ADOTAS

It has been about a year since an industry coalition, consisting of the IAB, CBBB, ANA, 4A’s, NAI, and DMA, launched the Digital Advertising Alliance (DAA) and its self-regulatory program for online behavioral advertising (OBA). The program’s goals were twofold — increase transparency and choice around OBA and protect innovation against potentially damaging Congressional legislation or Federal Trade Commission regulation.

Since the DAA’s launch, hundreds of advertisers and ad platforms have joined the program; trillions of notices/icons have been served; and much of the proposed legislation in Congress now advocates self-regulation’s notice and opt-out choice model, as opposed to the European opt-in directive.

TRUSTe jumped headfirst into this effort, working with the DAA as an OBA compliance vendor from the very start. TRUSTe invested in a massive serving infrastructure, and today we serve billions of icons per month with the largest footprint of any third-party OBA compliance provider.

While the DAA’s self-regulatory program has demonstrated that it can positively influence the legislative debate, the dangers of disruptive legislation and regulation still exist. As an industry, we must put the pieces in place for a sustainable compliance model – one that can maintain value for the industry over the long haul – even as circumstances evolve. A long-term, credible OBA compliance model benefits the industry and protects consumers, and an understanding of the following three tenets are critical to get us there.

Unique Implications for the Ad Industry

First and foremost, compliance is a must-have item. It is not an option but a requirement for anyone in the digital ad ecosystem. Compliance is a necessity just to be on the ad playing field.

Second, compliance has a network effect. The more that participate, the stronger it becomes. Conversely, one rogue player — or a limited subset — can also weaken the compliance program, bringing negative media attention and regulatory scrutiny to the entire model. Subsequently, when implementing, selling, buying, developing or participating in a compliance model such as OBA self regulation, it is critical that all the players adhere to the highest standards of openness and accuracy, avoiding the temptation of using fear and exaggerated claims to compel compliance adoption.

Without such high standards, the long-term value and credibility of OBA self-regulation is reduced for the entire industry.

An Open Compliance Model Is the Most Sustainable

A successful compliance program requires a common set of conceptual principles to be adhered to by the participants. At the same time, a successful compliance program must be flexible and open, enabling alternative ways for participants to meet the principles. This open model enables businesses to work within their own particular constraints, fosters innovation, and allows for changes to address evolving technology, business, government and consumer concerns.

In its Aug. 15, 2011, letter to the Council of the Better Business Bureaus (the enforcement arm of the DAA), the FTC underscores that compliance systems such as the DAA program should not “crowd out” other approaches providing consumer transparency and choice. In other words, there can be many roads to the same compliance destination.

Open compliance ensures the long-term credibility of OBA self-regulation. Because no one party owns them, the conceptual principles are less likely to be replaced by agendas driven by specific technologies, vendors or private entities.

Compliance ‘Monopolies’ Are Counterproductive

In the fast-changing worlds of digital advertising and consumer privacy, constant innovation is a prerequisite to a successful and sustainable compliance system. Exclusive or monopolistic compliance control over the ad ecosystem stifles innovation and can lead to a situation where there is a single judge, jury and executioner for OBA compliance.

One party would control what constitutes compliance, oversee enforcement actions, and also provide compliance solutions. This one party would have all the power necessary to exact any term, any price and any technology over the entire industry. This would almost certainly lead to less innovation, not to mention higher costs for participating companies.

The remedy for this monopolistic danger is again dogged support for an open compliance model.

In just one year, the online advertising industry established a broad self-regulatory program for OBA that turned the tide against potentially harmful regulation and legislation. We need to maintain that momentum and build an enduring open compliance model that protects the industry for the future. TRUSTe’s decade-plus journey through compliance and privacy has taught us that these three tenets are essential for the long-term viability of OBA compliance and self-regulation.

We’ve covered BlueCava extensively, but once more, with feeling — originally developed as a piracy deterrent for the music industry, BlueCava’s device fingerprinting gathers non-personal data (IP address, browser version, time zone, installed fonts, browser plug-ins, etc.) shared between browser and publisher, encrypts it, analyzes it to determine its “reputation” and then gives it a unique ID that can be used for targeted advertising (including adding a device ID to consumer data from first parties) and fraud prevention.

Even if a user switches browsers or dump his/her cookies, BlueCava’s system can figure out it’s the same device and update its records. In addition, BlueCava manages the sale of behavioral and other data (such as financial transaction data for preventing fraud) associated with device IDs on its Reputation Exchange. If you’re freaked out about this, here’s a link to manage your preferences, which include opting out completely.

