T RUSTe WHITEPAPER
ONLINE BEHAVIORAL
ADVERTISING:
A C H E C K L I ST O F P R AC T I C E S
TH AT I M PAC T CO N S U M E R T R U ST
FEBRUARY 2009
©2009 TRUSTe. All rights reserved.

Table of Contents
Page
Introduction 3
Online Behavioral Advertising Environment 4
Activities and Business Models 5
Practices that Impact Consumer Trust 7
Checklist for Businesses 8
Glossary of Terms 12
2 ©2009. TRUSTe. All rights reserved.

TRUSTe’s Commitment to Protecting Privacy and Promoting
Online Trust
Introduction
For over a decade, TRUSTe’s mission has been to advance online trust.1 We have
been active in policy discussions with government, businesses and consumers
groups concerning new and evolving online business models and the development
“Businesses can assert leadership of best practices for managing attendant privacy and online trust risks. These policy
roles in defining self-regulatory discussions include the current focus on behavioral advertising and responsible
standards around behavioral information management practices.
advertising data practices that
promote transparency.” In a time of uncertainty in the marketplace, we believe that businesses operating
online have an opportunity to step forward to demonstrate responsibility. Businesses
can assert leadership roles in defining self-regulatory standards around behavioral
advertising data practices that promote transparency, meet consumer expectations for
fairness and assist them in making informed choices when deciding whether to share
information.2
The collection of data through behavioral advertising allows trusted companies to
market to the actual interests of their customers and website visitors, benefitting
consumers, enhancing their online experience, and increasing advertising revenue.
Surveys have shown both that many consumers appreciate targeted advertising to
their interests and that many have privacy concerns about such advertising. Revenues
from advertising also are chiefly responsible for permitting free internet services to
consumers and an open, innovative internet environment. However, these benefits to
consumers and businesses are bounded by the need for online trust in information
management processes, business accountability, and respect for consumer privacy.
As business models for Internet advertising change and roles between publishers and
advertisers and first and third party collection and use blur, the behavioral advertising
environment can be confusing for both consumers and businesses. TRUSTe is providing
a general update on the evolving behavioral advertising environment. It is meant
1
TRUSTe has been active in developing privacy best practices for businesses and by setting rigorous
standards for our seal programs, certifying website privacy, online children’s privacy, e-mail practices,
compliance with the U.S.-EU Safe Harbor framework, and in building a white list of companies and
monitoring their delivery of safe, downloadable software to consumers. We assist businesses in meeting
TRUSTe seal program requirements and also use appropriate compliance and enforcement tools, as
needed, including suspensions, terminations, and referrals to the Federal Trade Commission and other
law enforcement agencies. TRUSTe also protects consumer privacy by providing timely, efficient, and
free dispute resolution services to consumers for privacy complaints concerning TRUSTe sealholder
companies.
2
TRUSTe has been surveying consumers, providing model disclosures for businesses, hosting public
webinars, and sharing emerging best practices and promoting transparency, consumer control and
choice mechanisms with relation to behavioral advertising since 2007. See http://www.truste.com/about/
bt_study.php.
3 ©2009. TRUSTe. All rights reserved.

