But even though those signals are now in use, they are widely ignored -- largely because Web companies have been waiting for guidance from the Internet standards group World Wide Web Consortium, which is trying to figure out how sites should respond to those signals.
Tomorrow, the organization's tracking protection group is slated to vote on some possibilities, which will then to go the group's chairs for further consideration.
One of the ideas up for a vote has privacy advocates crying foul. That proposal, put forward by the trade group Digital Advertising Alliance and others in the ad industry, would allow companies to continue to profile people who have turned on do-not-track, and also send them ads targeted based on their Web activity. In other words, the ad industry's official position is that turning on do-not-track shouldn't stop online behavioral advertising.
Instead, the industry says that anyone who wants to opt out of receiving ads targeted based on behavior should click on opt-out links in privacy policies, or at sites run by self-regulatory groups. The ad industry says that it doesn't want to treat a do-not-track signal as an opt-out because too many people (up to 25%) have do-not-track turned on these days. (In some cases, that's because browser makers or anti-virus companies are turning on the signal by default.)
But opting out through a link is inherently problematic, given that they're cookie-based. For one thing, when people delete their cookies -- as privacy-conscious users tend to do -- they also delete their opt-out cookies. For another, they're not universal, but only affect companies that participate in the self-regulatory program.
In fact, the limits of opt-out links are what spurred the Federal Trade Commission to call for a universal do-not-track mechanism in its 2010 preliminary report on privacy.
Nevertheless, the ad industry now says that do-not-track should not affect online behavioral advertising. Instead, the industry is proposing that ad networks, exchanges and other companies should practice “data hygiene” when they receive a visit from someone with do-not-track turned on.
What, exactly, is data hygiene? That's a good question -- and one whose answer seems elusive. Members of the W3C have exchanged scores of public emails this week in hopes of nailing down the concept.
One possibility is that ad networks will shed precise URLs, but retain the profiling information associated with the pages that users visit. In other words, companies can't retain that someone visits the URL of, say, ShoeStoreX.com/12345, but could retain information about the precise pair of shoes that the person saw on the page.
Justin Brookman, director of consumer privacy for the digital rights group Center for Democracy & Technology, tells MediaPost that any privacy benefit to consumers from that approach is “marginal” at best.
Other privacy advocates to weigh in publicly on the matter seem to agree. Expert Lauren Gelman wrote in a public email to the group that the idea of shedding URLs, but keeping the information associated with the pages is “just like translating English URLs to Spanish and then saying the Spanish ones are out of scope.”
She adds: “It ignores the fact that if you collect multiple data points about a unique identifier, you can eventually determine ... personal characteristics.”
Stanford computer scientist and law school graduate Jonathan Mayer tells MediaPost that he considers the industry's proposal “a stunning about-face,” adding that it's “far afield of what U.S. and EU regulators have called for.”
The industry's proposal also raises an obvious question: If companies can shed certain information about users, and still have enough information to create marketing profiles, shouldn't they do that regardless of whether people turn on do-not-track?
Brookman says he believes the answer is yes. “They should require data hygiene for all their targets,” he tells MediaPost. “It shouldn't be something you have to turn on.”