Technical Body Moves Closer to Do Not Track Standards

Davis Wright Tremaine LLP

The long running struggle to develop technical standards for the implementation of a do not track (DNT) specification is moving closer to completion. The World Wide Web Consortium (W3C) working group recently released a “last call working draft” of its tracking compliance specification. The specification would establish server-side standards for honoring a user’s DNT preference.

The draft specification would require, among other things, that a first party organization not share any “network interactions” with any third parties if the user sets the DNT preference in their browser. The first party can continue to collect, retain and use the interaction data for certain internal purposes, such as customizing content and first-party advertising, and may also share that data with “service providers” that are acting on their behalf. If the DNT preference is set, a third party to the user interaction (e.g., advertising network, embedded widget provider) may only collect and use the interaction data if (a) the user has explicitly granted consent, (b) the data is collected for a limited set of permitted purposes (e.g., frequency capping, financial logging, security and debugging), or (c) if the data is permanently de-identified (as defined in the specification). Even if the collection is for a permitted purpose, a third party must still comply with a number of additional restrictions, such as practicing data minimization, implementing reasonable security and retaining data only for specified retention periods. Moreover, a third party’s data collection and use must be “reasonably necessary and proportionate” to the permitted purpose. A party may engage in activities that are otherwise prohibited by the specification if they have the user’s explicit and informed consent.

Finally, the draft specification would require first and third parties to alert users whether they will comply with users’ DNT requests. A party that decides not to honor DNT requests must clearly state the specific reasons in the party’s privacy policies.

Remember, the California Online Privacy Protection Act (CalOPPA) requires operators of commercial websites and online services to disclose in their privacy policy how their website responds to DNT signals sent by a visitor’s web browser if they collect “personally identifiable information” about the online activities over time and across third-party websites from any consumers residing in California. CalOPPA requires disclosure but does not affirmatively require a website to honor a DNT preference. Many website operators are delaying a decision about whether to honor a DNT preference until industry standards are established.

A full copy of the “last call” draft is available here. All comments must be submitted by Oct. 7, 2015.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by:

Davis Wright Tremaine LLP

Davis Wright Tremaine LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.