Should targeted ads and/or de-aggregated data sharing be included?

[troy]

So far, the site has focused on helping people opt out of data sharing with third parties for the third party's own use. It also includes a few cases where opting out of the recipient/aggregator service is easier than opting out of all the sources (examples: social media platforms, data brokers, background check/personal data providers).

However, so far it's intentionally avoided opt-out instructions where the only impact is (a) targeted ads from the company itself, or (b) de-aggregated data sharing for reporting (where individual info/transactions can't be identified).

There's a couple reasons for that:

1. This is all about practical impact: helping an average person (who might be willing to invest 20 minutes) make the biggest dent in their unwanted data. The impact from opting out of data sharing with third parties is way, way higher than opting out of ad targeting by the first-party vendor. If someone's got 20 minutes to opt out of 3-4 companies, I want them to spend it opting out of data sharing.
2. A longer list is more daunting for visitors and less effective at highlighting/penalizing the companies who are sharing data. It becomes an impossibly-long set of basically every company with an online presence, not the ~20% of companies (a guess) that have the worst practices.
3. Anyone who doesn't like targeted ads (myself included) should be using an ad blocker, and if they are, they basically won't see any of the results. Related to Opt-Out URL Scheme Issue #1 - for most people, the only way to avoid behavior-targeted ads that's doable with the time they're willing to put in is using an ad blocker, and it's nearly 100% effective.
4. Unlike data sharing with third parties, I think targeted ads are closer to expected at this point. It's not something anyone would opt in to, but it's also so common that it's not a surprise.

Thoughts, anyone?

CC @metametapod - I'd appreciate your thoughts on this.

[metametapod]

Maybe it would be helpful to put them on a separate page that's de-prioritized from more egregious third-party sharing/selling. I think it is useful to issue opt-out requests of targeted advertising to companies in areas with legislation that supports it, since it can be done at the account-level in addition to the browser-level and makes it clear that it's unwanted. It's also typically done using a third-party company that may be building a larger profile of users.

My understanding is that if companies did first-party analytics or advertising it wouldn't necessarily be an issue with e.g. CCPA. I'm skeptical of claims regarding de-identified data sharing for third-party analytics since it's unclear if that still includes things like browser fingerprinting, date of birth, IP address, etc.

[troy]

Thanks for writing these thoughts, @metametapod. I sat on this issue until I had some time to put into it.

I agree that de-prioritizing would make maintenance easier. After some thought, I'm not convinced that it could attract enough readers to follow the instructions to make maintenance worthwhile. The intersection of people with these traits just seems too small:

• concerned enough about ad tracking/personalization to work through a list like this
• don't use ad blockers (or use ad blockers but elect to put in the effort to opt out of ad tracking anyway)
• technically-savvy enough to maintain their opt-out preferences as they change devices (since a lot of ad opt-out prefs are cookies, which tend to be more brittle)

Also, on balance, I think the time that would go into an ad opt-out list would yield more impact if it was spent on the main data sharing opt out list. There's still a fair number of vendors/organizations which have opt out preferences that aren't included, and at least from anecdotes from Internet users, people do seem motivated enough to use the existing list.

So, as much as I wish we could make a dent in ad tracking, I don't think it's a good fit here. If this inspires any thoughts or ideas, please feel free to re-open this or make a new issue.

[metametapod]

Thank you for considering. One thing I want to note is that there's a difference between opting out at the browser-level (e.g. via opt-out cookies) and the account-level (e.g. via CCPA do not sell or share requests). It's not clear to me that opting out at the browser-level would prevent a site from for example sharing purchase history to a third party to build a profile for targeted advertising. I agree that for browser-level opt-outs, ad blockers and GPC signals are more effective.

[troy]

That distinction between account and browser/cookie opt-out makes sense to me too. How about these guidelines for what the site would typically include?

• Data sharing with third parties, regardless of opt-out method (this is most of the current entries), and
• Account-level opt-outs (but not browser-level) of other things

Of course, we can always make exceptions to these, but they seem like a reasonable starting point. Opinions welcome 🙂

[metametapod]

That sounds good to me.