I’ve written a few times that device fingerprinting could prove to be a simplified tool for bringing transparency to data transfer agreements between pubs and consumers — basically, the long-heralded opt-in system.

Think about it this way — a pub could corner off some of its content and tell users they have to pay with either cold hard cash or data for advertising purposes. For those that choose the data route (which would probably be the majority — pay money for online content? HA!), a company like BlueCava would identify the device and associate an ID with it. Tracking cookies for behavioral targeting? Where we’re going, we don’t need tracking cookies. It’s arguable that the device IDs could come in quite handy for internal analytics as well.

Digiday’s Jack Marshall had an interesting piece recently talking about how the lack of cookies for mobile devices has turned targeters to UDIDs, but a) Apple is cutting off that spring and b) device fingerprinting can offer a lot more consumer insight. Online, device fingerprinting might also prove a far more efficient way of handling online data for pubs, brands and consumers. BlueCava’s investors seem to think so.

“BlueCava’s technology platform is opening up new and exciting ways for brands and publishers to more smartly interact with their customers online,” commented Marsh Marshall, managing director of Putney Capital and new member of BlueCava’s board.

Released yesterday as part of a giant privacy gala in DC that featured a keynote and Q&A session with Federal Trade Commission Chair Jon Leibowitz, the report was advertised in the press release running up to the event as a paper that would debunk “the myth that digital data collection is anonymous.” Whether it achieved that goal is definitely arguable.

What’s Being Sent

I feel pretty secure that when I log into HomeDepot.com, the website is not sending a message from the login page saying to all its third-party buddies, “Hey, guitarsexgod930, who you all know is Gavin Dunaway, just showed up! He’s looking at toilets — I don’t want to think about what he did to the old one. Who’s going to show him an ad for the new America Standard model?”

No, a bunch of data (including my username) has been stuffed into the login URL, which then gets shared with third parties who have deals with the publisher. As will be mentioned many times, the research does not cover what happens when the data is received by those third parties.

Typically this ”identifying information” — which research author and Stanford graduate student Jonathan Mayer describes as “information that with moderate probability and moderate effort can be used to identify a user” – is shoved into the URL to assist with site personalization efforts and only a little work is required to strip out the identifiable meat. Mayer uses this example:

http://example.com/register?username=GoCardinal&name=Leland%20Stanford&email=leland%40stanford.edu
&…

As you can see, a site login, email address and real name can all be derived from that.

The SSL report follows a recent report (PDF) by Balachander Krishnamurthy, Craig Wills and Konstantin Naryshkin using a similar methodology that pretty much found the same results — i.e., 56% of sites studied leaked some kind of identifying information, with 48% leaking a user name in particular.

Mayer’s study expanded the number of sites from 120 to 185 (culling them from the Quantcast 250 based on whether a site offered a signup without requiring a purchase or other qualification, as well as other concerns related to the scope of the research), as well as shifting the focus to “identifying data leakage” and using a public dataset.

While a complete spreadsheet of results can be downloaded here, Mayer singled out these gems:

• Viewing a local ad on the Home Depot website sent the user’s first name and email address to 13 companies.
• Entering the wrong password on the Wall Street Journal website sent the user’s email address to 7 companies.
• Changing user settings on the video sharing site Metacafe sent first name, last name, birthday, email address, physical address, and phone numbers to 2 companies.
• Signing up on the NBC website sent the user’s email address to 7 companies.
• Signing up on Weather Underground sent the user’s email address to 22 companies.
• The mandatory mailing list page during CNBC signup sent the user’s email address to 2 companies.
• Clicking the validation link in the Reuters signup email sent the user’s email address to 5 companies.
• Interacting with Bleacher Report sent the user’s first and last names to 15 companies.
• Interacting with classmates.com sent the user’s first and last names to 22 companies.

Whose Fault Is It Anyway?

All this research shows is what data is going to third parties and what identifying information can be gleaned from it. It doesn’t show what the third parties actually do with this information on reception, which Mayer points out was out of the research’s scope.

“We did not study – and cannot study – what companies do when they receive personal information. It is likely that many of the information leaks we identified were logged. Some third parties may take precautions to prevent logging of identifying information, and we certainly laud such efforts. But for policy purposes, there is a tremendous difference between a tracking ecosystem that is anonymous and a tracking ecosystem that is suffused with identity but promises to ignore it.”

