The world’s biggest advertising group, WPP, through their media buying subsidiary GroupM, have just issued a comment to the Do Not Track Tracking Preference Expression public list.
Their position is close to that of some of the ad-tech and online media companies that have taken part in W3C discussions on DNT, basically saying that the existing self-regulation program offered by the NAI and DAA is as far as they want to go in giving people control over online privacy.
One of their criticisms is that the TPE requires “an affirmative opt-in”. In fact it does not have this requirement, but specifically says browsers should not set DNT by default. The recent letter from the Article 29 working party correctly criticised the DNT process for exactly the opposite reason, pointing out that European law required explicit consent or an opt-in for tracking. Confusingly, GroupM also claim that the AdChoices self-regulatory icon represents an opt-in, which is again the inverse of the truth. Not only is it clearly an opt-out (tracking occurs unless you can find who does it and tell them no), it has the further impediment of being domain specific and incapable of expressing a user’s general preference. GroupM voiced other objections, such as that some intermediaries may set the DNT signal without a user being aware, but in reality this is very unlikely to happen, being in no one’s interest.
On the other hand, this comment does point out a real problem with DNT, which was the early agreement between large US companies such as Google, Yahoo and Facebook and some American civil society groups to mainly limit the scope of Do Not Track to third-parties. Although this does not apply in the EU, outside the EU it unfairly discriminates against one section of the online advertising community, i.e. those other than the large US internet companies.
Another result of attempting to limit the scope of DNT has been the difficulties agreeing on an intelligible definition of “tracking”, with the TPWG chairs in the end having to forge an uneasy and impenetrable compromise. How is it possible to have rules for data collected by a data controller acting in one arbitrary technical role while having few for data collected about the same individual by the same entity acting in another role? If a server can collect and retain data as a first party, then apply it to the same individual to change their web experience or collect their web history when they are acting as a third-party on another site, users will see this as tracking and assume that DNT does not work.
Tracking is increasingly implemented via script executing in the first-party origin. With first Safari (the default browser on iPhones and iPads), and later Firefox and others, ensuring third-party cookies were blocked by default, the only scalable way to passively identify a user is to use a unique identity in the top-level origin and communicate the identified data using Ajax or a “tracking gif” image element. This goes some way to explain why the larger firms initially backed the scope restriction to third-parties, which they thought would become redundant anyway. The US consumer protection groups presumably agreed to this as an attempt to enlist the support of the large US companies and online publishers, but now many of the former are stating that they will not respect the Do Not Track signal anyway (it being hard to avoid the logic that any viable DNT rules out such cross-context tracking), and the latter would have been satisfied with a suitably explained out-of-band or in-band consent (or a “strictly necessary” alleviation similar to that in Article 5(3) of the e-privacy directive) for a login.
All this led to the lengthy delays caused by complaints from smaller ad-tech companies that they were being unfairly restricted, whereas if there had been a level playing field from the outset many of them could have been encouraged to embrace consent as a way to establish trusting relationships with consumers. Many of the smaller companies have since ceased their involvement with the W3C DNT process and have tried to establish common ground within the DAA’s DNTbis process, so far without success. The conflict of interest between them and the large “first-party” companies will inevitably re-emerge in any forum.
Fortunately for us in Europe this does not need to be a problem. The e-privacy directive applies to any tracking entity, whether in a first-party or third-party role. Because the TPE allows for alternative compliance regimes, and describes a transparent mechanism for servers to refer to one, European servers can say that they respect DNT irrespective of how they are referenced in a request. I urge the Article 29 Working Party to publish such a model compliance statement that would align with EU law.
In my view the smaller ad-tech companies should re-engage to help establish a level playing field and a better outcome for themselves, now being a good time to offer to fully support DNT in exchange for a DNT-contingent lifting of third-party cookie blocks.
The DNT signal should signify exactly what it says: no tracking anywhere by anyone, unless the user has given their explicit agreement for it. The TPE standard complements the e-privacy directive and the forthcoming data protection regulation by creating a transparent and widely implemented signal that can be used to indicate consent (or refusal if the data collected is claimed to be “pseudonymous” under Article 6.2(f) of the DP regulation). The continuing TCS debate is important because of the need to get cross-border consensus between the EU and US, but ultimately Europe can have its own version.