Behavioral targeting is the process of collecting consumer online data by placing a persistent cookie on the consumer’s computer, which then tracks their cyber wanderings. This data is collected and aggregated, allowing marketers to fine tune which online advertisements are likely to interest a particular consumer.
The Washington Post reported this week that the House subcommittee for commerce, trade, and consumer protection is planning a hearing in early December on Internet privacy. The hearing will include testimony from Web firms on the idea of a Do Not Track registry.
H.R. 5777, the Best Practices Act, is a bill introduced by subcommittee Chairman Bobby Rush, which would require that entities collecting or storing data containing personal information or sensitive information to inform consumers about which information is collected and for what purpose. However, the bill would provide an exception for entities either storing this information about fewer than 15,000 individuals, or collecting this information about fewer than 10,000 individuals during any 12-month period.
It has been a while since the idea of a “Do Not Track” registry has been introduced in Washington. Several consumer groups advocated as early as 2007 for the Federal Trade Commission (FTC) to create a Do Not Track registry. Just as the FTC created a “Do Not Call” list to protect consumers against unwarranted phone calls, by allowing them to opt-out, a “Do Not Track” registry would allow consumers to opt out of having their data collected when surfing the Web.
However, FTC Chairman Jon D. Leibowitz mentioned last July during a U.S. Senate committee on commerce, science, and transportation hearing on consumer online privacy that the FTC was currently assessing whether it was technologically feasible to implement a “Do Not Track” system through browsers. Such a system which would allow consumers to opt out easily from cookies tracking their cyberspace activities, and would be either run through the FTC, or through a private sector entity (see archived webcast @ 58:50). So the FTC seems to advocate a technological solution, not the creation of a registry.
Should browsers be the solution to protect consumers against online tracking? Researchers at the Stanford Law School Center for Internet and Society and the Security Laboratory at the Stanford Department of Computer Science introduced ”DoNotTrack.us.” It is a universal Web tracking opt-out systems, which would work by adding a HTTP header to browsers, indicating that the user does not wish to be tracked.
The researchers note on the site that “[c]ompliance with Do Not Track could be purely voluntary, enforced by industry self-regulation, or mandated by state or federal law. We do not take a position on these alternatives.”
This issue is also currently debated in the European Union. The Article 29 Working Party Group (WP29) adopted Opinion 2/2010 on online behavioral advertising. It noted that Article 5(3) of the 1995 Data Protection Directive “requires obtaining informed consent to lawfully store information or to gain access to information stored in the terminal equipment of a subscriber or user.… [T]racking cookies are ‘information’ stored in the data subject’s terminal equipment and… they are accessed by advertising network providers when data subjects visit a partner website…. Hence, any storage of cookies… and any subsequent use of previously stored cookies to gain access to data subjects’ information will have to comply with Article 5(3).” The WP29 also stated that “consent must be obtained before the cookie is placed and/or information stored in the user’s terminal equipment is collected… and… informed consent can only be obtained if prior information about the sending and purposes of the cookie has been given to the user.”
We may see both the U.S. and the E.U. adopt a technological solution. They may differ though, in their choice of whether or not such a solution should be enforced by governments, or be a best-practice solution. The debate is still open on both sides of the Atlantic.