No, the data is not anonymous, but these websites are also not delivering PII right into the hands of third parties — most data collectors will argue that they wouldn’t strip out the personal identification because they don’t want the PII (it causes problems). And it’s not anonymous at the source because the publishers haven’t anonymized it — 72 pubs in this study managed to have systems in place to keep user login data anonymous.

Interestingly, Mayer seems to absolve developers (and by extension publishers) of responsibility by saying this kind of thing just happens.

“Many times, developers are not thinking about privacy issues, and it’s a fact of life that information is going to leak to third parties. I think we have to recognize that’s just the way the Web works,” he said at the press conference.

Further, in the report he writes:

“The better practice for all first-party and third-party websites would be to acknowledge that identifying information leakage is a fact of life on the web, and that identifying information may be shared with third parties.”

And then in The Wall Street Journal, he said:

“The web is suffused with identity. And it’s a fact of life that that identity will get sent to third parties at some point.”

So maybe I’ve been wrong all along — it’s not that Internet privacy is an oxymoron, but that online data security offered by publishers is an oxymoron. Wow, that makes me feel so much better. I’d love to hear industry perspective on Mayer’s suggestion.

It’s kind of an end-run argument, though not a bad one, for Do Not Track functionality (the press conference appeared to be a big pep rally for DNT efforts) — there’s no helping personal information being shared with data collectors, so if you’re worried about it, flip on DNT and cut off the cookies.

At the same time, I can’t help thinking about the Facebook privacy scandal last year in which WSJ discovered social games played within the network were sending Facebook unique IDs to third-party ad servers. It’s a pretty similar case — and WSJ couldn’t find any instances of third-party ad tech firms using the data or associating the IDs with profiles (just companies that refused to).

The ultimate shame fell on Facebook for not using anonymizing data tools when sending information to third-party data collectors — the company had cut a development corner and violated its own privacy policy. Which is pretty much what all of the 113 guilty sites in this study have done.

So shouldn’t the onus fall on the publishers to tighten up the management of personal data — including logins and user names? Not to be too repetitive, but isn’t this a site security issue being stretched into a justification for DNT?

(At the same time, I’m not saying DNT is a bad idea… I’m just being critical, which is why they pay me the big bucks. Maybe some third-party data service can tell you how much.)

A Bold Accusation

Once again, data collectors — the cyberazzi, as FTC Chair Leibowitz would call them — are being vilified without a bit proof. It’s always implied that data collectors are doing nasty things, like building profiles with PII (well, Rapleaf does that, but they’re very transparent). However, Mayer does cite an example of third-party data collectors purposefully grabbing very personal information – and it would be a damning claim if there was corroboration.

Mayer writes:

“In computer security, leakage is a term of art for an information flow – some instances of leakage are entirely intentional. For example, OkCupid, a free online dating website, appears to sell user information to the data providers BlueKai and Lotame, including gender, age, ZIP code, relationship status, and drug use frequency.”

First, Mayer seems to be confusing a data-buying agreement with data leakage. Second, BlueKai and Lotame vehemently deny this claim.

While it is contractually forbidden to disclose all the data categories it receives from a specific partner, BlueKai says it only collects general demographic and interest data (zip code, age and gender were cited) and that none of it is connected to individuals or user names. Consumers are invited to visit the BlueKai Registry to manage their interests and opt outs, as well as see what their cookies say about them.

As of press time, a representative from BlueKai said that they were “working with them to get this corrected.”

UPDATE: Oct. 12, 9:20 a.m. Mayer updated the blog posting on

[Update 10/11: The original version of this post conflated the information OkCupid provides to Lotame and BlueKai. In the interest of complete accuracy, and in response to both a deluge of questions on OkCupid's intentional leakage and a note from BlueKai seeking clarification, I have updated this section with per-company intentional leakage. I have also included the results of a leakage test (with the methodology described below) on OkCupid. My apologies to BlueKai for the incorrect implication that it collects the same sensitive profile data that Lotame does. The amibiguous discussion was solely my error.]

He gives this list of what the companies “appear” to receive — “To learn which profile information OkCupid leaks, I modified each field of a profile and observed how values sent to the two companies changed.”

• Age – Both
• Cats – Both
• Children – Both
• Country – Both
• Dogs – Both
• Drinking Frequency – Lotame
• Drug Use Frequency – Lotame
• Education – Both
• Ethnicity – Lotame
• Gender – Both
• Income – Both
• Job Sector – Both
• Language Proficiencies – BlueKai
• Relationship Status – Lotame
• Religion – Lotame
• Smoking Frequency – Lotame
• State – Both
• ZIP Code – Both

That’s where bad — in some cases, very bad — contextual adjacencies abound and opportunity for improvement lies within reach.

