It’s a good time to clean house (and get a retention policy)

Update: On 12/17 Audience Science adopted a 2-year retention policy. The housecleaning continues …

Update: 24/7 Real Media, the WPP subsidiary, now also has a retention policy we first logged on 12/09. They’ve chosen 13 months across the board.

We’ve seen a number of upgrades to ad network privacy policies in the last couple of weeks, which may indicate that networks are starting to clean up missing and non-typical provisions in their privacy policies. The timing is good, since the FTC Roundtables on privacy that commence next week will no doubt raise attention around ad-network privacy policies.

One notable recent policy improvement comes from x+1, which added a retention policy, stating that log file information is only kept available for 90 days from the date of collection. Accordingly, I’ve removed them from the list of NAI members lacking a specific retention policy, leaving only three four NAI members left without published data retention policies: Audience Science, Microsoft, and SpecificMEDIA and 24/7 Real Media.

As part of the PrivacyChoice submission to the FTC Roundtables on privacy, we will be providing a set of overall statistics on privacy policy provisions and practices, based a snapshot from our database later this week.

PS Apologies to regular readers for the silence on this blog in the last month. While it hasn’t been a great month for writing, it has been a terrific month of meetings with industry and thought leaders, and a ton of product design and development, which we will be unveiling very soon. Stay tuned!

Microsoft privacy policy changes: mostly housecleaning

Last week Microsoft made a few changes to their privacy policy pertaining to advertising. Nothing too dramatic, but since we’re tracking these things, here are the relevant bits with commentary from yours truly.

Display of Advertising

Many of the Web sites and online services we offer, as well as those of our partners, are supported by advertising. Through the Microsoft Advertising Platform, we may display ads on our own sites and the sites of our advertising partners.

When we display online advertisements to you, we will place aone or more persistent cookiecookies on your computer in order to recognize your computer each time we display an ad to you. The cookies we use for advertising have an expiry date of no more than 2 years. Because we may serve advertisements on many different Web sites, we are able to compile information over time about where you, or others who are using your computer, saw and/or clicked on the advertisements we display. We use this information to make predictions about your characteristics, interests or preferences and to display targeted advertisements that we believe may be of interest to you. We may also associate this information with your subsequent visit, purchase or other activity on participating advertisers’ Web sites in order to determine the effectiveness of the advertisements.

While we may use some of the information we collect in order to personalize the ads we show you, we designed our systems to select ads based only on data that does not personally and directly identify you. For example, we may select the ads we display according to certain general interest categories or segments that we have inferred based on (a) demographic or interest data, including any you may have provided when creating an account (e.g. age, zip or postal code, gender), demographic or interest data acquired from other companies, and a general geographic location derived from your IP address, (b) the pages you view and links you click when using Microsoft’s and its advertising partners’ Web sites and services, and (c) the search terms you enter when using Microsoft’s Internet search services, such as Live Search. For more information about how we personalize ads, and the segments we use, visit Personalized Advertising Segments.

When we display personalized ads, we take a number of steps designed to protect your privacy. For example, we store page views, clicks and search terms used for ad personalization separately from your contact information or other data that directly identifies you (such as your name, e-mail address, etc.). Further, we have built in technological and process safeguards designed to prevent the unauthorized correlation of this data. We also give you the ability to opt-out of personalized ads. For more information or to use the opt-out feature, you may visit our opt-out page.. In addition, you can go to the Network Advertising Initiative, which offers a single location to opt-out of ad targeting from member companies.

We also provide third party ad delivery through our Atlas subsidiary, and you may read. For more information, visit the Atlas privacy statementwebsite at: http://www.atlassolutions.com/privacy.aspx/.

Although the majority of the online advertisements on Microsoft sites are displayed by Microsoft, we also allow third-party ad serving companies, including other ad networks, to display advertisements on our sites. These companies currently include, but are not limited to: 24/7 Real Media, Advertising.com, BidclixBlueStreak, BlueStreakBurst Media, Burst MediaDoubleClick, DoubleClickEuroClick, EuroClickEyeblaster, EyeblasterEyeWonder, EyeWonderInterpolls, FalkKanoodle, InterpollsMediaplex, KanoodlePointroll, MediaplexTangoZebra, PointrollYahoo! Publisher Network, TangoZebra, Yahoo! Publisher Network, andZedo Zedo.

These companies may offer you a way to opt –out of ad targeting based on their cookies., and some of them are also members of the Network Advertising Initiative. You may find more information by clicking on the company names above and following the links to the Web sites of each company. Some of these companies are members of the Network Advertising Initiative, which offers a single location to opt out of ad targeting from member companies.

Two notes:

1. Looks like some spring cleaning on the list of third-party ad networks that Microsoft uses in its role as a site publisher. Nice to see that all of them are already in the privacychoice database. Every publisher should have such a list in their privacy policy, and it should be automatically and continuously updated (stay tuned!).
2. As for the two-year cookie lifetime, I suppose this is helpful in the sense that if the cookie is deleted and never heard from again, there is an outer limit on the duration of any any associated profile (unless it is also associated with an IP address perhaps). But since the two-year period renews every time the cookie is seen, this should not be confused with a server-side deletion policy. It would be ideal if Microsoft could provide a deletion time frame  for the data collected with these cookies, even if it needs to acknolwedge that different policies apply to different services in their network based on unique business needs.

