Microsoft Nixes ‘Do-Not-Track’ Default Setting

Published May 31, 2016

Microsoft has reversed its plans to make “Do-Not-Track” technology a default setting for its upcoming Window Explorer 10 Web browser. Instead, the Washington-based company announced June 6 that users will have to turn on the feature voluntarily. The news was cheered by online advertisers who realize a large percentage of revenues from behavioral-tracking advertising.

DNT technology blocks the installation of “cookies” on a user’s computer that track online activity such as searches, Web sites visited, and even key words in emails, information that advertisers use to target advertising based on the user’s browsing preferences. The European Union announced in June that it would likely mandate DNT for its member nations. DNT also is one of the recommendations of the White House Privacy Framework, a set of guidelines released in February by the Obama administration.

Adam Mossoff, associate professor of law at the George Mason School of Law and a legal expert at the Ayn Rand Center for Individual Rights, says the thinking behind privacy proposals such as DNT is misguided.

“In today’s world, it’s not really clear what you own,” Mossoff said. “This is largely the byproduct of a shift away from property perspective and towards a privacy framework. Instead of contract and property, they’re thinking about it through the lens of privacy.”

Calls for Industry Self-Regulation
On June 6 the World Wide Web Consortium (W3C)—an international group that establishes technical standards for Web technology—adopted the official position that DNT should not be the default setting for Internet browsers and, instead, DNT should require “explicit consent” of users before being activated. Members of the W3C who drafted the position include the Electronic Frontier Foundation, Mozilla, and Jonathan Mayer of Stanford University.

On March 26, 2012 the Federal Trade Commission had released its own privacy recommendations, setting forth what it considers best practices for businesses and ways of providing consumers better control over the collection and use of their personal data. The FTC report proposes general privacy legislation and laws covering data security and breach notification, but it strongly encourages the industry to act on its own. In the past, the FTC has placed Google and Facebook under consent orders to settle allegations the companies violated their own privacy policies, forcing both to submit to 20 years of privacy audits and comprehensive security programs.

According to a U.S. Department of Commerce spokesperson who preferred to remain anonymous, a Consumer’s Privacy Bill of Rights is essential. “The FTC can enforce public commitments by a company but can’t require the company to have a privacy policy,” she said. “The Consumer Privacy Bill of Rights provides a basis for companies and other stakeholders to develop codes of conduct.… [It] provides a baseline of clear protections for consumers and greater certainty for businesses.”

The Commerce Department spokesperson also says these proposed rules came from the companies and consumers themselves. “In ‘the green paper,’ or the 2010 precursor to the [Obama] administration’s privacy report, stakeholders submitted comments that ‘were virtually unanimous in calling for strengthening the U.S. commercial data privacy framework,’” she said.

‘Standards of Absolute Perfection’
Mossoff warns that businesses that adopt the agreed-upon privacy measures may be put at an economic disadvantage relative to those that don’t. “All of these [concerns] ideally, and should be, resolved through contracts.”

The Commerce Department spokesperson counters that the Obama administration will take the side of businesses that adopt the measures, by punishing those that don’t. She cites the administration’s report, which reads, “FTC enforcement is critical to ensuring that companies are accountable for adhering to their privacy commitments. Enforcement is also critical to ensuring that responsible companies are not disadvantaged by competitors who would play by different rules.”

However, there are 46 state breach-notification laws in place already, Mossoff notes. “I don’t think the state breach laws are insufficient,” he said. “They’re in place because some companies back in the day hadn’t disclosed they’d been hacked. I think that’s legitimate. It’s unclear what more needs to be done.”

Consumers have recently been alarmed by the massive data breaches of large online companies LinkedIn and eHarmony, but Mossoff says these companies already work around the clock to make certain such breaches are uncommon. “We can’t hold companies to standards of absolute perfection. That’s like arguing since banks get robbed from time to time, we can’t trust them with money and they should be nationalized.”

‘Chilling Effect on Businesses’
John Stephenson, director of the Communications and Technology Task Force for the American Legislative Exchange Council, says the proposed privacy regulations would result in the loss of a key revenue stream for online businesses, which would, in turn, end up forcing consumers to pay for services they currently enjoy for free.

“These new privacy laws and regulations could have a chilling effect on businesses, especially small and online businesses that rely on advertising—especially online behavioral advertising—for revenue,” Stephenson said.

Stephenson cites e-commerce trade association NetChoice, which estimates preventing online behavioral ads could cost Web businesses 65 percent of their revenues.

“That kind of loss in revenue could lead to free services like email and search engines suddenly charging consumers fees for their services,” Stephenson said.

Lindsey Dodge is an assistant editor at the Michigan-based Mackinac Center for Public Policy.