Online Data Tracking and Privacy

Online privacy is a hot button these days. Privacy advocates and lawmakers are putting a lot of pressure on several large internet companies such as Google, Microsoft and Yahoo to be transparent about how they intend to use users web surfing data (behavior). Mainly they are concerned with the companies that collect a huge amount of user data and then engage in Behavioral Targeting.

However online data tracking is not limited to companies who engage in Behavioral Targeting. Any companies which collects users’ web surfing data or user provided data needs to make sure do not compromise user privacy (actual or perceived). They need to clearly state how they are collecting data and how that data will be used.
Enterprise web analytics tools like Omniture, WebTrends, Coremetrics etc and free tools like Google Analytics and Yahoo IndexTools have made it very easy for website owners of any size to track users’ online behaviors. Most of the web analytics tools use a first party anonymous cookie to track users and their behaviors on any given site.

Side Note: The data is called anonymous because it mainly uses a cookie value to indentify a user (there are other ways which I am not covering in this post) without knowing who the actual user is. Say John Doe arrives on AnilBatra.com, a web analytics tool will drop a cookie with a random id say 123ASXBA12. This cookie id is not tied to any personally identifiable information (see below) of John Doe. So Web Analytics tools (in most cases) do not know who the person is, they just know that cookie id 123ASXBA12 came to the site. They use this id to track current and future site visits.

Even if the data is anonymous the potential of it being tied to personally identifiable information is there and that can cause privacy concerns. It is critical that every company that collects any sort of consumer data, anonymous or personal, needs to clearly state its data collection and usage policy in its site’s privacy policy.

Usually Web Analysts do not tackle this issue and it is left to the legal department. However, a lot of times the web analytics tracking and any kind of targeting is implemented without getting legal involved. As a result companies sometimes do not have proper privacy policy in place. This is a huge blunder, companies need to take privacy issues seriously and pay due attention to their privacy policy.

Do we need Privacy policy even though we use Third Party Web Analytics Tool and they collect the data.

It does not matter who is collecting the data. The data is collected on your site and is collected on your behalf so you are responsible for clearly stating how you are collecting and using the data.
Those who use Google Analytics, need to be aware that Google Analytics requires such disclosures. Here is what Google Analytics states in its Terms of Service

You will have and abide by an appropriate privacy policy and will comply with all applicable laws relating to the collection of information from visitors to Your websites. You must post a privacy policy and that policy must provide notice of your use of a cookie that collects anonymous traffic data.

Tracking Personally Identifiable Data

In simple terms Personally Identifiable Information (PII) can identify a particular user, example last name, first name, email address etc. Most of the commercial Web Analytics Tools have the capability to track Personally Identifiable Information. In other tools such as Omniture, Webtrends etc. you can pass the personally identifiable information either via JavaScript variables or via importing an outside file which ties the anonymous cookie with identifiable information.
If you collect or track PII data then it becomes even more important that you disclose what information you are collecting or tracking and how you intend to use that information. Before you start collecting PII information, think hard what information you need and why you need it. Once you have figure out the information then make sure to fully disclose it on your site’s privacy policy.
I am a big supporter of giving users an opt-in option before using PII data for tracking and targeting. If you do decide that opt-in is not the right for your business model then at least provide an easy way for users to opt-out from being tracked and targeted using PII information.

Note: Google Analytics does not allow any Personally Identifiable information to be tracked via Google Analytics, period. Here is what Google Analytics Terms of Service says:

You will not (and will not allow any third party to) use the Service to track or collect personally identifiable information of Internet users, nor will You (or will You allow any third party to) associate any data gathered from Your website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service.

Google Analytics even considers IP address as PII. It uses IP address to populate Geo Report but will not show IP address in any report. Other tools such as Omniture, WebTrends etc. can display IP and other PII data.

