Why Do-Not-Track May Be Required

In the United States, they propose to oblige technology companies to take into account the consent of users to transfer their personal data to advertising networks.

/ photo Tom Roberts - Unsplash

Do-Not-Track (DNT) allows the network user to give or withdraw consent to the transfer to third parties of data on his actions on the page and their use in online advertising.

By default, DNT is null, indicating no preference.

The prototype Do-Not-Track mechanism was developed in 2009 by information security expert Christopher Soghoian) and Mozilla employee Sid Stamm. They proposed the DNT to the US Federal Trade Commission (FTC), which was just trying to launch a registry of sites that transmit information about visitors to advertising services. But DNT was considered a more convenient mechanism, and the Commission approved its introduction in December 2010. In 2011, DNT was already in Chrome, Firefox, Safari, Opera, Internet Explorer. In the same year, Do-Not-Track decided to standardize at the W3C (World Wide Web Consortium) level, but this work was never completed.


No law directly requires compliance with the Do-Not-Track principle by site owners. The closest to making it mandatory was GDPR - the regulation gives EU citizens the opportunity to prohibit the processing of their personal data in online services. However, the DNT itself is not mentioned in the GDPR, and so far there have been no sanctions for non-compliance with its requirements.

Due to the lack of legislative support, many sites simply ignore Do-Not-Track. Given this situation, in January 2019, the W3C working group stopped developing the standard. And in February, DNT was removed from Safari, which caused an mixed reaction.

One way or another, in a 2017 survey, a quarter (of more than 50 thousand) of respondents said they use Do-Not-Track. 61% of survey participants are also worried that they cannot control the transfer of their data between ad networks and advertisers. This question cannot but worry people, therefore DNT still has supporters who do not abandon attempts to “legalize” this mechanism and make it mandatory.

What do they offer

Representatives of DuckDuckGo, who advocate regulatory restrictions on the ability to collect data for Internet users, have proposed a new law. The initiative was called The Do-Not-Track Act of 2019 . So far this is only a draft version of the bill.

The document suggests obliging site owners to take into account the user's refusal to install third-party cookies and transfer information about the site’s visit to advertising networks. The act can help not only people who want to protect their personal data, but also the advertisers themselves. The latter sometimes face fraud by the owners of sites hosting banners.

Unscrupulous webmasters can set affiliate cookies for many online stores that work with a specific advertising network. During the storage period of these cookies, the user can make a purchase on one of the partner resources. Then the owner of the site will receive a reward, although he did not bring the buyer to the online store. In this case, the advertiser is wasting money.

It is important to note that the requirements of the bill will need to be (if passed) only with Do-Not-Track enabled. In other situations, the use of personal data (PD) in online advertising will not be specifically limited.

Among other things, the bill proposes to limit the exchange of user PD between the services of the same company. For example, information from WhatsApp should not be used for advertisements on Instagram or Facebook.

The document also describes exceptional cases in which the setting of cookies and data collection will not be limited. The Act will allow the transfer of PD to correct errors in the operation of services, analysis of information security sites, financial transactions and journalistic research that fall under the scope of the First Amendment to the US Constitution (page 5 of the document ).


/ photo Kyle Glenn - Unsplash

The bill offers fines for companies that continue to ignore Do-Not-Track. The minimum amount is $ 50 thousand, and the maximum is $ 10 million or 2% of the company's annual revenue. The law will potentially apply to all companies operating in the United States, but its future is still in doubt.

Opinions about the initiative

The authors of the initiative and some journalists believe that US senators will support the act. A number of politicians in the United States are already in favor of expanding the rights of citizens in the field of personal data protection. For example, senator and one of the likely presidential candidates, Elizabeth Warren, support the collection of PD . It is believed that The Do-Not-Track of 2019 could be the first step towards a larger bill following the example of the European GDPR.

In favor of the act and says that DNT is a turnkey technical solution. It is available in many browsers and does not require the development of new tools.

There are opinions against the bill. The act was not supported by one of the authors of the original W3C Do-Not-Track standard Pam Dixon. According to her wordsMandatory DNT compliance is not sufficient for PD safety. Dixon proposes to develop, instead of an act, a full-fledged standard for collecting data on site visits, which will suit both advocates of PD protection, the online advertising industry, and politicians.

Other initiatives

The US Senate is considering two more proposals for regulating the collection of PD.

The author of the first initiative was Oregon Senator Ron Wyden. He believes that the FTC should develop cyber security standards for IT companies. Widen also advocates the creation of a single national register of citizens who refused to share their personal data in online services. Serious penalties are imposed for violation of requirements - fines for companies in the amount of 4% of annual revenue or a prison term of 10–20 years for heads of organizations responsible for data protection. Suggested a

second initiativeVirginia Senator Mark Warner He published a document in which he proposed 20 promising ways to regulate the IT segment. For example, to develop an American analogue of GDPR, which will determine the procedure for working with PD of the country's inhabitants.

Data protection laws are promoted not only at the federal level, but also in individual states. Starting in 2020, the California Consumer Privacy Act (CCPA) will enter into force in California. It will oblige companies to issue, at the request of customers, information gathered about them and a list of third parties who have access to this data.

Conclusion

The adoption of a new data protection law is supported by representatives of both US parties. Moreover, some Republicans believe that citizens of the country will support the initiative.

Even if the draft law on mandatory compliance with DNT is not adopted, the issue of protecting personal data will continue to be discussed in the US Senate. Most likely, GDPR will become the basis for new legislative initiatives and a guide for politicians.

---

What are we writing about in our Telegram channel:

• Learn in 60 seconds: what is a service-defined firewall
• Create an open source data center - three funds that do this
• Why vGPUs are not inferior in performance to iron solutions
• IaaS for comfortable business scaling - Avito.ru case
• Why companies use virtual machines, not containers