Q&A: Jules Polonetsky, Chief Privacy Officer, AOL - Page 5

Page 5 of 5

I think it's early yet because we don't know what the users' baseline expectations are. I think you have companies committing themselves by putting up privacy policies and making themselves liable for doing or not doing things.

As the FTC becomes increasingly technologically sophisticated, where they understand what's going on and are able to bring enforcement cases that really target particular nuances of representations, companies are increasingly going to understand that there is a pretty good law in place, and that's the law against deceptive trade practices.

If what you're doing is deceptive to the users, you're on the hook for some pain.

Q: Any types of data that should be categorically off limits?

Both AOL and our ad networks have long had rules against using the kinds of clickstream profiles that, even if anonymous, people might find discomforting -- sensitive health, sexual.

We don't want there to be "the Viagra guy," "the HIV person," the person labeled with a sexual preference because of their Web browsing.

One of the holes in the NAI rules is that if it was personal, it was ruled out -- but it wasn't addressed if it was nonpersonal. I had started getting requests from advertisers to do some things that were discomforting, and I said, "You know what, it's against our rules, but someone else is going to do it somewhere, and it's going to embarrass the entire industry. We ought to have these rules across the industry."

And the NAI indeed adopted them, and just about everybody who does anything behavioral in a significant way is now bound by those. Google is in the midst of joining. Microsoft, I think, just did join. You don't have everybody, but you have just about anybody who's anybody.

Q: AOL is not.

Ad.com is, and Tacoda is. That's where we do the kind of activity that's covered. I actually follow these rules even on AOL, but we don't serve ads on other sites -- our ad servers do that as part of their activity.

Q: In Europe ... they have taken a little tougher stance on privacy, with the Article 29 Working Party recommendations that six months is the maximum amount of time that you can keep search data on your server logs, considering IP addresses as [personally identifiable information] and some other things.

Any comment on what would be the effect on AOL's business were those recommendations become the law of the land in Europe?

We will, of course, comply with the guidance of local regulators, and are taking a look at what needs to be done to tweak any systems so that the rules are well-respected.

Q: And the business impact?

To be determined, I think. To be determined.