Optimization and Privacy

Most of the Optimization (A/B and Multivariate Testing) tools allow you to segment users based on IP, cookie or user provided data. For examples if you want to test a page on Males, age 35-45 from Redmond, WA, then you need to collect data from users so that you can create the right segment to test. However this type of data crosses the line of PII data, even though there could be thousands of users in that segment it can be used to identify a particular user. So make sure you are clear in your privacy policy that you might be (or are) using the data to test the optimal layout of the page and provide a better experience etc.

Examples of good privacy policies
Smart Money
Amazon.com
Proflowers.com

As marketers and web analysts lets do our part, let’s make sure to be clear and forthcoming in our privacy policies.

Also see Jim Stern’s view on giving users the control on privacy.

Questions? Comments?

——————————————————————————–
Site: AnilBatra.com

Twitter: http://www.twitter.com/anilbatra

——————————————————————————–
Looking to fill your Web Analytics or Online Marketing position? Try WebAnalytics Job Board

New Position

(Web Sales) Conversion Marketing Manager at Hewlett Packard (American Fork, UT)

Opt-out from Google and Yahoo Ad Network

Online tracking and advertising based on users’ online behavior have got a lot of heat and scrutiny from privacy advocates and lawmakers.

As a result of this scrutiny Yahoo and Google/Doubleclick are now both providing an easy way for user to opt-out of ad targeting on their receptive networks. Yahoo and Doubleclick were part of Network Advertising Initiative (NAI) and allowed users to opt-out from their network via NAI’s opt-out tool.

Google

To find out more about Google network cookie and how to opt-out visit http://www.google.com/privacy_ads.html

Since a lot of you are working in the field of web analytics, you must be wondering how google opt-out will affect the data tracked in web analytics. The simple answer is that this option will not affect Google Analytics. A first party cookie from the site using Google Analytics is used for tracking user behavior on the site using Google Analytics, this cookie is separate from Google ad network cookie. According to Google

“A different cookie is used for each website, and visitors are not tracked across multiple sites…. To disable this type of cookie, some browsers will indicate when a cookie is being sent and allow you to decline cookies on a case-by-case basis. “

Yahoo

Yahoo has been offering that opt-out option for the ads the company runs on it outside partner sites in its network. Yahoo will now extend opt-out option to ads displayed on its own sites. You can read more about this option.
Below is excerpt from Yahoo Press release

Anne Toth, head of privacy and VP for policy, said, “Yahoo! understands the trust of our users is our greatest asset, so we strive to create the most trusted, compelling online experience.”
“Yahoo! strongly believes that consumers want choice when customizing their online experience and they have also demonstrated a strong preference for advertising that is more personally relevant to them,” continued Toth. “However, we understand that there are some users who prefer not to receive customized advertising and this opt-out will offer them even greater choice.”
This new opt-out capability is expected to be available for consumers by the end of August. Users will be able to access the opt-out in the Yahoo! privacy center, which is linked on the home page and nearly every page on the Yahoo! network. Users will also be able to access the opt-out through a link in the public service advertising campaign Yahoo! has been running with online ads across its network to educate users about customized advertising.

Yahoo and Google have taken the steps in right direction but they are not perfect. As I wrote before, both these models are dependent on an opt-out cookie. If you opt-out of these networks and later delete your cookies you will again be automatically opted-in. I have advocated an opt-in model for Behavioral Targeting. This model will remove this dependence on cookie for opt-out. I do realize publishers and ad-networks concern that opt-in model will limit the reach. It is possible that the opt-in model might limit the reach initially but in long run if the value proposition is strong for users then user will opt-in.

What do you think?

——————————————————————————–
Looking to fill your Web Analytics or Online Marketing position? Try WebAnalytics Job Board
New Position
Web Data Analyst at Alzheimer’s Association (Chicago, IL)
———————————————————————————

Consumer Attitude towards Behavioral Targeting

A recent report titled Behavioral Targeting Attitudes:The Privacy Issue by eMarketer, explored consumers attitude towards online tracking and behavioral targeting. There was a similar study by TRUSTe in April. This report builds on that study and few other surveys and provides an analysis of the consumers attitude toward Behavioral Targeting.