Most marketers and their agencies understand and accept the tradeoffs around re-targeting that led to examples shown in the article. After all, they see the direct ROI in this approach across millions of impressions, not just a few page level examples like those shown that are, well, taken out of context in the overall campaign.

While the agency brand manager would not be running down the hall to show these screenshots to her boss, she may do so with the campaign results, knowing that despite marginal contextual relevance, the conversion results were positive.

The bigger problem arises from the large percentage – in fact the majority – of display ads that are not audience-targeted. Even within the bounds of what verification companies deem acceptable, a huge amount of display ads are still served without regard to content/contextual adjacencies. Like Peer39, uKnow employees see a wide range of sites in the course of their work and found the following examples that would, at a minimum, be highly disappointing to the brand managers involved.

After regaining their composure, the brand or agency executive might be tempted to stop using intermediaries. But networks, DSPs and trading desks provide tremendous value and efficiency in the execution of media campaigns. A better solution would be to give those partners specific guidelines or directions around the non-audience based portion of the campaigns.

Why not use tools available in the market to better plan, target and optimize this portion of the buy, even when directing budget towards intermediary channels? And if you are a network, DSP or trading desk, why not employ solutions that help you optimize contextual relevance for each campaign?

Because most brands, products and services are unique, creating custom semantic channels for each campaign that carve out optimal placements within each body of inventory you access makes complete sense. Inventory supply vastly outstrips demand, so why would you ever allow your ads to be placed on irrelevant or inappropriate content adjacencies? Sadly, spray and pray is still widely seen.

Given the success of audience-based targeting and the plethora of data services that have arisen, a disproportionate amount of time is spent in this area. Equal focus should be given to proactively targeting that content which is most appropriate to each brand’s sensibilities and to its ROI objectives.

Using context as a proxy for audience is a long-standing tool, and given the Do-Not-Track initiatives underway and advent of better browser-based tracking controls, employing strategies and tools that provide better contextual planning, transparency and control – while maintaining scale – are essential.

So while Ellenthal’s points have merit, they miss the bigger problem and in it, the opportunity for agencies/brands and their distribution partners. Protect the brand and increase ROI by creating custom semantic channels for the non-audience portion of each campaign.

This is certainly the case for consumers and online privacy – particularly in the realms of behavioral advertising and mobile interactions. With the online landscape changing so rapidly, it’s challenging even for those of us involved in the Internet advertising and media industries to keep pace. For consumers, this is even more so.

In our role as the leading online privacy solutions provider, TRUSTe keeps a close eye on consumer perceptions – not only to better understand the areas of consumers concerns but also how to best alleviate them.

Together with Harris Interactive, TRUSTe recently completed two consumer research projects – one relating to issues about online behavioral advertising (OBA) and the other about mobile privacy.

Not surprising was the fact that consumers have concerns about their privacy as it relates to behavioral advertising – with an overwhelming 94% saying that privacy is an “important issue.” But our research also uncovered a few surprising consumer beliefs. Misperceptions can run both ways, and some of these findings might shatter our own industry perceptions about consumer feelings.

Most consumers believe their personal data is being shared without permission.
TRUSTe’s research has found that consumers believe data activities are more privacy invasive than they actually are. According to our OBA consumer poll, more than one in three believes that the websites they visit share their personally identifiable information (PII) with advertisers without their consent. Forty percent of those we surveyed believe, for example, that their name is shared without their consent, whereas in reality, most behavioral advertising operations only know consumers by anonymous cookies – not their names.

Similarly, our mobile privacy research revealed that 56% of consumers are concerned that their personal information is being shared with others without their permission. In the same survey, 68% of respondents said that they believe they are tracked based on their mobile activities for OBA, and 72% think that some mobile applications share their information with third parties. For all three, the reality is actually much less.

The bottom line is that sharing of personal data is a consumer hot button. When asked for their feelings about behavioral advertising when their PII was not involved, for example, consumer favorability increased by an astonishing 100%.

Consumer privacy opinions and privacy actions don’t always synch up.
Despite widespread concerns about the safety of the Internet, the OBA survey revealed that only 37% of consumers know how to protect their privacy online and consistently do so. It also showed that one in four protect their privacy by “opting out,” although the majority (53%) said that they rarely or never manage their privacy choices by opting out of OBA.

In tracking privacy behaviors, however, TRUSTe has found that the actual opt-out rate is much lower. For instance, in a 2010 pilot of TRUSTe’s TRUSTed Ads OBA platform conducted with Publishers Clearing House (PCH) only 1% of site visitors actually chose to opt out of all advertising networks. This shows an interesting discrepancy between consumer privacy opinions and privacy actions.

