Gigya, which is a widget distribution network claiming to reach 174 million users, added a reference to an opt-out feature in their privacy policy, which takes you to this opt-out page.
Opt-out processes seem to be coming on fast and furious now, following on Google’s adoption of behavioral targeting together with a robust opt-out process. What is interesting about Gigya’s adoption is that it is another reminder that behavioral targeting technology inevitably will move beyond what we think of as traditional ad networks. Any third-party provider that has embedded content or functionality in a primary site will likely be leveraging behavioral profiles, and should provide an opt-out process.
Some questions for Gigya on their process:
1/ I had some mixed results with the opt-out itself. The first couple of times it didn’t seem to lay any new cookies down at all, but then seemed to work to add four different new cookies (two session cookies, two persistent cookies), none of which was identified in the cookie text as opt-outs and, by all appearances, each of which is a non-unique cookie. Why would you need to add two persistent cookies when just one — which says “OPT OUT” and is not unique — would do the trick?
As you may know if you are following these issues, non-unique cookies are much less desireable because they provide less assurance to the consumer that they are not being tracked, and cannot be embedded as easily into browser plug-ins to retain the opt-out state.
Also confusing: the persistent cookies had different expiration dates, including one that expires in 2 years and one that expires in six months. Why two different expiration periods and why so short? It is notable that the cookie Gigya uses normally to track behavior (when you have not opted out) is a ten-year cookie.
2/ Relative to other networks, Gigya does a poor job explaining how the process works, that they are writing a cookie, when the cookie expires (is it six months or two years), or that the process needs to be repeated if cookies are cleared from the user’s computer. Although any action is commendable, this one looks like a rushed job where the objective is to check-the-box on having an opt-out, rather than truly provide consumers with choice.
3/ Gigya indicates that their sharing feature is not available once you have opted out. Is that truly a technical requirement — can’t you allow sharing but not store behavioral information?
4/ Gigya should provide a clean URL (not obscured within javascript) to initiate the opt-out process — to better enable aggregated services like our opt-out wizard. An opt-out process that requires a consumer to visit every widget or ad provider is designed to fail.
5/ Last, but not least, will Gigya provide any reference to their privacy policy or the opt-out process within the widgets themselves as they appear across the Web? This would be analogous to Google’s promise to include “Ads by Google” in all ads that use behavioral targeting, which would provide at least some clue to the consumer where to find out more about privacy and opting out.
Along the same lines, what steps is Gigya taking to ensure that their publisher network (including the likes of CNET and Disney, according to the site) is adopting privacy policies that reference Gigya’s own policies and opt-out process? This is a best practice that Google is imposing on their own publisher network. It would seem even more important for Gigya to take these steps, since in many cases the content the deliver on a distributed basis through other sites is not advertising, and the consumer would probably not have an expectation that their behavior is being tracked by third parties.
I would love to hear from the folks at Gigya on these questions, and would be pleased to publish their answers just as soon as I do.
Now thanks to the page-change monitoring service I have started using (kudos to 
privacychoice 