Posts Tagged ‘Network Advertising Initiative’

AddThis transitions to behavioral advertising, ignoring key privacy questions

August 11, 2010

Last week AddThis announced that data collected through their sharing widget, installed on 1.5 million websites, will now be used for behavioral advertising. According to the announcement, anonymous profile information for over 200 million users, including the pages they have visited on AddThis publisher sites, is now available to other ad delivery companies in real time bidding.

The new AddThis program is similar to Google’s transition of AdSense into an ad exchange platform (see prior posts). In both cases, tags placed on publisher sites for one purpose are now being used for different and more extensive purposes. And in both cases the companies should clarify answers to some important privacy questions.

Publisher Notice

Shouldn’t publishers be made aware of the change in how their users’ data will be handled, and provided with an opportunity to opt-out? Is it fair to assume that all sites with the widget already installed — including hospitals, schools, church groups, and government agencies with no other advertising — would choose the AddThis widget if they were aware that their user behavioral data will be sold?

For publishers signing up today, there’s no reference to behavioral data collection in the signup process for the AddThis widget. Is this deceptive?

Consumer Notice

Will the AddThis widget include a notice to consumers that tracking information is being collected on each page that serves the widget, regardless of whether the consumer interacts with it? (This kind of notice is required under the IAB’s guidelines and could be provided with something akin to the power “i”.)

Will AddThis also ensure that when the data are used to display an ad, the consumer will be notified that AddThis was the source and provide an opt-out?

Are AddThis publishers required to amend their own consumer privacy policies to provide notice of AddThis data collection, as is standard practice for compliant ad networks?

Will consumers be able to see what’s in their own AddThis profile, as they can on Google, Yahoo! and leading ad networks?

NAI Compliance

Neither AddThis nor its parent Clearspring is listed as a member of the Network Advertising Initiative, the industry organization charged with defining privacy standards and providing oversight for behavioral advertising.

The AddThis announcement says that the company “complies with the Network Advertising Initiative standards.” What does this mean, given that AddThis is not subject to NAI compliance reviews; they do not appear to follow the NAI’s requirement that publishers pass through disclosure in their privacy policies; and they lack NAI-required privacy disclosure as to data retention?

Why wasn’t NAI membership considered a prerequisite to launching the new program?

Conclusion

Hopefully AddThis will move quickly to remedy the privacy shortcomings in their new program. How they approach this will tell us not only about their own commitment to privacy and self-regulation, but also the commitment of any partners and advertising customers who continue to participate.

Online Behavioral Advertising Checklist: Seeking Input

June 11, 2010

After compiling the PrivacyChoice Index and interacting with dozens of ad networks and data companies about consumer privacy, it seemed like it would be useful to publish a checklist of practices and policies applicable to companies engaged in online behavioral advertising. No doubt this is incomplete, and some of the recommendations may be controversial, but it’s a start.

Your input will be appreciated, either in the comments here or privately by email. I’m particularly interested in input from data practitioners who are on the front line implementing privacy processes. If you believe in the self-regulatory effort, I hope you agree that sharing best practices will work to benefit all players, including ad networks, data companies, advertisers and more informed and capable consumers.

View this document on Scribd

NAI on Flash cookies: almost there …

January 14, 2010

The Network Advertising Initiative recently completed a comprehensive review of the practices of its members, culminating in its 2009 Annual Report. Given the recent criticism of how Flash cookies may be used to track user behavior (see prior posts), I was pleased to see the NAI cover that practice in its review, and to reiterate the rule against the practice. While this is a big step forward, the NAI should go further to fully resolve Flash cookie question as it pertains to its members.

Based on staff interviews, the report concluded that none of the evaluated companies uses Flash cookies for online behavioral advertising (see footnote 46). Since our own panel found Flash cookies being written by several NAI members (including Specific Media and DoubleClick), the NAI must have been assured that these firms have implemented internal controls about how they use Flash cookies. But without an explanation of those assurances (or even why Flash cookies need to be used in the first place), the report is incomplete. The NAI should ask those firms to update their privacy policies to explain the use of Flash cookies and disavow their use for targeting. (See an earlier post on this as it relates to DoubleClick.)

The Flash cookie issue has rightly become a focus for privacy advocates, even though (at least as to the NAI membership), it looks like it shouldn’t be. A more unequivocal statement from the NAI members who use Flash cookies for other purposes will mean that networks abusing Flash cookies have nowhere to hide.

The NAI’s Very Important Report

January 5, 2010

Kudos to the Network Advertising Initiative for completing a comprehensive compliance review of their membership, and for laying out both positive and negative results in their assessment. The report is encouraging, and ultimately points to an even more crucial role for the NAI in creating an effective self-regulatory regime for online behavioral tracking.

Here’s what I found most important in the report:

We’re on the right track. The two areas of weakness in compliance noted by the NAI — missing data retention policies and lack of disclosure on publisher sites — have been primary areas of focus for the PrivacyChoice project (see our blog posts on retention and our PrivacyWidget for sites). It looks like we’re focused in the right areas.

Retention policy is hard for the big guys. Although the report does not name the four NAI members who lack complete policies about consumer data retention (why not?), here’s my list:  Google, Yahoo!, Microsoft and Specific Media. It’s ironic that the first three are the largest and highest profile members of the NAI (the fourth being a network with “possible compliance issues” and an incomplete submission). Setting and enforcing retention policies seems to be more complex and has higher stakes for the larger networks. The report promises clear retention policies from these companies by the end of Q1 2010, so get ready to compare and contrast how the big three approach and spin this knotty problem.

On enforcing publisher disclosures, NAI members got off easy (this time). Under the NAI’s current requirements, a website publisher complies by explaining in their own privacy policy that behavioral targeting is used on their site and providing a link to the NAI opt-out page. The report concluded that many members were not enforcing this requirement, even though confirming publisher compliance is trivial; you can just use Google to check that the right words and the link appear on the publisher’s site. (See a related post on this.)

While the NAI points to publisher confusion about the requirements, the real explanation is that ad networks have been loathe to ask their website-customers to do anything, particularly when it involves revising their privacy policy (i.e. lawyer time). Since the disclosure process can now be automated and the industry has coalesced around specific publisher requirements, the NAI shouldn’t let its members off so easy next year.

The NAI report is a reminder of how self-regulation is supposed to work in practice. As a consumer, it’s good to know that each NAI member was required to make formal submissions and be questioned on each element of the NAI’s standards. To see a half dozen networks implement retention policies in time for the report is a substantive sign of progress, even if there are a few laggards.

Even more important, the NAI’s promise to focus on website-level disclosure has the potential to vastly improve industry privacy practices across the board, even beyond the NAI membership. Our research revealed that on most websites NAI members are outnumbered by non-NAI members. Firms with less protective policies and no oversight will continue to track consumers as long as websites allow them to. The prevalence of non-adherent targeting firms is the central challenge to effective self-regulation.

But if the NAI makes publisher disclosure a serious focus in 2010, websites may for the first time start to feel accountable for the ad-network choices they make. That kind of transparency can bring more targeting firms into the NAI fold and squeeze out the rest. The good news for NAI members is that this also means lower-profile competitors will face the same restrictions and costs of doing business as they do.

This leads to me to wonder if the NAI is underrated in its self-regulatory role. While the IAB/DMA/BBB efforts get much attention, they seem focused on an advertiser-driven disclosure framework that assumes ad-network adoption and does little to foster website accountability.

Websites are the real decisionmakers in this ecosystem. Perhaps it will be the NAI’s clout with them that actually makes self-regulation work.