Opt-in Procedures of Web Sites Selling Information to Third Parties
Ryan Kaczowka (Youngstown State University), Chris Hoofnagle, J.D., Nathan Good, Ph.D.

Background
In order to subsidize free services to consumers, web sites often need to sell customer information to third parties, including advertisers, aggregators, and direct marketers. NextMark (lists.nextmark.com) is a leading exchange for such information; it boasts a database of over 60,000 telephone, postal, and email lists available to search through and purchase. NextMark maintains a "datacard" for each list. The datacard describes the list, including the privacy rules that governed collection of information about the consumer. This is important because list buyers can be liable for knowingly using information from a company that promised not to sell customer data (see In re Datran Media). In this study, we focused upon representations to list buyers about the privacy rules governing consumer information.

Methods
We started by crawling the NextMark database for consumer email lists matching ".com", ".net", and ".org" datacards that could be traced to their source web sites. This narrowed the set from 60,000+ to 3,653 items. After scanning for valid URLs, we were left with only 499 unique domains. We created a Gmail account, using plus notation to generate a unique address for each domain. We signed up for each site and noted both the stated privacy on the datacard (highlighted in green in the sample datacard) and the real privacy employed by the web site. We discarded data brokers, broken web sites, missing web sites, and web sites that required purchases, leaving 197 sites we were able to analyze.

[Sample Datacard: figure not reproduced; the stated privacy field is highlighted in green.]

Definitions
We found four categories of privacy on the NextMark datacards we used:
Opt-in is the lowest level of privacy. According to the NextMark glossary, opt-in usually involves a checkbox that must be checked to enable third-party information sale. However, many web sites consider clicking a register button on a site with a privacy policy to be sufficient to opt in a user.
Confirmed opt-in refers to web sites that send a confirmation e-mail after a person signs up. In our observed procedures, we further categorized confirmed opt-in into plain e-mail confirmations and e-mail confirmations with activation links.
Double opt-in refers to a web site that requires a user to create an account, log in, and manually opt in to third-party information sharing. Out of the web sites we tried, only one used this method.
Unknown can be any of the three above. Almost half of the datacards had "unknown" privacy.

Results
Out of the datacards with "unknown" privacy, over half were confirmed opt-in or confirmed opt-in with an activation link. Only one was double opt-in, and the rest were simply opt-in.
[Figure: Datacards with Unknown Stated Privacy (pie chart); categories: Opt-in, Confirmed opt-in, Confirmed opt-in with activation link, Double opt-in.]

Sites with a larger number of names on their mailing lists are more likely to be opt-in. Sites employing confirmed opt-in have slightly over half the average total universe of opt-in sites. Sites using confirmed opt-in with an activation link have less than half the average total universe of confirmed opt-in sites. The one double opt-in site has a very low total universe relative to the others.
[Figure: Number of Consumers Enrolled and Privacy Procedures (bar chart of average total universe per procedure); categories: Opt-in, Confirmed opt-in, Confirmed opt-in with activation link, Double opt-in.]

Web sites stated by NextMark to be DMA members were much more likely to have "unknown" stated privacy procedures.
[Figure: Stated Procedures with Respect to DMA Membership (bar chart, DMA members vs. non-DMA members); categories: Unknown, Opt-in, Confirmed opt-in, Confirmed opt-in with activation link, Double opt-in.]

Stated DMA members were also more likely to have opt-in privacy than non-DMA members.
[Figure: Real Opt-in Procedures with Respect to DMA Membership (bar chart, DMA members vs. non-DMA members); categories: Opt-in, Confirmed opt-in, Confirmed opt-in with activation link, Double opt-in.]

Conclusion and Future Work
The study did not find significant correlations between stated and observed procedures. Many of the stated procedures were incorrect, but they were just as likely to employ a higher level of privacy as a lower level. Still, we found that many web sites consider that by merely signing up for an email list, the user also consents to unrelated third-party advertising, and as lists get larger, they are more likely to have weaker privacy protections for users. A future study could look deeper into the opt-in process, keeping track of opt-in checkboxes and whether they are checked by default. Further research could also include checking whether the sites respect opt-in/opt-out.

This work was supported by the TRUST Center (NSF award number CCF-0424422).
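The plus-notation tagging from the Methods section and the stated-versus-observed comparison from the Results, as an added Python example that is not part of the original poster. The mailbox name, the sample headers and records, and the weakest-to-strongest ordering of the four procedures (taken from the Definitions) are assumptions made here.

```python
import re
from email.utils import parseaddr

# Privacy procedures from the poster's Definitions, weakest to strongest (ordering assumed).
LEVELS = ["opt-in", "confirmed opt-in", "confirmed opt-in with activation link", "double opt-in"]

def tagged_address(local, site, mailbox="gmail.com"):
    """Plus-notation address to register at `site`, so later mail can be traced back to it."""
    return f"{local}+{site.lower()}@{mailbox}"

def source_site(recipient):
    """Recover the site a recipient address was registered with from its plus tag (None if untagged)."""
    m = re.fullmatch(r"[^+@]+\+([^@]+)@[^@]+", parseaddr(recipient)[1])
    return m.group(1).lower() if m else None

def sender_domain(from_header):
    addr = parseaddr(from_header)[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def is_third_party(from_header, to_header):
    """True when mail to a tagged address comes from outside the site it was given to."""
    site, sender = source_site(to_header), sender_domain(from_header)
    if site is None or sender is None:
        return None  # untagged or malformed; cannot attribute
    return not (sender == site or sender.endswith("." + site))

def compare_procedures(stated, observed):
    """Classify the datacard's stated procedure against what sign-up actually showed."""
    if stated == "unknown":
        return "unknown"
    s, o = LEVELS.index(stated), LEVELS.index(observed)
    return "match" if s == o else ("higher" if o > s else "lower")

# Constructed sample records (not data from the study): one per registered site.
SAMPLE = [
    {"site": "example.com", "stated": "opt-in", "observed": "confirmed opt-in",
     "mail": [("news@mail.example.com", "ryan+example.com@gmail.com"),
              ("deals@ads-example.net", "ryan+example.com@gmail.com")]},
    {"site": "example.org", "stated": "unknown", "observed": "opt-in",
     "mail": [("hello@example.org", "ryan+example.org@gmail.com")]},
]

def summarize(records):
    """Count stated-vs-observed outcomes and list sites whose tagged address reached a third-party sender."""
    outcomes = {"match": 0, "higher": 0, "lower": 0, "unknown": 0}
    leaked = [r["site"] for r in records if any(is_third_party(f, t) for f, t in r["mail"])]
    for r in records:
        outcomes[compare_procedures(r["stated"], r["observed"])] += 1
    return outcomes, leaked
```

Running `summarize(SAMPLE)` on the constructed records reports one site whose stated procedure was weaker than observed, one unknown, and one site whose tagged address was mailed from an unrelated domain.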