Three lawmakers are asking the Internet standards group World Wide Web Consortium to revise its approach to online privacy.
Senators Ed Markey (D-Mass.), Al Franken (D-Minn.) and Joe Barton (R-Texas) say in a new letter to the W3C that its proposed "do-not-track" definition won't protect users' privacy. The lawmakers specifically criticize the W3C for allowing "first-party" sites like Amazon to collect data from users who have activated a do-not-track command.
"We believe that both first and third parties should be held to high standards that respect privacy and promote competition online," the lawmakers write.
The senators are weighing in on standards unveiled in July, when the W3C proposed that ad networks and exchanges should stop collecting data from users who have turned on the do-not-track signals (except for auditing, security, debugging and frequency capping purposes).
The prohibition on data collection would apply when ad networks and other companies are engaged in cross-site tracking -- meaning that they collect data about users from one company's site in order to serve them targeted ads on a different site.
When publishers encounter users who have turned on do-not-track commands, the publishers would remain free to collect data on their own sites, but not at sites operated by other publishers. For instance, Facebook would be able to collect data at Facebook.com -- even if users have turned on do-not-track -- but wouldn't be able to gather data about those users via Like buttons installed on other companies' sites.
The lawmakers say the different rules for first and third parties "gives certain companies ... an exemption from what could serve as an important consumer protection and an unfair advantage over companies that better honor consumer rights and expectations."
Some ad tech companies have raised similar complaints. Last year Max P. Ochoa, general counsel and chief privacy officer at the demand side platform Turn, said the proposed definition of tracking will result in “a dramatic concentration of market power in the hands of first parties that have shown themselves willing to collude to manipulate markets and are historically poor stewards of privacy.”
He pointed out that some first parties -- including Google and Facebook, although Ochoa didn't name them specifically -- faced enforcement actions for allegedly violating their privacy policies.
But supporters of the W3C approach say that consumers expect that sites they navigate to will collect data.
"As the FTC has noted, most consumers understand and expect first parties to collect data in order to optimize or customize their experience," Jason Kint, CEO of Digital Content Next, writes in an email to MediaPost. "Third parties by definition tend to collect data about consumers with very little transparency and that data is mostly used in ways that do not benefit the consumer. For those larger companies who straddle both worlds, the W3C DNT standard took that into account to align with consumer expectations and context."
All the major browser companies now offer do-not-track headers, which were designed to enable consumers to opt out of online behavioral advertising. But those settings don't actually prevent anyone from tracking users. Instead, the headers send a signal to publishers and ad networks -- which are free to honor them or not.
The W3C has spent four years trying to forge a consensus between privacy advocates, computer scientists and industry representatives about how to interpret those do-not-track signals.
The process has been extremely contentious. The group repeatedly changed leadership, and saw high-profile defections by some privacy advocates as well as the self-regulatory trade organization Digital Advertising Alliance.
One reason why the W3C had trouble crafting a standard stemmed from Microsoft's 2012 announcement that it would turn on do-not-track by default in Internet Explorer. That move initially struck some observers as pro-privacy. But the decision also enabled ad companies to justify ignoring do-not-track settings on the grounds that they didn't reflect users' choices.
Microsoft reversed course in April, saying it would stop activating do-not-track signals by default.
For their part, Markey, Barton and Franken disagree with Microsoft's more recent decision. "Any final standard should direct browsers to default to 'Do Not Track' to provide consumers with adequate control over their personal information," they write.