I'll be releasing a new version of TACO in the next few days. In the process of collecting a bunch more opt-out cookies, I came across a couple examples of horribly broken opt-outs.
In order to share my amusement/frustration with the rest of the Internet, I'm presenting them here:
In the 100+ online advertising firms whose opt-outs I have requested, this is the only one that I've found that requires a CAPTCHA in order to opt-out. By itself, this would merely be an annoyance. However, the CAPTCHA code on their opt-out page is broken, and thus even correctly entered answers are rejected as invalid. Thus, it is impossible to ever successfully receive an opt-out cookie from their site.
This company has a lot going for it. Their privacy page makes all kinds of bold promises, such as the fact that their cookies comply with the Platform for Privacy Preferences (P3P). The buttons to opt-in and opt-out are fairly easy to discover, and clearly labeled. Unfortunately, both the opt-in and opt-out buttons link to non-existent pages on their website. Anyone wishing to opt-out is thus met with a 404 error.
These are not the first two horribly broken opt-out sites that I have discovered -- just the most recent. A few weeks ago, I had to email the folks at BlueKai, after discovering that the opt-out links on their web site had been broken for over two months. On the plus side - BluKai's CEO, Omar Tawakol had the links fixed within 2 hours of my initial email, after 5PM on a Friday afternoon.
This is not an attempt to argue that these companies are maliciously providing broken opt-outs on their site. Hanlon's Razor tells us to never attribute to malice that which can be adequately explained by stupidity. In this case, it far more likely to be ineptitude rather than some devious plot to stop consumers from using the opt-outs.
Why would they need to go out of their way to break the opt-outs? Even when the opt-outs are working, few if any consumers will actually discover them in the first place.
My point is that the industry is not doing a good job of policing itself, companies are not performing the most basic form of quality assurance and testing, and it is clear that they are not hiring outside auditors to independently verify that the opt-outs are working properly.
This industry is big enough, and profitable enough to not need to depend upon a single motivated graduate student to discover and police its broken opt-outs.
This is an industry that is desperately fighting the efforts of Congress to force it to switch from an opt-out model to opt-in for data collection and use... yet many of the industry players can barely provide working opt-outs.
We need comprehensive regulatory oversight of this industry, and we need it now.