A deeper dive into behavioral advertising in Europe

As mentioned in a previous blog post, we had the pleasure of speaking with nugg.ad CEO Stephan Noller last week. Nugg.ad is the German company that has just been awarded the EuroPrise Privacy Seal. nugg.ad’s new behavioral targeting system, Predictive Targeting Networking (PTN) 2.0, received the seal favored by many EU regulators after a vetting process by an independent expert which covered every aspect of their company’s business model, down to the language of their employee contracts. The success of nugg.ad’s business model testifies to a simple fact that FPF has known for a long time: that effective behavioral ads and respect for consumer privacy are not mutually exclusive goals.

The public report (https://www.european-privacy-seal.eu/awarded-seals/nuggad/nuggad-Short-Public-Report-final.pdf) identifies many of the key issues that were reviewed to ensure EU privacy compliance. We discuss here a few that are of particular interest.

Cookie Expiration Dates: A number of ad networks have set limited expiration dates for the tracking cookies they use. This is generally a good practice, as for many years companies simply set a default 30-year expiration date for cookies. Although no cookie has ever survived for 30 years (how old is your computer?), the issue created consumer alarm. In fact, most cookies do not survive for even one year and many are lost sooner. Rarely is there a business use of cookies that depends on much more than a one-year period. There are some who do seek to use year-to-year comparisons of campaign performance, for example comparing last year’s holiday sale campaign to this year’s, but that is probably the outer limit for the most robust business needs of tracking cookies. As such, companies such as Google and AOL have set expiration dates for their tracking cookies of 2 years. (http://code.google.com/apis/analytics/docs/concepts/gaConceptsCookies.html)

But here is the catch. Most ad networks will reset the date of previously placed tracking cookies each time they interact with a user. This effectively means that tracking cookies with limited expiration dates will remain on users’ computers and continue to transmit information about their browsing habits indefinitely, as long as users are surfing the web with any regularity.

In this area, nugg.ad stands out. Despite the technological hurdles involved, nugg.ad’s tracking cookies are not re-set – their cookies really do expire at the end of 26 weeks. This is certainly more in line with what users expect when they are promised that their cookies expire.
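To make the difference concrete, here is a small simulation, added as an illustration and not taken from nugg.ad or any ad network's code. It replays a visit history against a cookie whose expiry is pushed forward on every interaction and against one whose expiry is fixed at issuance; the cookie name `uid`, the function names and the visit histories are assumptions made for the example.

```javascript
// Added example (not from the original post): sliding vs. fixed cookie expiry.
const WEEK_MS = 7 * 24 * 60 * 60 * 1000;
const FIXED_LIFETIME_MS = 26 * WEEK_MS;    // 26 weeks, the nugg.ad figure in the post
const SLIDING_LIFETIME_MS = 104 * WEEK_MS; // assumption: "2 years" approximated as 104 weeks

// Sliding policy: every interaction re-sends Set-Cookie with a fresh expiry.
function slidingPolicy(cookie, now, newId) {
  const id = cookie ? cookie.id : newId();
  return { id, expires: now + SLIDING_LIFETIME_MS };
}

// Fixed policy: expiry is anchored to first issuance; later visits send no
// Set-Cookie, so the browser keeps the original expiry.
function fixedPolicy(cookie, now, newId) {
  return cookie || { id: newId(), expires: now + FIXED_LIFETIME_MS };
}

// Render the header a server would send (cookie name "uid" is hypothetical).
function setCookieHeader(cookie) {
  return `uid=${cookie.id}; Expires=${new Date(cookie.expires).toUTCString()}; Path=/; Secure; HttpOnly`;
}

// Replay a visit history against a policy, modelling the browser dropping
// the cookie once its expiry has passed.
function simulate(policy, visitTimes) {
  let cookie = null;
  let issued = 0;
  const spans = new Map(); // id -> { first, last } times the id was observed
  for (const now of visitTimes) {
    if (cookie && now >= cookie.expires) cookie = null; // browser expired it
    cookie = policy(cookie, now, () => `id-${++issued}`);
    const span = spans.get(cookie.id) || { first: now, last: now };
    span.last = now;
    spans.set(cookie.id, span);
  }
  const longest = Math.max(0, ...[...spans.values()].map(s => s.last - s.first));
  return { distinctIds: spans.size, longestSpanWeeks: longest / WEEK_MS };
}

// Constructed visit histories: weekly for three years, and once every 30 weeks.
const weekly = Array.from({ length: 156 }, (_, i) => i * WEEK_MS);
const sparse = Array.from({ length: 6 }, (_, i) => i * 30 * WEEK_MS);

console.log('sliding/weekly', simulate(slidingPolicy, weekly));
console.log('fixed/weekly  ', simulate(fixedPolicy, weekly));
console.log('sliding/sparse', simulate(slidingPolicy, sparse));
console.log('fixed/sparse  ', simulate(fixedPolicy, sparse));
```

With the sliding policy a single identifier follows the user across the whole history, even when visits are 30 weeks apart; with the fixed policy no identifier is ever observed for longer than its stated lifetime.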

With regard to expiration of opt-out cookies – those we urge companies to maintain long term and not expire quickly – kudos to Chris Soghoian who has successfully pressed ad networks to extend the expiration dates of their opt-out cookies. See Chris’s discussion of the issue here. (http://paranoia.dubfire.net/2009/07/open-letter-regarding-opt-out-cookie.html)

IP addresses: nugg.ad proudly does not log IP addresses, avoiding one of the leading flash points in the privacy debate, and we credit them for this effort. A third party passes nugg.ad useful geographic information gleaned from the user IP address and then hashes or deletes the information. However, we don’t want to make too much of this because it is important to understand nugg’s place in the ad system. They are assisting an ad network or a publisher with targeting the ads delivered by those entities. Those entities are likely logging IP addresses for important click fraud or audit purposes. So certainly nugg.ad is doing the best thing here, but they are positioned to do so because of their role in the system.

Sensitive data: US companies and trade groups have had a hard time deciding what types of profiles are too ‘sensitive’ to be used for non-personal targeting. For example, 7 or 8 years ago, most networks simply had a large category called “health and wellness.” But in more recent years, most have begun offering clickstream profiles labeled by specific illnesses. Asthma, diabetes, and heart disease are all usually allowed. Cancer, impotence, and HIV are not permitted. But where to draw the line? What about pregnancy, that sensitive but widely marketed segment in other media? Hearing loss? Dandruff? Baldness? Unable to draw a logical line in the sand, industry groups have generally punted and restricted only pharmaceutical prescriptions and medical information about a specific individual. This is an area where continued effort to disavow use of categories that users would find discomfiting, or where there is high concern about potential misuse, is sorely needed.

nugg.ad does not use any category in the health area that is more specific than “health and wellness,” nor any other category addressed by the EU directive section covering sensitive data.

Notice to users: Many of our readers are likely aware of the recent IAB DMA AAAA ANA NAI agreement (http://www.iab.net/media/file/ven-principles-07-01-09.pdf), following on the heels of firm advice from the FTC that behavioral advertising self-regulation needed to improve (http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf). The agreement requires users to get notice of behavioral ads outside of a privacy policy, by labeling ads or some other web site notice. Because EU law, in theory, already requires web sites to give users appropriate notice and consent around data use, nugg.ad, like others in the EU, considers this notice to be part of the publisher’s obligations and does not mandate this of its partners. However, it does provide clients with guidance and encouragement to do so.

Opt-Out: Typically, users in the US opt out by finding a link in a site’s privacy policy and then clicking over to the Network Advertising Initiative opt-out page (http://www.networkadvertising.org/managing/opt_out.asp) or the adserver’s opt-out page, where they can choose to click to get an opt-out cookie. nugg.ad admirably provides code to publishers that they can use, if they wish, to let users click to opt out from the publisher’s own page.

Of course, this is an area where the bar is moving, as companies such as Google and Lotame have begun to offer optional downloads to ensure that their opt-out cookie is not deleted. The TACO (https://addons.mozilla.org/en-US/firefox/addon/11073) Firefox plug-in, which provides users with permanent opt-out cookies from every ad network, has received in excess of 150,000 downloads. And here at FPF, we are in discussion with some companies about ways to avoid requiring a separate download by using a browser header or other more stable opt-out method.

FPF applauds the efforts of nugg.ad to safeguard the privacy of internet users while working to provide them with ads more pertinent to their interests. As the Federal Trade Commission kicks off an effort to re-examine the model for privacy regulation in the US (http://www.ftc.gov/opa/2009/09/privacyrt.shtm), nugg.ad’s European certification of privacy compliance is a useful guidepost.