No mention of retention (results of our policy review)

In the course of our research for privacychoice 2.0, we’ve been surprised at how hard it is to get a handle on the data retention policies of the ad and tracking networks.  This is despite the fact that data retention practices are a key disclosure point for consumer online privacy. The FTC principles called this out:

To address the concern that data collected for behavioral advertising may find its way into the hands of criminals or other wrongdoers, and concerns about the length of time companies are retaining consumer data, the FTC staff proposes:  Any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.

Here’s what the NAI guidelines (PDF) require of their members:

Each member directly engaging in [Online Behavioral Advertising], a) Multi-Site Advertising and/or Ad Delivery & Reporting shall clearly and conspicuously post notice on its website that describes its data collection, transfer, and use practices. Such notice shall include clear descriptions of the following, as applicable: …  The approximate length of time that data used for OBA, vi. Multi-Site Advertisiisiising and/or Ad Delivery & Reporting will be retained by the member company.

In reviewing the policies of 63 targeting networks, here’s what we learned:

1. Most companies don’t disclose their retention timeframe, or do so obliquely.

Suprisingly, for 41 of the companies (nearly two-thirds), we could not find an express statement of how long consumer data is retained.  In the NAI membership, we could not find such a statement for any of these companies:

24/7 Real Media (WPP) (retention provisions added 12/09)
AlmondNet
Audience Science (added two-year retention period 12/09)
Microsoft (subsidiary Atlas discloses a 2 year timeframe)
SpecificMEDIA
[x+1] (retention provision added 11/09)

Two of the other heavyweights in the NAI — Google and Yahoo! — have published information about their retention practices, in the press or on their blogs. (Here’s a round up of some of these statements.)  But as far as we could tell, they have not included an express timeframe in their privacy policies, where a consumer would expect to find it.

2. Retention periods vary widely, but the trend is toward a year or less.

Of those 22 networks who have put a time frame in their disclosure policies, there’s a wide range, but with accumulation at or below one year (particularly for the larger networks).

One year or less:  13
Over one year but not more than 2 years: 6
Three years: 2
Indefinite: 1

Special mention goes to Fetchback, which is clear in their disclosures that they retain the information indefinitely. Whatever you might think about that policy, at least the disclosure is clear and where a consumer would expect to find it.

For 41 other companies:  Until your policies are more clear, consumers and (yikes) regulators can fairly assume that you are also retaining and using the information indefinitely.

How relevant is TRUSTe to behavioral targeting?

TRUSTe has established itself as the leading independent organization certifying the privacy practices of online providers. This list of companies that have obtained TRUSTe certification is indeed large, 2,400+ according to their site, and includes heavyweights like Yahoo! and Microsoft/MSN. TRUSTe certification is said to be something like the Good Housekeeping seal for consumer privacy.  In TRUSTe’s own words:

The TRUSTe seal means that the company whose Web site you are visiting takes your privacy seriously. We monitor the compliance of member businesses, provide an arena for you to file privacy violation complaints, and make sure these complaints are heard.

So, if behavioral targeting is a frontier for consumer privacy, you would expect ad networks and other BT companies to see TRUSTe certification as an important badge of honor, and also be prepared to submit to some oversight.

As it turns out, in our research on over 70 different tracking networks, far fewer than I expected have actually gone to the trouble to step up for TRUSTe certification. Among the larger players, Yahoo! and Microsoft appear to be certified by TRUSTe as to their ad network activities. Although AOL is TRUSTe certified as to the aol.com service, they maintain separate policies for their several ad networks, like advertising.com, Platform-A and Quigo, and there’s no mention of TRUSTe in those brands (other than Tacoda). Recent heavyweight entrant to behavioral targeting, Akamai, has not been certified, nor has Quantcast (which is amassing quite a footprint across its network).  (By the way, among other tracking research companies, Omniture and Coremetrics have been certified, while Nielsen appears not to be.)

And among the smaller ad network players, only a handful (including among others AudienceScience, Fetchback, Nextag, RealMedia.com and Media6degrees) are TRUSTe certified. Notable uncertified small players:  BlueKai, Collective Media, Adify, Fox Interactive Media, Turn and dozens of others.

Of course, the elephant in the room is (always) Google (including the massive DoubleClick and AdSense ad networks). Interestingly we found no mention of TRUSTe certification mentioned in their privacy policies or on TRUSTe’s list. Speaking cynically, I guess you wouldn’t expect behemoth Google to humble itself to a pesky third-party watchdog, even though Yahoo and Microsoft were willing to do so. 

For privacychoice 2.0, we’re still planning to allow users to opt-out only from networks that are not TRUSTe certified, since for many consumers, it’s good enough to now that a watchdog is involved. Unfortunately, it looks like that opt-out list will be a pretty big.  

For an industry claiming to be able to regulate itself, this doesn’t exactly inspire confidence.

IE sez

Here’s a capture of the Microsoft help entries on cookies.

 

Balanced?

IE

 

Here’s a blog suggestion.  I need to make a movie of someone trying to use IE to find the cookies on their machine.  It would be laughable (if it weren’t so sad).