The ad industry is urging California's attorney general to back away from proposed privacy regulations that would require companies to honor do-not-track settings that consumers can send through their browsers.
In comments filed late Friday, the major ad trade groups argue that do-not-track settings don't enable consumers to decide how their data should be handled on a company-by-company basis.
“It is not possible through these settings for a consumer to make discrete choices among businesses allowing the consumer to restrict certain businesses while permitting other businesses to transfer data to benefit the consumer,” the Interactive Advertising Bureau, Association of National Advertisers, American Association of Advertising Agencies, American Advertising Federation and Network Advertising Initiative write in 13-page comments filed late Friday with California Attorney General Xavier Becerra.
The groups add that businesses have no way of knowing whether consumers themselves activated do-not-track signals, or if an “intermediary did so without the authorization of the consumer.”
Becerra is currently finalizing regulations for California's new Consumer Privacy Act, slated to go into effect in January. That law allows state residents to learn what personal information about them is held by businesses, request deletion of that information, and to opt out of its sale.
A set of regulations proposed in October by Becerra would require companies to honor opt-out requests that people send through browsers, plug-ins or privacy settings.
Browser developers have offered do-not-track signals for years, but those signals don't prevent tracking. Instead, the signals communicate a do-not-track request to ad tech companies and publishers, which are free to honor the requests or not. Currently, those requests are widely ignored.
The ad industry argues that the proposed regulation requiring companies to honor the signals is “extralegal,” because it isn't in the statute's text.
“The California legislature had the opportunity to enact a browser-based signal requirement on multiple occasions, but never chose to do so,” the groups write.
The IAB and others alternatively argue that companies should be able to either honor do-not-track requests, or a different opt-out mechanism, such as the one offered through the ad industry's AdChoices program. That initiative involves notifying consumers about online tracking, and letting them opt out of receiving targeted ads (but not data collection).
That industry-run opt-out program has been criticized by privacy advocates for several reasons, including that the opt-out requests are stored in cookies -- meaning they get erased when consumers delete their cookies, or are subject to blocking by browsers. Firefox and Safari now automatically block certain cookies by default.
Along with asking Becerra to endorse cookie-based opt-outs, the IAB and others say Becerra should prohibit browser developers and other intermediaries from blocking opt-out cookies.
“Certain intermediaries in the online ecosystem stand between consumers and businesses and therefore have the ability to interfere with the data-related selections consumers may make through technological choice tools,” the groups write. “These intermediaries, such as browsers and operating systems, can impede consumers’ ability to exercise choices via the Internet that may block digital technologies (e.g., cookies, javascripts, and device identifiers) that consumers can rely on to communicate their opt out preferences...The OAG should by regulation prohibit such intermediaries from interfering in this manner.”
Andrew Weinstein, a spokesperson for the ad industry groups, says the groups are "narrowly and specifically" asking Becerra to ensure browser developers don't "interfere with the data-related selections consumers make through technological choice tools," such opt-out cookies.
The group Digital Content Next, which represents online publishers, says in its comments to Becerra that do-not-track signals can be useful to consumers, because the signals are “persistent and easy to use.”
“They can also be useful for consumer-facing companies as the signals are sent in real-time to all downstream companies,” the group adds.
But the organization says it's concerned by the lack of uniformity to the signals' messaging and design.
“In the absence of additional guidance, we are concerned that there will be a patchwork of signals which could be confusing or misleading for consumers. In addition, we are concerned that some dominant platform companies may develop their own signals in an effort to unfairly tilt the competitive landscape in their favor,” the group writes.
“Given the potential for confusion and abuse, we encourage your office to rely on the work of independent, multi-stakeholder, standard-setting groups to develop guidelines and/or an approval process for how privacy controls such as browser and device-level signals can operate and how they can be advertised to consumers.”
Currently, some browser developers explain “do-not-track” in a way that is inconsistent with California's opt-out law. For instance, Google Chrome tells people who activate do-not-track that many websites will still collect and use their browsing data for ads.
"do-not-track settings don't enable consumers to decide how their data should be handled on a company-by-company basis."
And surely neither does the existing system, as the consumer is not privvy to which companies now access their usage data.
It is better to bend to the wind than be broken.