BBB Reveals BlueCava, Turn, and Others Needed Privacy Fixes

The Better Business Bureau has released names of ad tech firms it has investigated for compliance with industry-wide online privacy standards. Ad data companies BlueCava, Turn, DataXu, and lesser-known OxaMedia were called out today by BBB for relatively minor violations of the ad industry’s behavioral advertising self-regulatory program. Though some privacy advocates may consider the response too lenient, firms have all agreed to implement appropriate corrections and won’t be penalized.

“Our goal is to help them come into compliance,” said Genie Barton, VP and director of the BBB’s Online Interest-Based Advertising Accountability Program and Mobile Marketing Initiatives. “If they don’t, we can and would refer them to a [government regulatory] agency.” That shouldn’t be the necessary in the cases announced today.

BlueCava’s situation is especially interesting because it suggests the BBB’s approach to monitoring behavioral ad companies for compliance with the self-reg program is not focused on cookies alone – but all technologies enabling data collection and tracking. When the BBB monitors evaluated BlueCava, a firm that targets through device identification rather than via cookies, they noticed the firm’s privacy policy was not explicit about its collection and data use for behavioral targeting across multiple devices in a household. It also wasn’t clear about what would happen when a user opted out from data collection and use. Essentially, BBB wanted BlueCava to explain specifically to users that they would need to complete additional steps to opt out from multiple devices.

“This case tells us that the [online behavioral advertising] principles are not confined to cookie-based technology; they cover every technology,” said Barton. “We require that BlueCava be very clear in its privacy page in explaining what device fingerprinting is.”

According to BBB, BlueCava “pledged to make the development of this multi-device opt-out mechanism part of its product development work.”

Digital marketing platform company DataXu was also evaluated by BBB, which found that the firm’s opt-out cookie did not work as a result of programming errors. The company corrected the problem, according to BBB.

Another problem was detected in Turn’s web site disclosure. The audience targeting firm had failed to mention its participation in the DAA program on its site, but now does, stating in its privacy policy that it “is in compliance with the DAA’s Self-Regulatory Principles for Online Behavioral Advertising.”

Today’s decisions mark the second time since the program was implemented that the BBB – which administers the Digital Advertising Alliance’s behavioral advertising accountability program – has publicized names of companies it has evaluated for compliance. “Now we are looking across the board at every aspect of transparency and consumer control in much more complicated arenas,” said Barton.

Ad network OxaMedia was not aware of the DAA principles or compliance program at all when its Italian technologists were contacted by BBB. Since then, the company is abiding by the principles and making note of it on the OxaMedia site. “Using the OxaMedia Opt Out Cookie will not prevent advertisements served through OxaMedia from being presented to you but will stop the collection and storing of data regarding your visit while being served an advertisement by one of our clients,” states the AdChoices page on the company’s site.

As the organization overseeing compliance monitoring for the DAA program, the BBB essentially has any company involved in behavioral advertising in its purview, according to Barton. The group employs technology developed by Evidon specifically for the DAA program to monitor companies operating in the behavioral ad ecosystem to isolate any that may not be following the industry’s self-regulatory guidelines.

“If [a company is] engaged in OBA, they could hear from me any day,” said Barton. However, firms not engaged in online behavioral advertising don’t fall within the self-regulatory program’s scope. For example, though BBB detected ad management platform Rovion was not abiding by a DAA rule, the group determined it had no authority to demand a change to the company’s practices. Even so, according to BBB, Rovion decided to alter its opt-out cookie to last for five years, the standard according to DAA guidelines.

Related reading