truste whitepaper- a checklist of practices that impact consumer trust

ONLINE BEHAVIORAL ADVERTISING:

©2009 TRUSTe. All rights reserved.

A CHECKLIST OF PRACTICES THAT IMPACT CONSUMER TRUST

FEBRUARY 2009

TRUSTe WHITEPAPER

Table of Contents

Introduction Online Behavioral Advertising Environment Activities and Business Models Practices that Impact Consumer Trust Checklist for Businesses

Glossary of Terms

2 ©2009. TRUSTe. All rights reserved.

Page

3

4

5

7

8

12

TRUSTe’s Commitment to Protecting Privacy and Promoting Online Trust

Introduction

For over a decade, TRUSTe’s mission has been to advance online trust.1 We have

been active in policy discussions with government, businesses and consumers

groups concerning new and evolving online business models and the development

of best practices for managing attendant privacy and online trust risks. These policy

discussions include the current focus on behavioral advertising and responsible

information management practices.

In a time of uncertainty in the marketplace, we believe that businesses operating

online have an opportunity to step forward to demonstrate responsibility. Businesses

can assert leadership roles in defining self-regulatory standards around behavioral

advertising data practices that promote transparency, meet consumer expectations for

fairness and assist them in making informed choices when deciding whether to share

information.2

The collection of data through behavioral advertising allows trusted companies to

market to the actual interests of their customers and website visitors, benefitting

consumers, enhancing their online experience, and increasing advertising revenue.

Surveys have shown both that many consumers appreciate targeted advertising to

their interests and that many have privacy concerns about such advertising. Revenues

from advertising also are chiefly responsible for permitting free internet services to

consumers and an open, innovative internet environment. However, these benefits to

consumers and businesses are bounded by the need for online trust in information

management processes, business accountability, and respect for consumer privacy.

As business models for Internet advertising change and roles between publishers and

advertisers and first and third party collection and use blur, the behavioral advertising

environment can be confusing for both consumers and businesses. TRUSTe is providing

a general update on the evolving behavioral advertising environment. It is meant

1 TRUSTe has been active in developing privacy best practices for businesses and by setting rigorous

standards for our seal programs, certifying website privacy, online children’s privacy, e-mail practices,

compliance with the U.S.-EU Safe Harbor framework, and in building a white list of companies and

monitoring their delivery of safe, downloadable software to consumers. We assist businesses in meeting

TRUSTe seal program requirements and also use appropriate compliance and enforcement tools, as

needed, including suspensions, terminations, and referrals to the Federal Trade Commission and other

law enforcement agencies. TRUSTe also protects consumer privacy by providing timely, efficient, and

free dispute resolution services to consumers for privacy complaints concerning TRUSTe sealholder

companies. 2 TRUSTe has been surveying consumers, providing model disclosures for businesses, hosting public

webinars, and sharing emerging best practices and promoting transparency, consumer control and

choice mechanisms with relation to behavioral advertising since 2007. See http://www.truste.com/about/

bt_study.php.

“Businesses can assert leadership

roles in defining self-regulatory

standards around behavioral

advertising data practices that

promote transparency.”


to be helpful particularly to non-technical individuals with responsibility for policy

development, information management, and corporate privacy practices.

With this paper, we also are providing a practical assessment tool, an information

checklist for businesses to use to understand their own practices and to flag issues

of concern. The information checklist can be used by privacy officers and privacy

professionals, in collaboration with business and marketing program representatives,

information and security officers, and privacy counsel.

Online Behavioral Advertising Environment

At a time when many have blamed the financial system crisis, in part, on a failure of

self-regulation and a lack of transparency, it is appropriate for businesses to review

their accountability processes. Businesses can begin by first scrutinizing their online

practices and ensuring that they fully understand the increasingly complex data

practices involved at their sites.

The online advertising eco-system is evolving to include a wide range of vendors,

intermediaries, networks, affiliates, exchanges and many others who may interact

with user data. Ensuring that businesses understand the practices involved is

essential for privacy compliance planning and to ensure consumer trust. It is also

critical to recognize that consumers expect the brands and the policies of the sites

they are intending to interact with to be responsible for the data exchanged, even

in cases where advertisers, publishers, ad networks and affiliates may have business

relationships that complicate legal and technical responsibility.

