UPDATE 1-18-10: Some rapid progress on improvements: There is now an opt-out link on Teracent’s homepage and the CAPTCHA requirement has been removed. Hopefully improvements are also in the works to make the opt-out cookies unique and longer-lived (although just as likely, you might expect Teracent’s entire process to be assimilated into Google’s consumer disclosures and opt-out interface). In the mean time, here’s Teracent’s entry in the PrivacyChoice Index (still showing no opt-out available, given the remaining uncertainties).
In November of last year, Google announced the acquisition of Teracent, a company specializing in dynamic ad creative that is customized on the fly based on factors like the user’s interests and location. A review of Teracent’s consumer privacy experience shows that Google has much work to do in order to bring it up to industry norms. Unfortunately, it also provides a reminder of the challenges to self-regulation for ad-targeting.
“We retain the Non-[Personally Identifiable Information] collected via our Technology for up to 6 months in order to ensure that our Technology is functioning properly. After 6 months, we render this information anonymous and store it for up to three years.”
But wait, if the information you collect is “Non-Personally Identifiable” then why would you need to render it “anonymous” after six months? Isn’t it already anonymous?
Of course, they probably mean that after six months they will disassociate individual log entries from IP addresses, but can a consumer possibly understand what this means?
1. The process is not easy to find because it’s not linked from Teracent’s homepage. An interested consumer needs to click the “About” link from the homepage to then see anything about privacy or an opt-out.
2. The opt-out cookies themselves store unique strings (destroying any semblance of anonymity) and are not named in a way to be identified by the user as an opt-out cookie. (The vast majority of networks include the phrase “opt out” in the cookie name or text to make this clear.) Also Teracent appears to use three different domains in the opt-out process (teracent.net, smtad.net, ytsa.net) but you can’t tell if all three are necessary for the opt-out to be effective. If all three aren’t necessary, the ones that aren’t shouldn’t even be written as part of the process.
3. The opt-out cookies have a six-month lifespan, far short of the five-year minimum now required by the NAI.
4. This is really unusual: the user has to complete a CAPTCHA in order to get the opt-out cookie(s). And it’s a fussy one, at least in my experience. I’m not sure I’ve seen an opt-out process that is less consumer friendly.
No doubt Google is working to assimilate Teracent into its own (much better) consumer privacy practices. But Teracent’s shortcomings provide a good reminder of the chasm in quality between the best and worst consumer privacy practices of ad-targeting companies. Until websites and advertisers start to attend to these matters in their own choices, this disparity in commitment to best practices will remain a central challenge to effective self-regulation.