The conclusion of this report was exactly what I have been advocating. According to the report

online marketers might do well to develop transparent methods of letting the audience know when and how their Web history data will be used, the benefits they can receive in exchange for allowing it to be used and a clear, easy opt-in mechanism for informed consent.

I shared similar views in my post titles 5 Step Process to Ease Privacy Concerns Regarding Behavioral Targeting.

The key question this report tackles are

• What will encourage people to accept more ad targeting?
• Are consumer privacy concerns a deal breaker for
  behavioral targeting?
• How much transparency will marketers need to allay
  consumer concerns?
• Are all methods of behavioral targeting data collection equal?
• Will the government limit how online companies can use
  consumer data?

Some of the highlights of this report are

1. Over 87% of the respondents to TRUSTe survey said that at least three quarter of the online ads are irrelevant
2. 41% of the users are more willing to pay attention to personalized advertising
3. 75% of internet users are interested in receiving personalized ads
4. 59% of the respondents to Harris Interactive Poll responded that they are not comfortable with ads or content targeted to their personal interests based on their internet usage

The above findings create an interesting dilemma for marketers. Consumers want relevant ads but are not comfortable with being tracked. However, it also provides an opportunity for Behavioral Targeting companies to step up and innovate new ways to provide relevant ads while easing the concern about tracking.

Marketers and privacy officer’s need to keep in mind that the negative attitude towards tracking and targeting is not limited to Behavioral Ad networks such as Tacoda and Revenue Science etc but it also applies to content targeting and on-site targeting provided by tools such as Test&Target by Omniture, Optimost/Interwoven etc.

You can get the full report at http://www.emarketer.com/Article.aspx?id=1006407

Comments?

——————————————————————————–
Looking to fill your Web Analytics or Online Marketing position?
Try WebAnalytics360 Job Board

New Position

Mktg Web Analytics Manager at NetApp (Sunnyvale, California)
———————————————————————————

Privacy of Online Data – Debate Continues

Today a U.S. Senate committee summoned representatives of several internet companies like Google, Microsoft, Facebook and also NebuAd, and expressed its concerns about the user privacy resulting from online data collection and targeting. (Source: LATimes)

This committee was led by Sen. Byron Dorgan (D- North Dakota), who said “I don’t have the foggiest idea who’s tracking it, how they’re tracking it, how they might use it, whether that company has some scruples and might be very careful about how it handles it, or whether it’s somebody else who grabs a hold of it…. There are so many unanswered questions about information on how people navigate this Web.”

NebuAd and ISP based Behavioral Targeting

NebuAd, which has been on the hot seat lately, defended its position by maintaining that it does not violate the privacy of the consumer as it strips out any personally identifiable information from the data it uses.
“NebuAd’s systems are designed so that no one, not even the government, can determine the identity of our users”, Dykes, CEO of NebuAd said. “We do not collect or use personally identifiable information. … We do not store raw data linked to identifiable individuals. And we provide state-of-the-art security for the limited amount of information we do store.”

But Leslie Harris, president of the Center for Democracy and Technology, said the increasingly detailed profiles NebuAd and other companies keep could be linked to specific people.

Senators Understand the Benefits of Online Advertising

Dorgan and other senators said that they understand the benefits of online advertising. Their worries are with the security of the data used to deliver those ads.

Sen. Amy Klobuchar (D-Minn.) said “We’re not against advertising on the Internet, but the issue is, as it becomes more sophisticated, do we have a role here to play in making sure that consumers’ privacy is protected as companies develop more technology and are able to dig deeper into that information?”

And…debate continues….

Comments?

Death of ISP based Behavioral Targeting?

