Posts Tagged ‘Fetchback’

Two notable privacy policy updates

August 17, 2009

In the last week, we saw two interesting changes to privacy policies  that we track (and these are now updated in our database):

Fetchback formerly had no deletion requirement for user information, and now deletes all information after 1 year. It seems like there’s a lot of momentum around 1 year as the maximum retention period, at least among the minority of tracking companies that have any kind of deletion policy. See the prior post on this topic.

interclick now includes a reference to their use of Flash cookies (acknowledging that these are not deleted through normal browser privacy processes). At least their statement promises (or at least implies) that if you follow their normal process (regular cookies) you will be opted out of all tracking, including Flash cookies. (See the prior post on this important topic.)


No mention of retention (results of our policy review)

May 8, 2009

In the course of our research for privacychoice 2.0, we’ve been surprised at how hard it is to get a handle on the data retention policies of the ad and tracking networks.  This is despite the fact that data retention practices are a key disclosure point for consumer online privacy. The FTC principles called this out:

To address the concern that data collected for behavioral advertising may find its way into the hands of criminals or other wrongdoers, and concerns about the length of time companies are retaining consumer data, the FTC staff proposes:  Any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.

Here’s what the NAI guidelines (PDF) require of their members:

Each member directly engaging in [Online Behavioral Advertising], a) Multi-Site Advertising and/or Ad Delivery & Reporting shall clearly and conspicuously post notice on its website that describes its data collection, transfer, and use practices. Such notice shall include clear descriptions of the following, as applicable: …  The approximate length of time that data used for OBA, vi. Multi-Site Advertisiisiising and/or Ad Delivery & Reporting will be retained by the member company.

In reviewing the policies of 63 targeting networks, here’s what we learned:

1. Most companies don’t disclose their retention timeframe, or do so obliquely.

Suprisingly, for 41 of the companies (nearly two-thirds), we could not find an express statement of how long consumer data is retained.  In the NAI membership, we could not find such a statement for any of these companies:

24/7 Real Media (WPP) (retention provisions added 12/09)
Audience Science (added two-year retention period 12/09)
Microsoft (subsidiary Atlas discloses a 2 year timeframe)
[x+1] (retention provision added 11/09)

Two of the other heavyweights in the NAI — Google and Yahoo! — have published information about their retention practices, in the press or on their blogs. (Here’s a round up of some of these statements.)  But as far as we could tell, they have not included an express timeframe in their privacy policies, where a consumer would expect to find it.

2. Retention periods vary widely, but the trend is toward a year or less.

Of those 22 networks who have put a time frame in their disclosure policies, there’s a wide range, but with accumulation at or below one year (particularly for the larger networks).

One year or less:  13
Over one year but not more than 2 years: 6
Three years: 2
Indefinite: 1

Special mention goes to Fetchback, which is clear in their disclosures that they retain the information indefinitely. Whatever you might think about that policy, at least the disclosure is clear and where a consumer would expect to find it.

For 41 other companies:  Until your policies are more clear, consumers and (yikes) regulators can fairly assume that you are also retaining and using the information indefinitely.

Advertisers’ role in privacy policy

April 23, 2009

The privacychoice philosophy (or shall we say, working hypothesis) is that technology can provide consumers with meaningful and actionable choices when it comes to their privacy.  While inevitably there will be a regulatory layer to privacy policy, the depth of that layer depends a lot on how well the media and advertising industries embrace and apply privacy technologies.

So it’s interesting to consider whether all of the “industry players” are pulling their weigh in helping resolve privacy controversy.  The hammer comes down on ad networks, and to a lesser extent, publishers, but where are the big advertisers in all this?

The question comes from Chad Little of Fetchback, writing in MediaPost.

I think that it’s time for advertisers to step up in this privacy debate. Thus far the pressure for disclosure has been placed on networks, behavioral marketing providers and publishers. The key players in those industries have done a good job of becoming more transparent (though there is still work ahead of us), while advertisers haven’t been asked to do anything. Advertisers are clearly benefiting from behavioral marketing, and its time they disclosed what type of behavioral marketing they participate in, and allow customers to opt-out. How they do this is open for discussion: Tag each ad with an opt-out of future ads from the same company? Put a notice on manufacturer’s page with the headline “Did You Know We Are Tracking You?” that links to a kinder, gentler explanation?

It’s an excellent point, and he’s right to think about exactly how this could work in terms of disclosure that happens in the distribution of the advertising itself.  In a sense, is the problem solved in the Google Way, where the landing page explains what tracking is going on, which is naturally associated with the advertiser by virtue of the ad itself?