Network Advertising Initiative

April 11, 2008

Best Practices for Cookies

Comments to the Federal Trade Commission about Behavioral Advertising are due today and groups have been submitting their opinions.  Chuck Curran, AOL Chief Counsel for Policy and Regulatory, and I worked hard to lay out AOL's point of view, which you can read here: aolftccomments041108_2.pdf.  We believe that this area is best regulated by a mix of company best practices, industry self-regulation and enforcement of current law.  The FTC has been effective at bringing actions against companies that cause harm to consumers and commit deceptive practices, and its technical expertise about the online advertising business continues to grow.  The Network Advertising Initiative has proposed enhanced rules restricting ad network behavioral targeting on sensitive health sites and kids sites, among other requirements.  And different companies have been experimenting with new ways to improve practices relevant to their unique services.  eBay is delivering banner ads that have privacy notices alongside the ad itself.  Google is posting videos on YouTube explaining their use of data.  AOL is running a campaign using an animated penguin and looking for ways to do more.

Since cookies are the basis for much of the data correlation about consumers online, I have been focused on what AOL can do to make sure our cookies are "kosher".  In our comments, we address a few steps that we think everyone using cookies in a robust manner can implement.  First of all, we are attempting to limit the common practice of allowing cookies to default to a 30-year lifespan.  No cookie has ever lived for 30 years.  Computers don't last that long, people delete cookies, anti-spyware programs remove them and web browsers can only handle a limited number of cookies before they toss the older ones.  So why set a 30-year cookie?  We propose setting a maximum two-year lifespan and are encouraging many of our developers to expire their cookies on a far shorter timetable when they can.

As the parent company of Netscape, the "inventor" of the cookie, we think we have a particular responsibility to press a number of additional points that can ensure companies are privacy and consumer friendly when using cookies.  The following measures could help consumers more easily elicit information about the practices associated with cookies set by a party other than the Web site operator.

    - Any company that primarily interacts with consumers via secondary browser requests, such as an ad network, could use its home page to provide consumers with more easy-to-find information (in addition to the current corporate information for business partners).  Although a privacy link at the bottom of the page may be appropriate for consumers visiting a site to check email or the weather, consumers visiting the Web site of an ad network provider may be specifically seeking privacy or opt-out information.  Such links could be provided more prominently.  On the home page for TACODA, for example, an opt-out link for network advertising cookies is prominently displayed.  Similarly, for AOL's Advertising.com, the link to privacy information and opt-out is placed at the top, rather than the bottom, of the page.

    - Consumers should be able to obtain cookie-related privacy information from Web servers associated with domains whose principal purpose is to set cookies as a result of a user's secondary browser request. (For example, an adserver or analytics server, where a user's request for a primary domain results in requests to adserving or other tracking servers.)  This could enable a consumer examining a cookie on their computer to discover the practices relevant to the cookie by visiting the domain address.  (When the domain is obvious such as tacoda.net or doubleclick.net, users can easily find the "cookie owner".  But often cookies are set in domains that aren't obvious and users visiting those domains see a blank page.)  For an example of how to address this, see http://atwola.com.  Visitors here are advised that this domain is used by AOL for adserving and directed to privacy information.

    - A consumer's choice to opt-out must be maintained.  Consumers are surprised to learn that deleting cookies means their opt-out cookie is deleted and they are again assigned a unique ID cookie the next time they visit a site using that ad-server.  In order to better preserve consumer choice, AOL's TACODA division has implemented a technique using ETags and a browser's Web cache to ensure a user who opted out is not tracked after deleting cookies.  As Professors Swire and Anton point out, it would be better if browsers helped maintain opt-out cookies, and we have urged Microsoft to consider this in the Internet Explorer 8.0 release.  Until then, we invite companies to contact us to learn how to license this technology on a royalty-free basis for use exclusively in consumer privacy protection programs.
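One way an opt-out could survive cookie deletion through ETags and the browser cache, as an added sketch that is not TACODA's implementation: the cookie names, the ETag value and the `handle` function are assumptions. The ETag is the same constant for every opted-out user, so the cached marker records the choice without identifying anyone.

```python
import uuid

OPT_OUT_COOKIE = "optout=1"   # hypothetical opt-out cookie
OPT_OUT_ETAG = '"optout"'     # one shared value for all opted-out users
TWO_YEARS = 730 * 86400       # cookie lifetime in seconds


def handle(request_headers):
    """Return (status, response_headers) for the ad server's cacheable resource."""
    cookies = [c.strip() for c in request_headers.get("Cookie", "").split(";")]
    cached_marker = request_headers.get("If-None-Match", "") == OPT_OUT_ETAG
    has_opt_out = OPT_OUT_COOKIE in cookies

    if has_opt_out or cached_marker:
        # Keep the marker in the cache and force revalidation, so the browser
        # sends If-None-Match on later requests even if cookies are deleted.
        resp = {"ETag": OPT_OUT_ETAG,
                "Cache-Control": "private, max-age=0, must-revalidate"}
        if not has_opt_out:
            # Cookies were deleted but the cache kept the marker:
            # restore the opt-out cookie and never issue a unique ID.
            resp["Set-Cookie"] = "%s; Max-Age=%d; Path=/" % (OPT_OUT_COOKIE, TWO_YEARS)
            return 200, resp
        return (304 if cached_marker else 200), resp

    if any(c.startswith("uid=") for c in cookies):
        return 200, {}  # existing ID cookie, nothing new to set
    # No opt-out signal anywhere: assign a unique ID as the post describes.
    new_id = uuid.uuid4().hex
    return 200, {"Set-Cookie": "uid=%s; Max-Age=%d; Path=/" % (new_id, TWO_YEARS)}


if __name__ == "__main__":
    print(handle({"Cookie": OPT_OUT_COOKIE}))        # opt-out recorded in cache
    print(handle({"If-None-Match": OPT_OUT_ETAG}))   # cookies deleted, choice restored
    print(handle({}))                                # new visitor gets a uid cookie
```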

-

April 10, 2008

Behavioral Targeting Rules Updated

The Network Advertising Initiative, a self-regulatory group for ad networks that do behavioral targeting, has just finalized updated rules for companies that tailor ads across a network of sites.  AOL's ad networks, Advertising.com and TACODA, are part of our Platform A advertising division and offer advertisers the opportunity to have their ads delivered to consumers who have been to auto sites or other types of sites in their networks.  These ad networks are members of the NAI and their privacy leads, Ho Shin and Khan Smith, worked closely with me to help the NAI update the standards and close some important gaps.  I was part of the group that drafted the initial set of rules about 7 years ago, when I was Chief Privacy Officer at DoubleClick, and I have to admit that they had grown stale and needed to catch up to the current marketplace.  It took some urging by the Federal Trade Commission to get companies moving on this and there is more to do, but this was a big step forward.

The most important advance is that the rules now clearly limit ad networks from creating a "clickstream profile" that represents a sensitive category such as cancer, HIV or other sensitive health categories, unless a user explicitly opts in.  This was in the old rules - but only if the profile was personal.  The new rules restrict such activity even when the ad is targeted based solely on cookie-linked information, without a name attached to the profile.  Also covered are areas like sexual behavior/orientation/identity, mental illness, sexually related conditions, abortion-related categories and more.  And since children can't consent to data sharing, an ad network kids' profile isn't permitted, even on an opt-in basis.

AOL, Advertising.com and TACODA have for quite some time enforced a similar internal policy, considering it inappropriate to use these types of categories to tailor an ad on one Web site based on a consumer's visit to another.  We are pleased to see all the major portals and ad networks coalescing around this.

Another key point in the new rules is a restriction against using a clickstream profile for a non-marketing use.  This means that the data can be used to help deliver an ad for a motorcycle to a biker, but that profile may not be used by an insurance company to turn them down for a policy.  I am not aware of anyone in the industry doing anything of the sort, but I have often seen speculation from critics that such could occur.  Hopefully this should put those concerns to rest.

I will post more on the NAI rules in the future, but one last area that should be cleared up by the rules is regarding the use of Flash cookies for tracking.  HTTP cookies, with all their frailties, are subject to many controls.  You can block them with your browser settings, remove them with an anti-spyware program, or overwrite them with an opt-out cookie. In fact, your browser will only hold so many cookies, and then they will be overwritten.  Flash cookies are very useful to allow an application to remember your settings, or for example to save your high score for an online game.  But since they are not as well known, they are not as easy for consumers to delete or control with browser settings as are HTTP cookies.  My opinion is that it is not a good practice to use a Flash cookie to create an ad network behavioral profile.  The new NAI document makes it clear that the requirements are technology neutral. All Web sites that share data for behavioral targeting need to provide a link to an easy-to-use opt-out - and if you can't do that with a Flash cookie, then you shouldn't use it for tracking.  I do note that Macromedia has more recently built additional settings that allow some user control of Flash cookies, but I agree with the concerns of privacy experts at the Center for Democracy and Technology on this one.

Jules