Yet it’s a mistake to assume that consumers don’t care about privacy just because they don’t opt out. A consumer’s perception about a website or platform definitely affects the way that they interact with it, and better privacy has been found to create more consumer trust, leading to increased interactions and openness.

Our OBA research also shows that terminology impacts consumer feelings. Words “tracking” and “targeting” have a negative impact on consumers, while the term ‘interest-based advertising’ is received much more favorably.

OBA Compliance Makes a Difference to Consumers.

Consumer awareness about the DAA’s Self-Regulatory Program for Behavioral Advertising is growing. As more ad impressions become compliant, TRUSTe expects this awareness to continue. Our research has already shown that 43% of consumers are generally positive toward advertisers who participate in the self-regulatory program.

A new report released by Forrester Research entitled “Online Advertising Data Compliance Matters” encourages marketers to “take charge” of self-regulation for the benefits of their companies’ brands as well as the overall industry. The report supports TRUSTe’s belief that the benefits of participating in the self-regulatory effort for OBA compliance far outweigh the costs.

The report also notes that companies, such as TRUSTe, are already bringing to market many of the privacy solutions that are needed for successful deployment. Finally, Forrester urges brands to take charge of their compliance obligations themselves – and not just simply rely on their ad network vendors. TRUSTe wholeheartedly agrees.

For TRUSTe, all of these findings reinforce the vital need for continued consumer education and transparency about online privacy practices – for both OBA and mobile. Consumer trust and understanding are essential to address concerns and contribute to effective usage of these online solutions.

With clear and concise information about what’s actually being done with consumer data, advertisers, publishers and media platforms can stop misperceptions from growing and begin to reap the benefits of these interactive technologies.

The question for advertisers: why retarget all your users? Why retarget those users that are unlikely to click and buy? Serving ads to users that are not in market for your products is both costly for you and annoying for the user.

One of the principal objectives for online advertisers has always been to serve a relevant ad to an in-market user who is at the point conversion. Companies offering retargeted ads professed to offer a path to this coveted scenario. They retarget users with ads after they have left an advertiser’s website to go elsewhere; the assumption being that all users who have been on an advertiser’s website must be in-market for that advertiser’s product or service.

Ideally, the user is brought back to the original website and converted. However, the reality is that a large proportion of retargeted users will not end up converting and money spent on serving ads to them is wasted.

What’s needed is a further level of precision when it comes to targeting users who have been on an advertiser’s site. Users who have the potential to convert need to be distinguished from those who will never convert regardless of how many ads you serve them.

Some providers, like my company Struq, are already doing this by predicting with 80% accuracy which users are worth targeting and those that aren’t using its WHO Engine, a complex algorithm that analyses click and conversion behaviour. Prior to the WHO Engine, even top fashion retail campaigns saw a 1.13% conversion rate on average meaning that around 99% of retargeted users were failing to convert. The WHO Engine was developed in response to what was clearly a serious problem.

Retargeting more intelligently minimises the waste inherent in the standard retargeting initiative by going one step further and identifying and targeting the profitable users within the retargeted pool. This advancement stresses how simple retargeting is no longer enough, things have moved on and advertisers thinking that standard retargeting is the best way to use their budget are being misled by their providers. Retargeting has proved itself as a valuable channel, but the way retargeting is done needs to be smarter.

The conclusion is that advertisers are wrong for thinking that they are still at the cutting edge by using standard retargeting and old-school retargeters are no longer justified in claiming that the service they offer is at the forefront of display advertising innovation. Retargeting is in need of further refinement and Struq’s technology and technology like it are not only at the vanguard of that advancement but are the new must-haves for advertisers with their finger on the pulse.

This proposed rule arises from an “FTC COPPA Rule Review” through which the FTC solicited comments about every aspect of COPPA, including whether technological advances such as social media and mobile commerce necessitated revisions. The FTC has now proposed prominent modifications to COPPA that will have a significant effect on the operation of websites, online services and mobile applications that collect personal information from children.

In the preamble to the proposed rule, the FTC states that “[t]he Commission remains deeply committed to helping to create a safer, more secure online experience for children and takes seriously the challenge to ensure that COPPA continues to meet its originally stated goals, even as online technologies, and children’s uses of such technologies, evolve.”

The first major revision to COPPA will certainly create a better online experience for children, however, the changes may also create regulatory compliance hurdles for companies that will be forced to make significant changes to their current information practices.

