At Senate Hearing, CDT Weighs in on Status of ‘Do Not Track’

Last week, Justin Brookman, CDT’s Director of Consumer Privacy, testified before the Senate Commerce Committee at a hearing entitled, “A Status Update on the Development of Voluntary Do-Not-Track Standards.” Senator Jay Rockefeller, Chairman of the Committee, called the hearing to examine the steps industry stakeholders have taken to fulfill their public commitment to honor Do-Not-Track requests from consumers.

Online behavioral advertising has been an issue that regulators and privacy advocates have wrestled with for over fifteen years. In 2010, after years of waiting on self-regulation, the FTC formally recommended the development of Do Not Track — a one-stop browser setting that would universally and persistently turn off behavioral online tracking. Browsers responded and began iterating on ways to offer Do Not Track tools. In 2011, the World Wide Web Consortium (W3C) formed a Tracking Protection Working Group, made up of industry members, privacy advocates and academic experts, to form standards for a universal Do Not Track request tool.

The advertising industry was (perhaps understandably) slower to embrace Do Not Track, but in February 2012, the Digital Advertising Alliance (DAA), the umbrella self-regulatory group for the online advertising industry, announced that they would “begin work” to allow users to opt out of behavioral advertising through browser-based methods like Do Not Track. At the time, the DAA stated that this functionality would be implemented within nine months.

It’s now 14 months later, and so far the DAA hasn’t lived up to their commitment. Today, only a handful of websites acknowledge and respond to Do Not Track headers in any way. And that’s why Senator Rockefeller called the hearing — to investigate why the advertising industry hasn’t made good on its promise.

Luigi Mastria, Managing Director of the DAA, also testified at the hearing. In his testimony, Mastria defended the DAA’s self-regulatory initiatives, and asserted that they already meet the privacy demands of consumers. And he’s right that the DAA does maintain a website through which users can opt out of behavioral advertising by its member companies. However, as Brookman noted in his testimony, this only applies to DAA members, which Mastria admitted in his testimony is only “90 to 97 percent” of the online advertising industry. Other companies receive no indication at all that the user does not want to be tracked. Additionally, the DAA opt-out is almost always cookie-based. If the user or the user’s anti-virus software deletes his or her cookies, the opt-out cookies are deleted as well, and as a result companies no longer know that said user does not want to be tracked.

Another limitation of the DAA’s current “opt-out” option is that it only prevents users from seeing targeted ads, but not from the tracking itself. The DAA’s code of conduct allows collection for the purposes of understanding “consumer preferences and behaviors [or] research about consumers, products, or services”. This overly broad exception allows for extensive tracking even after a user opts out. Chairman Rockefeller noted at the hearing that the industry’s exceptions for market research and other uses promote unfettered data collection about consumers’ online activities.

Mastria also blamed recent actions by Microsoft and Mozilla for DAA’s failure to live up to its obligations. (Microsoft recently turned the Do Not Track feature on by default in Internet Explorer 10 on Windows 8, and Mozilla recently announced that it will block third-party cookies by default on the Firefox browser.) It’s not entirely clear why Mozilla’s action justifies delay on Do Not Track — DAA’s promise to abide by Do Not Track made no reference to cookies, and Apple’s Safari browser has blocked third-party cookies for years. Either way, the DAA has offered no excuse to ignore Google’s Chrome implementation of Do Not Track; it meets every possible condition DAA has or could impose, and yet today, DAA does not require its members to respect the requests from Chrome users who went out of their way to turn on DNT.

Adam Thierer, Senior Research Fellow at the Mercatus Center and another witness at the hearing, argued that requiring websites to accept Do Not Track requests will hurt the online economy. As Brookman pointed out in his testimony, Do Not Track is intended to be an incremental improvement on industry opt-outs, a concept that industry members have long supported. Furthermore, Safari users have effectively had Do Not Track turned on by default for several years, ever since Apple made the decision to prevent third parties from setting cookies. Yet, Brookman notes, the Internet still works on Apple devices; users enjoy the same wide variety of free Web content as users of other browsers, supported by non-behaviorally targeted advertisements.

The next W3C Tracking Protection Working Group meeting is next week in Sunnyvale, California. This is possibly the last opportunity the working group will have to break the logjam in negotiations. CDT has proposed reasonable, practical approaches for the past three years, and we will continue to work to find a solution that allows ad networks to serve ads but limits as much as possible the logging of consumer behavior. Fortunately, since Chairman Rockefeller’s hearing, the DAA has reengaged with W3C, and has even expressed a willingness to address the problem of over-collection for market research and product improvement. That alone offers significant hope that the remaining differences between advocates and industry can be overcome. However, if the working group fails, the browsers will continue to fight back, and not being able to track cookie users may be the least of industry’s problems.