The long running struggle to develop technical standards for the implementation of a do not track (DNT) specification is moving closer to completion. The World Wide Web Consortium (W3C) working group recently released a “last call working draft” of its tracking compliance specification. The specification would establish server-side standards for honoring a user’s DNT preference.
The draft specification would require, among other things, that a first party organization not share any “network interactions” with any third parties if the user sets the DNT preference in their browser. The first party can continue to collect, retain and use the interaction data for certain internal purposes, such as customizing content and first-party advertising, and may also share that data with “service providers” that are acting on their behalf. If the DNT preference is set, a third party to the user interaction (e.g., advertising network, embedded widget provider) may only collect and use the interaction data if (a) the user has explicitly granted consent, (b) the data is collected for a limited set of permitted purposes (e.g., frequency capping, financial logging, security and debugging), or (c) if the data is permanently de-identified (as defined in the specification). Even if the collection is for a permitted purpose, a third party must still comply with a number of additional restrictions, such as practicing data minimization, implementing reasonable security and retaining data only for specified retention periods. Moreover, a third party’s data collection and use must be “reasonably necessary and proportionate” to the permitted purpose. A party may engage in activities that are otherwise prohibited by the specification if they have the user’s explicit and informed consent.
Finally, the draft specification would require first and third parties to alert users whether they will comply with users’ DNT requests. A party that decides not to honor DNT requests must clearly state the specific reasons in the party’s privacy policies.
Remember, the California Online Privacy Protection Act (CalOPPA) requires operators of commercial websites and online services to disclose in their privacy policy how their website responds to DNT signals sent by a visitor’s web browser if they collect “personally identifiable information” about the online activities over time and across third-party websites from any consumers residing in California. CalOPPA requires disclosure but does not affirmatively require a website to honor a DNT preference. Many website operators are delaying a decision about whether to honor a DNT preference until industry standards are established.
A full copy of the “last call” draft is available here. All comments must be submitted by Oct. 7, 2015.