to be helpful particularly to non-technical individuals with responsibility for policy
development, information management, and corporate privacy practices.
With this paper, we also are providing a practical assessment tool, an information
checklist for businesses to use to understand their own practices and to flag issues
of concern. The information checklist can be used by privacy officers and privacy
professionals, in collaboration with business and marketing program representatives,
information and security officers, and privacy counsel.
Online Behavioral Advertising Environment
At a time when many have blamed the financial system crisis, in part, on a failure of
self-regulation and a lack of transparency, it is appropriate for businesses to review
their accountability processes. Businesses can begin by first scrutinizing their online
practices and ensuring that they fully understand the increasingly complex data
practices involved at their sites.
The online advertising eco-system is evolving to include a wide range of vendors,
intermediaries, networks, affiliates, exchanges and many others who may interact
with user data. Ensuring that businesses understand the practices involved is
essential for privacy compliance planning and to ensure consumer trust. It is also
critical to recognize that consumers expect the brands and the policies of the sites
they are intending to interact with to be responsible for the data exchanged, even
in cases where advertisers, publishers, ad networks and affiliates may have business
relationships that complicate legal and technical responsibility.
Consumers, the Federal Trade Commission (“FTC”) and Congress are expressing
concerns about consumer privacy and information security issues that may be raised
by broad collection and sharing of PII, as well as by use of non-personally identifying
data relating to individual consumers through the tracking of consumers’ online web
browsing activities. Such online collections occur at many company websites that
consumers visit and may be used not only by those websites but shared with a variety
of third parties, such as content providers and advertisers, ad networks, and data
analytics firms.3 Businesses and consumers are often confused by or are unaware of
information processes at the site or sites to which data is transferred.
TRUSTe believes that companies should be familiar with the advertising and data
models that we outline below. Companies will benefit by understanding how they
or their vendors and partners may engage in behavioral advertising activities.
Furthermore, companies that conduct a review of issues flagged in this document will
be better informed and well positioned to understand and react to potential guidance
or changes that may be coming in 2009 from the FTC or legislators.
3
References to ‘sharing’ include data sharing directly by a first party with a vendor or other parties, as
well as data collected about a user (site visitor) at a website by vendors and other parties.
4 ©2009. TRUSTe. All rights reserved.

Self-regulation is a process often preceded by leading companies beginning to
strengthen practices and chart advances that are then more widely adopted. In
particular, companies should be aware of evolving industry practices in the following
areas: 4
• Application of certain privacy principles to some types of non-personal data,
for example, behavioral profiles, cookie IDs or IP addresses.
• Notices about ad-serving and behavioral targeting being provided in banner
“Ensuring that businesses understand
ads or on home pages, in addition to within a privacy policy.
the practices involved is essential for
privacy compliance planning and to
• Choice being provided not only for the sharing of ad-serving data, but with
ensure consumer trust.”
regard to data use by a single company to tailor ads on its own sites.
• The establishment of specific data retention policies and anonymization
techniques for log-file data.
Activities and Business Models
The following is intended to provide a non-technical, high level description of the
technologies and business models involved with a range of online data uses for
advertising, tracking and analysis. Since the business models and policies that may
be considered behavioral advertising range widely, this document seeks to describe
the underlying basics and the tools used. As data is used by different models in
increasingly robust ways to tailor the user experience, those businesses should
pursue opportunities to provide increased levels of transparency and use control to
consumers.
____________________
4
Also note at least two companies that we are aware of provide user access to either
behavioral profile data or cookie analytics data.
5 ©2009. TRUSTe. All rights reserved.

A range of online data exchanges with vendors or with third parties are often relied
upon in order to tailor advertising for users or to understand and improve Web site
usage and performance. For example, analytics companies provide services to Web
sites for analyzing information about their users, including site usage on a unique
visitor (or browser) basis. Data generally is used only on behalf of the primary site.
Vendors may offer services that are “white label”, in that they use the domain of the
primary site, allowing the vendor 1st party treatment by the browser. Data generally is
used only on behalf of the primary site, and vendors may offer services that are “white
label” in that they use the domain of the primary site. Vendors may also use a common
platform which uses a common cookie or domain which could technically be used to
correlate data across many unrelated sites, but is usually restricted by agreement. A
number of companies assist Web sites in learning more about the types of users that
visit their own or other Web sites. Some of these companies will also append their
research data to enhance the data profiles a Web site may build about their own users.
Owners of websites are often categorized as advertisers or publishers. Ad-servers
are companies that provide a hosted service which enables the delivery, tracking and
management of advertising inventory. An ad-server may deliver ads under a contract
with a publisher, an advertiser or an ad network and the relevant data ownership issues
must be addressed with each to ensure the privacy commitments made to users will
be respected. Quite commonly, ads will be contextually targeted, that is delivered on
pages that may be relevant to the content of the ad. At times, an ad will be shown a
limited number of times to a unique browser, or in a specified sequence – on one site,
across many sites that are similarly branded, across unrelated brands owned by one
company or across unrelated sites. This practice known as ‘sequencing’ or ‘frequency
capping’ is most often not considered behavioral advertising.
A web site or group of sites owned by one company may work with an ad-server or
analytics company to mine its respective log files of user activity to target ads for
advertisers. A number of leading companies now provide users with the opportunity to
opt-out of advertising targeted to activity on their site or related sites.
Ad networks sell ads on behalf of groups of publishers. As a result, their services must
recognize a user’s browser across many Web sites. Some companies focus on assisting
advertisers with the practice of placing pixel tags on key areas of their Web site to
enable the advertiser to show an ad specifically to previous site visitors when they are
on other unrelated Web sites. For example, if users purchase a product from Company
X, Company X may pay an ad network to show ads only to those users. Although data
is provided to the ad-server by an advertiser for use elsewhere, the ad-server or ad
network generally may not use the data for any other party other than the advertiser.
Ad networks may or may not have permission to create behavioral profiles of users
from the data they have in their ad-serving log files. That is generally a matter defined
by contract. Network advertising behavioral profiles are created when an ad network
mines its log files of user activity across unrelated sites over time and assembles user
6 ©2009. TRUSTe. All rights reserved.

