Starting last year, and with a major addition to the policy effective on April 8th, Google AdSense began requiring their publishers to have a clearly-written, easily visible privacy policies on their sites.

As is usual, this requirement was overlooked by a bunch of the 'get rich quick' crowd, who tend to get weeded out of the program anyway, and a great wailing and gnashing of teeth ensued. But, frankly...I don't care to deal with the problems those folks have anyway. What I would like to do is explain the purpose of a privacy policy, Google's particular requirements for an AdSense publisher's policy, and how you can easily write one for your site so you don't lose your AdSense account.

Why have a privacy policy at all?

The first and foremost reason for a privacy policy about doing ethical business. Let's look at this from a few standpoints - Google's, the advertiser's, the publisher's, and the site visitor's. 

First, Google. Google is, and partners with, some of the largest companies in the world through the AdSense/Words programs. If parties on either side of the fence - sane parties I mean, not these "AdSense is a scam because I got caught trying to scam them and they banned my account doofi - lost faith in the Google brand (which is largely built on their ethics) then the whole thing falls apart. 

The advertisers must have a degree of confidence that Google both maintains and enforces standards among their AdSense publishers. So, if Richard Branson happens to stop by LowGenius.Com and sees that I don't have a privacy policy and there's an ad for Virgin Airways at the top of my page, he's going to throw a fit and pull his ads. This means that the whole network loses, both tangibly and intangibly; tangibly because that advertiser's cash is now not flowing through the network into the publisher's hands, and intangibly because of the loss of confidence in the safety and reliability of the program among advertisers in general.

The publishers need to know that AdSense is looking out for them, and is not allowing advertiser payments to be diverted through corner-cutting and shady tactics. The privacy policy requirement is also a bit of a subversive quality initiative by Google, intentional or not - the policy protects the publishers from users who are paranoid (utterly unjustified, by the way) about cookies and tracking technology, as well as allowing them to demonstrate in a public, tangible fashion that they are committed to the safety, security, and confidence of their users.

Finally, the end user benefits from a good privacy policy for a couple of reasons. It gives them a chance to read accurate information about how cookies and other tracking technology works without a lot of hyperbole or scaremongering, as sometimes happens in media reports on cybersecurity. It also gives them the choice and information about how to opt out of participating or accepting these cookies. Some people, no matter how many times you explain to them that this is a completely benign technology and does not relate to their personal identity in the least, simply fee threatened or insecure about the idea of Google, or anyone else, 'following' them around the internet to see what their interests are. It is quite properly their choice to refuse to participate in this technology, without having to avoid your site.

Ultimately, a good privacy policy is just good, sensible business.

This tracking stuff sounds kinda big-brother scary! Why does Google need to know all these things?

This is a very common misconception or misplaced fear, and sometimes the media coverage of cybersecurity issues doesn't help.

A cookie is a small text file written to your computer by a website. Only the website that writes the cookies can read them. For instance, when I'm working on development at this site, I'll often load "www.lowgenius.com" into one browser window, and "lowgenius.com" into a second. Since the logins here are cookie-based, if I log on to www.lowgenius.com, I can stay logged off lowgenius.com and see the site as a normal user would.

Every web server on the internet collects a certain amount of information, from which a great deal of additional information can be determined. This is absolutely without regard to cookies or javascript, and includes things like:

• Your IP address (the numeric designation of your computer on the 'net)
• Your operating system type and version
• Your browser type and version
• The ability of your browser to handle certain file types, like Flash, Javascript, and so forth.

Analytics and tracking systems employ log analysis, automated IP lookups, and other technology to provide a greater degree of detail. When Javacript is involved, you can get even more detail, for instance the screen resolution and color depth of the monitor a give user has.

AdSense uses cookies to track the general interest categories of the sites you visit that have AdSense on them, in order to serve advertisements to you that are more likely to appeal to your personal interests. If you visit a lot of gaming sites, you'll see more gaming ads. If you visit a lot of programming sites, you'll see more programming ads. In no way is this information connected to your personal identity. It does, however, not only help Google serve their advertisements more effectively, but when aggregated and analyzed can reveal important information about market trends, browsing habits among different demographic or geographic groups, and so forth.

The technology is evolving a bit now, so that for instance, a visitor to my gaming blog might have their Google ad cookie tweaked to indicate an interest in video games, and that could be used to help the next AdWords site they visit to decide 'hey, maybe this guy will like to see this Halo or World of Warcraft or NVidia graphics card ad.' 

As the technology becomes more complex, it becomes possible to collect more information about the user's interests without their explicit input or consent, and thus we've come to the point where we have privacy policies and things like that, to tell people how they can choose NOT to divulge that information...because to not give them that choice would be unethical and a little too close to legitimate Orwellian intrusion for some people (although I personally have no issue with it in the least). 

In theory, you could go quite nuts with this - remember that Tom Cruise flick where he's walking through a mall and all of the TV screens are advertising products to him personally?  Outside of the limitations of civil rights and commonsense wariness of being TOO readily identifiable, there's no reason that technology couldn't be implemented right this minute.  Indeed, what we're seeing across the 'net today is precisely that implementation, but without the intrusive RFID chipping of every human being on the planet.

In conclusion:  a privacy policy is really just a matter of doing the right thing.  Your visitors want to know if you're storing information on their computer, and they want to know if a third party is storing information on your computer via their site.  Most intelligent and sane people understand that this information is not some insidious profiling mechanism from a science fiction feature, but rather a convenient and easy tool for site owners and application developers to automate processes, allow the user to have a degree of personalized and customized experience, and of course, for advertisers to more accurately target the things they're trying to sell you.