By Teri Karobonik
Admittedly, the law tried to address this lack of standardization; it just did so poorly. 370(7) allows website operators to define DNT for themselves by providing a conspicuous link to a description of the DNT standard that the website follows. This essentially dumps the ongoing debate about the DNT standard into the laps of web service operators. It leaves it up to services to find, understand and adopt another group’s standard. In theory, this could lead to the widespread adoption of a DNT standard by popular choice.
We’re concerned that in practice 370(7) does not work as planned. Unless a service specifically wants to adopt a certain standard and has the capacity to ensure they keep their compliance with that standard up to date, we will likely see a lot of sites simply disclaiming DNT entirely.
In an effort to come up with DNT language that is accurate without being a PR nightmare, many sites that are good actors might want to express desire for a DNT standard, but not be able to promise to comply with the current amorphous standard of DNT. This will lead many sites to potential language that would comply with the law, but avoid making promises they can’t keep. Here’s an example:
Do Not Track (DNT) is a privacy preference users can set if they do not want web services to collect information about their online activity. However, there is currently no universal standard for sending and receiving DNT signals. Due to this lack of universal standard, it would be impossible for us to promise that we comply with all known and unknown DNT standards.
Therefore, we do not in any way monitor or respond to DNT signals or other mechanisms that provide a choice regarding the collection of personally identifiable information about activities over time and across different Web sites or online services.
If a universal standard for DNT becomes available we may revisit our DNT Policy.
There’s probably at least one privacy advocate reading this thinking that disclaiming everything is not a solution. In the long term, hopefully this will be true, but the current reality is that a small tech startup is much better off promising nothing and delivering more than promising to observe DNT and not actually living up to its promises. Given the amorphous DNT standard, services have to be careful not to put themselves in a situation where they might be subject to an action by California’s new privacy enforcement unit. Services always need to explain to users clearly what information is being collected and how that information is being used.
We look forward to seeing a clearer DNT standard, and methods of complying with these standards. We also think sites can differentiate themselves in the marketplace by providing superior privacy to their users.
Until then we support the work of organizations like the Electronic Frontier Foundation and the Electronic Privacy Information Center who are fighting for a universal DNT standard. However, we do not think it’s fair to put the weight of this complicated debate on the backs of small entrepreneurs.
Overall, implementing Do Not Track legislation at the state level is a bad idea. In the short term it only helps create an inconsistent standard for DNT and places an undue burden on small entrepreneurs. There are so many other problems that the State of California is facing that don’t involve the Internet. We hope that in the new year the State of California will focus on those local issues.
If you’re worried that your website might not be compliant with the new DNT law, feel free to contact us and we’ll see if we can help out.
Special thanks to NMR interns Elisabeth Morgan and Siamak Hefazi for their help on background research for this blog.