The FTC is proposing amendments in five areas: (1) definitions; (2) requirements in the parental notice; (3) parental consent; (4) confidentiality and security; and (5) safe harbor provisions.

First, the FTC has clarified that COPPA applies not only to websites, but also to technologies that can be considered “online services.” This includes mobile apps that permit children to play network-connected games, engage in social networking activities, and some text messages.

The definition of “personal information” has also been expanded and will almost certainly impact companies’ behavioral advertising activities. The new definition includes Internet Protocol addresses, customer numbers held in cookies, device identifiers, the linking of information across websites and geo-location information.

Next, the notices that operators must provide to parents about their information collection practices must be streamlined and clarified. Fourth, changes to the existing parental consent mechanism are required, including the removal of the “email plus” verification method and adding several new methods.

In addition, enhanced security provisions and requiring operators to ensure that third-party service providers to whom an operator discloses a child’s personal information have reasonable privacy and security procedures in place. Lastly, changing the existing COPPA Safe Harbor program to require that “safe harbor programs” exercise more oversight.

The Growing Realm of ‘Personal Information’

One of the most significant proposed changes to COPPA is to the definition of “personal information.” The definition of “personal information” is important as COPPA only applies to operators whose websites or online service are directed to children or who have actual knowledge that they are collecting personal information from a child under the age of thirteen.

The proposed definition of “personal information” adds or changes the following categories of information:

• Online contact information – the FTC proposes to include not only a child’s email address but also “any other substantially similar identifier that permits direct contact with a person online,” such as an instant messenger name, a video chat name or a VOIP identifier.
• Screen names or user names – however, the FTC would not consider screen or user names that are only used to support internal operations to be “personal information.
• Persistent identifiers, including Internet Protocol addresses, customer numbers held in cookies, processor or device serial numbers, or unique device identifiers — however, the FTC would not consider these persistent identifiers that are only used to support internal operations to be “personal information.” This is a significant change from the current COPPA Rule, which requires that a persistent identifier be associated with individually identifiable information to be considered
  “personal information.”
• Identifiers that link activities of a child across different websites or online services – this category is “intended to serve as a catch-all category covering the online gathering of information about a child over time for the purposes of either profiling or delivering behavioral advertising to that child.”
• Photographs, videos, or audio files that contain a child’s image or voice – the FTC proposes this change from the current standard which includes photographs only when they are combined with “other information such that the combination permits physical or online contacting.”
• Geo-location information sufficient to identify a street name and name of a city or town.

The foregoing proposed changes will significantly expand the scope of COPPA to operators that were not previously subject to the Rule. For example, the requirement that persistent identifiers only be used for internal operations or be considered “personal information” will force any operator having services directed to children or having knowledge that it is collecting information from children under 13 that wishes to provide targeted advertising to children to receive parental consent, even where such advertising is not based on what has been traditionally considered personally identifying information.

The proposal also brings geo-location data into the definition of “personal information,” which will similarly require mobile apps or operators offering mobile apps to comply with the COPPA Rule. This proposed change will likely have the most significant effect on businesses as it would not only subject a wider array of entities to COPPA, but also may make it more difficult for a website or online service to determine whether it is subject to the COPPA Rule, at all.

Parental Consent Required

In the proposed rule, the FTC attempts to streamline the process by which operators are required to provide parents with notice of their privacy practices and the FTC tries to make the process easier for both operators and parents to understand. This change comports with the FTC’s recent efforts to encourage businesses to provide consumers with more easily understandable notice and choice about information practices.

The proposed rule requires that a link to a notice of information practices must be clearly, conspicuously, and prominently labeled and placed on a website’s homepage and at each page where personal information is collected in close proximity to the information request. The FTC both simplifies and expands the requirements for what must be included in the privacy policy, requiring they include:

• Contact information for each operator (the current rule allows multiple operators to select one operator to have their contact information listed).
• What information is collected from children, and whether the website allows children to make this information publicly available.
• How the operator uses the collected information.
• The operator’s disclosure practices for collected information.
• The fact that parents can review and delete or refuse the further collection of a child’s personal information, and the procedures for doing so.

Currently, COPPA requires operators to send parents a direct notice, which informs the parent of a website’s information practices. The proposed rule revises these provisions and includes specific information that an operator must address in different circumstances, including:

• When affirmative parental consent is needed for the collection, use or disclosure of a child’s personal information.
• When a child’s online activities do not involve the collection, use, or disclosure of personal information.
• When an operator intends to communicate with a child multiple times.
• When an operator collects a child’s personal information in order to protect a child’s safety.

