Six online advertising industry firms continued to use active tracking cookies despite promising in their privacy policies to stop tracking consumers after they opted out of targeted ads, according to a study from Stanford University Security Laboratory.
The companies “promise to stop tracking after opting out, but nonetheless leave tracking cookies in place,” according to the study from the security lab, which is part of Stanford’s computer science department. The researchers found that the tracking cookies used by 24/7 Real Media, AudienceScience, Netmining, Undertone, Vibrant Media and Wall Street on Demand actively update after a consumer opted out.
Jonathan Mayer, a member of the Stanford team, said the researchers relied on a Carnegie Mellon University study’s reading of the examined companies’ privacy policies and “tried to avoid making any judgments about what the privacy policies could be read to suggest.” He noted that “just because the tracking cookie is in place doesn’t mean the company is collecting tracking information.”
The researchers examined 64 members of the Network Advertising Initiative’s self-regulatory program over the past week, said Mayer. The group separately tested whether the companies’ tracking cookies remained active after a consumer chose to not be served targeted ads via the NAI’s opt-out program and after a consumer enabled a browser’s Do Not Track mechanism, which requests that a company not track a device’s online behavior. Thirty-three of the 64 NAI members continued to track consumers who opted out of receiving ads targeted to their online behavior, according to the study.
The NAI’s principles require companies to comply with consumers’ targeting opt-out preferences, but do not forbid companies from tracking opted-out consumers. The NAI did not immediately return requests for comment.
Jeff Pullen, CEO of AudienceScience, said his company is “not clear” how the Stanford researchers came to their results and that AudienceScience’s technology is designed to delete all cookies when a consumer opts out. He said the company hasn’t been able to duplicate the researchers’ results in its own testing of the cookies.
Wall Street on Demand updated its privacy policy July 12 after the Stanford researchers’ results were released, said Aaron Young, creative director at the company. He said the unique cookie that the Stanford researchers cite as active is “just a time stamp and an identifier of what publisher site the user would have been on.”
24/7 Real Media said in an emailed statement: “To be clear, in compliance with the Network Advertising Initiative program, 24/7 Real Media respects the decision of consumers when they opt-out of online behavioral advertising and ceases to collect or use the consumer’s data for online behavioral advertising thereafter.”
Noga Rosenthal, corporate counsel at 24/7 Media, said the cookie cited by the Stanford researchers is not a tracking cookie. She added that the company updated its privacy policy July 13 to remove language implying that opted-out consumers would not receive additional cookies from the company. According to the study, 24/7 Real Media’s privacy policy previously stated that a consumer may “opt out of receiving our ad delivery, audience management and behavioral targeting cookies.”
Undertone, Netmining and Vibrant Media did not immediately return requests for comment.
Mayer said Vibrant Media contacted the Stanford researchers and “clarified that they were not using their tracking cookie, which did remain in place, to target advertising.” He said that the company did not say whether they were collecting information via the cookie.
Jonathan Gardner, director of communications at Vibrant Media, said via email after the study was published that the Stanford researchers had identified a post-opt-out Vibrant “user ID cookie,” which “collects non-personally identifiable information on keywords a user has engaged with.” The cookie updated a user’s timestamp despite a do-not-track cookie being in place, which he said “may look like information gathering is enabled,” as the Stanford researchers concluded.
“Although the [user ID] cookie was remaining, we do not reference or use the ID in any way, and we completely delete all data, be it in logs or storage devices for that particular user ID,” he said. “Going forward, we will also be deleting that cookie.”
