Three years after CDT and other public interest groups first introduced the idea of “Do Not Track,” Microsoft and Firefox have both committed to building Do Not Track mechanisms into their browsers. Meanwhile, the Federal Trade Commission (FTC) featured Do Not Track prominently in its recent privacy report. The message is clear: Do Not Track is here to stay.
The mechanisms for implementing Do Not Track vary considerably, but the underlying principle is the same: it’s time to empower consumers to prevent the collection and correlation of data about their Internet activities across websites.
Translating this principle into practice, however, is not simple — it requires a difficult conversation about how to define “tracking.” Achieving consensus on this question would guide the development and implementation of browser-based DNT tools, would serve as the basis for educating consumers about their options, and would guide enforcement bodies, such as the Federal Trade Commission, as they consider the implications of the concept.
In order to jumpstart the necessary work of defining “tracking,” CDT has released a proposal that attempts to scope what the phrase “do not track” should and should not communicate.
In our proposal, CDT suggests that the following definition for “tracking” in the context of Do Not Track:
Tracking is the collection and correlation of data about the Internet activities of a particular user, computer, or device, over time and across non-commonly branded websites, for any purpose other than fraud prevention or compliance with law enforcement requests.
CDT suggests that the following activities should be considered “tracking” in the context of Do Not Track mechanisms: Third-party online behavioral advertising; Third-party behavioral data collection for first party uses; Third-party behavioral data collection for other uses; and behavioral data collected by first parties and transferred to third parties in identifiable form. The scoping proposal also includes definitions and examples to help illuminate what might constitute a tracking activity.
We understand that other data collection and use activities raise privacy concerns, but believe that these are out of scope for a Do Not Track proposal (they are, however, in scope for a much-needed comprehensive consumer privacy bill).
This proposal is meant to serve as a guide for implementing the spirit of DNT, but it does not have all the answers. In the coming months, CDT will be consulting with major browser makers, privacy and consumer advocates, advertising networks, online publishers, and others stakeholders to improve and work toward implementation of this draft. We will also be exploring how to translate the idea of “Do Not Track” to other platforms, such as the mobile space, where users lack appropriate tools to stop third-party tracking.