Consumers, the Federal Trade Commission (“FTC”) and Congress are expressing

concerns about consumer privacy and information security issues that may be raised

by broad collection and sharing of PII, as well as by use of non-personally identifying

data relating to individual consumers through the tracking of consumers’ online web

browsing activities. Such online collections occur at many company websites that

consumers visit and may be used not only by those websites but shared with a variety

of third parties, such as content providers and advertisers, ad networks, and data

analytics firms.3 Businesses and consumers are often confused by or are unaware of

information processes at the site or sites to which data is transferred.

TRUSTe believes that companies should be familiar with the advertising and data

models that we outline below. Companies will benefit by understanding how they

or their vendors and partners may engage in behavioral advertising activities.

Furthermore, companies that conduct a review of issues flagged in this document will

be better informed and well positioned to understand and react to potential guidance

or changes that may be coming in 2009 from the FTC or legislators.

3 References to ‘sharing’ include data sharing directly by a first party with a vendor or other parties, as

well as data collected about a user (site visitor) at a website by vendors and other parties.


Self-regulation is a process often preceded by leading companies beginning to

strengthen practices and chart advances that are then more widely adopted. In

particular, companies should be aware of evolving industry practices in the following

areas: 4

• Application of certain privacy principles to some types of non-personal data,

for example, behavioral profiles, cookie IDs or IP addresses.

• Notices about ad-serving and behavioral targeting being provided in banner

ads or on home pages, in addition to within a privacy policy.

• Choice being provided not only for the sharing of ad-serving data, but with

regard to data use by a single company to tailor ads on its own sites.

• The establishment of specific data retention policies and anonymization

techniques for log-file data.

Activities and Business Models

The following is intended to provide a non-technical, high level description of the

technologies and business models involved with a range of online data uses for

advertising, tracking and analysis. Since the business models and policies that may

be considered behavioral advertising range widely, this document seeks to describe

the underlying basics and the tools used. As data is used by different models in

increasingly robust ways to tailor the user experience, those businesses should

pursue opportunities to provide increased levels of transparency and use control to

consumers.

“Ensuring that businesses understand

the practices involved is essential for

privacy compliance planning and to

ensure consumer trust.”


____________________

4 Also note at least two companies that we are aware of provide user access to either

behavioral profile data or cookie analytics data.

A range of online data exchanges with vendors or with third parties are often relied

upon in order to tailor advertising for users or to understand and improve Web site

usage and performance. For example, analytics companies provide services to Web

sites for analyzing information about their users, including site usage on a unique

visitor (or browser) basis. Data generally is used only on behalf of the primary site.

Vendors may offer services that are “white label”, in that they use the domain of the

primary site, allowing the vendor 1st party treatment by the browser. Data generally is

used only on behalf of the primary site, and vendors may offer services that are “white

label” in that they use the domain of the primary site. Vendors may also use a common

platform which uses a common cookie or domain which could technically be used to

correlate data across many unrelated sites, but is usually restricted by agreement. A

number of companies assist Web sites in learning more about the types of users that

visit their own or other Web sites. Some of these companies will also append their

research data to enhance the data profiles a Web site may build about their own users.

Owners of websites are often categorized as advertisers or publishers. Ad-servers

are companies that provide a hosted service which enables the delivery, tracking and

management of advertising inventory. An ad-server may deliver ads under a contract

with a publisher, an advertiser or an ad network and the relevant data ownership issues

must be addressed with each to ensure the privacy commitments made to users will

be respected. Quite commonly, ads will be contextually targeted, that is delivered on

pages that may be relevant to the content of the ad. At times, an ad will be shown a

limited number of times to a unique browser, or in a specified sequence – on one site,

across many sites that are similarly branded, across unrelated brands owned by one

company or across unrelated sites. This practice known as ‘sequencing’ or ‘frequency

capping’ is most often not considered behavioral advertising.

A web site or group of sites owned by one company may work with an ad-server or

analytics company to mine its respective log files of user activity to target ads for

advertisers. A number of leading companies now provide users with the opportunity to

opt-out of advertising targeted to activity on their site or related sites.