The FTC proposes removing one of the most popular parental consent mechanism under the current Rule – email plus. Currently, operators who collect personal information and do not disclose this information to external parties can utilize this consent mechanism by sending a parent an email and then using another step – such as another email at a later date– to confirm the consent.

However, in the proposed rule, the FTC suggests that this consent mechanism is prone to abuse (such as when a child simply provides his or her own email address) and has inhibited the development of better, more reliable parental consent mechanisms. Therefore, the FTC has proposed the elimination of the email plus method of parental consent.

The FTC has also proposed new methods of parental consent, including allowing parents to send electronic scans of signed consent forms, using video-conferencing to signal consent, and providing government-issued ID numbers that the operator can check against a database. If an operator collects government-issued ID numbers, the FTC proposes that this information must be promptly deleted after the verification is complete.

Almost every experienced Internet attorney will tell you that the changes proposed by the FTC to the parental consent process could have a major impact on operators. Many websites currently rely on email plus to obtain consent from parents when the website will only be using the personal information collected from a child for internal purposes. The email plus method is often preferred as it is the easiest parental verification method.

The FTC proposal would require all operators to implement more complicated parental verification methods. This change could mean that all of the operators currently using email plus will have to overhaul their parental verification practices. While these proposed provisions may ultimately make compliance with the notice provisions easier for covered operators, these changes could require operators to expend valuable resources to adjust current practices and regulatory requirements.

Clearly, the FTC has been enforcing the COPPA Rule much more broadly than it has in the past. Any media that is targeted at children under the age of 13 will have to analyze whether it can be considered an “online service” and take appropriate steps to comply with COPPA if necessary.

Special thanks from the editor to Gail Gardner of Growmap.

ADOTAS: So why turn AlmondNet’s Data Division into a standalone company?

BENEDEK: AlmondNet develops technology and operates a number of different businesses. While the businesses are media-related, they operate in different markets and therefore it no longer made sense to operate them under the same corporate entity. Obviously, the growth of the online data market, and the explosive growth of Datonics in particular, warranted the spin-off of Datonics as a stand-alone business entity.

What’s up with the name Datonics, which sounds like it wouldn’t be a bad name for an 80s synthpop revivalist act?

While some of us were around and old enough to remember the 80s, we were not thinking about a revivalist act when the name “Datonics” was chosen. The name connotes our commitment to a scientific approach to data and more specifically our commitment to leveraging the best available resources and methods to analyze, classify, and optimize the collection, categorization and distribution of non personally-identifiable consumer data in a manner that benefits all participants in the advertising ecosystem, starting with the consumers who view the relevant, privacy-sensitive advertisements that we help our partners to deliver.

More seriously, how will dealing with Datonics the spinoff differ from when it was an internal unit? What are the operational advantages?

Because the AlmondNet Data division had effectively been operating as an independently run division of AlmondNet, the transition to Datonics has been extremely smooth.  Nevertheless, Datonics will be more focused and even more responsive to market needs than the AlmondNet Data division was.  We look forward to investing in and serving the entire growing ecosystem!

How will the spun-off company work with parent AlmondNet and its affiliate IntentIQ?

AlmondNet develops technology and operates a number of different businesses. AlmondNet’s technological and business acumen, which is reflected in the extensive suite of industry-leading targeted advertising solutions and products developed by the company and its focus on R&D, is expected to supplement Datonics solutions. While there are synergies between Datonics and IntentIQ, the companies operate independently.

What kind of strange experiments are being conducted in the Datonics Data Lab? Will they cause the villagers to come marching with pitchforks and torches?

Because our NYC office is in Soho, we are well-positioned to keep close watch on both the East and West Village and all their villagers.  The only time we recall seeing pitchforks was during the Halloween parade. In all seriousness, our data lab is tasked with the mission of analyzing, classifying and optimizing the collection, categorization and distribution of incoming and outgoing non personally-identifiable information that is collected by Datonics from data provider partners and distributed onward to platform partners and their marketers.

What in your mind differentiates Datonics’ data from its third-party data peers? Segmentation? Collection methods?

We prefer to keep our secret sauce secret for now, but stay tuned for some announcements in the not too distant future.

I think sniffing is a better term because stealing connotes actually hijacking a user’s history folder. But like most things in online behavioral advertising, it’s painted several thick shades of gray — and anti-tracking advocates are likely to use the more damning term to plead their case.

