Best Practices for Cookies
Comments to the Federal Trade Commission about Behavioral Advertising are due today and groups have been submitting their opinions. Chuck Curran, AOL Chief Counsel for Policy and Regulatory, and I worked hard to lay out AOL's point of view, which you can read here. Download aolftccomments041108_2.pdf. We believe that this area is best regulated by a mix of company best practices, industry self-regulation and enforcement of current law. The FTC has been effective at bringing actions against companies that cause harm to consumers and commit deceptive practices, and its technical expertise about the online advertising business continues to grow. The Network Advertising Initiative has proposed enhanced rules restricting ad network behavioral targeting on sensitive health sites and kids' sites, among other requirements. And different companies have been experimenting with new ways to improve practices relevant to their unique services. eBay is delivering banner ads that have privacy notices alongside the ad itself. Google is posting videos on YouTube explaining their use of data. AOL is running a campaign using an animated penguin and looking for ways to do more.
Since cookies are the basis for much of the data correlation about consumers online, I have been focused on what AOL can do to make sure our cookies are "kosher". In our comments, we address a few steps that we think everyone using cookies in a robust manner can implement. First of all, we are attempting to limit the common practice of allowing cookies to default to a 30-year lifespan. No cookie has ever lived for 30 years. Computers don't last that long, people delete cookies, anti-spyware programs remove them and web browsers can only handle a limited number of cookies before they toss the older ones. So why set a 30-year cookie? We propose setting a maximum two-year lifespan and are encouraging many of our developers to expire their cookies on a far shorter timetable when they can.
As the parent company of Netscape, the "inventor" of the cookie, we think we have a particular responsibility to press a number of additional points that can ensure companies are privacy and consumer friendly when using cookies. The following measures could help consumers more easily elicit information about the practices associated with cookies set by a party other than the Web site operator.
- Any company that primarily interacts with consumers via secondary browser requests, such as an ad network, could use its home page to provide consumers with more easy-to-find information (in addition to the current corporate information for business partners). Although a privacy link at the bottom of the page may be appropriate for consumers visiting a site to check email or the weather, consumers visiting the Web site of an ad network provider may be specifically seeking privacy or opt-out information. Such links could be provided more prominently. On the home page for TACODA, for example, an opt-out link for network advertising cookies is prominently displayed. Similarly, for AOL's Advertising.com, the link to privacy information and opt-out is placed at the top, rather than the bottom, of the page.
- Consumers should be able to obtain cookie-related privacy information from Web servers associated with domains whose principal purpose is to set cookies as a result of a user's secondary browser request. (For example, an adserver or analytics server, where a user's request for a primary domain results in requests to adserving or other tracking servers.) This could enable a consumer examining a cookie on their computer to discover the practices relevant to the cookie by visiting the domain address. (When the domain is obvious, such as tacoda.net or doubleclick.net, users can easily find the "cookie owner". But often cookies are set in domains that aren't obvious and users visiting those domains see a blank page.) For an example of how to address this, see http://atwola.com. Visitors here are advised that this domain is used by AOL for adserving and directed to privacy information.
- A consumer's choice to opt out must be maintained. Consumers are surprised to learn that deleting cookies means their opt-out cookie is deleted and they are again assigned a unique ID cookie the next time they visit a site using that ad server. In order to better preserve consumer choice, AOL's TACODA division has implemented a technique using ETags and a browser's Web cache to ensure a user that opted out is not tracked after deleting cookies. As Professors Swire and Anton point out, it would be better if browsers helped maintain opt-out cookies, and we have urged Microsoft to consider this in the Internet Explorer 8.0 release. Until then, we invite companies to contact us to learn how to license this technology on a royalty-free basis for use exclusively in consumer privacy protection programs.