As first mentioned in an earlier privacychoice post, Lotame reports the good news that they have joined the Network Advertising Initiative and, as part of that move, are revising the Lotame privacy policy. Lotame has also been added to the NAI opt out page.
It’s a smart move on Lotame’s part, and one that deserves praise. But as often is the case, I’m still left with a few questions, answers to which I hope Lotame can provide. (I’m posting these questions on their site as well.)
Here’s how the policy changes are explained in Lotame’s announcement:
“In connection with joining the NAI, we have made some revisions to our privacy policy. Although our prior policy was generally consistent with the NAI’s standards, we simplified our language in some areas of the policy in deference to the more detailed coverage of these points in the NAI principles, which will govern our conduct. In addition, in order to demonstrate our leadership on issues of privacy, we have voluntarily adopted a specific time period of 9 months to limit our retention of the anonymous user data we collect. We are joining only a few other leading companies in our industry in taking on this type of specific and unqualified data retention policy.”
Here are some areas requiring clarification:
1. Is Lotame incorporating by reference the NAI policies in their entirety, as written and interpreted by the NAI? I don’t recall seeing that approach in many other privacy policies.
Substantively, it is of course helpful for consumers to know that a particular ad network is abiding by a standard like NAI’s rules. But it is not helpful when a consumer has to undertake a research project to figure out what those policies may be. In this case, Lotame’s link to the NAI site still leaves the consumer to find and interpret the NAI’s policy document (a PDF that is, for some reason, buried in the news release section of the NAI site, rather than in the overview of principles).
In short, incorporating the NAI principles by reference this way is a very weak way to inform consumers of Lotame’s privacy policies. In fact, it would be hard to say that it satisfies the NAI’s requirement in the policies themselves that each member “clearly and conspicuously” post their policies on their website.
2. A change in the policy that is not mentioned specifically in Lotame’s announcement is the deletion of the following language from the previous policy statement:
“In addition, we do not tailor ads based on behavioral categories that are deemed sensitive by the Network Advertising Initiative (NAI).”
The NAI policy (in Section II(3)(iv) of the 2008 Principles) requires a consumer opt-in in order to use sensitive information for targeting; so the inference (see discussion above) is that Lotame is now bound by that rule. However, this is important enough to merit a specific statement in Lotame’s privacy policy, particularly in light of the deletion.
The Lotame experience highlights a few lessons when it comes to changes in privacy policies. Most important, privacy policies should be versioned on websites (as Google now does), and marked to show changes from the prior version. This is particularly important when the date of a policy change may affect acceptable practices with information collected before or after that date, a situation expressly contemplated by the NAI.