Google made it official last week: Any site in the vast AdSense network may now carry ads placed by third-party ad companies, which Google calls “certified ad networks.” This is an important privacy development, as it means that more than 80 new companies may now use or collect user behavioral information through Google ad tags that are already installed on millions of web pages. (To learn how this works, see the video embedded at the end of this post.)
Because these companies are hungry for access to the AdSense network, Google’s certification requirements may have more immediate impact on prevailing ad-industry privacy practices than any new regulation or industry initiative. By setting and enforcing standards on participating networks and AdSense publishers, Google has the opportunity to catalyze a truly effective self-regulatory system for interest-based advertising.
To do so, Google should answer three key questions:
1. How does Google confirm compliance with certification standards?
Google’s policies do not require that certified networks be members of the Network Advertising Initiative, the group of leading ad companies (including Google) that sets standards and provides compliance reviews. But Google does require certified ad networks to abide by the NAI’s 2008 Guidelines. These rules require a consumer-facing explanation of what kind of information is gathered and how it is used, as well as:
- Disclosure of how long consumer data is retained;
- A consumer opt-out process (such as an opt-out cookie); and
- Assurance that sensitive behavior (i.e. health, personal finance) will not be used for ad targeting without prior user consent.
A review of selected privacy policies from certified ad networks shows that quite a few do not meet these requirements (as of 3/19/10). Some examples (with links to the PrivacyChoice Index):
- No deletion policy: Adchemy, Brightroll, NetSeer, Red Aril, RocketFuel, TellApart, and others.
- No working opt-out process: AdReady, CPM Advisors (broken), Media Innovation Group (notified of fix 5/3/10), OpinMind, QuinStreet Media (4-day opt-out lifetime).
- No assurance as to sensitive information: Less than half of Google’s certified networks promise in their policies to stay out of sensitive areas.
Google also should clarify these technical and operational points:
- Do certified ad networks have access to behavioral data, even if they have agreed not to collect such information when serving ads through AdSense?
- Does the network see the site or page visited, an IP address or the network’s cookie? If so, does each certified ad network need to engineer their backend systems to segregate AdSense data from data gathered elsewhere?
- Will compliance be subject to review by Google personnel or any independent organization?
2. Will Google provide AdSense publishers with privacy-related information about certified networks, in order to enable them to make better decisions?
Google puts AdSense publishers in control by allowing them to turn off certified networks individually or entirely, but does not yet provide any privacy-related information to inform those decisions. Some AdSense publishers might want to allow only companies that are subject to oversight through the NAI; others might want to review retention or other specific privacy policies.
Google could improve website decision-making by showing publishers information about the privacy practices and oversight for each certified ad network. Website operators ultimately must be accountable to their own users for the practices of companies who have access to their user information. Google can make it easier for publishers to make good decisions, and thereby support higher standards across the industry.
3. Will Google provide AdSense publishers with a way to disclose third-party networks and their privacy policies to consumers visiting their sites?
For good reason, both the NAI Guidelines and those adopted by the IAB-led coalition require such disclosure not only when behavioral data are being collected, but also when behavioral data are being used to target ads (which is when the consumer may be most curious). This means that even if certified networks follow the rules against collecting behavioral information through AdSense, if they use other behavioral data to target ads, then enhanced disclosure is required on the website or page where the ad appears.
The process of providing this disclosure can be automated. The free PrivacyWidget service demonstrates one method to automatically present the right list of ad networks (and related opt-outs) on the fly, with minimal publisher effort.
When Google launched interest-based advertising across AdSense last year, their transparent consumer privacy approach raised the bar for other ad networks. Google’s launch of certified ad networks in AdSense should reflect the same commitment. By following through on the questions outlined here, Google can seize the opportunity to set best practices for the industry and accelerate consumer understanding (and informed acceptance) of interest-based advertising.