Meanwhile, in Europe, the ePrivacy Directive came into force. The Directive has been amended by Directive 2009/136 which changes how some cookies are handled, requiring affirmative consent from users for cookies that are not “strictly necessary”. In addition, persistent cookies that contain a unique user ID are classified as personal data. Companies are not sure how to comply with these new regulations without diminishing user experiences online. In part due to these concerns, the cookie directive will not be enforced for a year. Regulators are considering whether DNT could eventually become a mechanism to establish consent to cookies.
Mechanisms for Internet privacy are usually grounded in a theory of notice and choice. As one example, websites offer notice of their data practices through privacy policies, and users choose to visit a site or not. In practice, privacy policies have been unsuccessful in providing clear, usable notice. Unsurprisingly, few users actually read them. This creates information asymmetries where the companies offering goods or services know substantially more than the buyer. Economists identify information asymmetries as a market condition in which there is a high likelihood that is better for government to intervene, rather than to rely on a free market solution.
Users have additional choices beyond electing not to visit a specific website. Many advertisers offer opt-out cookies. These allow users to communicate a preference for privacy rather than targeted advertising. The details of what an opt-out cookie actually does, however, vary from site to site. For example, an online behavioral advertising (OBA) company might respond to an opt-out by deleting all existing cookies and setting no new cookies, beyond the opt-out cookie itself. One major search and advertising company responds to an opt-out request by replacing a unique identifier for the user with the string “OPT-OUT.” The company continues to collect the same information, but all users who have opted out are aggregated together as if they were one giant user. Another major search and advertising company responds by keeping exactly the same data collection practices, but slightly changing data use. In all three cases, the companies stop showing targeted advertisements based on behavioral profiles. Users have no transparent way to know how their data is collected and used, and in practice, they do not understand what NAI opt-out cookies do.
Beyond the issue of user confusion regarding what it means to opt-out, opt-out cookies suffer from a technical challenge. Many of the users who set opt-out cookies also regularly delete all of their cookies in order to preserve privacy. This deletes their opt-out cookies as well. There are technical measures to respond to this problem, including the TACO plugin that retains opt-out cookies, as well as a similar solution built into Google’s Chrome Web browser. These responses do not work in settings where cookies are not set at all, like on some mobile platforms.
As mentioned above, users also have choices in managing their cookies. Using techniques such as rejecting cookies, using session cookies that only last until the user quits their browser, and employing anti-spyware software that deletes many advertisers’ cookies, approximately 30% of US Internet users regularly clear or block cookies. That jumps to approximately 50% in Europe. This reality challenges cookie-based advertising technologies. Some advertisers have moved away from HTTP cookies, using other forms of local storage like LSOs (Flash cookies,) Silverlight, or HTML5. Other advertisers are using techniques like browser fingerprinting or typing patterns to uniquely identify users without using local storage. IP address is a quasi-stable identifier, and on all but new versions of Windows, IPv6 includes MAC addresses (hardware-based permanent unique identifiers) as part of the user’s IP address by default. Most modern mobile devices have unique identifiers. This means that even users who set opt-out cookies, delete other cookies, and read privacy policies may still not have transparency or control over their data privacy. With technologies that do not rely on local storage, users are particularly unlikely to know what data is being collected about them, by whom, or how it is being used. Since the notice and choice approach requires transparency to work — and, if the US is to continue with a self-regulatory approach — then we require new tools to empower user control.
In January of 2011, FTC staff members issued a draft report endorsing Do Not Track as one possible new approach. The FTC report states that current industry self-regulation efforts in the U.S. are not enough to avoid increased regulation or legislation. The DNT idea started in 2007, and has changed substantially since. As an alternative to new legislation, the FTC report suggested that industry devise a DNT mechanism that allows users to opt out of data collection and use. In their next Web browser releases after the FTC report, both Mozilla Firefox and Microsoft’s Internet Explorer implemented a DNT feature in the spring of 2011, and shortly after added support for mobile browsing on Android. Apple’s Safari web browser added support for Do Not Track in the summer of 2011. By 2012, we expect that approximately half of Internet users will have upgraded to a modern Web browser that supports DNT. All three browser implementations have different user interfaces for users to enable DNT, but all three respond in the same way on the back end, sending the same message to websites.
Although three browsers elected to implement sending the same DNT signal, they could diverge in the future. To ensure DNT means the same thing regardless of which browsers and websites are involved, two different standards bodies have discussed DNT — the IETF and the W3C. As of summer 2011, it appears W3C will take the lead on DNT standards. If your company is interested in following or participating in DNT standards, you might consider subscribing to W3C mailing lists to keep up-to-date.
Do Not Track is being discussed primarily within the United States at this time. Presumably this will change, both because W3C is an international standards body, and because European companies face pressure to find technical means to comply with the ePrivacy Directive and opinions of the Article 29 Working Group. European privacy requirements around notice and consent are undergoing rapid change.
Next: How Do Not Track works
 See Implementing the EU e-Privacy Directive: The Cookie Problem for an overview of the EU privacy directives.
 Aleecia M. McDonald and Lorrie Faith Cranor, “Beliefs and Behaviors: Internet Users’ Understanding of Behavioral Advertising,” 38th Research Conference on Communication, Information and Internet Policy (Telecommunications Policy Research Conference) (October, 2010)