Posts Tagged ‘Exelate’

PrivacyWidgets as a platform for value-exchange

January 18, 2010

As mentioned in the release notes for the PrivacyWidget and earlier posts, PrivacyWidgets can provide a platform for the value-exchange between consumers and advertisers using behavioral advertising. In this relationship, the consumer exchanges information about themselves and their interests for more relevant advertising and content.

Some ad-delivery companies are already investing in making the value-exchange more transparent for users, by showing them information about the specific interests and preferences that have been stored about them. At least seven companies already do this: BizoBlueKaieXelateGoogleRubicon ProjectSafecount and Yahoo!

These companies are betting that, by and large, consumers will appreciate more relevant advertising and can be made comfortable with any privacy impact. They’re giving this substance by reading back something about what they know about the consumer, and inviting the consumer to engage with a process to share even more about their interests.

PrivacyWidgets facilitate this transparency. As a simple start, we had added links within the PrivacyWidget to take the user directly to their personal preference information for those companies that make it available. Check out the Sample PrivacyWidget on our site to see some examples.

This is also good for websites, who choose their ad delivery partners and provide the context for the exchange in value: ad-supported content and services. Consumers who will share more about their interests will provide more advertising value. So PrivacyWidgets offer more than just an easy way to comply with disclosure requirements; over time they can drive engagement and higher ad value. For the consumer, this virtuous circle leads to more and better free content.

Should adult activities be out of bounds for behavioral targeting?

October 4, 2009

In the privacy debate about behavioral tracking and ad targeting, most folks agree that new rules are needed in areas that are considered “sensitive.” Some activities, like researching health conditions or financial planning, will be off limits for tracking once new rules are in place. Companies won’t be able to use information about those activities when compiling user profiles or targeting advertising, and probably will be obligated to delete such data promptly.

This will impose new policies (and probably new operating practices) on many firms engaged in tracking. A substantial majority (65%) of the tracking companies in the privacychoice database make no mention in their privacy statements of special handling for sensitive information.

The larger players are ahead of the curve. With a few exceptions, each of the top ten ad networks already exclude sensitive information from their targeting matrix in some way. In the most typical formulation, “sensitive” information is defined to include government-issued identifiers (like SSN), insurance plan and financial account numbers, your real-time geographic location (via GPS), and “precise information about past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history.”

A few ad networks go further, also establishing exclusions around sexual identity and adult activities. Google, for example, says it will not associate the omnipresent DoubleClick cookie with information about “sexual orientation.” Clearsight Interactive and AlmondNet will not store information from “adult and gambling sites.” BlueKai does not collect or share data involving “adult behavior such as drinking, politics, or pornographic content.” Exelate promises not to target ads based on “adult related searches or adult content.”

It is easier for an ad network to promise not to use adult activities if they don’t serve ads or collect data on adult sites in the first place. But mainstream ad networks and measurement firms are present on adult sites. Take a look at the Network Privacy Profile for playboy.com, where you will find DoubleClick, Quantcast, Eyewonder and several others. Those networks are in a position to connect visits to adult sites with a user’s overall profile (and any personally identifiable information, if they have it).

Consumers have some privacy protection in the form of anonymous surfing tools, which are now available in all of the major browsers. But although private browsing mode cuts off access to regular browser cookies on your computer, it doesn’t mask IP addresses or block Flash cookies, which are common across all browsers and are favorite tracking tools for many ad networks. There are technical workarounds, but none within reach of an average consumer.

As regulations emerge, here are two predictions:

  • Use of sexual orientation will be off-limits in behavioral targeting as a matter of law, but activities on adult sites will not. While advocates want to circumscribe targeting as much as possible, they will pick their battles. (Thus the recent proposal from a coalition of privacy advocates only suggested sensitizing information about sexual orientation and “personal relationships.”)
  • In the long run, as opt-out (or even opt-in) choices become more prevalent and robust, companies will extend their definition of sensitive categories beyond non-controversial areas like finance and health. This will be an easy way to make consumers more comfortable, particularly if new rules require companies to show users what’s in their own profiles.

No mention of retention (results of our policy review)

May 8, 2009

In the course of our research for privacychoice 2.0, we’ve been surprised at how hard it is to get a handle on the data retention policies of the ad and tracking networks.  This is despite the fact that data retention practices are a key disclosure point for consumer online privacy. The FTC principles called this out:

To address the concern that data collected for behavioral advertising may find its way into the hands of criminals or other wrongdoers, and concerns about the length of time companies are retaining consumer data, the FTC staff proposes:  Any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.

Here’s what the NAI guidelines (PDF) require of their members:

Each member directly engaging in [Online Behavioral Advertising], a) Multi-Site Advertising and/or Ad Delivery & Reporting shall clearly and conspicuously post notice on its website that describes its data collection, transfer, and use practices. Such notice shall include clear descriptions of the following, as applicable: …  The approximate length of time that data used for OBA, vi. Multi-Site Advertisiisiising and/or Ad Delivery & Reporting will be retained by the member company.

In reviewing the policies of 63 targeting networks, here’s what we learned:

1. Most companies don’t disclose their retention timeframe, or do so obliquely.

Suprisingly, for 41 of the companies (nearly two-thirds), we could not find an express statement of how long consumer data is retained.  In the NAI membership, we could not find such a statement for any of these companies:

24/7 Real Media (WPP) (retention provisions added 12/09)
AlmondNet
Audience Science (added two-year retention period 12/09)
Microsoft (subsidiary Atlas discloses a 2 year timeframe)
SpecificMEDIA
[x+1] (retention provision added 11/09)

Two of the other heavyweights in the NAI — Google and Yahoo! — have published information about their retention practices, in the press or on their blogs. (Here’s a round up of some of these statements.)  But as far as we could tell, they have not included an express timeframe in their privacy policies, where a consumer would expect to find it.

2. Retention periods vary widely, but the trend is toward a year or less.

Of those 22 networks who have put a time frame in their disclosure policies, there’s a wide range, but with accumulation at or below one year (particularly for the larger networks).

One year or less:  13
Over one year but not more than 2 years: 6
Three years: 2
Indefinite: 1

Special mention goes to Fetchback, which is clear in their disclosures that they retain the information indefinitely. Whatever you might think about that policy, at least the disclosure is clear and where a consumer would expect to find it.

For 41 other companies:  Until your policies are more clear, consumers and (yikes) regulators can fairly assume that you are also retaining and using the information indefinitely.