profiles and interest categories that advertisers can target ads against. This is the core
activity subject to the Network Advertising Initiative (NAI) Self-Regulatory Guidelines.
Under these guidelines, sites participating in such behavioral advertising are required
to provide a link in their privacy policy that provides users with the ability to opt-out of
behavioral advertising. When personal data or certain sensitive data is used, an opt-in
may be required. Data from a user’s purchases online or off-line, or other demographic
data, may be linked to a user’s cookie to enable targeting of the user on a site where
the user has registered or transacted or across an ad network.
“As data is used by different
models in increasingly robust Behavioral profiles may also be created by advertisers working with an ad-server
ways to tailor the user experience, to collect data about the Web sites their ads are served on or by purchasers of ad
those businesses should pursue inventory via ad exchanges. At times, the data ownership and consumer privacy
opportunities to provide increased issues are addressed with contractual or other requirements in place. But of concern
levels of transparency and use
is the lack of industry consensus over the ownership of data gathered by advertiser
control to consumers.”
controlled ad delivery and the resulting effect on accountability to users when
publishers are not aware or where a privacy policy is in conflict with the advertiser or
ad network’s practices.
In an emerging business model, ISPs are collaborating with Web sites or ad networks
to target users based on clickstream data collected at the ISP. Leading ISPs have
committed to conduct behavioral advertising only with user consent.
Ad sales marketplaces, known as ad exchanges, have been created to match
purchasers of advertising with available ad inventory. Sometimes purchasers may
select ad inventory based on data about users.
Practices that Impact Consumer Trust
TRUSTe has previously conducted research and provided general guidance to our
sealholder companies involved with behavioral advertising. In addition, model privacy
policy guidance provided by TRUSTe specifies disclosures and choices related to ad
delivery, analytics and other components of data use that may be related to behavioral
advertising. 5
With this document, we intend to help identify the areas that can assist companies in
understanding the elements involved with behavioral advertising and their information
management and, in doing so, lay out a roadmap for increasing consumer trust. The
following information practices inventory tool is intended to assist advertisers and
publishers engaging in behavioral advertising who wish to ensure they are doing so
in a manner that provides transparency and consumer control. Businesses need to
ensure they are fully informed about the way data related to site visitors is being used
or shared. Web sites should review additional steps to ensure users are comfortable
____________________
5
See http://www.truste.com/about/bt_study.php
7 ©2009. TRUSTe. All rights reserved.

with the way data is being used at sites and consider mechanisms for additional
transparency and consumer control that may be feasible for the particular business
model involved.
Disclosure of tracking and targeting as part of your product or service value
proposition is good business. You may want to provide a “what is this” button to
explain how your customization works, or other means for promoting user enhanced
awareness of tracking or targeting on your site. The best examples of notice and choice
are seamlessly integrated into Web site services and functionality.
Following are detailed points to review at your site and with current and potential
partners who provide services at your site or with whom you may share data. Although
these points are of most significant concern when personal information is involved,
increasingly robust tailoring occurs with a wide range of non-personal data and such
activity should similarly be reviewed. Many of the points we raise will be relevant to
a wide range of data collection or use regardless of technology. Companies should
recognize that the more robust the type of data collection, use or sharing, the greater
the need for consumer transparency and control.
Checklist for Businesses
TRUSTe welcomes feedback on this Checklist. We intend for this tool to be a living
document that will continue to be revised and expanded in 2009. Our aim is to assist
businesses in asking the right questions that will help them understand their own
business operations and build privacy compliance and risk mitigation measures into
their design as they relate to behavioral advertising activities.
Data use: Transparency & Control
• If you are tailoring advertising on your Web site using only information related
to the user’s activity at your site, is it possible to explain the activity to the
user in an obvious manner at the point data is collected or the point it is used?
(For example: ‘These links have been selected for you based on your past
browsing at this site’)
• If not, can a link at the point of collection or use be provided?
(For example: ‘Why this ad? Or “How data about your activity here will tailor
the ads you see.”)
• If advertising is being tailored across sites owned by one company, is there
any common branding such that the user would expect the data to be
available at other commonly owned sites?
Data Sharing and User Choice
• If data is being shared with an ad network for use on unrelated sites, at a
minimum, does the privacy policy explain the sharing of data with an ad
8 ©2009. TRUSTe. All rights reserved.

