Privacy techniques and Do Not Track

by 3 contributors:

Users have many privacy tools including setting opt-out cookies, using browser settings to enforce session cookies or blocking cookies entirely; ad blocking plugins that prevent content from loading; and Tracking Protection Lists (TPLs) in Internet Explorer. These are all unilateral actions taken by users, sometimes not based on an understanding of how the Internet works. DNT allows users to express their intentions and their desire for privacy. DNT also moves beyond cookie-based approaches. For example, DNT might affect a company that fingerprints users’ browsers or uses other forms of local storage, like Silverlight or LSOs (sometimes referred to as “Flash cookies” by the press.) Rather than needing to understand how these technologies work, users can enable DNT to signal a preference once and let companies determine how best to respond to that request.

Implementing DNT complements other self-regulatory mechanisms, and is not a replacement for your current investment in self-regulatory approaches. Privacy is a very nuanced, individual topic. Different users will be comfortable with different ways to manage their data. DNT gives them another way to voice their choices, and gives you another way to understand your users’ preferences.

Privacy Policies

Your privacy policy may be a good place for you to acknowledge users who have DNT enabled. You could put a banner at the top or bottom of the policy, or a graphic off to the side, calling attention to your support for DNT. It is a good practice to clearly explain what you change when you see DNT, both in terms of data collection and data use. One company today has coded its privacy policy site to change dynamically to signal support for DNT when a visitor with the header enabled visits the privacy policy.[9]

The disadvantage of communicating via privacy policies is that few people read them. You might consider other ways to communicate with users, too, based on what you know of your site use patterns, and whether there are specific areas where privacy concerns are likely to be heightened.

Opt-out cookies and ad choice

Opt-out cookies and the Ad Choice campaign[10] are complementary to Do Not Track. You may encounter users with:

  • DNT on but no opt-out cookies
  • DNT off but opt-out cookies
  • both DNT and opt-out cookies

In all three cases we suggest that you treat this as a decision from the user that they do not want to be tracked on your site. The majority of your users will have neither DNT on nor opt-out cookies set, in which case you can respond with your normal practices.

Do Not Track and the law

There is no explicit regulatory requirement in any country that mandates implementing support for the DNT header. That said, there are legal and compliance-related considerations to keep in mind when designing how to support consumer requests not to be tracked online via browser-based DNT mechanisms.

The self-regulatory program being proposed by the online advertising industry currently does not include support for DNT, as implemented by browser manufacturers. In the United States, supporting members of the DAA and the IAB are required to offer an opt-out mechanism, but the program does not require support for the DNT header at this time.

Supporting DNT has legal considerations, as it may extend a site’s compliance requirements beyond what is included in its current privacy policy. In the US, saying that a site supports DNT now means that the site must comply with that commitment across its sites and in a manner that is consistent with the site’s definition of what DNT means for its site and the expectations of its consumers.

Regulation may emerge, as early as 2012, if industry doesn’t show that it can support DNT on its own and/or current policy makers in the US and Europe aren’t successful with their proposals. In the United States, several commissioners and the chairman of the Federal Trade Commission have called for a Do Not Track system. Several legislative proposals have also been submitted at the state and federal levels that call for the creation of DNT. In Europe, a few policy makers at the national and country level have started to endorse the idea of DNT, including the Minister of the Department of Media, Culture and Sport in the United Kingdom and the Vice President of the European Commission’s Digital Agenda. Both policy makers are pushing for DNT support by mid-2012.

Please consult with your legal and privacy teams to weigh the regulatory and compliance risks associated with implementing support for Do Not Track.

Up: Introduction to Do Not Track

Previous: What does tracking mean?

Next: Case studies

[9] See http://www.chitika.com/privacy
[10] Ad Choice puts an icon on ads. Users can click the icon and navigate to a page that lets them view and set opt-out cookies for different advertisers. In Europe, so far this is not seen as a viable alternative to affirmative consent to cookies. See http://www.aboutads.info/

Document Tags and Contributors

Tags: 
Contributors to this page: Sheppy, trevorh, jswisher
Last updated by: Sheppy,