Blog Post

FTC Slaps Ad Network For Deceptive Privacy Policy, Puts Industry On Notice

There may well be action on Capitol Hill this year in online privacy, with bills being introduced by members of both parties. But the Federal Trade Commission (FTC) apparently plans to take action against some perceived bad actors right away rather than wait for legislation. Chitika, an online advertising company, has been hit with sanctions after the FTC accused it of deceiving consumers in its privacy policy. The sanctions aren’t harsh and they don’t include any financial penalties, but the move is clearly a shot across the bow to ad networks, reminding them that whatever opt-out options they offer consumers need to be straightforward, and function as they promise to.

Chitika is one of many companies that serve up behavioral advertising by tracking the websites that consumers visit and the searches they perform, to get a better sense of what they’re interested in. In the fine print at the bottom of its site, Chitika offered consumers a link to the site’s privacy policy and the ability to “opt out” of all behavioral ads from the network. But there was a big problem with Chitika’s opt-out, according to the FTC-it only lasted 10 days, and it didn’t tell consumers their “opt out” decision would only last 10 days.

According to the settlement Chitika has reached with the FTC, those “opt-out” cookies will now last for at least five years. The company instituted the changes more than a year ago–as of March 1, 2010, Chitika says its opt-out system stays in users’ computers for a full 10 years. The settlement also requires Chitika to provide users a clearly marked “opt-out” link in every behavioral ad it serves.

In a statement, Chitika emphasized that it “places the utmost importance on the privacy of online users.” It describes the expiring opt-out as an “error” that it quickly fixed after being contacted by the FTC. It also emphasized that it doesn’t collect personally identifiable information, although documents in the case indicate that Chitika’s cookies do sometimes collect terms typed into search engines.

Chitika’s opt-out page doesn’t appear to have offered users a specific period of time their opt-outs will last. The FTC just found that 10 days was a deceptively short time frame given that Chitika’s privacy policy flatly said “you can opt-out of receiving Chitika cookies.”

Advertisers affiliated with the National Advertising Initiative already must promise to have their opt-out cookies last at least five years. That change was instituted after privacy researcher Chris Soghoian informed them that some NAI members were proferring opt-out cookies that lasted a mere six or eight months. (Soghoian joined the FTC shortly after his NAI opt-out study, and worked on the case against Chitika, which is not an NAI member.)

The number of consumers actually affected by Chitika’s shorter opt-out period was probably quite small. Any user sophisticated enough to find Chitika’s opt-out page-or even know what Chitika does-would likely be sophisticated enough to take a more thorough step to protect his/her privacy, such as clearing all cookies regularly. (Although, that strategy would also delete any opt-out cookies.)

But with this case, the FTC is starting to demonstrate to ad networks the kind of behavior that is out of bounds. While ideas like creating a “Do Not Track” system are swirling around in public debates about privacy protection, they’re not the law of the land yet. But advertisers or analytics companies that don’t follow their own published privacy policies-whether through negligence or deliberate deceit-are in danger of getting some unwanted attention from the FTC.

“Opt-out systems can malfunction in ways that are completely invisible to consumers,” said Jim Brock, the founder of Privacy Choice, a company that monitors online tracking. “Because they say to the consumer, “you’re opted out,” it can become deceptive if technically they really aren’t.”

Expiring opt-outs isn’t the only problem, either. Brock’s company tests opt-outs regularly for more than 160 companies, and “usually finds a handful not working in any given week.” Brock added that he contacted Chitika in January 2010 about the company’s fast-expiring opt-out, a bit before the FTC contacted the company. The company acknowledged receipt of his message but did not fix the problem, said Brock.