Header graphic for print
Inside Privacy Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

Web-standards group releases draft “Do-Not-Track” mechanism

Posted in Advertising & Marketing, Online, United States

The group that develops technical standards and guidelines for the World Wide Web released a set of draft standards on Monday that are intended to allow consumers to limit and control how they are tracked online.

The standards, developed by the World Wide Web Consortium (known as the “W3C”), would allow consumers to set a “Do-Not-Track” preference using their browser or other tools.  The proposal effectively sets up an “opt-out” mechanism for online tracking because no preference is transmitted until the user affirmatively selects a setting.  The standard states that, absent laws, rules or other requirements to the contrary, servers may interpret the lack of an expressed preference “as they find most appropriate for the given user, particularly when considered in light of the user’s privacy expectations and cultural circumstances.”  Once set by the user, the Do-Not-Track preference would be transmitted to any website the user visits; the standard requires website servers that have implemented the standard to send a response signal indicating whether the website respects the tracking preference.  Users would be able to affirmatively allow tracking, block all tracking, or refuse tracking generally but allow tracking on certain sites.

The standards are being developed by the W3C’s Tracking Protection Working Group, which includes representatives from industry, consumer groups, and government.  W3C standards, officially called “Recommendations,” are not legally binding but are influential.  Websites that explicitly say they will respect the Do-Not-Track setting also may face scrutiny from the Federal Trade Commission if they fail to comply with the standard.  The FTC has brought enforcement actions — including a recently settled action over Google’s Buzz service — against companies that allegedly fail to comply with their own statements regarding their privacy practices.  Two bills pending in Congress, one in the House and one in the Senate,  would explicitly require websites to comply with Do-Not-Track settings. 

The W3C documents released Monday are First Public Working Drafts and leave many questions unresolved.  For instance, although the draft standards would require third-party advertisers to respect a user’s tracking preference, Monday’s draft leaves open for discussion whether to require compliance by first-party advertisers or even how broadly to define the term “first party.”

The draft notes that the definition of tracking itself “will obviously be the topic of conversation and will need significant work,” with the current text representing “a straw man and a starting point.” The current draft defines “behavioral tracking” as “the collection and retention of transactional data about the web-based activities of a particular user, computer, or device across non-commonly branded entities in a form that allows activities across non-commonly branded entities to be attributed to a particular user, computer, or device, over time, for any purpose other than the explicitly-excepted purposes specified below.”  The draft lists several potential categories of data that might be exempt, such as third-party analytics and de-identified data.

The W3C expects to finalize the standards by mid-2012. 

A Do Not Track mechanism like that contemplated by the W3C standard could be consistent with the recommendations contained in a preliminary FTC staff report on consumer privacy released in December, which supported a uniform, browser-based Do Not Track setting.  Several browsers, including recent versions of Microsoft’s Internet Explorer and Mozilla’s Firefox, already include Do-Not-Track mechanisms similar to what the W3C standard proposes.