Ad networks sell ads on behalf of groups of publishers. As a result, their services must

recognize a user’s browser across many Web sites. Some companies focus on assisting

advertisers with the practice of placing pixel tags on key areas of their Web site to

enable the advertiser to show an ad specifically to previous site visitors when they are

on other unrelated Web sites. For example, if users purchase a product from Company

X, Company X may pay an ad network to show ads only to those users. Although data

is provided to the ad-server by an advertiser for use elsewhere, the ad-server or ad

network generally may not use the data for any other party other than the advertiser.

Ad networks may or may not have permission to create behavioral profiles of users

from the data they have in their ad-serving log files. That is generally a matter defined

by contract. Network advertising behavioral profiles are created when an ad network

mines its log files of user activity across unrelated sites over time and assembles user


profiles and interest categories that advertisers can target ads against. This is the core

activity subject to the Network Advertising Initiative (NAI) Self-Regulatory Guidelines.

Under these guidelines, sites participating in such behavioral advertising are required

to provide a link in their privacy policy that provides users with the ability to opt-out of

behavioral advertising. When personal data or certain sensitive data is used, an opt-in

may be required. Data from a user’s purchases online or off-line, or other demographic

data, may be linked to a user’s cookie to enable targeting of the user on a site where

the user has registered or transacted or across an ad network.

Behavioral profiles may also be created by advertisers working with an ad-server

to collect data about the Web sites their ads are served on or by purchasers of ad

inventory via ad exchanges. At times, the data ownership and consumer privacy

issues are addressed with contractual or other requirements in place. But of concern

is the lack of industry consensus over the ownership of data gathered by advertiser

controlled ad delivery and the resulting effect on accountability to users when

publishers are not aware or where a privacy policy is in conflict with the advertiser or

ad network’s practices.

In an emerging business model, ISPs are collaborating with Web sites or ad networks

to target users based on clickstream data collected at the ISP. Leading ISPs have

committed to conduct behavioral advertising only with user consent.

Ad sales marketplaces, known as ad exchanges, have been created to match

purchasers of advertising with available ad inventory. Sometimes purchasers may

select ad inventory based on data about users.

Practices that Impact Consumer Trust

TRUSTe has previously conducted research and provided general guidance to our

sealholder companies involved with behavioral advertising. In addition, model privacy

policy guidance provided by TRUSTe specifies disclosures and choices related to ad

delivery, analytics and other components of data use that may be related to behavioral

advertising. 5

With this document, we intend to help identify the areas that can assist companies in

understanding the elements involved with behavioral advertising and their information

management and, in doing so, lay out a roadmap for increasing consumer trust. The

following information practices inventory tool is intended to assist advertisers and

publishers engaging in behavioral advertising who wish to ensure they are doing so

in a manner that provides transparency and consumer control. Businesses need to

ensure they are fully informed about the way data related to site visitors is being used

or shared. Web sites should review additional steps to ensure users are comfortable

“As data is used by different

models in increasingly robust

ways to tailor the user experience,

those businesses should pursue

opportunities to provide increased

levels of transparency and use

control to consumers.”


____________________

5 See http://www.truste.com/about/bt_study.php

with the way data is being used at sites and consider mechanisms for additional

transparency and consumer control that may be feasible for the particular business

model involved.

Disclosure of tracking and targeting as part of your product or service value

proposition is good business. You may want to provide a “what is this” button to

explain how your customization works, or other means for promoting user enhanced

awareness of tracking or targeting on your site. The best examples of notice and choice

are seamlessly integrated into Web site services and functionality.

Following are detailed points to review at your site and with current and potential

partners who provide services at your site or with whom you may share data. Although

these points are of most significant concern when personal information is involved,

increasingly robust tailoring occurs with a wide range of non-personal data and such

activity should similarly be reviewed. Many of the points we raise will be relevant to

a wide range of data collection or use regardless of technology. Companies should

recognize that the more robust the type of data collection, use or sharing, the greater

the need for consumer transparency and control.

Checklist for Businesses

TRUSTe welcomes feedback on this Checklist. We intend for this tool to be a living

document that will continue to be revised and expanded in 2009. Our aim is to assist

businesses in asking the right questions that will help them understand their own

business operations and build privacy compliance and risk mitigation measures into

their design as they relate to behavioral advertising activities.

