Posts Tagged ‘privacy policy’

Missing privacy policies: a proposal

August 18, 2009

In the course of analyzing and excerpting privacy policies for Network Privacy Profiles, we’re sometimes left with a problem: an ad-related company serves content across many sites and is in a position to collect tracking information, but the company doesn’t seem to have a privacy policy relevant to those activities. In some cases they don’t have a privacy policy at all, and in others they have a privacy policy which, as written, only covers visitors to their corporate website and not visitors to other sites where they serve content.

At last count, 22 companies in our database fit into this category (see links and summaries):

IAC Advertising Solutions
Lifestreet Media
Rubicon Project
Tatto Media

Here are some potential reasons why a company on this list might not have a consumer-facing privacy policy:

  1. The company doesn’t collect user information at all in the course of serving content or providing a service on the other sites. For example, web optimization firms use scripts that select ads from different ad networks, which may not involve the collection of any user information by the optimizing firm.
  2. The company collects user information across sites (even if just clickstream data), but doesn’t associate the activities of the same individual across different websites. This could be true for companies that provide site-specific analytics or research. While they may set cookies and associate behaviors on a single site, because they don’t associate across sites and only share information with the site of collection, their view may be that their activities are already covered by the site’s own privacy policy.
  3. The company does collect user information across sites, but hasn’t yet posted a privacy policy for consumers. Or the company has a corporate policy that is intended to also cover consumers, but is literally written in a way that does not extend beyond the corporate site.

Given the potential for consumer confusion, here’s a proposal:

  • If your company is in a position to collect user information about users across websites, you should always include a statement in your own privacy policy that explains whether you do and how that information is used. Even if you provide an opt-out for consumers, you still need to explain how information is handled for those consumers who do not opt out.
  • Make sure the language in your policy is clear about which provisions apply to the corporate website and which provisions apply to users of other sites where you serve content or gather information.

And, of course, if you do collect user information across websites and you don’t have any privacy policy at all, you should get one, pronto.

PS If your company is on this list and you think we got it wrong, please send us a note or post a comment. We monitor all of these pages for changes and will update our lists promptly when we see clarifications.