network? Does the privacy policy provide a link to allow the user to exercise
choice about this sharing or the use of behavioral targeting?
• Is the type of targeting and data appending done by the network, its partners
and advertisers accurately explained?
• If a link is provided to a third party’s choice mechanism, is that mechanism
working?
• If the user is promised that exercising choice will end any tracking, does the
user continue to be assigned a unique Cookie ID that may indicate continued
tracking?
• Does the ad network resell your ad inventory and user data to other networks?
• Does it allow advertisers to pixel the ads delivered to correlate additional data
from third parties?
• Does it allow advertisers to personally recognize their registered users who
view banners at your site?
• Are advertisers permitted to create profiles of users based on the locations on
your site where ads on their behalf were delivered?
• Is this sharing consistent with your site’s privacy policy?
• If the data is not being provided to an ad network for behavioral advertising, is
data being provided to an ad-server so that you can re-target a user after they
have visited your site? Are you aware of or allowing advertisers to use web
beacons or other code in the ads they deliver on your site and thus allowing
tracking and/or retargeting of your users elsewhere? Does your policy reflect
this and provide any choice?
Personal Information
If the policy represents that personal information is not being shared:
• Is an account ID being provided?
• Have steps been taken to ensure this ID isn’t linked to identified users?
• Are efforts being made to link the anonymous ID to third party data which
identifies the user?
• Is data being linked to purchase information, online or offline which identifies
users?
• Are anonymization processes in place to support this activity? Is encryption
used or simple base 64 encoding?
9 ©2009. TRUSTe. All rights reserved

• Is later off-line purchase activity by a user being tied back to the ad
impressions a user viewed at your site?
• If your policy doesn’t allow the sharing of personal data, is there adequate
anonymization in place to support this process?
• Does your P3P policy or your vendors or partners’ policy allow for the type of
information being used or shared?
• What categories of user profiles are being created? Is any potentially sensitive,
specific health, sexuality, race, religion, ethnicity, children’s data involved?
Data Retention/ Security
• How long is user level clickstream data kept by you or your vendors? Is it
segregated or mixed with other client log-files?
• Are IP addresses logged?
• If so, can only a portion of the IP address be logged?
• Does the logged IP address have a shorter retention period than other data?
• Can they be obscured or deleted after the period they are needed? (Note that
some vendors provide such capabilities without any impact to their services.)
Cookies
• Is the expiration date of cookies that are used set at many years in the future?
Is this necessary for the purposes of the data use?
• Can the expiration be set much shorter for the period needed for the
expressed use?
• Is data stored in the cookie?
• If personal data is stored in the cookie is it encrypted?
• Are flash cookies being used? Do you provide specific guidance about how
users can control flash cookies? Note that since standard browser controls do
not relate to flash cookies, using flash cookies for robust purposes, such as
behavioral advertising, will raise concerns about consumer control and choice.
10 ©2009. TRUSTe. All rights reserved