Data use: Transparency & Control

• If you are tailoring advertising on your Web site using only information related

to the user’s activity at your site, is it possible to explain the activity to the

user in an obvious manner at the point data is collected or the point it is used?

(For example: ‘These links have been selected for you based on your past

browsing at this site’)

• If not, can a link at the point of collection or use be provided?

(For example: ‘Why this ad? Or “How data about your activity here will tailor

the ads you see.”)

• If advertising is being tailored across sites owned by one company, is there

any common branding such that the user would expect the data to be

available at other commonly owned sites?

Data Sharing and User Choice

• If data is being shared with an ad network for use on unrelated sites, at a

minimum, does the privacy policy explain the sharing of data with an ad


network? Does the privacy policy provide a link to allow the user to exercise

choice about this sharing or the use of behavioral targeting?

• Is the type of targeting and data appending done by the network, its partners

and advertisers accurately explained?

• If a link is provided to a third party’s choice mechanism, is that mechanism

working?

• If the user is promised that exercising choice will end any tracking, does the

user continue to be assigned a unique Cookie ID that may indicate continued

tracking?

• Does the ad network resell your ad inventory and user data to other networks?

• Does it allow advertisers to pixel the ads delivered to correlate additional data

from third parties?

• Does it allow advertisers to personally recognize their registered users who

view banners at your site?

• Are advertisers permitted to create profiles of users based on the locations on

your site where ads on their behalf were delivered?

• Is this sharing consistent with your site’s privacy policy?

• If the data is not being provided to an ad network for behavioral advertising, is

data being provided to an ad-server so that you can re-target a user after they

have visited your site? Are you aware of or allowing advertisers to use web

beacons or other code in the ads they deliver on your site and thus allowing

tracking and/or retargeting of your users elsewhere? Does your policy reflect

this and provide any choice?

Personal Information

If the policy represents that personal information is not being shared:

• Is an account ID being provided?

• Have steps been taken to ensure this ID isn’t linked to identified users?

• Are efforts being made to link the anonymous ID to third party data which

identifies the user?

• Is data being linked to purchase information, online or offline which identifies

users?

• Are anonymization processes in place to support this activity? Is encryption

used or simple base 64 encoding?

9 ©2009. TRUSTe. All rights reserved

• Is later off-line purchase activity by a user being tied back to the ad

impressions a user viewed at your site?

• If your policy doesn’t allow the sharing of personal data, is there adequate

anonymization in place to support this process?

• Does your P3P policy or your vendors or partners’ policy allow for the type of

information being used or shared?

• What categories of user profiles are being created? Is any potentially sensitive,

specific health, sexuality, race, religion, ethnicity, children’s data involved?

Data Retention/ Security

• How long is user level clickstream data kept by you or your vendors? Is it

segregated or mixed with other client log-files?

• Are IP addresses logged?

• If so, can only a portion of the IP address be logged?

• Does the logged IP address have a shorter retention period than other data?

• Can they be obscured or deleted after the period they are needed? (Note that

some vendors provide such capabilities without any impact to their services.)

Cookies

• Is the expiration date of cookies that are used set at many years in the future?

Is this necessary for the purposes of the data use?

• Can the expiration be set much shorter for the period needed for the

expressed use?

• Is data stored in the cookie?

• If personal data is stored in the cookie is it encrypted?

• Are flash cookies being used? Do you provide specific guidance about how

users can control flash cookies? Note that since standard browser controls do

not relate to flash cookies, using flash cookies for robust purposes, such as

behavioral advertising, will raise concerns about consumer control and choice.


• Can a cookie and domain unique to your site be used instead of one which

potentially links to user activity across sites served by your vendor? Is a “white

label” version of the service feasible for your needs?

• Can the profile be made available to the user by you or by the vendor? Can

the user edit or delete the profile?

• Can a user who looks up the name of a particular cookie and identify the

company that set it and find the privacy policy and practices related to use of

the cookie?

• Can the list of profile categories that are created generally be made available

to provide some transparency?

