How accurate is your website privacy policy?


Many of us remember using Brightest Flashlight Free, a very popular Android app that did a little bit more than what it disclosed to its users. According to the Federal Trade Commission (FTC), the app was sharing GPS location and ID data without the consent of its users.

As a result, Goldenshores Technologies, LLC, the company behind the app, had to settle with the FTC. This settlement prohibits Goldenshores Technologies, LLC from misrepresenting how its users' and consumers' information is collected and shared.

The lesson from this unfortunate incident is to always have a privacy policy and never collect information about consumers without their consent. Your privacy policy should state exactly what information is being collected and how that information is being used. This, however, assumes that companies always know how the marketing and analytics tags they put on their websites collect and distribute visitor information. Let’s consider an example.

I recently visited a popular site – Pandora.com. After I scanned their website with Tag Inspector, I noticed something quite complex and puzzling. Below is a vast map of tags and platforms that in some shape or form collect data and information about users and their sessions while they navigate the site. Here is a copy of the report (this will also give you a chance to view the image below in much higher resolution).

Pandora.com - Scan of 1st party and 3rd party tag

I am not concerned with all these platforms, but with such immense complexity, is it really feasible for an organization like Pandora.com to always be aware of how data from their users and consumers is being collected and/or passed onto the Internet?

I took my study a step further. Over two days, I tracked all the websites that I visited. Beyond the info that I expected (Google Analytics on 20 websites, DoubleClick and Facebook Social Plugin on 19 websites), I found this:

  1. Media6Degrees tag fired 8 times. Here is what it does – captures a unique brand signal from existing customers and scores prospects based on their digital journeys through millions of websites; m6d offers a real-time advertising solution.
  2. Dotomi tag fired 6 times. Here is what it does – allows decisions such as the banner creative and media placement to be determined in real-time at the user and impression level.
  3. CrowdControl tag fired 5 times. Here is what it does – allows publishers and marketers to collect, organize, and monetize their audience data.

I am not going into greater detail outlining every tool, tag, and beacon that fired. In short, 280+ tags fired and in some shape or form my information was being collected. There are two types of tags that you can see on the Pandora.com chart:

  1. 1st party tags, which loaded directly on the site and were deployed by Pandora.com. For example, Nielsen Online and Google Analytics.
  2. Other tags that did not originate in the source of the site but were loaded by other tags (known as 3rd party tags). For example, Google AdSense loaded AppNexus, and the Google AdWords Remarketing tag loaded DoubleClick, which loaded over 10 other tags. Here is a detailed view:

Pandora.com - 3rd Party tags
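An added example (not from the original article or from Tag Inspector) of the audit these two tag types imply: given a record of which tag loaded which, it rebuilds each load chain back to the page and lists the tags missing from the operator's own inventory. The records, the inventory and the `ExampleAdTag` name are constructed for illustration; the other vendor names follow the article.

```javascript
// Constructed sample: one record per tag that fired, with the tag that loaded it.
// loadedBy: null means the tag sits in the page's own source (deployed by the site).
const fired = [
  { tag: "Google Analytics", loadedBy: null },
  { tag: "Nielsen Online", loadedBy: null },
  { tag: "Google AdSense", loadedBy: null },
  { tag: "Google AdWords Remarketing", loadedBy: null },
  { tag: "AppNexus", loadedBy: "Google AdSense" },
  { tag: "DoubleClick", loadedBy: "Google AdWords Remarketing" },
  { tag: "ExampleAdTag", loadedBy: "DoubleClick" }, // made-up placeholder name
];

// Hypothetical inventory: the tags the site operator believes are deployed.
const inventory = ["Google Analytics", "Nielsen Online", "Google AdSense",
                   "Google AdWords Remarketing", "DoubleClick"];

// Walk the loadedBy links back to the page to get a tag's full load chain.
function chainOf(tag, parents) {
  const chain = [];
  const seen = new Set();
  for (let t = tag; t != null; t = parents.get(t) ?? null) {
    if (seen.has(t)) break; // guard against cyclic records
    seen.add(t);
    chain.unshift(t);
  }
  return chain;
}

// Classify every fired tag and mark whether the operator knows about it.
function auditTags(records, known) {
  const parents = new Map(records.map(r => [r.tag, r.loadedBy]));
  const knownSet = new Set(known);
  return records.map(r => {
    const chain = chainOf(r.tag, parents);
    return {
      tag: r.tag,
      type: chain.length === 1 ? "direct" : "piggyback",
      depth: chain.length - 1, // 0 = in page source, 1 = loaded by a direct tag, ...
      chain: ["page", ...chain].join(" -> "),
      inInventory: knownSet.has(r.tag),
    };
  });
}

// Load chains of tags that fired but are absent from the inventory.
const unknownTags = (records, known) =>
  auditTags(records, known).filter(t => !t.inInventory).map(t => t.chain);
```

The chain shows which directly deployed tag is responsible for each unknown one, which is the tag to review or remove.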

I trust all the websites that I visited, but there are two questions that concern me:

  1. Do the website owners/managers/operators know all the 1st party tags, 3rd party tags, and tags piggybacking off other tags that are being fired when users like me come to their website?
  2. Does the privacy policy of these websites take into account everything that is being used to collect my information online?

Pandora has a well-written Privacy Policy, and here is an excerpt regarding their use of beacons and tracking pixels:

Pandora, its third party advertising partners, and tracking-utility partners employ a technology known as “beacons” or “tracking pixels” (each, a “Beacon”). A Beacon is a small one-pixel-by-one-pixel clear image that is embedded in HTML content, and is about the size of a period at the end of a sentence. When HTML content containing a Beacon is rendered, the Beacon transmits anonymous, non-personally identifiable information to a server, such as a numeric count, unique identifier, or IP address. Pandora and its advertising partners use Beacons to help us better manage content on our Service. For example, we may place a Beacon in HTML-based emails to let us know which emails recipients have opened, or on a webpage to count the number of unique visitors to that page. The use of a Beacon allows us to gauge the effectiveness of certain communications and of our marketing campaigns.

I am just curious: who are their advertising partners? Do all the tags or beacons that fired make up their advertising partner network? Does the policy also cover 3rd party or piggybacking tags that collect data, since these tags are not “embedded in HTML content” directly? I don’t mind when my data is collected in such a way. However, others might. At the very least, I want to be sure that each site I visit is aware of all the beacons that it uses. Otherwise, it might become a slippery slope when one of the beacons does something of which the website operator is unaware.

If you are interested in uncovering what tags are firing and what tags are piggybacking off of other tags, run a scan on TagInspector.com and find out for yourself. This is a sure way to know that your Privacy Policy is in line with the actual tag deployment. Better safe than sorry.

Originally Published On May 27, 2014
July 20, 2017