You can imagine that Epic Marketplace was nonplussed when Jonathan Mayer of the Stanford Security Lab (SSL) within the Stanford Law School Center for Internet and Society claimed he caught Epic history stealing (his phrase) on websites Flixster and Charter.net.

The SSL was testing the JavaScript instrumentation in its new web measurement platform when it found the violations. The crew reverse-engineered the history-sniffing script and reported the following features:

• The script is fast. Thousands of links are tested per second.
• Links are added in an invisible iframe; there is no apparent effect on the page layout.
• The script dynamically loads lists of URLs and associated interest segments using JSONP.
• Progress is stored in a cookie so the script can resume where it left off.
• The script sets a cookie indicating when it was last run; it will not history steal more than once every twenty-four hours.
• If history stealing is still in progress when the window is closed (e.g. the user navigates to another page) the script sends its findings before ending execution.
• The script slows down if a URL list takes over two seconds to process.
• To prevent multiple history stealing attempts in parallel, the script uses a mutex cookie.
• The script does not directly report the URLs that it detects the user has visited; it sends a deduplicated list of the interest segments associated with the visited URLs.

Epic has fired back:

The practice described in the blog, better labeled as “segment verification” (indeed, as admitted in the blog, no URLs or URL history is actually collected) provides companies with a way to measure the accuracy of the data that a company purchases from data vendors without compromising consumer privacy. NO data obtained from segment verification is personally identifiable information (PII), nor is that data ever merged with other data points that are, or may be, personally identifiable.

Mayer and his Stanford Security Lab team are building a platform for measuring dynamic web content, which also may serve as an automated enforcement tool for the Do Not Track universal web tracking opt-out app that detects third-party tracking via methods such as cookies and fingerprinting.

Last week the team caused a stir in the behavioral targeting world — testing out this platform, the Stanford researchers identified beacons for 64 of the 75 companies signed up for the Network Advertising Initiative’s self-regulated online behavioral advertising program. After loading content featuring the beacon, the researchers opted out of OBA tracking via the NAI website and reloaded the content. Then they enabled the Do Not Track app and reloaded the content again. The team discovered that half of the NAI companies left their tracking cookies in place while 10 companies deleted their cookies.

But the industry responded that Mayer and his crew were seriously missing the nuance of the situation — not all tracking cookies are for behavioral targeting. Networks like Vibrant Media and Undertone argued that their practices were in line with NAI guidelines, which allow cookies to remain for collection of non-OBA data used in frequency capping and other practices unrelated to behavioral targeting.

NAI Executive Director Chuck Curran echoed these claims and while arguing that the Stanford study was unfairly blurring the lines between industry self-regulatory behavioral targeting initiatives and across-the-board tracking roadblocks:

[It's] important to draw a fair distinction between existing industry self regulatory commitments to limit ad targeting based on user interests, and the views of proponents of newly emerging “Do Not Track” technologies who argue that advertising companies should be stopped from collecting any data. We’ve been following with interest the recent introduction by browser manufacturers of “Do Not Track” features that promise in various degrees to limit browser data collection. A robust debate is going on about how these browser features might be integrated with the existing industry self-regulatory programs, but for now there is no universally agreed upon definition of what “Do Not Track” means.

These two incidents certainly suggest that Do Not Track initiatives and industry self-regulatory efforts are at loggerheads, and an already muddy issue is getting increasingly messier. Consider in addition that people have recently noticed that websites are under no obligation to respect Firefox’s Do Not Track feature — it’s not really in publishers’ interest regarding their own data collection.

Is a compromise between DNT and industry opt-out realistic? Or should we start taking bets on which side will win? I.e., better sweet-talk government regulators and legislators.

Spun off from Expert System last year and launched from beta in March, ADmantX claims to detect reader emotions, behaviors and even intent from its page-level analysis. How’s that? Through semantic technology from its parent, natural language processing and social collaboration. In addition, ADmantX offers ad-blocking capabilities to keep brands away from questionable or discordant content.

Most interesting, ADmantX plays up the fact that it practices “cookie-less” targeting, marketing itself as an alternative to behavioral targeting once Washington gets around to passing online behavioral advertising legislation.

“ADmantX has proven its ability to successfully support a brand’s psychological positioning by displaying deep understanding of the emotions evoked by adjacent content, and we are well positioned to offer publishers an alternative to cookie-based ad targeting should there be legislation that curbs its appeal,” comments Chief Marketing Officer J. Brooke Aker, who has written a few excellent columns for Adotas.

Aker adds that the funding will be used to boost ADmantX sales staff and marketing presence.