TRUSTe whitepaper- A Checklist of Practices that Impact Consumer Trust
Learn about the online behavioral advertising environment and how to make sure your company is executing best practices.

TRUSTe whitepaper- A Checklist of Practices that Impact Consumer Trust Document Transcript

  • 1. TRUSTe WHITEPAPER. ONLINE BEHAVIORAL ADVERTISING: A CHECKLIST OF PRACTICES THAT IMPACT CONSUMER TRUST. FEBRUARY 2009. ©2009 TRUSTe. All rights reserved.
  • 2. Table of Contents
    Introduction (page 3)
    Online Behavioral Advertising Environment (page 4)
    Activities and Business Models (page 5)
    Practices that Impact Consumer Trust (page 7)
    Checklist for Businesses (page 8)
    Glossary of Terms (page 12)
  • 3. TRUSTe’s Commitment to Protecting Privacy and Promoting Online Trust
    Introduction
    For over a decade, TRUSTe’s mission has been to advance online trust.1 We have been active in policy discussions with government, businesses and consumer groups concerning new and evolving online business models and the development of best practices for managing attendant privacy and online trust risks. These policy discussions include the current focus on behavioral advertising and responsible information management practices.
    In a time of uncertainty in the marketplace, we believe that businesses operating online have an opportunity to step forward to demonstrate responsibility. Businesses can assert leadership roles in defining self-regulatory standards around behavioral advertising data practices that promote transparency, meet consumer expectations for fairness and assist them in making informed choices when deciding whether to share information.2
    The collection of data through behavioral advertising allows trusted companies to market to the actual interests of their customers and website visitors, benefitting consumers, enhancing their online experience, and increasing advertising revenue. Surveys have shown both that many consumers appreciate targeted advertising to their interests and that many have privacy concerns about such advertising. Revenues from advertising also are chiefly responsible for permitting free internet services to consumers and an open, innovative internet environment. However, these benefits to consumers and businesses are bounded by the need for online trust in information management processes, business accountability, and respect for consumer privacy.
    Pull quote: “Businesses can assert leadership roles in defining self-regulatory standards around behavioral advertising data practices that promote transparency.”
    As business models for Internet advertising change and roles between publishers and advertisers and first and third party collection and use blur, the behavioral advertising environment can be confusing for both consumers and businesses. TRUSTe is providing a general update on the evolving behavioral advertising environment. It is meant
    ____________________
    1 TRUSTe has been active in developing privacy best practices for businesses and by setting rigorous standards for our seal programs, certifying website privacy, online children’s privacy, e-mail practices, compliance with the U.S.-EU Safe Harbor framework, and in building a white list of companies and monitoring their delivery of safe, downloadable software to consumers. We assist businesses in meeting TRUSTe seal program requirements and also use appropriate compliance and enforcement tools, as needed, including suspensions, terminations, and referrals to the Federal Trade Commission and other law enforcement agencies. TRUSTe also protects consumer privacy by providing timely, efficient, and free dispute resolution services to consumers for privacy complaints concerning TRUSTe sealholder companies.
    2 TRUSTe has been surveying consumers, providing model disclosures for businesses, hosting public webinars, and sharing emerging best practices and promoting transparency, consumer control and choice mechanisms with relation to behavioral advertising since 2007. See http://www.truste.com/about/bt_study.php.
  • 4. to be helpful particularly to non-technical individuals with responsibility for policy development, information management, and corporate privacy practices. With this paper, we also are providing a practical assessment tool, an information checklist for businesses to use to understand their own practices and to flag issues of concern. The information checklist can be used by privacy officers and privacy professionals, in collaboration with business and marketing program representatives, information and security officers, and privacy counsel.
    Online Behavioral Advertising Environment
    At a time when many have blamed the financial system crisis, in part, on a failure of self-regulation and a lack of transparency, it is appropriate for businesses to review their accountability processes. Businesses can begin by first scrutinizing their online practices and ensuring that they fully understand the increasingly complex data practices involved at their sites. The online advertising eco-system is evolving to include a wide range of vendors, intermediaries, networks, affiliates, exchanges and many others who may interact with user data. Ensuring that businesses understand the practices involved is essential for privacy compliance planning and to ensure consumer trust. It is also critical to recognize that consumers expect the brands and the policies of the sites they are intending to interact with to be responsible for the data exchanged, even in cases where advertisers, publishers, ad networks and affiliates may have business relationships that complicate legal and technical responsibility.
    Consumers, the Federal Trade Commission (“FTC”) and Congress are expressing concerns about consumer privacy and information security issues that may be raised by broad collection and sharing of PII, as well as by use of non-personally identifying data relating to individual consumers through the tracking of consumers’ online web browsing activities.
    Such online collections occur at many company websites that consumers visit and may be used not only by those websites but shared with a variety of third parties, such as content providers and advertisers, ad networks, and data analytics firms.3 Businesses and consumers are often confused by or are unaware of information processes at the site or sites to which data is transferred.
    TRUSTe believes that companies should be familiar with the advertising and data models that we outline below. Companies will benefit by understanding how they or their vendors and partners may engage in behavioral advertising activities. Furthermore, companies that conduct a review of issues flagged in this document will be better informed and well positioned to understand and react to potential guidance or changes that may be coming in 2009 from the FTC or legislators.
    ____________________
    3 References to ‘sharing’ include data sharing directly by a first party with a vendor or other parties, as well as data collected about a user (site visitor) at a website by vendors and other parties.
  • 5. Self-regulation is a process often preceded by leading companies beginning to strengthen practices and chart advances that are then more widely adopted. In particular, companies should be aware of evolving industry practices in the following areas:4
    • Application of certain privacy principles to some types of non-personal data, for example, behavioral profiles, cookie IDs or IP addresses.
    • Notices about ad-serving and behavioral targeting being provided in banner ads or on home pages, in addition to within a privacy policy.
    • Choice being provided not only for the sharing of ad-serving data, but with regard to data use by a single company to tailor ads on its own sites.
    • The establishment of specific data retention policies and anonymization techniques for log-file data.
    Pull quote: “Ensuring that businesses understand the practices involved is essential for privacy compliance planning and to ensure consumer trust.”
    Activities and Business Models
    The following is intended to provide a non-technical, high level description of the technologies and business models involved with a range of online data uses for advertising, tracking and analysis. Since the business models and policies that may be considered behavioral advertising range widely, this document seeks to describe the underlying basics and the tools used. As data is used by different models in increasingly robust ways to tailor the user experience, those businesses should pursue opportunities to provide increased levels of transparency and use control to consumers.
    ____________________
    4 Also note at least two companies that we are aware of provide user access to either behavioral profile data or cookie analytics data.
  • 6. A range of online data exchanges with vendors or with third parties are often relied upon in order to tailor advertising for users or to understand and improve Web site usage and performance.
    For example, analytics companies provide services to Web sites for analyzing information about their users, including site usage on a unique visitor (or browser) basis. Data generally is used only on behalf of the primary site. Vendors may offer services that are “white label”, in that they use the domain of the primary site, allowing the vendor 1st party treatment by the browser. Vendors may also use a common platform which uses a common cookie or domain which could technically be used to correlate data across many unrelated sites, but is usually restricted by agreement.
    A number of companies assist Web sites in learning more about the types of users that visit their own or other Web sites. Some of these companies will also append their research data to enhance the data profiles a Web site may build about their own users.
    Owners of websites are often categorized as advertisers or publishers. Ad-servers are companies that provide a hosted service which enables the delivery, tracking and management of advertising inventory. An ad-server may deliver ads under a contract with a publisher, an advertiser or an ad network and the relevant data ownership issues must be addressed with each to ensure the privacy commitments made to users will be respected.
    Quite commonly, ads will be contextually targeted, that is, delivered on pages that may be relevant to the content of the ad. At times, an ad will be shown a limited number of times to a unique browser, or in a specified sequence – on one site, across many sites that are similarly branded, across unrelated brands owned by one company or across unrelated sites.
    This practice, known as ‘sequencing’ or ‘frequency capping’, is most often not considered behavioral advertising.
    A web site or group of sites owned by one company may work with an ad-server or analytics company to mine its respective log files of user activity to target ads for advertisers. A number of leading companies now provide users with the opportunity to opt-out of advertising targeted to activity on their site or related sites.
    Ad networks sell ads on behalf of groups of publishers. As a result, their services must recognize a user’s browser across many Web sites. Some companies focus on assisting advertisers with the practice of placing pixel tags on key areas of their Web site to enable the advertiser to show an ad specifically to previous site visitors when they are on other unrelated Web sites. For example, if users purchase a product from Company X, Company X may pay an ad network to show ads only to those users. Although data is provided to the ad-server by an advertiser for use elsewhere, the ad-server or ad network generally may not use the data for any party other than the advertiser.
    Ad networks may or may not have permission to create behavioral profiles of users from the data they have in their ad-serving log files. That is generally a matter defined by contract. Network advertising behavioral profiles are created when an ad network mines its log files of user activity across unrelated sites over time and assembles user
  • 7. profiles and interest categories that advertisers can target ads against. This is the core activity subject to the Network Advertising Initiative (NAI) Self-Regulatory Guidelines. Under these guidelines, sites participating in such behavioral advertising are required to provide a link in their privacy policy that provides users with the ability to opt-out of behavioral advertising. When personal data or certain sensitive data is used, an opt-in may be required.
    Data from a user’s purchases online or off-line, or other demographic data, may be linked to a user’s cookie to enable targeting of the user on a site where the user has registered or transacted or across an ad network.
    Behavioral profiles may also be created by advertisers working with an ad-server to collect data about the Web sites their ads are served on or by purchasers of ad inventory via ad exchanges. At times, the data ownership and consumer privacy issues are addressed with contractual or other requirements in place. But of concern is the lack of industry consensus over the ownership of data gathered by advertiser controlled ad delivery and the resulting effect on accountability to users when publishers are not aware or where a privacy policy is in conflict with the advertiser or ad network’s practices.
    In an emerging business model, ISPs are collaborating with Web sites or ad networks to target users based on clickstream data collected at the ISP. Leading ISPs have committed to conduct behavioral advertising only with user consent.
    Ad sales marketplaces, known as ad exchanges, have been created to match purchasers of advertising with available ad inventory. Sometimes purchasers may select ad inventory based on data about users.
    Pull quote: “As data is used by different models in increasingly robust ways to tailor the user experience, those businesses should pursue opportunities to provide increased levels of transparency and use control to consumers.”
    Practices that Impact Consumer Trust
    TRUSTe has previously conducted research and provided general guidance to our sealholder companies involved with behavioral advertising. In addition, model privacy policy guidance provided by TRUSTe specifies disclosures and choices related to ad delivery, analytics and other components of data use that may be related to behavioral advertising.5
    With this document, we intend to help identify the areas that can assist companies in understanding the elements involved with behavioral advertising and their information management and, in doing so, lay out a roadmap for increasing consumer trust. The following information practices inventory tool is intended to assist advertisers and publishers engaging in behavioral advertising who wish to ensure they are doing so in a manner that provides transparency and consumer control.
    Businesses need to ensure they are fully informed about the way data related to site visitors is being used or shared. Web sites should review additional steps to ensure users are comfortable
    ____________________
    5 See http://www.truste.com/about/bt_study.php
  • 8. with the way data is being used at sites and consider mechanisms for additional transparency and consumer control that may be feasible for the particular business model involved. Disclosure of tracking and targeting as part of your product or service value proposition is good business. You may want to provide a “what is this” button to explain how your customization works, or other means for promoting user enhanced awareness of tracking or targeting on your site. The best examples of notice and choice are seamlessly integrated into Web site services and functionality.
    Following are detailed points to review at your site and with current and potential partners who provide services at your site or with whom you may share data. Although these points are of most significant concern when personal information is involved, increasingly robust tailoring occurs with a wide range of non-personal data and such activity should similarly be reviewed. Many of the points we raise will be relevant to a wide range of data collection or use regardless of technology. Companies should recognize that the more robust the type of data collection, use or sharing, the greater the need for consumer transparency and control.
    Checklist for Businesses
    TRUSTe welcomes feedback on this Checklist. We intend for this tool to be a living document that will continue to be revised and expanded in 2009. Our aim is to assist businesses in asking the right questions that will help them understand their own business operations and build privacy compliance and risk mitigation measures into their design as they relate to behavioral advertising activities.
    Data use: Transparency & Control
    • If you are tailoring advertising on your Web site using only information related to the user’s activity at your site, is it possible to explain the activity to the user in an obvious manner at the point data is collected or the point it is used?
      (For example: ‘These links have been selected for you based on your past browsing at this site’)
    • If not, can a link at the point of collection or use be provided? (For example: ‘Why this ad?’ or ‘How data about your activity here will tailor the ads you see.’)
    • If advertising is being tailored across sites owned by one company, is there any common branding such that the user would expect the data to be available at other commonly owned sites?
    Data Sharing and User Choice
    • If data is being shared with an ad network for use on unrelated sites, at a minimum, does the privacy policy explain the sharing of data with an ad
  • 9. network? Does the privacy policy provide a link to allow the user to exercise choice about this sharing or the use of behavioral targeting?
    • Is the type of targeting and data appending done by the network, its partners and advertisers accurately explained?
    • If a link is provided to a third party’s choice mechanism, is that mechanism working?
    • If the user is promised that exercising choice will end any tracking, does the user continue to be assigned a unique Cookie ID that may indicate continued tracking?
    • Does the ad network resell your ad inventory and user data to other networks?
    • Does it allow advertisers to pixel the ads delivered to correlate additional data from third parties?
    • Does it allow advertisers to personally recognize their registered users who view banners at your site?
    • Are advertisers permitted to create profiles of users based on the locations on your site where ads on their behalf were delivered?
    • Is this sharing consistent with your site’s privacy policy?
    • If the data is not being provided to an ad network for behavioral advertising, is data being provided to an ad-server so that you can re-target a user after they have visited your site? Are you aware of or allowing advertisers to use web beacons or other code in the ads they deliver on your site and thus allowing tracking and/or retargeting of your users elsewhere? Does your policy reflect this and provide any choice?
    Personal Information
    If the policy represents that personal information is not being shared:
    • Is an account ID being provided?
    • Have steps been taken to ensure this ID isn’t linked to identified users?
    • Are efforts being made to link the anonymous ID to third party data which identifies the user?
    • Is data being linked to purchase information, online or offline, which identifies users?
    • Are anonymization processes in place to support this activity? Is encryption used or simple base 64 encoding?
  • 10.
    • Is later off-line purchase activity by a user being tied back to the ad impressions a user viewed at your site?
    • If your policy doesn’t allow the sharing of personal data, is there adequate anonymization in place to support this process?
    • Does your P3P policy or your vendors or partners’ policy allow for the type of information being used or shared?
    • What categories of user profiles are being created? Is any potentially sensitive, specific health, sexuality, race, religion, ethnicity, children’s data involved?
    Data Retention/Security
    • How long is user level clickstream data kept by you or your vendors? Is it segregated or mixed with other client log-files?
    • Are IP addresses logged?
    • If so, can only a portion of the IP address be logged?
    • Does the logged IP address have a shorter retention period than other data?
    • Can they be obscured or deleted after the period they are needed? (Note that some vendors provide such capabilities without any impact to their services.)
    Cookies
    • Is the expiration date of cookies that are used set at many years in the future? Is this necessary for the purposes of the data use?
    • Can the expiration be set much shorter for the period needed for the expressed use?
    • Is data stored in the cookie?
    • If personal data is stored in the cookie, is it encrypted?
    • Are flash cookies being used? Do you provide specific guidance about how users can control flash cookies? Note that since standard browser controls do not relate to flash cookies, using flash cookies for robust purposes, such as behavioral advertising, will raise concerns about consumer control and choice.
  • 11.
    • Can a cookie and domain unique to your site be used instead of one which potentially links to user activity across sites served by your vendor? Is a “white label” version of the service feasible for your needs?
    • Can the profile be made available to the user by you or by the vendor? Can the user edit or delete the profile?
    • Can a user who looks up the name of a particular cookie identify the company that set it and find the privacy policy and practices related to use of the cookie?
    • Can the list of profile categories that are created generally be made available to provide some transparency?
    • Do you assist users with information on how to manage/delete cookies?
    • If an ad network is selling your inventory to other ad networks or via an ad exchange, what steps is it taking to ensure the purchaser respects the commitments made in your privacy policy?
    Additional Risk Issues
    • If you are purchasing ads on an ad network, does your contract address whether your banners may be delivered into adware programs?
    • Does your ad network employ any measures to screen and reject adware that is installed deceptively? (For example, requiring that any downloadable programs in their network are certified by the TRUSTe Trusted Download program, or by using scanning and spidering techniques to bar rogue programs that put you at legal risk in joining the network?)
    • If you accept advertising directly or allow ads uploaded by third parties, what policy or technical steps are taken to screen out banners placed by criminal “malvertising” companies?
    • Do you participate in an affiliate marketing program, offering commissions to affiliates that generate sales?
    • What steps does your affiliate manager take to ensure your offers do not appear in adware that is installed deceptively?
      (For example, requiring that any downloadable programs in their network are certified by the TRUSTe Trusted Download, or by using scanning and spidering techniques to bar rogue programs from joining the network?)
    • Are you paying commissions to rogue affiliates who are “cookie stuffing” or triggering invisible pop-ups at your site to illegitimately claim commissions they are not entitled to?
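
The “Personal Information” and “Data Retention/Security” checklist items above ask whether account IDs are encrypted or merely base 64 encoded, whether only a portion of the IP address can be logged, and whether IP addresses can have a shorter retention period. The following Python code is an added example, not part of the TRUSTe whitepaper: it contrasts base 64 with a keyed HMAC-SHA256 pseudonym (a one-way keyed hash, used here in place of encryption), truncates addresses to /24 and /48, and drops them after an assumed 30-day period. The record layout, key, retention value and function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample ad-server log records (documentation-range IPs, not real data).
SAMPLE_LOG = [
    {"ts": datetime(2009, 3, 1, tzinfo=timezone.utc),
     "account_id": "user-10422", "ip": "203.0.113.77", "url": "/shoes"},
    {"ts": datetime(2009, 3, 2, tzinfo=timezone.utc),
     "account_id": "user-10422", "ip": "2001:db8:abcd:12:9c3f::1", "url": "/cart"},
    {"ts": datetime(2009, 1, 10, tzinfo=timezone.utc),
     "account_id": "user-20001", "ip": "198.51.100.9", "url": "/home"},
]

# Assumed values: a secret kept by the first party and a 30-day IP retention policy.
PSEUDONYM_KEY = b"constructed-demo-key"
IP_RETENTION = timedelta(days=30)


def base64_id(account_id: str) -> str:
    """The weak option named in the checklist: an encoding, not protection."""
    return base64.b64encode(account_id.encode()).decode()


def decode_base64_id(token: str) -> str:
    """Anyone who receives the base 64 value can recover the account ID."""
    return base64.b64decode(token).decode()


def pseudonymize_id(account_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way pseudonym: stable per user, not reversible or guessable
    without the key. A different key per vendor prevents cross-vendor matching."""
    return hmac.new(key, account_id.encode(), hashlib.sha256).hexdigest()


def truncate_ip(ip: str) -> str:
    """Log only the network portion: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def minimize(record: dict, now: datetime) -> dict:
    """Build the record that is stored or handed to a vendor."""
    ip_still_needed = (now - record["ts"]) <= IP_RETENTION
    return {
        "ts": record["ts"],
        "uid": pseudonymize_id(record["account_id"]),
        # The IP field expires earlier than the rest of the record.
        "ip": truncate_ip(record["ip"]) if ip_still_needed else None,
        "url": record["url"],
    }


def minimize_log(records: list, now: datetime) -> list:
    return [minimize(r, now) for r in records]


if __name__ == "__main__":
    now = datetime(2009, 3, 15, tzinfo=timezone.utc)
    token = base64_id("user-10422")
    print("base64 :", token, "->", decode_base64_id(token))
    for row in minimize_log(SAMPLE_LOG, now):
        print(row["uid"][:16], row["ip"], row["url"])
```
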
  • 12. Glossary of Terms 6
    Technical Basics
    User IP Address: The numerical address assigned by an Internet Access Provider to a computer connected to the internet. The IP address assigned by an ISP to a user is often used by advertising and analytics companies for a number of secondary data purposes including: geo-targeting ads, reporting on the geographic distribution of users, some analysis or targeting of the business or business type if the IP is one assigned to a recognized company, and auditing to prove ad delivery and to eliminate false or fraudulent activity. IP addresses are generally not used for keeping track of unique users by these companies. IP addresses continue to be described as non-personal in U.S. privacy policies by businesses that do not have the ability to identify users by IP address. However, businesses should recognize that since it may be possible for some parties to identify users based on IP address with the cooperation of an ISP and with legal intervention, a User IP address should be treated with more sensitivity than other non-personal data they may log.
    Cookie ID: A unique number assigned by a Web site or an advertising/analytics provider to recognize the user’s browser over time. Third party cookies are typically set by companies or Web servers other than the Web site the user has typed into their web browser. These cookies are set and read by companies providing services across many Web sites and therefore provide a record of a user’s activity across the sites they serve. These companies may or may not have contractual rights to correlate this data or use it other than for an individual partner.
    Some companies may store data about a user on the user’s computer in the cookie file, to enable quick retrieval for targeting
    ____________________
    6 The illustrations here do not attempt to map the specific data flows involved with behavioral advertising, as in practice they are technically complex, but rather are intended to give a consumer sense of the nature of the practice involved.
  • 13. or tracking. Others will use the cookie number to reference data stored in a data base. While in practice cookies rarely actually last on a user’s computer for a long term, expiration dates associated with a cookie can extend for as much as 30 years.
    Opt-out cookie: A non-unique cookie set to zero or null so that a user will not be targeted or tracked. Ad networks involved in behavioral advertising may be subject to requirements to require the Web sites they serve to provide a link to a page allowing users to set an opt-out cookie as a way of providing users a choice to opt-out of behavioral advertising.
    Ad tag: Code on a Web page that directs a user’s browser to present itself to servers used for ad delivery. This code may also dynamically pull information the site has about the user and insert it in the information the user’s browser provides to the ad-server.
    Pixel tag or Web beacon: Code on a page intended to direct a user’s browser to visit a server so that data about the user’s visit can be used.
    Ad Call: The request for an ad made by an advertisement, which is used to provide information about the Web site, the ad campaign, data about the user the site may have and the technical data the ad-server will log. Data the ad-server may log can include, among other items, a cookie ID, the site the user is visiting, an IP address, the referring url, or a search query that may have been entered. The ad call may also re-route the user’s browser to a third or fourth server which will also log or add data to the process.
    Key Value: A piece of information about a registered user that a Web site may pass to an ad-server. In some cases, account IDs corresponding to identified or registered users may be passed to an ad-server or analytics company. The ad-server or analytics company may or may not have the ability to decode the user ID.
    Log File: The data record stored on a web server when a user’s browser visits a Web site.
    Some data may be used instantly by an ad-server to deliver an ad. Other data may be mined from the stored log file in order to create reports or to create a user profile by using the consistent cookie ID to pull together information about a user across time and sites.
  • 14. Sample Business Models and Related Services
    Analytics: Services that analyze information about users, including metrics such as unique visitors and site usage. Data generally is used only on behalf of the primary site, and vendors may offer services that are “white label” in that they use the domain of the primary site. Vendors may also use a common platform which uses a common cookie or domain which could technically be used to correlate data across many unrelated sites, but is usually restricted by agreement.
    Research: Services that describe types of users that visit Web sites. Some of these companies will also append their research data to enhance the data profiles a Web site may build about their own users.
    Ad-Server: Provides a hosted service which enables the delivery, tracking and management of advertising inventory. An ad-server may deliver ads under a contract with a publisher, an advertiser or an ad network and the relevant data ownership issues must be addressed with each to ensure the privacy commitments made to users will be respected.
    Ad Network: Sells ads on behalf of groups of publishers and as a result must recognize a user’s browser across many Web sites. Ad networks may or may not have permission to create behavioral profiles of users from the data they have in their ad-serving log files.
    Behavioral Ad Network: Requires publishers to allow the network to re-target users for advertisers and/or to create behavioral profiles of users.
    Re-Targeting Network: Places pixel tags or other code on key areas of client Web sites to enable the advertiser to show an ad specifically to previous site visitors when they are on other unrelated Web sites. For example, if users purchase a product from Company X, Company X may pay an ad network to show ads only to those users.
    Data Append: Advertisers, Publishers or Ad networks may add data to a user profile by overlaying behavioral profile data, purchase or demographic data or other third party data.
    Ad Exchange: Marketplaces that match purchasers of advertising with available ad inventory. Sometimes purchasers may select ad inventory based on data about users.
  • 15. Behavioral Targeting Activities
    Sequencing, frequency capping: An ad will be shown a limited number of times to a unique browser, or in a specified sequence – on one site, across many sites that are similarly branded, across unrelated brands owned by one company or across unrelated sites. This practice is most often not considered behavioral advertising.
    Data Appending: Data from a user’s purchases, online or offline, or other demographic data may be linked to a user’s cookie to enable targeting of the user on a site where the user has registered or transacted or across an ad network.
    Re-targeting: A pixel tag or other code or web beacon on an advertiser’s site enables their ad-server or an ad network to recognize particular users visiting that advertiser’s site and to show an ad on behalf of the advertiser when those users are on other unrelated sites. Data ownership is usually not shared with a third party.
    Cookie Matching: Clickstream data (i.e. web sites visited) linked to one company’s cookie may be matched and added to data from another company’s cookie linked data. For example, a research company which has cookie linked user profiles may overlay the data an ad network has linked to its cookies.
    Behavioral profile development
    Single company: A web site or group of sites owned by one company may mine its log files of user activity to assemble user profiles. A number of leading companies now provide users with the opportunity to opt-out of advertising targeted to activity on their site or related sites.
  • 16. Multiple company: Network advertising behavioral profiles are created when an ad network mines its log files of user activity across unrelated sites over time and assembles user profiles and interest categories that advertisers can target ads against. This is the core activity subject to the Network Advertising Initiative (NAI) Self-Regulatory Guidelines. Sites participating in such behavioral advertising are required to provide a link that provides users with the ability to opt-out of behavioral advertising. When personal data or certain sensitive data is used, an opt-in may be required. Such profiles may also be created by advertisers working with an ad-server to collect data about the Web sites their ads are served on or by purchasers of ad inventory via ad exchanges.
    ISP behavioral advertising: In an emerging business model, ISPs are collaborating with Web sites or ad networks to target users based on clickstream data collected at the ISP.