Last week the California Senate unanimously approved a bill requiring that operators of commercial websites and online services that collect personal information disclose how they respond to “do-not-track” signals from web browsers and whether they allow third parties to engage in online tracking.  The legislation, which was introduced by Assemblyman Al Muratsuchi, has been sponsored by CA Attorney General Kamala Harris. 

The proposed new law would amend the California Online Privacy Protection Act (“CalOPPA”), which requires that covered websites conspicuously post a privacy policy disclosing certain information and practices.  Specifically, the bill adds new requirements that a privacy policy:

  • “disclose how the operator responds to Web browser ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection”; and
  • “disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”

The operator may satisfy the disclosure regarding how the operator responds to do-not-track signals by “providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.”

Continue Reading Bill Adding Do-Not-Track Disclosures to CalOPPA Passes California Senate

By Emily Borgen

Legislation was reintroduced in the Senate last week that would allow Internet users to opt out of certain forms of online tracking.  The bill [PDF] was previously introduced in 2011.

The “Do-Not-Track Online Act of 2013,” introduced on February 27 by Senators Rockefeller (D-W.Va.) and Blumenthal (D-Conn.), would require the Federal Trade

The Worldwide Web Consortium’s Tracking Protection Working Group concluded a three-day international stakeholder meeting in Amsterdam on October 5 without reaching consensus on certain key issues concerning a global do-not-track standard.  There are reportedly three major unresolved questions:  (1) what the default setting should be—whether do not track should be turned on or off

Updated on October 1, 2012 to add information about Chairman Leibowitz’s response to the nine Representatives’ letter. 

As we previously noted, in March of this year the Federal Trade Commission called for the implementation of a Do Not Track (DNT) system that allows consumers to opt out of the collection of all online behavioral data other than data needed for certain limited purposes, such as preventing fraud.  Much of the debate over DNT has been taking place within the World Wide Web Consortium (W3C), which has been convening talks to develop a standard for what it means to honor a consumer’s DNT preference. 

According to media reports, advocacy groups are now asking the FTC to become more actively involved in the W3C discussions.  In a letter to FTC Chairman Jon Leibowitz, the Center for Digital Democracy, Consumer Watchdog, and the Electronic Frontier Foundation wrote, “The W3C talks have reached a point where a clear statement from the FTC will play a decisive role in reaching consensus.”  The organizations want the FTC to support a proposal that would permit the collection of analytics information only if the data cannot be linked to specific users or devices, as well as a proposal that websites should honor DNT irrespective of whether the DNT setting is turned on by default — an issue we blogged about here

Meanwhile, nine House members have reportedly written to the FTC to raise concerns about the agency’s role in the W3C process.  The lawmakers questioned whether the FTC and W3C have adequately considered DNT’s potential effect on third-party advertising networks and publishers.  The members also requested information about the agency’s authority to participate in the W3C discussions, studies the agency considered before advocating for DNT, and other information.  Rep. Mick Mulvaney (R-SC) today sent a separate letter to Chairman Leibowitz, asking for similar information and criticizing the FTC for “acting outside the scope of Congressional intent” by seeking to create government policy in an area reserved for Congress.

Edit:  Chairman Leibowitz responded to the Representatives’ letter by emphasizing that the FTC’s role in W3C “in no way usurps the legislative process or imposes a burden on industry” because any DNT standard adopted by the W3C would be self-regulatory and voluntary.  The nine House members’ letter is available here, and Chairman Leibowitz’s response is available here.

Continue Reading FTC’s Role in “Do Not Track” Discussions Under Debate

Yesterday, Microsoft announced that users of Windows 8 and Internet Explorer 10 will have a “first run” option to disable the default “Do Not Track” privacy setting.  A first run option occurs during the software set-up process.  If users take no action, the DNT setting will be enabled by default.