• Do you assist users with information on how to manage/delete cookies?

• If an ad network is selling your inventory to other ad networks or via an

ad exchange, what steps is it taking to ensure the purchaser respects the

commitments made in your privacy policy?

Additional Risk Issues

• If you are purchasing ads on an ad network, does your contract address

whether your banners may be delivered into adware programs?

• Does your ad network employ any measures to screen and reject adware

that is installed deceptively? (For example, requiring that any downloadable

programs in their network are certified by the TRUSTe Trusted Download

program, or by using scanning and spidering techniques to bar rogue

programs that put you at legal risk in joining the network?)

• If you accept advertising directly or allow ads uploaded by third parties, what

policy or technical steps are taken to screen out banners placed by criminal

“malvertising”companies?

• Do you participate in an affiliate marketing program, offering commissions to

affiliates that generate sales?

• What steps does your affiliate manager take to ensure your offers do not

appear in adware that is installed deceptively? (For example, requiring that

any downloadable programs in their network are certified by the TRUSTe

Trusted Download, or by using scanning and spidering techniques to bar

rogue programs from joining the network?)

• Are you paying commissions to rogue affiliates who are “cookie stuffing” or

triggering invisible pop-ups at your site to illegitimately claim commissions

they are not entitled to?


Glossary of Terms6

Technical Basics

User IP Address: The numerical address assigned by an Internet Access Provider to a

computer connected to the internet. The IP address assigned by an ISP to a user is

often used by advertising and analytics companies for a number of secondary data

purposes including; geo-targeting ads, reporting on the geographic distribution of

users, some analysis or targeting of the business or business type if the IP is one

assigned to a recognized company, and auditing to prove ad delivery and to eliminate

false or fraudulent activity. IP addresses are generally not used for keeping track of

unique users by these companies. IP addresses continue to be described as non-

personal in U.S. privacy policies by businesses that do not have the ability to identify

users by IP address. However, businesses should recognize that since it may be

possible for some parties identify users based on IP address with the cooperation of an

ISP and with legal intervention, a User IP address should be treated with more

sensitivity than other non-personal data they may log.

Cookie ID: A unique number assigned by a Web site or an advertising/analytics

provider to recognize the user’s browser over time. Third party cookies are typically

set by companies or Web servers other than the Web site the user has typed into their

web browser. These cookies are set and read by companies providing services across

many Web sites and therefore provide a record of a user’s activity across the sites they

serve. These companies may or may not have contractual rights to correlate this data

or use it other than for an individual partner. Some companies may store data about

a user on the user’s computer in the cookie file, to enable quick retrieval for targeting


____________________

6 The illustrations here do not attempt to map the specific data flows involved with

behavioral advertising, as in practice they are technically complex, but rather are intended

to give a consumer sense of the nature of the practice involved.

or tracking. Others will use the cookie number to reference data stored in a data base.

While in practice cookies rarely actually last on a user’s computer for a long term,

expiration dates associated with a cookies can extend for as much as 30 years.

Opt-out cookie: A non-unique cookie set to zero or null so that a user will not be

targeted or tracked. Ad networks involved in behavioral advertising may be subject to

requirements to require the Web sites they serve to provide a link to a page allowing

users to set an op-out cookie as a way of providing users a choice to opt-out of

behavioral advertising.

Ad tag: Code on a Web page that directs a user’s browser to present itself to servers

used for ad delivery. This code may also dynamically pull information the site has about

the user and insert it in the information the user’s browser provides to the ad-server.

Pixel tag or Web beacon: Code on a page intended to direct a user’s browser to visit a

server so that data about the user’s visit can be used.

Ad Call: The request for an ad made by an advertisement, which is used to provide

information about the Web site, the ad campaign, data about the user the site may

have and the technical data the ad-server will log. Data the ad-server may log can

include, among other items, a cookie ID, the site the user is visiting, an IP address, the

referring url, or a search query that may have been entered. The ad call may also re-

route the user’s browser to a third or fourth server which will also log or add data to

the process.

Key Value: A piece of information about a registered user that a Web site may pass

to an ad-server. In some cases, account IDs corresponding to identified or registered

users may be passed to an ad-server or analytics company. The ad-server or analytics

company may or may not have the ability to decode the user ID.

