Twenty-first century technology may be considered our servant, but the question of who exactly it serves is one that is coming up more and more as we advance into the Internet age. As far reaching in so many people’s lives as the Web tends to be, fundamental questions about privacy have not yet been answered.
Even as more and more people adopt smartphone and tablet technology, the idea that some entities are following people around the Web still comes off as a bit creepy at times. There’s no shame in Googling yourself or lurking around your friends’ Facebook profiles, but when companies we have no real relationship with can easily track our movements online, the entire affair screams out for deeper probing.
That is why the Do Not Track movement has taken off around the world, and why U.S. based tech firms from all sectors are working on coming up with a solution before any new laws get passed that could find their Web tracking tactics to be illegal.
Do Not Track Laws Too Confusing?
Do Not Track laws are going into effect in the UK this month, and the World Wide Web Consortium (W3C) is close to finalizing its own protocols on Web tracking, but U.S. legislation may not be far behind. That means U.S. tech firms are facing a complicated landscape of privacy versus customer experience in the online world.
For example, starting on May 26, a year-long grace period expired in the UK, and new Privacy and Electronic Communications Regulations rules went into effect. It forces companies conducting online tracking into compliance or face fines of up to 500,000 pounds sterling for serious offenses. Not all forms of tracking are covered by this one directive, of course, and that is one reason the whole process is so divisive and/or confusing.
Furthermore, while all of the most widely used Internet browser companies have installed some kind of cookie-killing mechanism, websites don’t have to honor those tools, though some have volunteered to do so. Microsoft decided to release a new version of Internet Explorer with its Do No Track feature set to on as the default. A few days after making the announcement, new DNT draft specifications rendered that decision moot, and all browsers must give users a choice as to whether to turn on this function. If Microsoft doesn't change its mind, it will be out of compliance on with new Web standards.
Meanwhile, any U.S. based Do Not Track law may have to wait until 2013, a non election year, but tech firms should step up now and do some self regulation before it comes to that, Jonathan Mayer, a Stanford researcher working on the W3C standards this summer, said in an interview.
“The Federal Trade Commission wants to get some kind of legislation if the ad industry doesn’t get its act together,” Mayer said. (Editor's Note: Read The FTC Privacy Report, "Do Not Track" Options, and Web Analytics)
For those companies who do have a large presence in European markets, Do Not Track will have the biggest impact on third-party software companies, and less so on first-party websites like B2B sites. The same goes for W3C standards, and likely any future U.S. legislation as well. In other words, first-party websites will have much more authority to track visitors for analytics and site functionality than those third-party properties.
First-Party Websites and Third-Party Operators
First-party websites are the places people go to voluntarily. CMSWire and Google are first party websites, and people go there because they are looking for something. Third-party operators are those who sometimes have a presence on those first party sites, but the visitor may not know they are there or who they are. The difference is the visitor is at least giving inferred consent by going to those first-party sites. This is an important distinction, and one the ad industry tends to gloss over in negotiations, Mayer said.
As to how careful U.S. companies have to be around European Do Not Track laws, it will depend on how much business they do in those countries, Mayer said. In other words, companies who have a heavy European footprint will have to abide by laws there. Besides the Privacy and Electronic Communications Regulations update in the UK, the European Commission is also updating its General Data Protection Regulation. The new directive will force websites to get visitors’ permission before tracking them online, and the proposal is already headed to the European Parliament for discussion.
Firms Banking on No U.S. Laws Getting Passed in 2012
In the U.S., no laws will likely pass this year, and Semphonic VP Strategic Analytics, Phil Kemelor, said he sees that as a good thing.
“Privacy lawsuits will likely be more effective than any legislation,” Kemelor said. “The companies that are most affected by this (DNT) will have to adapt. They always do.”
It’s really an opportunity for websites to find out more about those who do opt into sharing their info, Kemelor said. That’s because many people do value a personalized web experience when they go to a website. Many visitors enjoy an engaging Web experience, and the more information websites know about those visitors, the better equipped they’ll be to customize a page for that person. This makes for a delicate balance, but Kemelor said it would be easy get around any Do Not Track law.
“Companies will give incentives to those who share (information),” Kemelor said. “They are the most valuable visitors anyway.”
Additionally, Web browsers don’t have really easy to understand DNT mechanisms, Kemelor said. “Websites will be doing it themselves.”
Third-party operators who don’t police themselves may end up fighting against one of several proposed pieces of legislation currently stalled in Congress. The most industry friendly of those is the Commercial Privacy Bill of Rights Act of 2011 put forward by Senators John Kerry and John McCain. This bill has no Do Not Track feature and instead relies on consumers to opt out of unwanted tracking and marketing.
Privacy advocates, on the other hand, have mostly thrown their weight behind the Do-Not-Track Act of 2011 proposed by Senator Jay Rockefeller. This law more specifically targets third-party operators, and gives the FTC enforcement authority.
The main difference is the Kerry/McCain bill gives people a chance to opt out of tracking, where the Rockefeller bill forces companies to not track those who have defined such a preference. A good way to think about it is the Rockefeller bill comes closest to the online version of the Do Not Call list for telemarketers.
Small Behavioral Marketing Firms Strongly Opposed
These are the companies who stand to lose the most in this fight, and privacy advocates agree it is not first-party websites that are the biggest concern. Trying to disable third-party tracking is what it’s really all about, Rainey Reitman, spokesperson for the Electronic Frontier Foundation said.
People have no relationship with these third-party operators, and it’s very hard to know who’s tracking what and what is done with that information. That’s why efforts are not targeted as much to first-party websites. Visitors go to those websites for a reason, therefore much of the usual analytical tracking and normal visitor profiling is not being targeted by privacy advocates.
In the case of ongoing W3C negotiations, those opposed to broad Do Not Track policies are a divided group, with the above mentioned small firms being the most against it, Mayer said.
“Small third party websites have no incentive to sign up for DNT,” he said. “There’s a split growing among the various business models.”
This week, the W3C Tracking Protection Working Group is meeting in Bellevue, Wash. to begin finalizing the group’s recommendations on standardizing DNT technology. These are exactly the kinds of policies that could be used as a model in part of any future U.S. legislation, and industry and privacy advocates are watching closely.
(Correction notice: An earlier version of this story said Microsoft changed its position on the IE 10 DNT function. The error is regretted)