Opt-in Procedures of Web Sites Selling Information to Third Parties
Ryan Kaczowka – Youngstown State University
Chris Hoofnagle, J.D.
Nathan Good, Ph.D.
Background

In order to subsidize free services to consumers, web sites often need to sell customer information to third parties including advertisers, aggregators, and direct marketers. NextMark (lists.nextmark.com) is a leading exchange for such information, which boasts a database of over 60,000 telephone, postal, and email lists available to search through and purchase. NextMark maintains a “datacard” for each list. The datacard describes the list, including the privacy rules that governed collection of information about the consumer. This is important because list buyers can be liable for knowingly using information from a company that promised not to sell customer data (see In re Datran Media). In this study, we focused upon representations to list buyers about the privacy rules governing consumer information.

[Figure: Sample Datacard, a NextMark datacard for one list; the stated privacy field is highlighted in green.]
Results (cont.)

Stated DMA members were also more likely to have opt-in privacy than non-DMA members.

[Figure: Real Opt-in Procedures with Respect to DMA Membership, a bar chart of the number of sites (y-axis 0 to 50) by observed procedure (Opt-in, Confirmed opt-in, Confirmed opt-in with activation link, Double opt-in), DMA Members versus Non DMA Members.]

Methods
We started by crawling the NextMark database for consumer email lists matching “.com”, “.net”, and “.org” datacards that could be traced to their source web sites. This narrowed down the set from 60,000+ to 3,653 items. After scanning for valid URLs, we were left with only 499 unique domains.

We created a Gmail account, using plus notation to generate unique addresses for each domain. We signed up for each site and noted both the stated privacy on the datacard, highlighted in green in the sample datacard, and the real privacy employed by the web site. We discarded data brokers, broken web sites, missing web sites, and web sites that required purchases, leaving us with 197 sites we were able to analyze.
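As an added illustration of the method just described (not the study's own code), the following Python sketch builds one Gmail plus-address per site, traces any later mail back to the site that was enrolled with it, and classifies the observed procedure with the categories defined under Definitions; the account name, sites and messages are constructed.

```python
"""Plus-addressing audit helper (constructed example, not the study's code). Each site
gets its own Gmail plus-address, so any later mail to it is traceable to that site."""
import re

BASE_USER = "audit.mailbox"  # hypothetical Gmail account local part

def alias_for(domain):
    """Unique plus-address for signing up at `domain`; Gmail ignores the part after '+'."""
    tag = re.sub(r"[^a-z0-9]+", "-", domain.lower()).strip("-")
    return f"{BASE_USER}+{tag}@gmail.com"

# Constructed datacards: site -> privacy procedure stated on its NextMark datacard
DATACARDS = {"example-news.com": "Confirmed opt-in", "example-deals.net": "Opt-in",
             "example-club.org": "Unknown"}
ALIASES = {alias_for(site): site for site in DATACARDS}
# Constructed inbox after signing up at each site: (From, To, body)
INBOX = [
    ("welcome@example-news.com", alias_for("example-news.com"),
     "Thanks for joining. Visit https://example-news.com/confirm?t=abc to activate."),
    ("offers@promo-partner.example", alias_for("example-news.com"),
     "Exclusive deals for you!"),
    ("noreply@example-club.org", alias_for("example-club.org"),
     "You are now subscribed to our newsletter."),
]
ACTIVATION_LINK = re.compile(r"https?://\S*(confirm|activat|verify)\S*", re.I)

def classify(site, inbox):
    """Observed procedure for `site` plus third-party sender domains that reached its alias.
    Per the Definitions, a confirmation e-mail from the site means confirmed opt-in (with
    activation link if present) and none means plain opt-in; double opt-in needs a site login."""
    own_mail, third_party = [], set()
    for sender, to, body in inbox:
        if ALIASES.get(to.lower()) != site:
            continue  # delivered to another site's alias
        sender_domain = sender.lower().rsplit("@", 1)[1]
        if sender_domain == site:
            own_mail.append(body)
        else:
            third_party.add(sender_domain)  # evidence the address was passed on
    if not own_mail:
        procedure = "Opt-in"
    elif any(ACTIVATION_LINK.search(body) for body in own_mail):
        procedure = "Confirmed opt-in with activation link"
    else:
        procedure = "Confirmed opt-in"
    return procedure, sorted(third_party)

def compare(datacards, inbox):
    """Per site: (procedure stated on the datacard, procedure observed)."""
    return {site: (stated, classify(site, inbox)[0]) for site, stated in datacards.items()}
```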
Results

Out of the datacards with “unknown” privacy, over half of them were confirmed opt-in or confirmed opt-in with a confirmation link. Only one was double opt-in, and the rest were simply opt-in.

[Figure: Datacards with Unknown Stated Privacy, a pie chart of observed procedures: Opt-in, Confirmed opt-in, Confirmed opt-in with activation link, Double opt-in.]
Sites with a larger number of names on mailing lists are more likely to be opt-in. Sites employing confirmed opt-in have slightly over half the average total universe as opt-in. Sites using confirmed opt-in with an activation link have less than half the average total universe as confirmed opt-in. The one double opt-in site has a very low total universe relative to the others.

[Figure: Number of Consumers Enrolled and Privacy Procedures, a bar chart of the number of consumers enrolled (y-axis 0 to 3,000,000) for Opt-in, Confirmed opt-in, Confirmed opt-in with activation link, and Double opt-in.]

Definitions
We found four categories of privacy on the NextMark datacards we used:
Opt-in is the lowest level of privacy. According to the NextMark glossary, opt-in usually involves a checkbox that must be checked to enable third-party information sale. However, many web sites consider clicking a register button on a site with a privacy policy to be sufficient to opt-in a user.

Confirmed opt-in refers to web sites that send a confirmation e-mail after a person signs up.

Double opt-in refers to a web site that requires a user to create an account, log in, and manually opt in to third-party information sharing. Out of the web sites we tried, only one used this method.
In our observed procedures, we further categorized confirmed opt-in into plain e-mail confirmations and e-mail confirmations with activation links.

Unknown can be any of the three above. Almost half of the datacards had “unknown” privacy.

Results (cont.)

Web sites stated by NextMark to be DMA members were much more likely to have “unknown” stated privacy procedures.

[Figure: Stated Procedures with Respect to DMA Membership, a bar chart of the number of sites (y-axis 0 to 70) by stated procedure (Unknown, Opt-in, Confirmed opt-in), DMA Members versus Non DMA Members.]

Conclusion and Future Work
The study did not find significant correlations between stated and observed procedures. Many of the stated procedures were incorrect, but they were just as likely to employ a higher level of privacy as a lower level of privacy.

Still, we found that many web sites consider that by merely signing up for an email list, the user also consents to unrelated, third-party advertising, and as lists get larger, they are more likely to have weaker privacy protections for users. A future study could look deeper into the opt-in process, keeping track of opt-in checkboxes and whether they are checked by default. Further research could also include checking whether the sites respect opt-in/opt-out.
This work was supported by the TRUST Center (NSF award number CCF-0424422)