Last month Charter Communications, an internet service provider (ISP), announced that it will share it’s customers web browsing data with NebuAd, to show ads based on customer’s web browsing behavior. NebuAd has developed a product know as “deep-packet inspection boxes” for ISP to track user behavior online and then serve ads based on these behaviors.

Since announcement, Charter Communications have come under pressure from privacy advocates and Congress. According to an article in Mediapost, Charter Communications has now delayed its plans to start sharing information with NebuAd.

I wrote a blog post on NebuAd when I first heard about it. In that post I talked about the privacy issues that ISP based BT raises.There has been a lot of concern regarding privacy of user when it comes to Behavioral Targeting. ISP based BT raises this concern to even a higher level.

I wrote: “This kind of technology is beyond simply using anonymous tracking. ISP do have a lot more information than just the browsing behavior. They have name, location, age, social security number (SSN). They know what time users login to their machine, when is the internet being used, what kind of sites are visited at what times, which sites provided information before a user made a purchase etc. etc. This is far more information than companies like Revenue Science or Tacoda has.”

In response to my post I got the following response from NebuAd:

“Below are a couple of quick points from NebuAd’s CEO Bob Dykes to explain and clarify some of the information.

There is no information shard between NebuAd and the ISPs – the only involvement between the two is the agreement that lets NebuAd place the appliance in the ISPs network. To further ensure privacy, NebuAd does not collect the websites visited and map those back to the specific user. Instead it converts, via an appliance located in the ISPs network, the key user identifiers, such as IP addresses, to a one way random number so that the central servers see this and not the original identifier.

NebuAd works by listing categories (e.g. “Cars – SUV – Lexus”) and noting if random number goes to a site, or perform a search, that is related to the category. If yes, then it notes that interest mapped to the random number, but do not map the URL’s visited, just the interest. This is why, since it doesn’t even have the info on sites visited, there’s no mechanism to map the random number to specific URLs

Since NebuAd and the partner ISPs do not exchange data, the ISPs do not see the categories each random number visits, and NebuAd does not receive specific customer information, so there is no way for either NebuAd or the ISPs to match specific customer information with even the categories of information associated with the randomized numbers. NebuAd also does not retain the raw data mapped back to the anonymous user profiles.”

However, Free Press conducted an investigation of NebuAd technology and tracking and concluded

“that NebuAd’s advertising hardware monitors, intercepts and modifies the contents of Internet packets using Transmission
Control Protocol on Internet Protocol (TCP/IP). In doing so, NebuAd commandeers users’ Web browsers and collects uniquely identifying tracking cookies to facilitate its advertising model. Apparently, neither the consumers nor the affected Web sites have actual knowledge of NebuAd’s interceptions and modifications.

NebuAd exploits several forms of “attack” on users’ and applications’ security, the use of which has always generated considerable controversy and user condemnation, including browser hijacking, cross-site scripting and man-in-the-middle attacks. These practices — committed upon users with the paid-for cooperation of ISPs — violate several fundamental expectations of Internet privacy, security and standards-based interoperability. Moreover, NebuAd violates the Internet Engineering Task Force (IETF) standards that created today’s Internet where the network operators transmit packets between end users without inspecting or interfering with them. For example, the TCP protocol would normally not accept code from a source that is a third party from the client-server connection. NebuAd engages in packet forgery to trick a user’s computer into accepting data and Web page changes from a third party like NebuAd.”

In March, three British ISPs got into a similar controversy and now NebuAd.

Is this the death of ISP based behavioral targeting before it even got started?

We will have to wait and see. For now, it looks like that for ISP based behavioral targeting to live it will have to prove that it is not doing anything sinister. I have said time and again that BT companies should ask explicit permission from user i.e. they should ask them to opt-in instead of automatically opting them in.

What do you think?

