“Do Not Track” Legislation, a series of legislative efforts to give internet users the option to choose to not have their online behavior tracked by third parties. Regular internet usage involves constant interaction between the user and various entities, including large corporations like Google and Facebook. During these interactions, internet users provide identifying information to third parties. This information, such as IP addresses and browsing history, can be used to track and profile the online behaviors of the user. For example, many websites will store a piece of data, or a “cookie,” on the user’s computer. From these cookies, advertising services can determine what websites the user has visited. This record can be used to build a profile of that user’s potential interests. In turn, this behavior profile can be used to display targeted ads to which the user is more likely to respond.
The first usage of a cookie dates back to 1994; it was designed to be a mechanism for a website to remember session history between user visits. The creation of the cookie was responsible for many modern internet features, such as virtual shopping carts and persistent log-ins. Third-party cookie usage was quickly identified as a consumer privacy problem, drawing the attention of the Federal Trade Commission (FTC). See David M. Kristol, HTTP Cookies: Standards, Privacy, and Politics, 1(2) ACM Transactions on Internet Technology (2001). Subsequently, internet privacy advocates have attempted to respond to this threat by proposing cookie management policies that limit or prevent the storage of cookies on a web user’s computer. Many web browsers have implemented features specifically designed for cookie control. However, successive cookie-like technologies, such as the “Local Shared Objects” stored by Adobe’s Flash, have been developed to circumvent advances in privacy controls. See Ashkan Soltani et al., Behavioral Advertising: The Offer You Cannot Refuse, 6 Harvard Law & Policy Review 273 (2012).
Privacy concerns arising from the usage of this type of online behavioral tracking in social networking, advertising services, and webpage analytics have resulted in international legislative efforts to protect a web user’s ability to choose not to participate in such tracking. In March of 2011, the FTC recommended that Congress impose restrictions on web behavior tracking, including the implementation of a uniform “Do Not Track” mechanism for web browsers. Since 2011, a series of bills have been introduced in the United States based on the issue of behavioral tracking.
The “Do Not Track Me Online Act of 2011” proposed to authorize the FTC to promulgate regulations that would require companies to abide by opt-out settings. The Act would have enabled the FTC to impose fines on services that continue to track users who have chosen the no-tracking setting, while allowing exceptions for websites using such information for their own website analytics, websites serving fewer than 10,000 visitors per year, and websites belonging to the government. The FTC would have been authorized to enforce these regulations through random audits. H.R. 654, 112th Cong. (2011). The similarly titled “Do Not Track Online Act of 2011” proposed that the FTC establish standards by which a user could indicate whether he or she wished to opt out, but excepted information necessary to provide services requested by the user. Under this Act, the FTC would be obligated to enforce compliance with the “Do Not Track” standards. S. 913, 112th Cong. (2011). This Act was reproposed in 2013. S. 418, 113th Cong. (2013).
Also proposed in 2011 was the “Consumer Privacy Protection Act of 2011,” which proposed to balance consumer and business interests by requiring a notice and an opt-out mechanism for third-party use of personally identifiable information for targeted advertising. The FTC would have been charged with creating a safe harbor program, which would have individually excepted entities whose notice and data collection practices were substantially the same as those required by the Act. S. 799, 112th Cong. (2011).
The “Commercial Privacy Bill of Rights Act of 2011” would have required websites to provide clear notice to the users and give them the opportunity to “opt-out” or “opt-in” to their information being collected. This Act incorporated an exception for companies that collect data, but are conspicuous and visible to the users and have pre-existing relationships with the user. This proposal limited protection to a user’s more sensitive data such as medical, financial, and religious information. S. 799, 112th Cong. (2011).
Subsequently, the “Commercial Privacy Bill of Rights Act of 2014” was proposed. The first portion of the Act targeted companies that collect, use, transfer, or store personally identifiable information, requiring them to provide increased notice to the customer of their data usage and means to access and correct stored information. As with the “Commercial Privacy Bill of Rights Act of 2011,” tracking services must provide “opt-in” or “opt-out” opportunities. The second part of the Act was an amendment of the “Children’s Online Privacy Protection Act of 1998” referred to as “Do Not Track Kids Act of 2014.” It was intended to expand the prohibition on collecting information about children from websites and online services to online and mobile applications. S. 2378, 113th Cong. (2014).
The Obama administration released draft legislation for a “Consumer Privacy Bill of Rights Act of 2012” in February of 2012. This proposal sought to provide more protection for the customer by addressing the commercial uses of personal data and information. This proposal incorporated several concepts from earlier Acts, including mandating the secured handling of customer data and ensuring a user’s ability to access and correct stored data. This draft legislation was re-introduced in 2015 as the “Consumer Privacy Bill of Rights Act of 2015” along with the companion bill, the “Data Security and Breach Notification Act of 2015.” This bill expanded on the original draft by proposing to permit services and industries to create their own regulatory standards, subject to approval by the FTC. S. 1158, 114th Cong. (2015).
Although no Federal attempt at general “Do Not Track” legislation has passed, California managed to sign “Assembly Bill AB 370” into law in 2013. This legislation amended a section of the California Business and Professions Code and required websites that collect personally identifiable information about California residents to provide explicit privacy policies that clearly identify which types of personal information they are collecting. The bill also mandated that websites and services describe how they respond to “do-not-track” signals or other actions that indicate a user’s tracking preference.
Beyond legislative efforts, the FTC has worked with the advertisement industry to provide a private solution to unwanted behavior tracking. For example, the Digital Advertising Alliance promoted a self-regulatory solution that would permit users to opt out of targeted ads, and most of the major web browsing platforms incorporate tracking control features.