
Why Do-Not-Track Can Be Mandatory

A proposal in the US would require technology companies to take users' consent into account before transferring their personal data to advertising networks.




Do-Not-Track (DNT) allows a user to give or withdraw consent to the transfer of data about their actions on a page to third parties and to the use of that data in online advertising.

By default, DNT is null, indicating that there is no preference.
The prototype of the Do-Not-Track mechanism was developed in 2009 by security expert Christopher Soghoian and Mozilla employee Sid Stamm. They proposed DNT to the US Federal Trade Commission (FTC), which at the time was trying to launch a registry of sites that pass information about visitors to advertising services. DNT was considered the more convenient mechanism, and the Commission approved its introduction in December 2010. By 2011, DNT was already in Chrome, Firefox, Safari, Opera and Internet Explorer. In the same year, work began on standardizing Do-Not-Track at the World Wide Web Consortium (W3C) level, but this work was never completed.

No law directly requires site owners to adhere to the principle of Do-Not-Track. The closest any regulation has come to making it compulsory is the GDPR, which gives EU citizens the opportunity to prohibit the processing of their personal data in online services. However, DNT itself is not mentioned in the GDPR, and so far there have been no sanctions for non-compliance with its requirements.

Due to the lack of legislative support, many sites simply ignore Do-Not-Track. Given this state of affairs, the W3C working group stopped developing the standard in January 2019. In February, DNT was removed from Safari, which drew a mixed reaction.

Even so, in a 2017 poll, a quarter of respondents (out of more than 50,000) said that they were using Do-Not-Track. 61% of survey participants also worry that they cannot control the transfer of their data between advertising networks and advertisers. The issue clearly matters to people, so DNT still has supporters who have not given up their attempts to “legalize” this mechanism and make it mandatory.

What is offered


The new law was proposed by representatives of DuckDuckGo, who advocate regulatory restrictions on the ability to collect Internet user data. The initiative is called The Do-Not-Track Act of 2019. So far this is only a draft version of the bill.

The document proposes that site owners be obliged to honor the user's refusal to have third-party cookies set and to have information about site visits transferred to advertising networks. The act would help not only people who want to protect their personal data, but also the advertisers themselves. The latter sometimes encounter fraudulent site owners who place banners.

Unscrupulous webmasters can set up affiliate cookies for many online stores that work with a specific advertising network. During the storage period of these cookies, the user can make a purchase at one of the partner resources. Then the site owner will receive a reward, although he did not bring the buyer to the online store. In this case, the advertiser is wasting money.

It is important to note that the requirements of the draft law, if adopted, will need to be observed only when Do-Not-Track is enabled. In other situations, the use of personal data (PD) in online advertising will not be specifically limited.

Among other things, the bill proposes to limit the exchange of user PD between services of the same company. For example, information from WhatsApp should not be used for advertisements on Instagram or Facebook.

The document also describes exceptional cases in which setting cookies and collecting data will not be restricted. The act will allow the transfer of PD for correcting errors in the operation of services, analyzing the information security of sites, financial transactions, and journalistic research that falls under the First Amendment to the US Constitution (page 5 of the document).



The bill proposes fines for companies that continue to ignore Do-Not-Track. The minimum amount is $50 thousand, and the maximum amount is $10 million or 2% of the company's annual revenue. The law will potentially extend to all companies operating in the United States, but its future is still in question.

Opinions about the initiative


The authors of the initiative and some journalists believe that US senators will support the act. A number of politicians in the United States are already in favor of expanding citizens' rights in the field of personal data protection. For example, regulation of PD collection is supported by Senator Elizabeth Warren, one of the likely presidential candidates. The Do-Not-Track Act of 2019 is believed to be the first step towards a larger bill following the example of the European GDPR.

An argument in favor of the act is that DNT is a ready-made technical solution. It is available in many browsers and does not require the development of new tools.

There are also opinions against the bill. The act was not supported by Pam Dixon, one of the authors of the original W3C standard for Do-Not-Track. According to her, mandatory compliance with DNT is not enough for the safety of PD. Instead of an act, Dixon proposes developing a full-fledged standard for collecting data on site visits that will suit supporters of PD protection, the online advertising industry, and politicians alike.

Other initiatives


The US Senate is considering two more proposals for regulating the collection of PD.

The author of the first initiative is Oregon Senator Ron Wyden. He believes that the FTC should develop cybersecurity standards for IT companies. Wyden also supports the creation of a unified national registry of citizens who have refused to share their personal data with online services. Violating the requirements carries severe penalties: fines for companies in the amount of 4% of annual revenue, or a prison term of 10–20 years for leaders of the organization responsible for data protection.

The second initiative was proposed by Virginia Senator Mark Warner. He published a document in which he proposed 20 promising ways to regulate the IT segment. One example is to develop an American analogue of the GDPR, which would determine the procedure for working with the PD of the country's inhabitants.

Data protection laws are being promoted not only at the federal level, but also in individual states. The California Consumer Privacy Act (CCPA) will take effect in California in 2020. It will oblige companies to provide, at the request of customers, the information collected about them and a list of third parties who have access to this data.

Conclusion


The adoption of a new data protection law is supported by representatives of both US parties. Moreover, some Republicans believe that the initiative will be supported by the citizens of the country.

Even if the draft law on mandatory compliance with DNT is not adopted, the issue of personal data protection will continue to be discussed in the US Senate. Most likely, the GDPR will serve as the basis for new legislative initiatives and as a guide for politicians.




Source: https://habr.com/ru/post/451448/

