From this report, it sounds like the Do-Not-Track header (as implemented in Firefox 4) now has the support of at least two tracking companies, Chitika and BlueKai. By implementing the header, these companies support a forward-looking approach to user privacy and add credibility to the industry’s self-regulatory effort.
If your company uses tracking, here’s how you can also comply right now, with a minimum of effort:
- Don’t wait for a fancy definition. Even if the edge boundaries of the definition of “tracking” are not yet universally agreed, for the vast majority of tracking companies, it’s clear enough that a Do Not Track election is intended to cover their core activities. Take BlueKai for example: there’s no question that nearly everything they do on a user’s machine involves “tracking” by just about any definition. If the same is true for your company, there’s no reason to wait to give effect to the user’s choice.
- Treat the header like an opt-out cookie. Even though ad-industry leadership has yet to deal with the “do-not-target” versus “do-not-track” distinction, a fine starting approach is to treat a computer transmitting the Do-Not-Track header just as you would a computer that already has your opt-out cookie. Whatever policy you apply to opted-out computers you should apply to Do-Not-Track elected computers.
- Write the opt-out cookie when you see the header. An elegant, simple and user-friendly way to give effect to that Do-Not-Track choice (which was suggested to me recently) is to always recognize the header by writing your standard opt-out cookie in response. By adding this process, you can bridge the Do-Not-Track process with your existing opt-out systems, and you can make the user’s choice persistent. Not only that, since the user now sees your opt-out cookie in their cookie list, they have direct assurance that their choice is being honored.
- Put it in your policy. Now that you’ve stepped up to the plate to implement, make it official by adding a few new sentences to your privacy policy, something like: “Our systems are designed to recognize a ‘Do Not Track’ election made in the latest version of Firefox. We treat these users in the same way as if they have an opt-out cookie.”
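
The steps above, sketched as an added example (not code from the original post or from any company named in it): a WSGI middleware that treats Firefox's `DNT: 1` request header exactly like an existing opt-out cookie and writes that cookie in response. The cookie name `optout`, its lifetime, the `tracking.opted_out` key and the `pixel_app` endpoint are assumptions made for illustration.

```python
from http.cookies import CookieError, SimpleCookie

OPT_OUT_COOKIE = "optout"          # assumed name: substitute your existing opt-out cookie
OPT_OUT_MAX_AGE = 5 * 365 * 86400  # assumed lifetime in seconds

def has_opt_out_cookie(environ):
    try:
        return OPT_OUT_COOKIE in SimpleCookie(environ.get("HTTP_COOKIE", ""))
    except CookieError:            # malformed Cookie header: treat as no cookie
        return False

def sends_dnt(environ):
    # WSGI exposes the request header "DNT: 1" as HTTP_DNT
    return environ.get("HTTP_DNT", "").strip() == "1"

class DoNotTrackMiddleware:
    """Treat DNT: 1 like the opt-out cookie, and write that cookie in response."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        dnt, cookie = sends_dnt(environ), has_opt_out_cookie(environ)
        environ["tracking.opted_out"] = dnt or cookie  # one policy for both signals

        def start(status, headers, exc_info=None):
            if dnt and not cookie:  # make the header-based choice persistent
                c = SimpleCookie()
                c[OPT_OUT_COOKIE] = "1"
                c[OPT_OUT_COOKIE]["max-age"] = OPT_OUT_MAX_AGE
                c[OPT_OUT_COOKIE]["path"] = "/"
                headers = headers + [("Set-Cookie", c[OPT_OUT_COOKIE].OutputString())]
            return start_response(status, headers, exc_info)

        return self.app(environ, start)

def pixel_app(environ, start_response):
    """Hypothetical tracking endpoint: sets an ID cookie unless opted out."""
    headers = [("Content-Type", "text/plain")]
    if not environ["tracking.opted_out"]:
        headers.append(("Set-Cookie", "uid=constructed-id-123; Path=/"))
    start_response("200 OK", headers)
    return [b"ok"]

def set_cookies(environ):
    """Run one constructed request through the stack; return Set-Cookie values."""
    seen = []
    app = DoNotTrackMiddleware(pixel_app)
    app(environ, lambda status, headers, exc_info=None: seen.extend(headers))
    return [v for k, v in seen if k == "Set-Cookie"]
```

Calling `set_cookies({"HTTP_DNT": "1"})` returns only the opt-out cookie, while a request with neither signal still receives the constructed `uid` cookie.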









Jim, this is all great advice. While I know you know, I gather the issue for OLB advertisers is that “Do Not Track” in the FTC report is quite ambiguous, i.e.
- Press release: “One method of simplified choice the FTC staff recommends is a “Do Not Track” mechanism governing the collection of information about consumer’s Internet activity to deliver targeted advertisements and for other purposes.”
- Report: Given these limitations, Commission staff supports a more uniform and comprehensive consumer choice mechanism for online behavioral advertising, sometimes referred to as “Do Not Track.” Such a universal mechanism could be accomplished by legislation or potentially through robust, enforceable self-regulation. The most practical method of providing uniform choice for online behavioral advertising would likely involve placing a setting similar to a persistent cookie on a consumer’s browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements.
I gather there are multiple ambiguities, just a few examples:
- Does the setting mean no collection of data or just no targeted ads? I gather no collection of data is a big issue on several levels including technology investment to change.
- For no targeted ads, does it just mean only 3rd party as in the earlier FTC report and the OLBA self reg or also 1st party? If only 3rd party, does it have all the exclusions both in the earlier FTC report and as interpreted/expanded in the OLBA self reg, i.e. Online Behavioral Advertising does not include the activities of First Parties, Ad Delivery or Ad Reporting, or contextual advertising (i.e. advertising based on the content of the Web page being visited, a consumer’s current visit to a Web page, or a search query)?
- Are just html cookies covered or are other technologies like flash cookies also covered, assuming regeneration of html through flash isn’t supported by anyone even in the self reg community?
- If it’s also collection, does that also bar collection on system log reports that have many uses including security, etc.?
While I’m no longer directly involved in the work, I’m assuming that the industry statements of we don’t know what such a browser setting would mean refers to all these issues and likely others. I’m guessing that industry may rightly be concerned that honoring the setting at any level without the clear definition may leave them open to all other levels. The industry opt-out website and the NAI site, of course, carefully define all these issues in ways designed to meet FTC notice standards and consistent with the OLBA self reg.
My guess is that if the browser companies are going to include these settings and have them actually work, versus just throwing the issue over the wall to advertisers, they need to be quite specific on what is covered and what isn’t. They also need to include a few FAQs. For example, assuming the exclusions seemingly supported by the FTC’s earlier report are still valid, then people need to be aware that all targeted advertising will not cease, e.g. 1st party.
Look forward to your thoughts on these issues.
Paul, thanks very much for the thoughtful comment. A couple of additional points in reply:
1. As you point out, it may be a while before do-not-track versus do-not-target is resolved, even though I think it’s clear enough from the FTC that they want do-not-track. My point in this post is to say, even if an organization is going to wait for a formal requirement around tracking versus targeting, it should at least implement the level of opt-out that is currently available. As long as the privacy policy is amended to be clear about how the DNT header is being interpreted (no-track or no-target), it’s hard to see a serious consumer complaint that the company misled the user or made them worse off by applying the opt-out that is available.
2. I don’t think there’s any question that the FTC and industry organizations are after third-party and not first-party tracking. This is a complete red herring, in my view.
3. Nor is there any question that tracking via Flash cookies — or any other persistent identifier — would be covered.
4. Fraud and law enforcement exceptions are no doubt on the table. But again, since I think those are already in place now in existing opt-out programs, interpreting the DNT header as an opt-out today doesn’t raise any new issue here.
Finally, I couldn’t agree with you more that the browser makers need to provide more FAQ information for consumers as this comes together. But again, if the industry wants to really demonstrate commitment to consumer choice, there’s no reason to wait.