Summer deal - Save $264 + free OVPN-tshirt when purchasing the two-year subscription
IP address

Internet provider

Amazon Data Services NoVa

Not secure

Your internet provider can monitor what you do online.

Should VPN services use modern digital marketing tools?

David Wibergh, about Online Privacy

The awareness of online privacy has increased drastically in the US over the last couple of weeks due to the annulment of the Senate bill, which will again allow internet service providers to collect and sell their customer's browsing information. Collecting customer data in this fashion brings modern digital marketing methods under the microscope and important questions arise: Are modern digital marketing tools invasive and how so? Should VPNs and other privacy services be allowed to use such methods to increase customer acquisition, and where should we draw the line?


Traditionally, businesses have created their market segments by analyzing their current customers and making assumptions about what characterizes them. Through surveys, interviews with customers, focus groups, and customer follow-ups they find out what marks a typical customer, what they tend to like, what they tend to dislike, and through what channels they can typically be reached. Once they have that information, businesses can reach new customers by advertising, and send a fitting marketing message in the channels they now know their typical customer can be reached at. This segmentation approach works quite well both in the physical and the digital realm, but it will always be based on simplifications and assumptions about who your customers are. People within the segment will still be widely different and there is no way of tailoring your marketing message such that it fits every individual within the segment. However, the important thing to take note of is that since this is a crude method of targeting new customers, it’s not privacy intrusive because it is based on assumptions about a large group of people and not actual information about an individual.

As with so many other things, technology has provided more powerful tools for businesses to create their segments. However, as is also often the case, increased power comes at the cost of privacy. Modern digital marketing tools allow marketers to skip making assumptions about target audiences and instead find the exact individuals who are interested in your products. Segmentation is no longer a matter of making assumptions about who your customers are — it’s a matter of first spreading a market message broadly and cheaply, and then creating countless narrow segments that can be as small as one or a few individuals. The marketing strategy that sometimes uses these tools is called retargeting.

Retargeting as a marketing concept

Adroll, one of the leading retargeting marketing platforms in the world describes retargeting like this:

“Retargeting converts window-shoppers into buyers. Generally 2% of shoppers convert on the first visit to an online store. Retargeting brings back the other 98%.”

Retargeting is a marketing strategy which entails reaching out to a customer who has already shown interest in purchasing a product or service but never actually done so. Traditionally, allowing yourself to be retargeted has been an opt-in feature meaning you have actively allow the seller to retarget you. For example, this can be carried out through having partial conversions where a website might ask you to enter your phone number or an e-mail address to get a free sample of a product or trial period of a service. The contact details you left them can later be used by the seller to reach out to you in order to drive you towards making a purchase.

Retargeting, carried out as in the example above, is a legitimate marketing strategy that for a long time has worked well to boost conversion and sales for businesses. Moreover, it’s historically been done without upsetting anyone – or seriously invading customers’ privacy. As such, retargeting per say is not a subject of critique. Instead, it’s through recent technical developments and because more and more personal information is being transferred to online profiles that retargeting has been carried out through questionable methods, and even worse, without a website visitor actively allowing it.

Retargeting via Facebook pixels

One example of privacy invasive retargeting is the most recent launch of Facebook’s tracking pixel. In simple terms a website using the pixel for retargeting can implement it in the following way:

  1. A web shop selling products online adds a piece of code that is called a Facebook pixel to their website codebase. The pixel code is distributed by Facebook and it is linked to the web shop’s Facebook page.

  2. The web shop can now, via their Facebook page, set up certain rules for when the pixel should ‘fire’. A few examples of rules could be to fire the Facebook pixel when a visitor enters the index page and then bounces without making a purchase, or to fire the pixel when a visitor enters a purchase page but then leaves the website. A rule can be setup for virtually any other action taken by a visitor on the site.

  3. The visitor who triggered the pixel is collected in a segment and is linked together with the visitors Facebook account, meaning Facebook now actually knows the identity of the person who visited the website. How? It’s simple, you’ve spent years giving them your personal information freely. The pixel just needs to create a link between your Facebook account and your online activity on the website you visited.

  4. The web shop now has a collection of users who fired the pixel and may create an advertisement or a purchase offer via their Facebook page to retarget the exact visitors who triggered the pixel.

