Why we need a sound Do-Not-Track standard for privacy online - Main contents
This really is privacy and data protection week! In Brussels there is the Computers, Privacy & Data Protection conference and the Commission is soon adopting its proposal for a reform of the European Data Protection legal framework (which I wrote about here).
So today, a blog on how I want to ensure privacy and user control when you’re browsing online: in particular, a standard known as “do not track” (DNT) that I hope will have a big role to play for the future of online privacy.
First a bit of background: what is “do not track”, and why is it so important?
You might be familiar with the EU’s e-Privacy directive. It was amended in 2009 and was to be implemented in national law by May last year. Some have termed it the “Cookie directive”. But in reality it goes beyond cookies, it’s a directive to protect us against all kinds of malware and spyware, to ensure the confidentiality of your electronic communications, and to outlaw automated unsolicited marketing phone calls and spam without the consent of the receiver.
The part which relates to cookies - Article 5(3) - means that providers need to obtain your consent to place or access cookies or other information on your computer or smartphone unless it is strictly necessary for a service you have already asked for. So if you log in to a web service, the cookie that remembers that you are logged in is fine - and indeed this makes our lives a whole lot easier online. But a cookie that is used to build a profile of what you are doing online is less OK: it might mean that your web surfing over time (searches, web pages visited, the content viewed, etc.) is tracked, for example in order to match ads against your interests as determined from the profile. The use of such cookies requires your consent.
Applying this in practice is not easy. Not all Member States have yet transposed the e-Privacy directive into national laws, despite the May 2011 deadline to do so. And while some of the national authorities responsible for enforcing the rules have already provided guidance, others haven’t. So there are different interpretations, sometimes, or even confusion about what the rules mean and how to comply with them.
How can we address this problem?
The industry has set up a self-regulatory initiative on online behavioural advertising. However, European data protection authorities have recently confirmed my view that this code alone, while certainly contributing a lot to transparency, will not solve the issue, being inherently limited.
Others have started to offer various tools or services they say help businesses to comply with e-Privacy obligations on cookies (just to pick some random examples: here, here or here). While it is not for me to endorse any particular tool or service, I applaud this overall development, which is bringing some genuine innovation; but it still leaves something to be desired because not all such tools are based on the same interpretation of the law and, more importantly, the diversity of resulting approaches taken by websites could confuse users.
Enter do-not-track (DNT). A global DNT standard would describe the technical details of a “signal” that users can send, to providers, via their online equipment, including their web browser. The signal indicates their preferences regarding tracking. For example, if I wanted to help advertisers send me more relevant ads I would signal that being tracked is OK with me. On the other side the standard would also set out how providers need to react to the signal, i.e. make clear what DNT users will expect to happen.
This would help businesses because they could read the signal and thus know whether they have the users’ consent or not. Current browser settings don’t allow for this - as they do not systematically communicate to the provider what the user has decided. That’s like just throwing junk mail in the bin - when what you should be doing is letting the sender know that you don’t want any more.
But the important thing is that it makes it clear and simple for companies to comply with the law - and to send a straightforward signal to users that their company is compliant and trustworthy. Plus, it makes it easy for consumers to let providers know what they want - and take control over what gets known and recorded about them by others online.
Even better, once the standard is out there, tool makers can dream up new ways to make the use of DNT yet more simple, easy and intuitive to understand, e.g. in a web browser or on your phone. There could also be new certification schemes that make it easier for companies to differentiate themselves and for users to deal with those that respect their privacy preferences.
Back in June I called on the industry and stakeholders to get to the table and agree a standard for do-not-track within a year. The work started shortly after - and so far seems to be going well; I will be getting an update shortly, when we are hosting a meeting of the W3C’s “Tracking Protection Working Group” in Brussels.
This is important because I am not pushing for any DNT standard, but for a standard that I could endorse, for a standard that is rich enough, in substance, to signal that users’ right to online privacy is respected by companies who implement it. This is not a simple task, in particular as the underlying legal privacy frameworks differ across jurisdictions, and I am happy to see that the W3C has assembled an impressive group of experts to get it done.
With this in mind, I am convinced that DNT can become a very successful standard, along with the other standards that have made the web what it is today: global, open and interoperable and in keeping with the generative end-to-end principle that has made the web such a phenomenal success. This is about empowering the citizen, by putting control in the hands of the user in a way that is fair and transparent. Along with us at the Commission and in Member State authorities, our colleagues in the United States also continue to take a keen interest in the work. Authorities on both sides of the Atlantic need to be vigilant that the effort is not derailed by special interests who may see short-term commercial advantages in preserving the current — but unsatisfactory — status quo.
So I look forward to news about a rich and sound DNT standard that really makes it easy to comply with privacy laws - a standard that everyone wants to use and is able to use. That will be in the interests of all consumers, and all businesses that want consumers to trust them.