The re-posting of this article is part of a cross-posting agreement with CyberLex.
In today’s Internet, advertising is ubiquitous. It is the main source of revenue for many web sites and services. It is also the subject of increasing scrutiny by privacy advocates and regulators, as advertisers and ad networks develop ever-more sophisticated means to track and profile users in the quest to optimize their effectiveness.
In Canada, online behavioural advertising (sometimes referred to as interest-based advertising) has been the subject of significant attention from the Office of the Privacy Commissioner. The Office recently released a research report on the subject, concluding that many organizations and web sites are not fully-compliant with the guidelines the Office issued on the subject in 2011. This comes in the wake of specific findings in a number of cases relating to opt-in consent, use of sensitive information for profiling purposes, and online tracking of children.
These are not new issues. In 2007, consumer advocate groups asked the U.S. Federal Trade Commission to establish a national “Do Not Track” list, which web advertisers would be required to honour. By 2011, this had evolved into an http header-based signaling model, allowing users to communicate their preference to web servers but relying on voluntary adoption by the advertisers.[1]
In 2011, the World Wide Web Consortium (W3C) began efforts to standardize the model. On July 14, 2015, they released a long-awaited “Last-Call Working Draft” standard for server-side compliance, as a companion to an earlier draft standard for the user expression of tracking preferences.
The draft standard remains voluntary. It defines a set of practices which organizations that wish to claim compliance must follow; but there is no obligation to comply and no technical mechanism to verify compliance.
The core principle of the draft standard is that third parties (such as ad networks) must not collect identifying information without some other form of consent when the user enables the DNT header, except for frequency-capping, auditing, security or debugging purposes.[2] This rejects proposals from some industry groups which would have permitted collection of profiling information for market research purposes, limiting only the delivery of customized advertising based on that profiling information.
The draft standard also calls on servers to send a response signal indicating whether or not they will respect the DNT header. Several responses are available including “C”, to indicate that the service believes it has express consent to collect the information, notwithstanding the presence of the DNT header, and “D”, indicating that the service will simply disregard the user preference.
The latter possibility reflects the relatively weak consensus underlying the Do-Not-Track standard. Some major web sites, including Yahoo! and AOL, have already decided not to honour the DNT header.[3]
Some organizations, including Google, had pointed to the lack of standardization as a justification for not responding to the DNT header.[4] Now that the W3C standard has emerged, at least in draft form, it will be interesting to see whether it provokes any significant industry or regulatory response, either to embrace the new standard or reject it.
But, for some on the user side, it may be case of too-little, too-late. Use of ad-blocking tools has climbed dramatically since 2013. This trend suggests that the advertising privacy battleground may already have shifted.
Nonetheless, the W3C standards process continues. Interested parties have until October 7, 2015 to submit comments on the draft standards. Instructions are provided in the working draft document.
© McCarthy Tétrault LLP
Keith D. Rose is an associate in McCarthy Tétrault's Business and Technology Law Groups in Toronto.
[1] The Digital Advertising Alliance, a consortium of U.S. advertisers, operates a self-regulatory regime based on opt-out principles, under a voluntary agreement with the U.S. federal administration. The Digital Advertising Alliance Canada operates a similar regime in Canada.
[2] First parties (i.e. the sites with which users directly interact) may collect identifying information even when the Do-Not-Track header flag is set, but may not share it with third parties.
[3] See e.g. https://nakedsecurity.sophos.com/2014/08/26/do-not-track-the-privacy-standard-thats-melting-away/.
[4] See e.g. http://arstechnica.com/information-technology/2014/05/yahoo-is-the-latest-company-ignoring-web-users-requests-for-privacy/.