• Can a cookie and domain unique to your site be used instead of one which
potentially links to user activity across sites served by your vendor? Is a “white
label” version of the service feasible for your needs?
• Can the profile be made available to the user by you or by the vendor? Can
the user edit or delete the profile?
• Can a user who looks up the name of a particular cookie and identify the
company that set it and find the privacy policy and practices related to use of
the cookie?
• Can the list of profile categories that are created generally be made available
to provide some transparency?
• Do you assist users with information on how to manage/delete cookies?
• If an ad network is selling your inventory to other ad networks or via an
ad exchange, what steps is it taking to ensure the purchaser respects the
commitments made in your privacy policy?
Additional Risk Issues
• If you are purchasing ads on an ad network, does your contract address
whether your banners may be delivered into adware programs?
• Does your ad network employ any measures to screen and reject adware
that is installed deceptively? (For example, requiring that any downloadable
programs in their network are certified by the TRUSTe Trusted Download
program, or by using scanning and spidering techniques to bar rogue
programs that put you at legal risk in joining the network?)
• If you accept advertising directly or allow ads uploaded by third parties, what
policy or technical steps are taken to screen out banners placed by criminal
“malvertising”companies?
• Do you participate in an affiliate marketing program, offering commissions to
affiliates that generate sales?
• What steps does your affiliate manager take to ensure your offers do not
appear in adware that is installed deceptively? (For example, requiring that
any downloadable programs in their network are certified by the TRUSTe
Trusted Download, or by using scanning and spidering techniques to bar
rogue programs from joining the network?)
• Are you paying commissions to rogue affiliates who are “cookie stuffing” or
triggering invisible pop-ups at your site to illegitimately claim commissions
they are not entitled to?
11 ©2009. TRUSTe. All rights reserved

Glossary of Terms6
Technical Basics
User IP Address: The numerical address assigned by an Internet Access Provider to a
computer connected to the internet. The IP address assigned by an ISP to a user is
often used by advertising and analytics companies for a number of secondary data
purposes including; geo-targeting ads, reporting on the geographic distribution of
users, some analysis or targeting of the business or business type if the IP is one
assigned to a recognized company, and auditing to prove ad delivery and to eliminate
false or fraudulent activity. IP addresses are generally not used for keeping track of
unique users by these companies. IP addresses continue to be described as non-
personal in U.S. privacy policies by businesses that do not have the ability to identify
users by IP address. However, businesses should recognize that since it may be
possible for some parties identify users based on IP address with the cooperation of an
ISP and with legal intervention, a User IP address should be treated with more
sensitivity than other non-personal data they may log.
Cookie ID: A unique number assigned by a Web site or an advertising/analytics
provider to recognize the user’s browser over time. Third party cookies are typically
set by companies or Web servers other than the Web site the user has typed into their
web browser. These cookies are set and read by companies providing services across
many Web sites and therefore provide a record of a user’s activity across the sites they
serve. These companies may or may not have contractual rights to correlate this data
or use it other than for an individual partner. Some companies may store data about
a user on the user’s computer in the cookie file, to enable quick retrieval for targeting
____________________
6
The illustrations here do not attempt to map the specific data flows involved with
behavioral advertising, as in practice they are technically complex, but rather are intended
to give a consumer sense of the nature of the practice involved.
12 ©2009. TRUSTe. All rights reserved

or tracking. Others will use the cookie number to reference data stored in a data base.
While in practice cookies rarely actually last on a user’s computer for a long term,
expiration dates associated with a cookies can extend for as much as 30 years.
Opt-out cookie: A non-unique cookie set to zero or null so that a user will not be
targeted or tracked. Ad networks involved in behavioral advertising may be subject to
requirements to require the Web sites they serve to provide a link to a page allowing
users to set an op-out cookie as a way of providing users a choice to opt-out of
behavioral advertising.
Ad tag: Code on a Web page that directs a user’s browser to present itself to servers
used for ad delivery. This code may also dynamically pull information the site has about
the user and insert it in the information the user’s browser provides to the ad-server.
Pixel tag or Web beacon: Code on a page intended to direct a user’s browser to visit a
server so that data about the user’s visit can be used.
Ad Call: The request for an ad made by an advertisement, which is used to provide
information about the Web site, the ad campaign, data about the user the site may
have and the technical data the ad-server will log. Data the ad-server may log can
include, among other items, a cookie ID, the site the user is visiting, an IP address, the
referring url, or a search query that may have been entered. The ad call may also re-
route the user’s browser to a third or fourth server which will also log or add data to
the process.
Key Value: A piece of information about a registered user that a Web site may pass
to an ad-server. In some cases, account IDs corresponding to identified or registered
users may be passed to an ad-server or analytics company. The ad-server or analytics
company may or may not have the ability to decode the user ID.
Log File: The data record stored on a web server when a user’s browser visits a Web
site. Some data may be used instantly by an ad-server to deliver an ad. Other data may
be mined from the stored log file in order to create reports or to create a user profile
by using the consistent cookie ID to pull together information about a user across time
and sites.
13 ©2009. TRUSTe. All rights reserved