——————————————————————————–
Looking to fill your Web Analytics or Online Marketing position?
Try WebAnalytics360 Job Board

New Positions
1. Director, Web/E-Commerce Analytics at World Wrestling Entertainment, INC (Stamford, Connecticut)
2. Sr. Web Analytics Manager at NY Times Company (New York, New York)
——————————————————————————–

Consumer Awareness and Attitudes about Behavioral Targeting

TRUSTe conducted a study regarding American Internet users’ knowledge, attitudes and concerns about behavioral targeting and its implications on their online privacy.

Here are the highlights of the study

• There is high level of awareness that internet activities are being tracked for purposes of targeting advertising.
• High level of concern associated with that tracking, even when it isn’t associated with personally identifiable information.
• 71 percent of online consumers are aware that their browsing information may be collected by a third party for advertising purposes, but only 40 percent are familiar with the term “behavioral targeting.”
• 57 percent of respondents say they are not comfortable with advertisers using that browsing history to serve relevant ads, even when that information cannot be tied to their names or any other personal information.
• 91 percent of respondents expressed willingness to take necessary steps to assure increased privacy online when presented with the tools to control their internet tracking and advertising experience.
• Nearly two-thirds (64 percent) would choose to see online ads only from online stores and brands that they know and trust and 44 percent of respondents would click buttons or icons to make that happen.
• To the contrary, 42 percent of the respondents say they would sign up for an online registry to ensure that advertisers are not able to track browsing behaviors, even if it meant that they would receive more ads that are less relevant to their interests.

What do these results mean for Behavioral Targeting?

1. As I have written before there needs to be education about what Behavioral Targeting is and how it impacts consumers.
2. A Brand has to build trust with consumers and then only can they venture into behavioral targeting. Amazon.com is a perfect example. I have talked to several people who don’t mind targeting by Amazon, though recognize that Amazon needs to improve on what criteria it uses for targeting.
3. 91 percent indicated willingness to take steps to control their tracking and advertising experience indicates a strong preference towards an opt-in model which I have advocated several times in previous blog posts.

So if you want to enagage in Behavioral Targeting, online advertising or On-Site, here is my quick 5 steps process

1. First build a trust with your consumers.
2. Educate them what Behavioral Targeting is and how you collect the data and use it.
3. Provide them a compelling reason to allow you to collect their data.
4. Build an opt-in model allowing users to control what data they want you to use.
5. Give users a way to easily opt-out of Behavioral Targeting.

Comments?

User Data and Behavioral Targeting

One New York assemblyman, Richard L. Brodsky, has drafted a bill that would make it a crime — punishable by a fine to be determined — for certain Web companies to use personal information about consumers for advertising without their consent.
There are essentially two main things in this bill

1. Opt-out for anonymous user behavior: It will force Web sites to give consumers obvious ways to opt out of advertising based on their browsing history and Web actions.
2. Opt-in for using PII data : Users would also have to give explicit permission before these companies could link the anonymous searching and surfing data from around the Web to information like their name, address or phone number.

My prediction about Behavioral targeting and privacy is coming true. Earlier this year, in my yearly predictions I said that this is year we will see a greater push for consumer’s privacy.
Here is what I said
“Behavioral Targeting will continue to grow this year; however, there will be greater push for protecting consumer privacy. The privacy concerns will result in:

1. Clear instructions (or links) on Behaviorally Targeted Ads that will allow behaviorally targeted visitors to opt-out of Behaviorally Targeted advertising
2. Opt-in system – Some networks (maybe new ones) will move towards opt-in rather than opt-out (I favor opt-in over opt-out as I wrote in past. So I am making this prediction that this year networks will pay attention to it). A new types of networks or services might come up which will allow users to be an active participant in BT and control who can use their online behavioral data and how they can use it.”

Use of customer’s data without their consent created an uproar in UK last week. In response to the mess created by Phorm and British telecom, Sir Tim Berners-Lee said that his data and web history belonged to him.
He said “It’s mine – you can’t have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I’m getting in return.”