Log File: The data record stored on a web server when a user’s browser visits a Web

site. Some data may be used instantly by an ad-server to deliver an ad. Other data may

be mined from the stored log file in order to create reports or to create a user profile

by using the consistent cookie ID to pull together information about a user across time

and sites.


Sample Business Models and Related Services

Analytics: Services that analyze information about users, including metrics such as

unique visitors and site usage. Data generally is used only on behalf of the primary site,

and vendors may offer services that are “white label” in that they use the domain of the

primary site. Vendors may also use a common platform which uses a common cookie

or domain which could technically be used to correlate data across many unrelated

sites, but is usually restricted by agreement.

Research: Services that describe types of users that visit Web sites. Some of these

companies will also append their research data to enhance the data profiles a Web site

may build about their own users.

Ad-Server: Provides a hosted service which enables the delivery, tracking and

management of advertising inventory. An ad-server may deliver ads under a contract

with a publisher, an advertiser or an ad network and the relevant data ownership issues

must be addressed with each to ensure the privacy commitments made to users will

be respected.

Ad Network: Sells ads on behalf of groups of publishers and as a result must recognize

user’s browser across many Web sites. Ad network’s may or may not have permission

to create behavioral profiles of users from the data they have in their ad-serving log

files.

Behavioral Ad Network: Requires publishers to allow the network to re-target users for

advertisers and/or to created behavioral profiles of users.

Re-Targeting Network: Places pixel tags or other code on key areas of client Web

sites to enable the advertiser to show an ad specifically to previous site visitors when

they are on other unrelated Web sites. For example, if users purchase a product from

Company X, Company X may pay an ad network to show ads only to those users.

Data Append: Advertisers, Publisher or Ad networks may add data to a user profile by

overlaying behavioral profile data, purchase or demographic data or other third party

data.

Ad Exchange: Marketplaces that match purchasers of advertising with available ad

inventory. Sometimes purchasers may select ad inventory based on data about users.


Behavioral Targeting Activities

Sequencing, frequency capping: An ad will be shown a limited number of times to

a unique browser, or in a specified sequence – on one site, across many sites that are

similarly branded, across unrelated brands owned by one company or across unrelated

sites. This practice is most often not considered behavioral advertising.

Data Appending: Data from a user’s purchases, online or offline, or other demographic

data may be linked to a user’s cookie to enable targeting of the user on a site where

the user has registered or transacted or across an ad network.

Re-targeting: A pixel tag or other code or web beacon on an advertiser’s site enables

their ad-server or an ad network to recognize particular users visiting that advertiser’s

site and to show an ad on behalf of the advertiser when those users are on other

unrelated sites. Data ownership is usually not shared with a third party

Cookie Matching: Clickstream data (i.e. web sites visited) linked to one company’s

cookie may be matched and added to data from another company’s cookie linked

data. For example, a research company which has cookie linked user profiles may

overlay the data an ad network has linked to its cookies.

Behavioral profile development

Single company: A web site or group of sites owned by one company may mine its

log files of user activity to assemble user profiles. A number of leading companies now

provide users with the opportunity to opt-out of advertising targeted to activity on

their sites or sites.



Multiple company: Network advertising behavioral profiles are created when an

ad network mines its log files of user activity across unrelated sites over time and

assembles user profiles and interest categories that advertisers can target ads against.

This is the core activity subject to the Network Advertising Initiative (NAI) Self-

Regulatory Guidelines. Sites participating in such behavioral advertising are required to

provide a link that provides users with the ability to opt-out of behavioral advertising.

When personal data or certain sensitive data is used, an opt-in may be required.

Such profiles may also be created by advertisers working with an ad-server to collect

data about the Web sites their ads are served on or by purchasers of ad inventory via

ad exchanges.

ISP behavioral advertising: In an emerging business model, ISPs are collaborating with

Web sites or ad networks to target users based on clickstream data collected at the

ISP.

truste whitepaper- a checklist of practices that impact consumer trust

Technology

federal trade commission

emerging business model

privacy compliance planning

considered behavioral advertising

network advertising initiative

unrelated brands owned

previous site visitors

privacy commitments made