Rubicon and YuMe step up on opt-outs

In prior posts I’ve mentioned both YuMe, a video ad network, and The Rubicon Project, one of the new intermediary firms that optimizes website ad revenue by selecting the highest yielding ad from across multiple ad networks or exchanges. After wondering out loud about YuMe’s lack of an opt-out and Rubicon’s lack of any privacy statement for consumers, it looks both have taken steps in the right direction in the last few days.

YuMe revised their privacy policy for consumers and added an opt-out cookie process. The disclosures are clear and the process is smooth. Opt-out is now mentioned on YuMe’s homepage (although not prominently).

Rubicon took a different approach, adding a “Transparency” page linked from their homepage (“Privacy” still takes you to B2B disclosures). Here a consumer can opt-out of tracking by Rubicon, and also see what interests Rubicon has associated with their profile.

Although I visited half a dozen websites where Rubicon is installed, including auto, sports and baby sites, I couldn’t get any interests to register on the Transparency page. This piece may not yet be operational, or there may be a lag, but once it is, it will put Rubicon in company with BlueKai, Google and a few others who not only provide preference choices, but also provide the consumer with the contents of their online profile.

This is worthy of praise, but Rubicon’s implementation needs improvement. Suggestions:

1. Consumers who come to Rubicon’s homepage will be looking for information about “privacy” and will end up in the wrong place. Putting the opt-out process below a label like “Transparency” won’t compute for consumers, and renders the exercise largely useless.
2. Showing interests and providing an opt-out are good steps, but they don’t substitute for an actual privacy policy that also addresses questions like data retention, sharing of information with third parties, and method of data collection (cookies, Flash cookies, IP addresses?). The TRUSTe seal appears at the bottom of the Transparency page, implying that the disclosure is covered by TRUSTe’s certification (although it seems rather thin to have qualified).
3. After pressing the opt-out button (with the unnecessary radio button choice), there’s no cue that confirms that the opt-out has been effective, even though a cookie has been written. Also, it isn’t clear whether, by opting out, any affinity profile information that has previously been created will be deleted.
4. There’s no explanation of how the opt-out cookie may be lost if cookies are deleted, nor a link to browser add-ons that can set the cookie permanently (such as those provided by Google, TACO or privacychoice).

It’s good to see more networks beefing up privacy disclosures and making opt-outs available. But for Rubicon and many other tracking companies, the implementation of consumer privacy disclosure and choice still seems half-hearted.

OthersOnline + Rubicon: no consumer policies required?

Ad optimizer Rubicon announced acquired OthersOnline, which is “an “affinity scoring” service that determines how strongly a person is interested in particular brands, products or topics.” Business Week frames this as part of an inevitable consolidation of sources of behavioral targeting data. It sounds like a good occasion to dig into their privacy practices.

Rubicon has been a puzzle for the privacychoice classifications, since like a number of companies in this field, they have no consumer-facing privacy policy. The policy linked from their homepage literally applies only to their customers and visitors to their website. Rubicon’s policy is certified by TRUSTe, which might lead a consumer to think the certification also covers their practices relative to the general public. In this case, TRUSTe certification may mean that Rubicon does not collect any user information, even though consumer browsers interact with Rubicon servers when visiting websites where Rubicon is installed.

OthersOnline doesn’t link to any privacy statement from their homepage, but with some searching you can find a blog post about privacy from February 2007. It includes assurances that personal information is never shared, but no mention of whether or how anonymous information or profiles may be shared, whether sensitive information is collected or what policies apply to deletion, assuming those concepts apply to how their service operates.

We will keep an eye out for any changes to the Rubicon privacy policy. Transactions of this sort often provide a good opportunity for some housecleaning. Even if Rubicon collects no consumer information, a statement to that effect in the privacy policy would be helpful.

UPDATE: Since this post, Rubicon has shored up its disclosures. See my post here.