According to the settlement Chitika has reached with the FTC, those “opt-out” cookies will now last for at least five years. The company instituted the changes more than a year ago; as of March 1, 2010, Chitika says its opt-out system stays in users’ computers for a full 10 years. The settlement also requires Chitika to provide users a clearly marked “opt-out” link in every behavioral ad it serves.
In a statement, Chitika emphasized that it “places the utmost importance on the privacy of online users.” It describes the expiring opt-out as an “error” that it quickly fixed after being contacted by the FTC. It also emphasized that it doesn’t collect personally identifiable information, although documents in the case indicate that Chitika’s cookies do sometimes collect terms typed into search engines.
Advertisers affiliated with the National Advertising Initiative already must promise to have their opt-out cookies last at least five years. That change was instituted after privacy researcher Chris Soghoian informed them that some NAI members were proffering opt-out cookies that lasted a mere six or eight months. (Soghoian joined the FTC shortly after his NAI opt-out study, and worked on the case against Chitika, which is not an NAI member.)
The number of consumers actually affected by Chitika’s shorter opt-out period was probably quite small. Any user sophisticated enough to find Chitika’s opt-out page, or even know what Chitika does, would likely be sophisticated enough to take a more thorough step to protect his/her privacy, such as clearing all cookies regularly. (Although, that strategy would also delete any opt-out cookies.)
But with this case, the FTC is starting to demonstrate to ad networks the kind of behavior that is out of bounds. While ideas like creating a “Do Not Track” system are swirling around in public debates about privacy protection, they’re not the law of the land yet. But advertisers or analytics companies that don’t follow their own published privacy policies, whether through negligence or deliberate deceit, are in danger of getting some unwanted attention from the FTC.
“Opt-out systems can malfunction in ways that are completely invisible to consumers,” said Jim Brock, the founder of Privacy Choice, a company that monitors online tracking. “Because they say to the consumer, ‘you’re opted out,’ it can become deceptive if technically they really aren’t.”
Expiring opt-outs aren’t the only problem, either. Brock’s company tests opt-outs regularly for more than 160 companies, and “usually finds a handful not working in any given week.” Brock added that he contacted Chitika in January 2010 about the company’s fast-expiring opt-out, a bit before the FTC contacted the company. The company acknowledged receipt of his message but did not fix the problem, said Brock.