Sample Business Models and Related Services
Analytics: Services that analyze information about users, including metrics such as
unique visitors and site usage. Data generally is used only on behalf of the primary site,
and vendors may offer services that are “white label” in that they use the domain of the
primary site. Vendors may also use a common platform which uses a common cookie
or domain which could technically be used to correlate data across many unrelated
sites, but is usually restricted by agreement.
Research: Services that describe types of users that visit Web sites. Some of these
companies will also append their research data to enhance the data profiles a Web site
may build about their own users.
Ad-Server: Provides a hosted service which enables the delivery, tracking and
management of advertising inventory. An ad-server may deliver ads under a contract
with a publisher, an advertiser or an ad network and the relevant data ownership issues
must be addressed with each to ensure the privacy commitments made to users will
be respected.
Ad Network: Sells ads on behalf of groups of publishers and as a result must recognize
user’s browser across many Web sites. Ad network’s may or may not have permission
to create behavioral profiles of users from the data they have in their ad-serving log
files.
Behavioral Ad Network: Requires publishers to allow the network to re-target users for
advertisers and/or to created behavioral profiles of users.
Re-Targeting Network: Places pixel tags or other code on key areas of client Web
sites to enable the advertiser to show an ad specifically to previous site visitors when
they are on other unrelated Web sites. For example, if users purchase a product from
Company X, Company X may pay an ad network to show ads only to those users.
Data Append: Advertisers, Publisher or Ad networks may add data to a user profile by
overlaying behavioral profile data, purchase or demographic data or other third party
data.
Ad Exchange: Marketplaces that match purchasers of advertising with available ad
inventory. Sometimes purchasers may select ad inventory based on data about users.
14 ©2009. TRUSTe. All rights reserved

Behavioral Targeting Activities
Sequencing, frequency capping: An ad will be shown a limited number of times to
a unique browser, or in a specified sequence – on one site, across many sites that are
similarly branded, across unrelated brands owned by one company or across unrelated
sites. This practice is most often not considered behavioral advertising.
Data Appending: Data from a user’s purchases, online or offline, or other demographic
data may be linked to a user’s cookie to enable targeting of the user on a site where
the user has registered or transacted or across an ad network.
Re-targeting: A pixel tag or other code or web beacon on an advertiser’s site enables
their ad-server or an ad network to recognize particular users visiting that advertiser’s
site and to show an ad on behalf of the advertiser when those users are on other
unrelated sites. Data ownership is usually not shared with a third party
Cookie Matching: Clickstream data (i.e. web sites visited) linked to one company’s
cookie may be matched and added to data from another company’s cookie linked
data. For example, a research company which has cookie linked user profiles may
overlay the data an ad network has linked to its cookies.
Behavioral profile development
Single company: A web site or group of sites owned by one company may mine its
log files of user activity to assemble user profiles. A number of leading companies now
provide users with the opportunity to opt-out of advertising targeted to activity on
their sites or sites.
15 ©2009. TRUSTe. All rights reserved

Multiple company: Network advertising behavioral profiles are created when an
ad network mines its log files of user activity across unrelated sites over time and
assembles user profiles and interest categories that advertisers can target ads against.
This is the core activity subject to the Network Advertising Initiative (NAI) Self-
Regulatory Guidelines. Sites participating in such behavioral advertising are required to
provide a link that provides users with the ability to opt-out of behavioral advertising.
When personal data or certain sensitive data is used, an opt-in may be required.
Such profiles may also be created by advertisers working with an ad-server to collect
data about the Web sites their ads are served on or by purchasers of ad inventory via
ad exchanges.
ISP behavioral advertising: In an emerging business model, ISPs are collaborating with
Web sites or ad networks to target users based on clickstream data collected at the
ISP.
16 ©2009. TRUSTe. All rights reserved