As an industry, we have spent much of the past month writing, talking, and blogging about the propriety of using browser cookies that track consumer behaviors to manage online advertising. We have
also spent much of that time challenging commentators, such as
The Wall Street Journal's Walt Mossberg, for the audacity to demand that our industry adopt a level of transparency and consumer
consent that is far more stringent than the offline world follows, where highly personal information is routinely bought, sold, and lost by banks, credit card companies, grocery stores, and telephone
companies.
While I would love to continue the academic discussion, I am ready to move on. Walt Mossberg has convinced me. It is time that we are straight with consumers. We should give
them full transparency not because we have to, but because we should. It will strengthen the bond that online media and advertisers have with consumers, and it will serve us well over the long term.
We should take the same approach to consumer privacy that we are taking to ad measurement. This week, we have seen the first major online publishers comply with the IAB's new ad
measurement guidelines, with the announcement that Yahoo!, CNET, Univision, and Weather.com will now only count ad impressions when they can verify that the consumer received the full download of the
ad. They didn't have to do this--they did it because it will make the advantages of online advertising even better for advertisers. How will we go straight here? I am not sure, but I know that it
won't be easy. Let me explain why.
I have talked to dozens of publishers over the past 10 years about how to better communicate their cookie practices to consumers. While most publishers either
want or are willing to communicate more, the complexity of today's content and ad delivery systems makes the accomplishment of that goal quite onerous.
Most large content sites today deliver
dynamic content from multiple servers distributed across the Internet, with many of those servers operating in different domains. This is one reason cookies are used--to keep the various bits of
content "in state" with each other and with the user's browser. For example, a site's primary content may come from servers in its "newspaper.com" domain, which will set or read several cookies from
its content servers and related Web services that use the same domain. The site may also publish syndicated content--maybe from Weather.com--which will set cookies from their domains as they deliver
content.
At the same time, the site's ad server will set several cookies to manage the delivery and coordination of creatives for each ad position, in its own domain. That's where the ad content
comes from, and the ad's deliveries must be coordinated across dozens of sites for each campaign. The site's traffic statistics and analytic system will set a cookie, out of its domains, in an attempt
to accurately determine the number of page views and unique visitors that the site has. Each advertiser and agency involved in each campaign may have its own ad server, which could mean that there
will be four or five per page. Each will likely set its own cookie, so that they can each determine the unique reach of their campaigns or cap the frequency of their different creative units.
Finally, the site may be using a behavioral targeting system, which will deliver a cookie to filter the ads that are delivered to the user to make them relevant.
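
To make the page load described above concrete, the following Python example (added here, not part of the original column) inventories the cookies set during one page view and groups them by owning site, first- or third-party status, and lifetime, which is the raw material any consumer notice would need. Only newspaper.com and weather.com come from the column; every other host, cookie name and value is constructed, and the two-label registrable-domain rule is a simplifying assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (URL fetched while rendering one page, Set-Cookie header returned).
# Hosts other than newspaper.com and weather.com are hypothetical placeholders.
PAGE_URL = "https://www.newspaper.com/local/story.html"
RESPONSES = [
    ("https://www.newspaper.com/local/story.html", "session=abc; Path=/"),
    ("https://services.newspaper.com/login", "prefs=1; Domain=newspaper.com; Path=/"),
    ("https://widgets.weather.com/forecast.js", "loc=10001; Domain=.weather.com"),
    ("https://ads.adserver.example/slot1", "freq=3; Domain=adserver.example; Max-Age=2592000"),
    ("https://stats.analytics.example/hit.gif", "uid=77; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
    ("https://serve.agency.example/c", "reach=9"),
    ("https://bt.targeting.example/seg", "seg=autos; Max-Age=31536000"),
    ("https://bt.targeting.example/seg", "x=1; Domain=newspaper.com"),  # foreign Domain: rejected
]

def site_of(host):
    """Approximate the registrable domain as the last two labels (assumption; real code needs the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_set_cookie(header):
    """Return (cookie name, attributes) with attribute names lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def inventory(page_url, responses):
    """Group the cookies set during one page load by (party, owning site)."""
    page_site = site_of(urlsplit(page_url).hostname)
    report = defaultdict(list)
    for url, header in responses:
        host = urlsplit(url).hostname
        name, attrs = parse_set_cookie(header)
        domain = attrs.get("domain", "").lstrip(".").lower() or host
        # Browsers ignore a cookie whose Domain attribute does not cover the responding host.
        if host != domain and not host.endswith("." + domain):
            continue
        party = "first-party" if site_of(domain) == page_site else "third-party"
        kind = "persistent" if ("expires" in attrs or "max-age" in attrs) else "session"
        report[(party, site_of(domain))].append((name, kind))
    return dict(report)

if __name__ == "__main__":
    for (party, site), cookies in inventory(PAGE_URL, RESPONSES).items():
        print(f"{party:12} {site:20} {cookies}")
```
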
The challenge is to
communicate what is happening to consumers without annoying them. While it is true that most users do not read privacy policies--where they are informed of these practices--it is virtually impossible
to prompt the user each and every time one of these cookies is set.
One response to the issue could be to provide all users with a one-time notice to explain all of this--not unlike the type of
information provided when requiring users to register--but it would need to be done with a pop-up or interstitial, which are unpopular with users. Plus, the only way to know if the user has already
seen and consented to the notice, so that they are not bothered multiple times, is to use cookies to remember the user.
Another thought is for sites to do an ongoing general information campaign
on what cookies are used and how. The content could be provided in both editorial form and through "house" ad space. In coordination with that effort, sites could make their privacy policies more
noticeable, with some of the critical privacy information appearing directly on the content pages and not just on a deep jump page.
Finally, there is discussion in the industry about creating a
"white list" of cookies that follow certain best practices and to communicate this list to consumers through the Web publishers. This list would also be coordinated with the distributors of
anti-spyware software, so that the cookies could be flagged in a certain way.
While it may not be clear which path is best, I believe that it is time to take a walk down one. It is no longer
acceptable to say that what our industry does is less invasive than what other traditional media and direct marketers do; we can do more. The long-term winners in advertising and media will be those
able to garner and protect consumer trust. The winners will be those with whom consumers are happy to share information in exchange for better and more relevant content, including ads. That is our
future, so let's start figuring out how to get there.