As we see in the example above, the pixel is used by the website to retarget interested visitors. That being said, the truly invasive part, from an online privacy standpoint, is not really that the website has a way to reach these visitors again. Instead, the problem is that the website has shared information about their visitors with Facebook — a third-party platform that can now create a connection between online behavior and an actual identity. What’s even worse is that this happens behind the scenes meaning that the visitor does not actively allow it. Legally, Facebook and similar third-party marketing platforms get around that issue through complex privacy policies that few will actually analyze and read.

Facebook is by no means alone in offering retargeting in this fashion. What should also be mentioned is that Facebook offers many other less obtrusive ways of reaching their users for marketing purposes. Platforms like Adroll specializes in offering comprehensive retargeting possibilities on a wide array of platforms, as well as cross-device functionality. However, regardless of there being many platforms using similar technologies, Facebook’s pixel retargeting stands out as one of the most invasive ones simply because Facebook owns more personal information than any other social media platform, company, and probably even government in the world. The more structured, extensive and centralized personal information becomes, the higher the risk for it being used in the wrong ways.

VPN services and digital marketing

So where does OVPN draw the line between legitimate and illegitimate methods to acquire customers? A few weeks back we talked about our logging policy which we summarized as follows:

"We believe that a [VPN] company should seek to log the bare minimum required to run their service, and customers should opt-in for any additional information stored on the servers."

We take a similar standpoint when it comes to digital marketing: We believe a VPN company and other online security companies can use digital marketing methods as long as the target segment is assumed, and to only use retargeting when a user provides the retargeting information.

In reality, most of our customer acquisitions come from user referrals and organic search engine results which have nothing to do with segmentation. The paid digital marketing tools we use are Google Adwords, posting and boosting blog entries via our Facebook page, Adrecord (A Swedish affiliate network), and retargeting through e-mails.

  • **Google Adwords:**The beauty of Google Adwords is that it only reaches someone when a potential customer is actively searching to fill a need. Just like with organic searches, Adwords is as opt-in as it gets since no segmentation is needed. An important note is that we’ve actively chosen to not use many of the tools offered by Google that can help with optimizing Adwords campaigns, one of them being Adwords retargeting which can otherwise be used in a similar fashion as the Facebook pixel. Another important note is that we do not use Google Analytics to optimize campaigns as this would share users' browsing information with Google. Instead, we run an open source alternative on our own servers, called Piwik where data is not shared with a third party. Piwik also allows us to decide what kind of information we track and don't track. As an example, we've setup Piwik to anonymize the two last bytes in our visitors IP address.

  • Facebook: We do have a Facebook page which is used to spread our blog entries and important service information. When we boost blog post entries we only use assumed target audiences, meaning we guess the characteristics of our target group which was described in the beginning of this blog post. We do not use a Facebook pixel to track activity or conversions on our website, and we do not use any of Facebook’s retargeting tools. While we sometimes boost important messages to people who follows our Facebook page, we still feel that liking our Facebook page is very much an active choice by the user and therefore a legitimate method to reach customers.

  • Adrecord: In contrast to Facebook and Google, Adrecord is a marketing platform limited to the Swedish market. Bloggers in Sweden apply to show our banners on their websites and we are charged if a conversion comes from a particular blog. There is no particular targeting taking place in this case as it’s up to a blogger whether to show our or someone else’s banner.

  • Opt-in Retargeting: We do use retargeting in that we reach out to previous users via e-mail. As mentioned above we deem it to be okay as long as the user provides the information themselves. Since we do not require an e-mail address to be entered to create an account with us, the user has been made aware of us collecting their e-mail address, if they choose to share it with us.


While modern marketing methods are trespassing on privacy at an increased rate, the other side of the coin is that it raises awareness and forces ordinary people to learn more about the area. As OVPN has been advocates of online privacy for years, we feel helping to spread the information in these times is the best thing to do. Just like we encourage you to ask your VPN provider for details regarding their logging policy, we also encourage you to ask for the marketing tools they use and what their reasoning are for using them. Only by learning and questioning things in our surroundings are we able to make businesses change their ways.

David Wibergh