Speaking of the need to better educate consumers about digital privacy concerns, today’s New York Times features two articles that shed light on two widespread online data collection practices.
The article “Online Age Quiz Is a Window for Drug Makers” notes that RealAge, a popular online quiz meant to determine ones “real age” based how well you treat your body, makes its money by supplying the data, in various forms, to pharmaceutical companies. According to the Times:
Pharmaceutical companies pay RealAge to compile test results of RealAge members and send them marketing messages by e-mail. The drug companies can even use RealAge answers to find people who show symptoms of a disease — and begin sending them messages about it even before the people have received a diagnosis from their doctors.
…
RealAge allows drug companies to send e-mail messages based on those test results. It acts as a clearinghouse for drug companies, including Pfizer, Novartis and GlaxoSmithKline, allowing them to use almost any combination of answers from the test to find people to market to, including whether someone is taking antidepressants, how sexually active they are and even if their marriage is happy.
RealAge sends the selected recipients a series of e-mail messages about a condition they might have, usually sponsored by a drug company that sells a medication for that condition.
This doesn’t come as a surprise to those of us who study and advocate for privacy rights, but I’m guessing the majority of users who complete these — and similar — online quizes think they’re just for fun, and don’t expect their data to be shared with third parties. Or, again as the Times puts it,
While few people would fill out a detailed questionnaire about their health and hand it over to a drug company looking for suggestions for new medications, that is essentially what RealAge is doing.
RealAge’s privacy policy notes the personal data it collects, as well as the use of Web bugs to track usage on the site, and includes the standard language about when it will share your personal data with 3rd parties: “to fulfill the services that you have asked us to provide to you, including but not limited to sending you free newsletters and promotional e-mails.”
RealAge can provide a valuable service, and it seems to make good-faith efforts to control what personal health information lands in the hands of drug makers, but it is important for consumers to recognize that these kinds of quizzes are rarely just play.
::
The Times‘ other article, “Your Online Clicks Have Value, for Someone Who Has Something to Sell,” reveals the sizable industry focused on tracking and compiling users’ clickstream data. These so-called “behavioral exchanges” focus on creating customized tracking cookies based on a user’s specific browsing behavior, and then “selling” that cookie to advertisers to target their online ads.
While similar to Google’s (and others’) attempts at behavioral targeting, Google’s product is only able to profile users based on their interactions with websites that feature Google (nee DoubleClick) ads. The behavioral exchanges described in the NYT are trying to cast a broader net, and provide this kind of targeting to advertisers who might not be participating in large scale advertising networks. One of the companies profiles also attempts to include user registration data from websites in the user profiles they compile and sell.
The two companies profiled in the article, however, are attempting to address user privacy concerns:
Both BlueKai and eXelate have made a surprising decision on privacy. They not only provide a page where consumers can refuse all targeting, but they are allowing consumers to see what information has been collected about them, at exelate.com/new/consumers-optoutpreferencemanager.html for eXelate, and tags.bluekai.com/registry for BlueKai.
To see how this works, visitors can look at that BlueKai page, which might list some categories they are interested in, or might list nothing. Then, they could go to Kayak.com, which works with BlueKai, and perform a flight search.
Now, when they return to the BlueKai page, they should see a number of categories have been added within travel, like “first class,” or “Friday departures,” depending on what they searched for.
I checked out my profile on both sites, but they didn’t have anything on me, probably becuase I’ve installed Chris Soghoian’s Targeted Advertising Cookie Opt-Out plugin.
MichaelZimmer.org 
“I checked out my profile on both sites, but they didn’t have anything on me, probably becuase I’ve installed Chris Soghoian’s Targeted Advertising Cookie Opt-Out plugin.”
Looks like this plugin does not yet block BlueKai cookies: http://www.dubfire.net/opt-out/
Nor does it block cookies from the rest of the folks in this data exchange space: eXelate, Permuto, etc.
A more plausible reason for BlueKai not knowing anything about you is that they still have a reasonably small network of sites.
Interesting. I’m curious about your thoughts on whether legislation is necessary to address plain vanilla (BlueKai-type) information gathering. Notwithstanding the comment above, it seems like the TACO extension and surfing w/o cookies are easy alternatives that users just need to educate themselves about.
Regarding the drug companies, there was a case from 5 or so years ago that addressed a similar practice (not sure how factually similar): In re Pharmatrak
Hi guys,
I’ve supported exelate in my add-on since the very first version, although I list them by their old name “exelator” on my site. I’ll change that soon. Their system is a bit of a pain in the ass, as it requires opt-out cookies for about six different domain names.
As of v1.5 released this past weekend, Blue Kai is now supported.
Finally, I don’t support Purmuto — but then, they don’t even have a privacy policy on their website, let alone an opt-out mechanism.
Thanks for installing TACO guys.