Posts Tagged ‘cookie’

Online Behavioral Advertising Checklist: Seeking Input

June 11, 2010

After compiling the PrivacyChoice Index and interacting with dozens of ad networks and data companies about consumer privacy, it seemed like it would be useful to publish a checklist of practices and policies applicable to companies engaged in online behavioral advertising. No doubt this is incomplete, and some of the recommendations may be controversial, but it’s a start.

Your input will be appreciated, either in the comments here or privately by email. I’m particularly interested in input from data practitioners who are on the front line implementing privacy processes. If you believe in the self-regulatory effort, I hope you agree that sharing best practices will work to benefit all players, including ad networks, data companies, advertisers and more informed and capable consumers.

View this document on Scribd

Gigya adds cookie-based opt-out (but far from best practices)

April 6, 2009

capture4Gigya, which is a widget distribution network claiming to reach 174 million users, added a reference to an opt-out feature in their privacy policy, which takes you to this opt-out page.

Opt-out processes seem to be coming on fast and furious now, following on Google’s adoption of behavioral targeting together with a robust opt-out process.  What is interesting about Gigya’s adoption is that it is another reminder that behavioral targeting technology inevitably will move beyond what we think of as traditional ad networks.  Any third-party provider that has embedded content or functionality in a primary site will likely be leveraging behavioral profiles, and should provide an opt-out process.

Some questions for Gigya on their process:

1/ I had some mixed results with the opt-out itself.  The first couple of times it didn’t seem to lay any new cookies down at all, but then seemed to work to add four different new cookies (two session cookies, two persistent cookies), none of which was identified in the cookie text as opt-outs and, by all appearances, each of which is a non-unique cookie.  Why would you need to add two persistent cookies when just one — which says “OPT OUT” and is not unique — would do the trick?

As you may know if you are following these issues, non-unique cookies are much less desireable because they provide less assurance to the consumer that they are not being tracked, and cannot be embedded as easily into browser plug-ins to retain the opt-out state.  

Also confusing:  the persistent cookies had different expiration dates, including one that expires in 2 years and one that expires in six months.  Why two different expiration periods and why so short?  It is notable that the cookie Gigya uses normally to track behavior (when you have not opted out) is a ten-year cookie.

2/ Relative to other networks, Gigya does a poor job explaining how the process works, that they are writing a cookie, when the cookie expires (is it six months or two years), or that the process needs to be repeated if cookies are cleared from the user’s computer.  Although any action is commendable, this one looks like a rushed job where the objective is to check-the-box on having an opt-out, rather than truly provide consumers with choice.

3/ Gigya indicates that their sharing feature is not available once you have opted out.  Is that truly a technical requirement — can’t you allow sharing but not store behavioral information?

4/ Gigya should provide a clean URL (not obscured within javascript) to initiate the opt-out process — to better enable aggregated services like our opt-out wizard.  An opt-out process that requires a consumer to visit every widget or ad provider is designed to fail.

5/ Last, but not least, will Gigya provide any reference to their privacy policy or the opt-out process within the widgets themselves as they appear across the Web?  This would be analogous to Google’s promise to include “Ads by Google” in all ads that use behavioral targeting, which would provide at least some clue to the consumer where to find out more about privacy and opting out.

Along the same lines, what steps is Gigya taking to ensure that their publisher network (including the likes of CNET and Disney, according to the site) is adopting privacy policies that reference Gigya’s own policies and opt-out process?  This is a best practice that Google is imposing on their own publisher network.  It would seem even more important for Gigya to take these steps, since in many cases the content the deliver on a distributed basis through other sites is not advertising, and the consumer would probably not have an expectation that their behavior is being tracked by third parties.

I would love to hear from the folks at Gigya on these questions, and would be pleased to publish their answers just as soon as I do.

Adconion adds opt-out cookie (sort of)

April 3, 2009

UPDATE:  A representative of Adconion wrote today to confirm that they have fixed the opt-out feature on Firefox (thanks!).  It is still important to integrate the opt-out action in our wizard, which I will be discussing with them and will report back.  Stay tuned.

I have had an entry in the opt-out database for Adconion for some time, but (sadly) no opt-out process.  I sent two emails to their privacy officer (2/27 and 3/11) asking about the lack of an opt-in.  No reply in either case (unlike the vast majority of privacy officers with whom I’ve corresponded).

Adconion is an interesting one, since they announced a big data sharing partnership with BlueKai, which seems to aggregate behavior data for quite a few people (142 million, they say).

capture1Now thanks to the page-change monitoring service I have started using (kudos to watchthatpage!), I was alerted that Adconion’s privacy page had changed.  Low and behold,  there’s now a page purporting to be an opt-out process, to which the main privacy policy page now links.

To make sure I didn’t miss it the first time around, I checked the Google cache page as of March 26 — no mention of an opt-out process, so this is new.

As of the date of this post, no announcement of this on their site.  But I suspect this is the impending new opt-out referred to here.  

So good news — another ad network is providing an opt-out choice.  In this case, it looks like the text of the opt-out cookie is non-unique, even better (and therefore will show up in TACO shortly, I’m sure).

Here’s the problem — the Adconion opt-out doesn’t work very well on Firefox. Although things were fine on IE and Chrome, clicking that choice in Firefox gave no response on three different computers, until I happened to first click the opt-in button and then the opt-out button, which sometimes would do the trick.  I know, stuff happens, but this would have been an easy one to spot.  (Here’s a tip:  if our server logs are any indication, people who care about privacy overwhelmingly tend to be on Firefox, so you really need to nail it for them.)

By the way, to the folks at Adconion, if you want to bother adding an opt-out process, you really should link it from your top page, rather than burying it under the “Company” section.  The name of the game here is capture-consumer-trust.  You need to believe it, and you need us to believe that you believe it.  

Along those lines, here’s an idea:  send me a clean URL that initiates the opt-out, and we will get it into the opt-out wizard lickey-split.  

BTW, it doesn’t seem like you’ve got the cycles to reply to privacy questions by email, and I actually tried calling today, only to be routed curtly to an extension voicemail with a generic greeting.  As an alternative, I’m just including the names of your officers in this post — in case any of you are listening via Google Alerts and want to send this problem over to QA.  You guys will get a better response than me, no doubt.  😉

T. Tyler Moebius

Matthias Quadflieg

Jeremy Daw

Keith Kaplan

Ben Fox