retention practices are a key disclosure point for consumer online privacy. The FTC principles called this out:

To address the concern that data collected for behavioral advertising may find its way into the hands of criminals or other wrongdoers, and concerns about the length of time companies are retaining consumer data, the FTC staff proposes:  Any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.

Here’s what the NAI guidelines (PDF) require of their members:

Each member directly engaging in [Online Behavioral Advertising], Multi-Site Advertising and/or Ad Delivery & Reporting shall clearly and conspicuously post notice on its website that describes its data collection, transfer, and use practices. Such notice shall include clear descriptions of the following, as applicable: … The approximate length of time that data used for OBA, Multi-Site Advertising and/or Ad Delivery & Reporting will be retained by the member company.

In reviewing the policies of 63 targeting networks, here’s what we learned:

1. Most companies don’t disclose their retention timeframe, or do so obliquely.

Surprisingly, for 41 of the companies (nearly two-thirds), we could not find an express statement of how long consumer data is retained. In the NAI membership, we could not find such a statement for any of these companies:

24/7 Real Media (WPP) (retention provisions added 12/09)
Audience Science (added two-year retention period 12/09)
Microsoft (subsidiary Atlas discloses a 2 year timeframe)
[x+1] (retention provision added 11/09)

Two of the other heavyweights in the NAI — Google and Yahoo! — have published information about their retention practices, in the press or on their blogs. (Here’s a round up of some of these statements.)  But as far as we could tell, they have not included an express timeframe in their privacy policies, where a consumer would expect to find it.

2. Retention periods vary widely, but the trend is toward a year or less.

Of those 22 networks that have put a time frame in their disclosure policies, there’s a wide range, but with accumulation at or below one year (particularly for the larger networks).

One year or less:  13
Over one year but not more than 2 years: 6
Three years: 2
Indefinite: 1

Special mention goes to Fetchback, which is clear in their disclosures that they retain the information indefinitely. Whatever you might think about that policy, at least the disclosure is clear and where a consumer would expect to find it.

For the 41 other companies: until your policies are clearer, consumers and (yikes) regulators can fairly assume that you are also retaining and using the information indefinitely.