Online Behavioral Advertising Checklist: Seeking Input

After compiling the PrivacyChoice Index and interacting with dozens of ad networks and data companies about consumer privacy, it seemed like it would be useful to publish a checklist of practices and policies applicable to companies engaged in online behavioral advertising. No doubt this is incomplete, and some of the recommendations may be controversial, but it’s a start.

Your input will be appreciated, either in the comments here or privately by email. I’m particularly interested in input from data practitioners who are on the front line implementing privacy processes. If you believe in the self-regulatory effort, I hope you agree that sharing best practices will work to benefit all players, including ad networks, data companies, advertisers and more informed and capable consumers.

View this document on Scribd

Should adult activities be out of bounds for behavioral targeting?

In the privacy debate about behavioral tracking and ad targeting, most folks agree that new rules are needed in areas that are considered “sensitive.” Some activities, like researching health conditions or financial planning, will be off limits for tracking once new rules are in place. Companies won’t be able to use information about those activities when compiling user profiles or targeting advertising, and probably will be obligated to delete such data promptly.

This will impose new policies (and probably new operating practices) on many firms engaged in tracking. A substantial majority (65%) of the tracking companies in the privacychoice database make no mention in their privacy statements of special handling for sensitive information.

The larger players are ahead of the curve. With a few exceptions, each of the top ten ad networks already exclude sensitive information from their targeting matrix in some way. In the most typical formulation, “sensitive” information is defined to include government-issued identifiers (like SSN), insurance plan and financial account numbers, your real-time geographic location (via GPS), and “precise information about past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history.”

A few ad networks go further, also establishing exclusions around sexual identity and adult activities. Google, for example, says it will not associate the omnipresent DoubleClick cookie with information about “sexual orientation.” Clearsight Interactive and AlmondNet will not store information from “adult and gambling sites.” BlueKai does not collect or share data involving “adult behavior such as drinking, politics, or pornographic content.” Exelate promises not to target ads based on “adult related searches or adult content.”

It is easier for an ad network to promise not to use adult activities if they don’t serve ads or collect data on adult sites in the first place. But mainstream ad networks and measurement firms are present on adult sites. Take a look at the Network Privacy Profile for playboy.com, where you will find DoubleClick, Quantcast, Eyewonder and several others. Those networks are in a position to connect visits to adult sites with a user’s overall profile (and any personally identifiable information, if they have it).

Consumers have some privacy protection in the form of anonymous surfing tools, which are now available in all of the major browsers. But although private browsing mode cuts off access to regular browser cookies on your computer, it doesn’t mask IP addresses or block Flash cookies, which are common across all browsers and are favorite tracking tools for many ad networks. There are technical workarounds, but none within reach of an average consumer.

As regulations emerge, here are two predictions:

• Use of sexual orientation will be off-limits in behavioral targeting as a matter of law, but activities on adult sites will not. While advocates want to circumscribe targeting as much as possible, they will pick their battles. (Thus the recent proposal from a coalition of privacy advocates only suggested sensitizing information about sexual orientation and “personal relationships.”)
• In the long run, as opt-out (or even opt-in) choices become more prevalent and robust, companies will extend their definition of sensitive categories beyond non-controversial areas like finance and health. This will be an easy way to make consumers more comfortable, particularly if new rules require companies to show users what’s in their own profiles.

Lotame’s new privacy policy: incorporation by reference?

As first mentioned in an earlier privacychoice post, Lotame reports the good news that they have joined the Network Advertising Initiative, and as part of that move, is revising the Lotame privacy policy.  Lotame also has been added to the NAI opt out page.

It’s a smart move on Lotame’s part, and one that deserves praise. But as often is the case, I’m still left with a few questions, answers to which  I hope Lotame can provide.  (I’m posting these questions on their site as well.)

Here’s how the policy changes are explained in Lotame’s announcement:

In connection with joining the NAI, we have made some revisions to our privacy policy. Although our prior policy was generally consistent with the NAI’s standards, we simplified our language in some areas of the policy in deference to the more detailed coverage of these points in the NAI principles, which will govern our conduct. In addition, in order to demonstrate our leadership on issues of privacy, we have voluntarily adopted a specific time period of 9 months to limit our retention of the anonymous user data we collect. We are joining only a few other leading companies in our industry in taking on this type of specific and unqualified data retention policy.

Here are some areas requiring clarification:

1. Is Lotame incorporating by reference the NAI policies in their entirety, as written and interpreted by the NAI?  I don’t recall seeing that approach in many other privacy policies.

Substantively, it is of course helpful for consumers to know that a particular ad network is abiding by a standard like NAI’s rules.  But it is not helpful when a consumer has to undertake a research project to figure out what those policies may be. In this case, Lotame’s link to the NAI site still leaves the consumer to find and interpret the NAI’s policy document (a PDF that is, for some reason, buried in the news release section of the NAI site, rather than in the over view of principles). 

In short, incorporating the NAI principles by reference this way is a very weak way to inform consumers of Lotame’s privacy policies.  In fact, it would be hard to say that it satisfies the NAI’s requirement in the policies themselves that each member “clearly and conspicuously” post their policies on their website.

2. A change in the policy that is not mentioned specifically in Lotame’s announcement is the deletion of the following language from the previous policy statement:

In addition, we do not tailor ads based on behavioral categories that are deemed sensitive by the Network Advertising Initiative (NAI).

The NAI policy (in Section II(3)(iv) of the 2008 Principles) requires a consumer opt-in in order to use sensitive information for targeting; so the inference (see discussion above) is that Lotame is now bound by that rule. However, this is important enough to merit a specific statement in Lotame’s privacy policy, particularly in light of the deletion.

The Lotame experience highlights a few lessons when it comes to changes in privacy policies.  Most important, privacy policies should be versioned on websites (as Google now does), and marked to show changes from the prior version. This is particularly important when the date of a policy change may affect acceptable practices with information collected before or after that date, a situation expressly contemplated by the NAI.