ADOTAS – What will happen when the European Union issues regulations requiring third parties receive overt permission from internet users to save their cookie data? Can the U.S. be far behind? Consider Monday’s FTC report on consumer privacy and the growing number of “Do Not Track” options from web browsers, independent organizations and security software — as public awareness of what happens to your data when browse the web (spiked with misinformation as that “awareness” can be, for some people) increases, so does public demand for individual user control over the sharing of data.
While nothing is certain, it appears the pendulum is swinging toward a scenario in which users can more easily opt out from sharing their data with third parties, or even (as those E.U. regulations would have it) toward one in which third parties can’t access user data unless those users opt in. This has substantial implications for the way advertisers might be able to target potential customers in the future. While, right now, the online/mobile ad industry is essentially self-regulating when it comes to data policy, this new white paper from mobile demand-side platform (DSP) StrikeAd suggests companies who rely on cookie data prepare for a time when cookie-based targeting won’t be sufficient. Here, StrikeAd looks at the process of device fingerprinting — which creates a profile for a device based on that device’s characteristics — as an alternative (though it favors the friendlier-sounding term device distinction”). StrikeAd also delves into the E.U. regulations, points to existing industry-level mandates in the U.S., Federal Trade Commission privacy regulations that might influence any future policy changes about data sharing in the U.S., Do Not Track initiatives, and how to comply with policy on both sides of the pond.
Below, you can read an excerpt of the paper, and you can read the whole thing on StrikeAd’s site.
Mobile Privacy Demystified
Tracking and Privacy – Myths, Myth busting and Solutions
It seems everybody is talking more and more about mobile advertising, and in particular Tracking and Privacy these days. It’s more than just hot air – a few companies ended up inthe spotlight and in serious trouble over the past year due to violation of these very topics.
As a result the industry has been scrambling somewhat and everybody is jumping on to the topic, often without completely understanding what it really means.
Both terms have very broad meaning in the online and mobile advertising markets and it always pays well to clarify exactly what is being discussed before jumping to conclusions.
Tracking and Privacy can mean different things to different groups. Read on to find out about the many pieces which make up the puzzle. …
PII, privacy and everything else – some background
There are a number of key principles that one needs to understand when dealing with users’ data.
The first one is PII or Personally Identifiable Information. PII is essentially any kind of data that can be tracked back to the person.
PII consists of any information that can, directly or indirectly:
1. Identify an individual, including but not limited to name, address, IP address, SSN and/or other assigned identifier, or a combination of unique or non-unique identifying elements associated with a particular individual or that can be reasonably associated with a particular individual, or
2. Permit a set of behaviors or actions to be consistently associated with a particular individual or computer user, even if the individual or computer user is never identified by name or other individual identifier. Any set of actions and behaviors of an individual, if those actions create a uniquely identified being, is considered PII because the associated behavioral record can have tracking and/or targeting consequences.
Non-Personally Identifiable information (Non-PII) is:
1. Aggregated data not associated with any individual or any individual identifier, or
2. Any individual level data that is not PII.
An anonymous user ID stored in a cookie is non-PII, since from that ID it’s impossible to work out who the real person behind it is. It’s like wearing a mask and a picture-less ID badge every time you go into a building – the doors will open for you but the guard will never know who you really are.
The other key principle one needs to be aware of in privacy is disclosure and opt out. Legislations then split into two streams – E.U. and U.S.A.
Another way to track user is to identify them from observed data, instead of tagging them. One such way is fingerprinting, or device profile based tracking. The name that has stuck is pretty unfortunate as it sounds very “big brother” and has been getting some negative press. A more appropriate name would be “Device Distinction.” As in, trying to distinguish a unique device amongst many that look the same.
When a user visits a web site server, a number of properties that describe the device and browser are communicated to help format the web site right for the device. It could be screen size, color capabilities, preferred language, browser versions (useful to avert bugs) and availability of plug-ins such as Flash, and ability to view certain types of audio and video.
The process of Device Distinction is based on using all sorts of properties from the information that comes to the advertising server from the users’ device to build a unique combination, which becomes the device identifier.
Again, there is no sinister process of recording deeply personal data about the user involved here, i.e. the swirls and curves of their fingerprint are not being secretly extracted and logged. Rather, generic and non-personal information is noted and used to form a profile.
Companies which are utilizing this method use properties such as the device time zone, country, device manufacturer name, model, OS, browser vendor and version, time locale, pre-set language and so on to build the combined device ID.
For example, one such profile may look like this:
“GMT; GB; Samsung, Galaxy Tab, Android, 4.0, Chrome 1.2; English”
As you can see, there are no surnames, passport numbers or anything else sinister.
It is a bit like using a combination of hair color, height, weight, shoe size and so on to uniquely define a person. On their own the said properties are not unique, but put together, you will probably only find 1-2 people that match out of thousands. The principle is the same with the above mobile device properties.
In a way, fingerprinting is better than cookies as it does not store anything on the user’s device. This is great, especially since some devices don’t work well with cookies – but it is not as precise as a cookie.
It also has the added benefit of being compliant with the EU regulation, which does not allow storing of data on the client device but does not say anything about storing data about users on the server. Read more about the EU regulation further in the document.
What gets companies into trouble?
With all this technology explained, what is it actually that gets companies into trouble, get them sued and portrayed negatively in the press? Typically, it is a lack of two processes within their tracking system(s):
– Opt out or difficult to execute opt-out
Pretty much all the trouble in advertising around tracking has been to do with a lack of disclosure and opt out or doing something without providing either, e.g. handling PII data without disclosure or opt out.
The simple truth is – if you clearly tell the user what’s going on and allow them to be excluded from the process – no laws are broken and the user, regulatory bodies and the government are happy.
We’ve all seen the little “i” icon in the corner of online ads.
When clicked, this icon takes the user to a page, where the whole ad preferences and matching, its intended use and benefits to the user are explained.
That’s all you need to do for “disclosure”.
On this page, the user is also allowed to opt out of the tracking by just clicking a big “don’t track me anymore” button. This sets the cookie on their device with a “do not track” flag and the next time the server reads the cookie, as soon as it sees the “don’t track me” flag – it does not do any tracking.
See also further down information about the E.U. opt out directive.
Explicit Opt In – the end of an era?
All this is soon to change and users will be required to opt into cookie-tagging. EU is about to release a regulation requiring third parties to explicitly ask the user to allow the cookie to be set, as opposed to the above opt out.
Once this goes live, many sites and apps – or advertisers and agencies themselves – will have to facilitate this or the advertiser will not be able to carry out frequency capping or retargeting any more.
There are a number of ways to go here – a header info block on sites, asking the user to allow this. A header block is extra information that a browser and server can use to pass invisible information to each other. For example, the browser passed to the server via the header block its User Agent String, which contains the browser name, version etc.
The information then would be passed to the advertiser, who would set the cookie. If the “allow tracking” information was not sent, the advertiser would not set cookies.
With apps, a similar approach would be possible – when the app is first started, the user is asked if they are happy to opt into “ad choices” which will try and show them ads which are more suitable by remembering their preference.
If the user allows this, the publisher would pass the information to the advertiser, who can then track the user.
The key things to remember are:
– If setting cookies in the U.K. or E.U. – ask the user first!
– If doing so in the USA – show this clearly and allow the user to opt out.
Read the whole StrikeAd white paper here.