This is just the beginning; I think, we will see greater push for consumer privacy as consumers become educated about how their data is being used to target them. I think it is time for publishers and ad networks to be proactive about educating customers on how their data is being used and give them clear options to opt-out (or better opt-in) of any targeting.

I am big proponent of Behavioral Targeting and Personalization but it has to be with user’s consent.

Comments? Questions?

Unnecessary Outcry over Adobe CS3 and Omniture Tracking

On Dec 26th a blog post on Uneasysilence.comshowed that when a user launches CS3 suite adobe calls a server on Omniture. According to the article
When you launch a CS3 application the application pings out to what looks like an IP address – and internal IP address: 192.168.112.2O7.

This created a lot of paranoia among Adobe users and led to a lot of blog posts and comments on these blog posts (Also see http://valleywag.com/338011/wear-tinfoil-hats-when-using-adobe-products). Everybody started talking about how evil adobe is and so on. It appears that we, Web Analytics community and online marketers, have a huge task of educating users about Web analytics tracking and quelling this kind of paranoia.

Finally one product manager from Adobe stepped up to clear all the confusion.

Adobe Product manager wrote a reply on Adbobe Blog. Here is what he wrote:
According to Doug Miller from the Adobe.com team, “Omniture is Adobe’s web analytic vendor for Adobe.com. There are only 3 places we track things via Omniture anywhere in or around our products.”:

• The welcome screens (these things) in some Adobe apps include a Flash SWF file that loads current news, special offers, etc. These requests hit Adobe.com servers and are logged, like regular browser-based traffic, by Omniture.
• Adobe Bridge embeds both the Opera browser and the Flash Player, both of which can be used to load Adobe-hosted content. These requests are also logged.
• Adobe apps can call various online resources (online help, user forums, etc.), and those requests are logged. [Update: To clarify, those contacts are made only if the user requests them--e.g. by choosing Help->Adobe Exchange.]

This, as far as I’ve been able to discover, is the extent of the nefarious “spying.” If I learn anything else when more people get back on email, I’ll update this post.

Let me start by saying that the kind of tracking Adobe appears to be doing is pretty harmless to you end users. Now let me ask a question to all these people, who became so paranoid about Adobe and Omniture Tracking. “Do you know that you are being tracked at a lot of places?” I am sure you have done one or more of the following

Connected to the internet – Do you know that ISP track of what you do online? You should read my blog post titled “ISP Based Behavioral Targeting.
Visited any site on the internet? – A lot of sites (and in fact they all should) track user behavior to create a better experience for users and to help them in their business goals.
Installed a toolbar – Do you know that their activity is being tracked by toolbars you install?
Used any social networking site where they volunteered all sorts of information.
Used a credit card. – Yes they have whole history of what you bought, when and where.
Bought a product on any major retail chain, used a credit card or a club card. – They keep track of what you buy, when and where too.

Since you are tracked everywhere, why is there a paranoia about being tracked by Adobe? Actually the kind of tracking Adobe is doing is not even close to the information you are giving away via other activities (some of them mentioned above). The kind of tracking adobe is doing is to understand the usage of their sites and provide a better experience for the users. The way I understand, Adobe is looking at user behavior at an aggregate level and not at an individual level, most of the companies doing web analytics do not look at individual user behavior. Most of the web analytics tools, like Omniture, use an anonymous cookie to track user behavior. This anonymous tracking usually looks at aggregated data for entire user base (or few segments) instead of an individual and hence do not invade your privacy.
So I request you to stop this paranoia about tracking by web analytics tools. They are helping you to have a better experience on the web.

Note: I am not associated with Adobe in any way. I have never worked for them in any capacity and do not know anybody personally at Adobe.

Comments?

FTC Proposes Behavioral Advertising Privacy Principles

To address consumer privacy concerns associated with Behavioral Targeting FTC proposed privacy principals.

