• by Shankar Gupta , June 17, 2005

The relatively new marketing tool of behavioral targeting--which, in some cases, depends on monitoring consumers as they go from page to page--already has raised eyebrows among both online executives and privacy advocates.

Now, in hopes of heading off privacy-related criticisms at the pass, behavioral targeting company AlmondNet recently tapped a privacy consultancy--Chapell & Associates--to develop a privacy strategy.

With the move, AlmondNet joins the growing roster of behavioral targeting companies that have recently hired privacy officers. Tacoda, for instance, hired former Real Media co-founder Mark Pinney as CFO and chief privacy officer last November. Claria, which recently launched a behavioral targeting network, also last year brought in a chief privacy officer--D. Reed Freeman Jr., a former Federal Trade Commission lawyer.

AlmondNet's business model differs slightly from companies such as Tacoda and Revenue Science--which use cookies to track users through specific publishers' sites--and Claria's, which relies on tracking the surfing behaviors of the 40 million users who have downloaded its ad-serving software.

AlmondNet uses cookies to track the search history of users across the Web, then serves ads to users based on their search history. To power its network, AlmondNet relies on partnerships with Internet service providers and adware companies.

The centerpiece of the company's current privacy policy is a link to the opt-out page on every ad they serve. The words "powered by AlmondNet" appear in the ad, and if users click on that link, they are taken directly to the opt-out page. The users must retain the company's cookie on their computer, however--if the file is deleted, the user will begin seeing AlmondNet ads again.

Roy Shkedi, the CEO of AlmondNet, said the company hasn't yet received any complaints about its privacy practices. "We want to have a privacy-friendly behavioral-targeted ad service, so we retained Chapell & Associates to help us make sure that our strategy is in the forefront," he said.

But it's clear that others in the industry are concerned about how consumers will respond to such techniques, especially as they become more common and better-known. Speaking at a behavioral targeting conference last month, Tribal DDB CEO Matt Freeman said: "How we do it will make all the difference ... We have a bad history of misusing the things we can do."

Alan Chapell, of Chapell & Associates, said that the behavioral targeting space has come under a good deal of scrutiny because of consumer ire over adware and spyware.

But, he said, best practices for behavioral targeting remain a bit murky. The dilemma facing the companies is that to effectively target ads, they need to have a lot of data collected about consumers, but consumers aren't always so interested in providing it. "You need to have a score of information on consumers, but consumers have indicated that they might not be comfortable with that level of data sharing," he said. "But on the other hand, they're also not comfortable with ads that are not relevant to them."

Privacy expert Ari Schwartz, an associate director at the Center for Democracy and Technology, said that devising best practices shouldn't be that difficult. Rules laid out in the late 1980s by the Paris-based Organisation for Economic Cooperation and Development are a good starting point, he said.

Those standards, initially created to guide governments in using data collected about citizens, state that information should be collected fairly and lawfully, with the consent of the subject. The guidelines also state that data should be collected with a specific purpose in mind at the time of collection, used only by the authority of law or with the consent of the subject, and kept secure. Companies collecting data should be open about their practices of collecting data, allow individuals to find out if there's any data about them, and be accountable for compliance with all standards.

In practice, companies that do not tie any identifiable personal data and delete the information after a short time would largely follow the OECD's guidelines. "If you're talking about the best practices, we would look towards something that deletes historical information, and does not [use] personally identifiable information," Schwartz said.