Coremetrics primary business has been to provide site analytics for web publishers. In typical fashion, customers install Coremetrics tags on all of the pages in their website, which generate user clickstream information that the Coremetrics system turns into insights for the site operator. According to their site, Coremetrics serves over a thousand customers.
Coremetrics recently announced a significant extension to this platform, to allow their analytics customers to “syndicate” Coremetrics’ clickstream information across multiple behavioral ad networks, including Dotomi, Audience Science, OpenX, Choicestream and [x+1]. This is interesting because even if Dotomi tags are not on the publisher’s site, the user behavioral information gathered by Coremetrics can be provided to Dotomi in order for Dotomi to deliver ads to that user on any website in the Dotomi ad network.
Coremetrics explains the benefits in their whitepaper (pdf): “Better segmentation and targeting are achieved when advertisers and ad networks can leverage detailed information about web site visitor behavior. Collecting rich activity data and passing it to multiple ad networks is a complicated, expensive, and time-consuming endeavor.”
In this screenshot you can see the options for syndication of user profiles.
Presumably, no personal information is ever passed to an ad network, and to be certified to participate, an ad network must agree to limitations on how syndicated user data will be used and retained. Those limitations probably include a commitment not to add the user information into the network’s general data pool, lest its value be captured by the network’s other participants. Those limitations would also further the consumer’s interest in not having behavioral information more widely distributed than intended.
Those are probably safe assumptions, but the Coremetrics privacy policy doesn’t confirm them either way, and has not been updated since January. Here’s how the policy explains the use of collected data: “Our clients use our Services to understand more about visitors to their web sites. Clients then apply this understanding to their web sites to provide web environments that save visitors time and make the sites easier to use.” To my mind, that doesn’t capture syndication of cookie-based information for behavioral targeting. Nor does the Coremetrics opt-out disclosure really work anymore — it promises that, if you don’t opt-out, your “data will be presented as part of a pool of general, anonymous visitors.” Unless I’m reading this wrong, that’s not the case anymore. (PS I invite Coremetrics comments on this — two emails to their privacy address have yet to receive a reply.)
In addition to fixing these issues, the Coremetrics privacy statement should specify which companies may have access to syndicated profile information, and what policies they follow. You can check out our summary of those policies here.
Coremetrics no doubt will fix these issues, but there are larger lessons here. First, companies like Coremetrics who are positioned to leverage user information for targeting applications are going to do so, but they need to take care that their privacy practices stay in step.
Second, the use and syndication of user behavioral information is becoming increasingly complex as data moves between different companies in the targeting ecosystem. This calls for better consumer disclosure about these practices, particularly the inter-company agreements that govern data handling. Coremetrics has an opportunity to show the way through a robust disclosure in their privacy statement and opt-out process. In the mean time, at privacychoice we’re working on ways to make those disclosures more easily found and understood by consumers, together with the ability to opt-out for those who aren’t comfortable.