Absence of agreed ‘DNT’ definition means companies keep tracking us online
Selecting ‘do not track’ means little when there is no legal requirement to observe these settings
Privacy advocates argue that DNT would thus make privacy regulations easier to comply with for advertisers. But first, a standard must be agreed, then policies hammered out around the standard.
Technically, the way in which many companies currently undertake third-party tracking may fall foul of existing EU opt-in privacy standards for web cookies – data placed on a user’s computer that enables some services to be activated, and activities to be tracked, argues O Brien.
Many advertisers believe the cookie rule applies only to the use of text-based cookies, but O Brien and O’Carroll both note that it actually refers to any data placed on a computer which then sends a call back to a server.
Third-party tracking often utilises a tracking pixel, rater than a text file, on the user’s computer, which then calls down advertisements or other data from a server.
However, because there’s no legal requirement to observe an internet user’s DNT settings, and no formal agreement on what DNT means, people can only block third-party tracking – which takes place on many websites and social media sites – by using add-ons like the Electronic Frontier Foundation’s Privacy Badger, or going through a clumsy process of opting out on the web pages of the organisations that do the tracking.
O’Brien reminds web users that if they are using sites that offer free services – even those, like Twitter, which currently promise not to use third party tracking – advertisements, tailored according to information from the site’s users, are what generate income for the site.
“The customer is still the product being sold.”
Privacy auditsFacebook, which until now had a policy of not doing third-party tracking, has said it will refer those people who wish to opt out of being tracked to the relevant websites of the tracking companies.
But this is unlikely to be an acceptable solution in Europe, which has tougher data protection laws that the US. The issue is likely to land, as have other Facebook privacy concerns, on the desk of the Irish Office of the Data Protection Commission. Facebook has already come under two high-profile privacy audits here, because its European headquarters is in Dublin.
Facebook has not yet rolled out third-party tracking to European users, says O’Carroll, something he doesn’t expect will happen until the end of the year, on a phased basis. And the way in which it is being done for US users will not be acceptable in the EU, he states.
“We’re looking for a lot more information from them, and are expecting quite a high bar to be maintained,” he says. “They have a lot of power and audience, and we expect them to have very clear information and tell users what they’re doing,” and offer opt-in, rather than opt-out, controls.
“We’re going to watch it carefully.”