Shortly after the Federal Trade

Earlier today, members of Congress and regulators gathered for a symposium on “The Impact of Media on the Health & Well-Being of Children.”   Participants included Congressman Edward Markey (D-MA), Congresswoman Debbie Wasserman Schultz (D-FL), Senator Richard Blumenthal (D-CT), Jon Leibowitz, Chairman, Federal Trade Commission, and Mignon Clyburn, Commissioner, Federal Communications Commission, as well as researchers and members of the public interest community.  In response to a question, Chairman Leibowitz informed the audience that the FTC expects to issue a revised Children’s Online Privacy Protection Act (“COPPA”) Rule by “the end of the year and hopefully sooner.” 

During their remarks, Congressmen Markey and Wasserman Shultz each expressed support for the Do Not Track Kids Act of 2011 (H.R. 1895), which we have blogged about here.  The bill would expand privacy protections for minors under the age of 18, including a prohibition on the use of personal information for targeted marketing to minors and a requirement that website operators provide “eraser buttons” to enable the deletion of personal information shared publicly by minors.  Senator Blumenthal also indicated that he was supportive of the legislative proposal, which he described as “common sensical,” although he stated that there likely would be substantial concern among advertisers and other stakeholders about implementation issues.

Continue Reading Members of Congress Examine Impact of Media and Marketing On Children

The group that develops technical standards and guidelines for the World Wide Web released a set of draft standards on Monday that are intended to allow consumers to limit and control how they are tracked online.

The standards, developed by the World Wide Web Consortium (known as the “W3C”), would allow consumers to set a “Do-Not-Track” preference using their browser or other tools.  The proposal effectively sets up an “opt-out” mechanism for online tracking because no preference is transmitted until the user affirmatively selects a setting.  The standard states that, absent laws, rules or other requirements to the contrary, servers may interpret the lack of an expressed preference “as they find most appropriate for the given user, particularly when considered in light of the user’s privacy expectations and cultural circumstances.”  Once set by the user, the Do-Not-Track preference would be transmitted to any website the user visits; the standard requires website servers that have implemented the standard to send a response signal indicating whether the website respects the tracking preference.  Users would be able to affirmatively allow tracking, block all tracking, or refuse tracking generally but allow tracking on certain sites.

Continue Reading Web-standards group releases draft “Do-Not-Track” mechanism

Yesterday, the House Subcommittee on Commerce, Manufacturing, and Trade held a hearing entitled , “Understanding Consumer Attitudes About Privacy.”  The hearing featured a single panel with a mix of industry representatives and consumer privacy advocates, including representatives from Intuit, Microsoft, the Digital Advertising Alliance, Evidon, and the World Privacy Forum. 

A primary focus of the hearing was the efficacy of industry self-regulatory initiatives and other efforts to provide consumers with information and choices about managing their online privacy.  In particular, members expressed interest in the “About Ads” self-regulatory principles for online behavioral advertising and other company-specific efforts to provide consumers with notice and choice. 

Continue Reading Bono Mack Holds Hearing About Consumer Privacy Expectations

This week, Stanford Security Lab reported preliminary results from a platform it has been developing, a chief application of which is to detect various forms of third-party tracking in an automated manner.  According to researcher Jonathan Mayer’s release, which emphasizes that these are “preliminary findings from experimental software,” Stanford’s system has detected that over half of the companies tested that belong to the self-regulatory Network Advertising Initiative (“NAI”) group leave tracking cookies on users’ computers even after a user opts out of online behavioral targeting.  Importantly, though, NAI member companies are required by the NAI guidelines only to allow and abide by requests to opt out of behavioral ad targeting, and the guidelines do not contain commitments with respect to tracking.   This distinction between targeting and tracking has been the subject of increasing attention, including from the Federal Trade Commission.    

The preliminary study results also reportedly show that at least eight NAI members—including prominent networks such as 24/7 Real Media and Audience Science—commit in their privacy policies to stop tracking users following an opt-out request, but nonetheless leave tracking cookies in place.  Although the media and, increasingly, plaintiffs’ counsel can be quick to latch onto these types of reports, it will be critical to closely examine each company’s privacy policy language in the context of the company’s actual practices.

Continue Reading Preliminary Results Reported From Stanford “Tracking the Trackers” Study