More on Do-Not-Track
One of my colleagues, Pat Connolly, has been doing a lot of work on the privacy front and has this to say about “do-not-track.”
By now, readers have seen by now the preliminary FTC Staff Report, Protecting Consumer Privacy in an Era of Rapid Change (the “FTC Report”) recommending implementation of a “Do Not Track” mechanism available to all Internet users. The Staff envisions “a uniform and comprehensive way for consumers to choose to block online tracking and targeted advertising” accomplished by legislation or potentially through robust, enforceable self-regulation. Media outlets have heralded the ill-defined mechanism as a simple and powerful tool to aid Internet users in their losing battle to elude an ever more complex and technologically sophisticated tracking bogeyman. Sounds great! “Where do I sign up?” ask the masses. Slow down masses. As with most sweeping government regulations, the devil is in the details. More bedeviling is that there are no, or very few, details. The Staff merely suggests that a “persistent browser cookie” might be the most practical means of implementing “Do Not Track.” Serious technical and other challenges to implementation, and uncertainty as to whether legislation or “robust, enforceable self-regulation” would be sufficient are then acknowledged.
In a nod to the FTC report, the recent Department of Commerce green paper: Commercial Data Privacy and Innovation in the Internet Economy (the “Commerce Green Paper”) asks how the Commerce Department can best “encourage the discussion and development” of technologies such as “Do Not Track.” In general, the Commerce Green Paper reflects greater support for cooperative industry self-regulation regimes than does the FTC Report. Commerce acknowledges that the rate at which new technologies and services develop, and the pace at which consumers form expectations about acceptable and unacceptable uses of personal information, is measured in weeks or months, while a rulemaking can take years and result in rules addressing long-since abandoned services. As such, Commerce suggests engaging multi- stakeholder groups, and employing a “Dynamic Privacy Framework” as the best means of enabling Internet users to take advantage of “Do Not Track” in whatever form it emerges. The Commerce Green Paper mentions in a footnote testimony that goes to the heart of what every stakeholder should have in mind: “[A]greement on what is meant by the ‘do-not-track’ sign on, say, the user’s browser, is a . . . complex task, requiring agreement on policy and best practices among a number of players including users, advertisers, marketers, technology companies, and other intermediaries.”
FTC states that the most practical method of providing uniform choice for online behavioral advertising would involve placing a setting similar to a persistent cookie on an Internet-user’s browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements. “Do Not Track” boosters, media and the FTC trumpet the success of FTC’s popular and successful Do Not Call registry as a bellwether of what life in a “Do Not Track” world will look like. Some have stated that the complexity of implementing “Do Not Track” would be similar to that involved with implementing Do Not Call. Unlike Do Not Call, however, it would be unnecessary, impossible, futile and kind of ironic for the government to set up a centrally administered database of people who have elected to take shelter under any FTC-enforced “Do Not Track” umbrella. FTC’s envisioned “uniform and persistent choice” browser setting would instead send a universally recognized message to deactivate tracking technologies.
Although a “Do Not Track” mechanism could be simple to implement from a technical standpoint, to the extent that it takes the form of a simple on/off switch such a mechanism could amount to an innovation-stifling, business-model killing command and control regime enforced by bureaucrats. The Commerce Department Green Paper recognizes that this is the worst-case scenario. The Green Paper states that any “Do Not Track” mechanism needs to be colored by stakeholder input and ultimately more nuanced than simply allowing consumers to flip a switch to turn off all tracking technologies. Commentators point out that this is because most Internet users like using the free stuff available on the Internet and are willing to pay for it by way of receiving certain targeted advertisements. The question for stakeholders, then, becomes what constitutes “tracking” and what filter will users will be able to apply to tracking activities so as to personalize their experience? For example, a user may be happy to receive targeted marketing from businesses relevant to his profession, but opposed to the collection and sharing of any information concerning that rash he picked up in the hotel spa. Stakes are high concerning the answer to the question of what tracking is, as countless innovative business models rely on monetizing information about Internet users in one way or another.
Do Not Track makes a lot of sense as a normative principle. If an Internet user feels uncomfortable with a certain behavior, that user should be able to opt out of being subject to that behavior, whether the behavior is accomplished by way of a cookie, a flash cookie, or some other method either he or his browser has not learned how to fend off. The problem is in figuring out how to attack the behavior (collecting and sharing information and Internet browsing behavior concerning that rash) without creating a bright-line rule against innovative, useful and responsible ways of collecting and using information in the context of informed consent. Content providers use the information they collect to do lots of stuff that Snidely Whiplash would find downright mundane and in many cases benevolent (e.g., debugging and personalizing user experiences).
“Do Not Track” is not like Do Not Call. When the FTC bars a vinyl siding salesman from calling me at dinner, I am happy. If FTC inadvertently prevents me from enjoying a personalized experience on Pandora, my utility will likely take a hit. As such, FTC has proposed a system where users exercise “granular control” over their “Do Not Track” preferences, rather than a crudely fashioned on/off switch. As technologies and uses of information advance, though, how can such granular control be exercised and enforced without ending up with a tome of regulations the size of the Internal Revenue Code? This is where it is essential for stakeholders to provide input to FTC and the Commerce Department. “Do Not Track” was conceived with the best intentions in mind, but I’m afraid with little thought beyond how great everyone thinks Do Not Call is and whether the technology exists to persistently block scary-sounding trackers. Stakeholders need to give the FTC and Commerce Department some real-world perspective as to what a command and control “Do Not Track” regime would look like in practice and as to what alternatives there are for protecting Internet users’ interest in the responsible, transparent use of their data in the context of informed consent. To these ends, FTC has asked several very important questions concerning any implementation of an enforceable “Do Not Track” regime. Among them:
- How should a universal choice mechanism be designed for consumers to control online behavioral advertising?
- How can such a mechanism be designed so that it is clear to consumers what they are choosing and what the limitations of the choice are?
- What are the potential costs and benefits of offering a standardized uniform choice mechanism to control online behavioral advertising?
- How many consumers would likely choose to avoid receiving targeted advertising?
- How many consumers, on an absolute and percentage basis, have utilized the opt-out tools currently provided?
- What is the likely impact if large numbers of consumers elect to opt out? How would it affect online publishers and advertisers, and how would it affect consumers?
- In addition to providing the option to opt out of receiving ads completely, should a universal choice mechanism for online behavioral advertising include an option that allows consumers more granular control over the types of advertising they want to receive and the type of data they are willing to have collected about them?
- Should the concept of a universal choice mechanism be extended beyond online behavioral advertising and include, for example, behavioral advertising for mobile applications?
- If the private sector does not implement an effective uniform choice mechanism voluntarily, should the FTC recommend legislation requiring such a mechanism?