The purpose of this proposal is to encourage more meaningful and enforceable self-regulation to address the privacy concerns raised with respect to behavioral advertising. In developing the principles, FTC staff was mindful of the need to maintain vigorous competition in online advertising as well as the importance of accommodating the wide variety of business models that exist in this area,” according to its proposal “Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles. The proposal states that behavioral advertising provides benefits to consumers in the form of free content and personalized advertising but notes that this practice is largely invisible and unknown to consumers.

Below are the principal they proposed:

• Every Web site where data is collected for behavioral advertising should provide a clear, consumer-friendly, and prominent statement that data is being collected to provide ads targeted to the consumer and give consumers the ability to choose whether or not to have their information collected for such purpose.

  Sooner or later that is going to be almost every site that you encounter. Since there is no common definition of Behavioral Targeting any targeting (since it will uses onsite behavior, geo or any data collected from users ) can be considered behavioral targeting.

  Give consumers the ability to choose whether or not to have their information collected for such purpose – it is not clear if they mean opt-in or opt-out.

  I am in favor of providing an opt-in instead of opt-out. In my post on Google and Doubleclick privacy concerns, I wrote:
  I believe that if consumers are provided proper education (I will write about consumer benefits in one of my future posts) than they can infect benefit from Behavioral Targeting. It will be a win-win situation for all the parties involved. Proper education and disclosures by advertisers, publishers and networks will ease the concerns regarding Behavioral Targeting. Consumers have the right to opt out of Behavioral Targeting but what is lacking is proper education on how to do so. The networks currently opt-in users by default; however, in my opinion the proper process should be opt-out by default and opt-in if user chooses to opt-in, just like we do for emails and newsletters. This process will move the burden from users to the advertisers, publishers and networks.

• Any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.

  “Reasonable” is very vague since every company can define it’s own explanation of reasonable.

• Companies should obtain affirmative express consent from affected consumers before using data in a manner materially different from promises the company made when it collected the data.

  This is to safeguard against changing privacy policies. Since almost all the privacy policies have a clause which says something like “We reserve the right to change this privacy policy. New privacy will be posted on this page”. It is hard for consumers to keep track of what has changed since they agreed to the privacy policy.

• To address the concern that sensitive data – medical information or children’s activities online, for example – may be used in behavioral advertising, FTC staff proposes:
  • Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising.
  • FTC staff also seeks comment on what constitutes “sensitive data” and whether the use of sensitive data should be prohibited, rather than subject to consumer choice.

  My opinion: Sensitive data should be prohibited. However it won’t be easy to define what constitutes sensitive data especially when it has to apply to various countries and cultures. Sensitive information in one country might not be sensitive in another country or culture.

Comments? Questions?

NebuAd’s response to my blog post Part II

In response to my post on ISP based Behavioral Targeting, I got 2 response from NebuAd, one of them was posted at http://webanalysis.blogspot.com/2007/12/nebuads-response-to-my-blog-postin.html. The latest response is for one of the issue that was not answered in previous response:

The ISPs are completely passive in NebuAd’s model. In addition, there is no pop under, and the ads NebuAd sells to do not take over the publisher’s inventory. More specifically, NebuAd’s technology does not include any type of overlays that affect publisher content or ad inventory without their knowledge.

Consumers do not see any more ads than they would otherwise see, and they are standard ad types, such as banners ads displayed only where you would expect to see them. The use of pop-ups and pop unders remains a publisher decision. With NebuAd’s solution, the ISP role is completely passive. They merely allow NebuAd’s equipment to reside on their network and are not involved in the advertising process. No data is shared between the ISP’s data systems and NebuAd’s data systems

NebuAd purchases online display inventory from publishers, mainly through leading ad networks. Targeted advertising that the consumer sees is placed there on the ad inventory that the publishers regularly sell to ad networks. These ad networks work with NebuAd to identify and deliver the right ad for the right user, allowing for the publisher to get a higher price from the advertisers who want the targeting. NebuAd’s revenue is generated by advertising sales during this process – the ISPs do not sell any of the advertising.