Attorneys general of 10 states ended a 30-month investigation into DoubleClick Inc.’s ad-serving practices after inking an agreement that commits the New York company to following specific requirements regarding disclosure, data storage and data use.
The deal calls for using DoubleClick’s clients’ privacy policies to make its tracking activities more visible and to give consumers access to their online profiles.
“When an online contractor can invisibly track nearly every online consumer, consumers deserve to know the privacy cost of surfing the Web,” New York attorney general Eliot Spitzer, who led the investigation, said in a statement.
DoubleClick will pay $450,000 to meet the costs of the investigation and consumer education. But the deal with the states is not an admission of guilt by DoubleClick, nor will it require the company to change the core services it offers clients.
At the crux of the settlement is the establishment of standards for consumer privacy in data collection and tracking across a range of networked Web sites.
Most of DoubleClick’s obligations have no expiration, Spitzer said. But the more technology-specific terms remain in effect for four years.
Second, the company has to offer a first-party Web site notice. It has to ensure that clients follow contract provisions regarding the disclosure of the type of information DoubleClick does or does not collect.
Another requirement is that after three months, data collected in connection with DoubleClick’s DART ad serving will be moved offline. This is an important change in the data minimization and purging policy.
Another change is in the data sharing policy. DoubleClick will not share user data obtained on behalf of one of its clients with any person other than that client or as directed by the client.
Access and other disclosures were another issue that worried the states’ lawyers.
“If DoubleClick employs targeting based on anonymous user profiles, the company will use reasonable efforts to develop technology that allows a user to securely view any categories associated with that user’s ad-serving cookie,” the company said in a prepared statement.
DoubleClick also will offer users the ability to opt in to an e-mail notification system. This e-mail alert will inform users about changes to DoubleClick’s privacy statement.
Finally, DoubleClick agreed to be monitored by an independent third-party company, which will conduct three compliance reviews to verify DoubleClick’s adherence to the agreement. DoubleClick will pay for the reviews. The verifying company was undisclosed yesterday.
DoubleClick yesterday declined comment. A copy of the settlement is available at www.oag.state.ny.us. Attorneys general from New York, Arizona, California, Connecticut, Massachusetts, Michigan, New Jersey, New Mexico, Vermont and Washington were parties to the investigation.
The states’ probe resulted from fears over DoubleClick’s Web profiling, which is enabled by sharing data collected by cookies, files that identify visitors to a Web page and store their online preferences and identity.
This settlement ends a round of legal trouble that began with DoubleClick’s plans to merge online and catalog databases when the company bought the then-Abacus Direct in 1999. That plan — to use personally identifiable profiles to boost the appeal of banner ads — was never followed through after the Federal Trade Commission, state attorneys general and private litigants objected.
It was only in May of this year that DoubleClick again had to pay $1.8 million to settle class-action lawsuits about privacy disclosure standards. That amount went toward paying claimants’ legal fees. In the same case DoubleClick’s obligations were negotiated to expire in two years.
But while all the other legal wrangling played out in the media and with the lawyers, a key worry always remained: DoubleClick’s practice of assigning anonymous but unique cookie identifiers to the computers of online consumers.
“It’s hard for consumers to trust e-commerce when they can’t see the practices behind the promises,” Spitzer said in the statement. “Consumers need reliable privacy verification — either firsthand or through an independent and publicized review.”