Fresh off successful efforts to quash the Stop Online Piracy Act, a number of internet companies are turning to consumer privacy issues. Web giants like Google and Facebook have been facing mounting political pressure and popular demands for greater user choice and control over privacy settings. In the forefront of the debate is the proposed Do Not Track mechanism to restrict the tracking of user data. In the hands of web service providers and advertisers, information relating to consumers’ online activities – such as browsing history, search terms and geographical location – are pieced together to form a digital fingerprint of interests and preferences. This knowledge enables the delivery of personalized content and targeted behavioural advertising. The industry fears that strict privacy measures could negatively impact advertising revenue, a substantial component of corporate growth.
In North America, web companies have resisted government intervention and moved towards self-regulation. In late February, the Digital Advertising Alliance – representing over 90% of US online advertising – announced an industry-wide self-regulatory program for online behavioural advertising. Under the program, participating companies like Google and Yahoo have committed to implementing the Do Not Track option in web browsers. By year end, Google Chrome will become one of the last major browsers to support Do Not Track. Microsoft Internet Explorer 9, Mozilla Firefox, and Apple Safari already provide the option to send a Do Not Track header with each page request.
The latest move by the DAA coincided with the White House’s unveiling of voluntary privacy guidelines in the form of a Consumer Privacy Bill of Rights. These guidelines are intended to address sectors not already subject to federal privacy legislation. Seven key principles were outlined: individual control, transparency, respect for context, security, access and accuracy, focused collection, and accountability. While it does not specify Do Not Track as a solution, the Bill of Rights calls for more choice and control over the tracking of consumers’ online data. Both the White House and the Federal Trade Commission (FTC) have lauded the DAA’s announcement as a positive step forward in the direction of implementing concrete privacy protection measures. In fact, the FTC had recommended the Do Not Track concept in 2010 as part of its “privacy by design” approach. Nevertheless, the White House has asked legislators to enact proposed consumer privacy legislations to backstop the self-regulated regime.
In substance, the DAA’s recent initiative falls short of addressing key concerns regarding user tracking. The browser based opt-out function would block targeted behavioural advertising, but does not ensure that underlying user data will not be collected and stored in the first place. Furthermore, the proposal applies to third party companies, such as advertisers that track users via cookies, but not to first party service providers. User tracking for broad purposes like market research and product development will also be exempt from the program.
The European Union’s Article 29 Data Protection Working Party has pointed out that the DAA-style self-regulatory rules do not satisfy the applicable European privacy standards. In a recent letter, the working party chair stated:
DNT should imply that no user data are collected, retained, processed and shared anymore, with the exception of information strictly necessary to provide the service explicitly requested by the subscriber or user. It must be clear that data from a user with an active DNT-setting cannot be used for purposes such as “market research” and “product development”
The World Wide Web Consortium (W3C) – an international body that develops web standards – also welcomed the DAA program, and is pushing head with the development of international e-privacy guidelines. Its member company Mozilla was the first to implement browser-based Do Not Track. In response to the DAA proposal, Mozilla reiterated its commitment to working with W3C and the three underlying principles of giving user real choices, minimizing data collection, and letting users control their online experiences.
Some view the DAA’s Do Not Track mechanism as an attempt to preempt W3C’s standard development. It is not clear, however, that self-regulation will remain the industry’s modus operandi for long. Government regulators and international bodies are paying increasingly closer attention to the privacy policies and practices of web service providers and online advertisers. For instance, the National Association of Attorneys General (NAAG) recently sent a letter to Google CEO Larry Page expressing concern over Google’s new privacy policies and asking for an opt-out option to be provided. As privacy breaches continue to make news headlines, the popular demand for meaningful choice and control over the tracking of user data would likely go unsatisfied by the industry’s self-proposed rules. Depending on the pace and scope of implementation of measures like DAA’s Do Not Track, it may be a matter of time before industry self-regulation gives way to legislative enactments and government regulation.