This week, Stanford Security Lab reported preliminary results from a platform it has been developing, a chief application of which is to detect various forms of third-party tracking in an automated manner. According to researcher Jonathan Mayer’s release, which emphasizes that these are “preliminary findings from experimental software,” Stanford’s system has detected that over half of the companies tested that belong to the self-regulatory Network Advertising Initiative (“NAI”) group leave tracking cookies on users’ computers even after a user opts out of online behavioral targeting. Importantly, though, NAI member companies are required by the NAI guidelines only to allow and abide by requests to opt out of behavioral ad targeting, and the guidelines do not contain commitments with respect to tracking. This distinction between targeting and tracking has been the subject of increasing attention, including from the Federal Trade Commission.
The preliminary findings also suggests that at least ten companies exceed their obligations as NAI members and the commitments in their privacy policies by removing tracking cookies upon receipt of a behavioral targeting opt-out request.