Feb. 24, 2011— -- Internet privacy is the new black (or at least it's the new green). A recent eye-opening investigative series in the Wall Street Journal exposed the complex web of companies that are "tracking" your every move online, and just how much information about you and your online behavior they're collecting in the process.
It's been nearly a decade since Congress first tried and failed to pass a privacy law. That void is a cause of consumer outcry, and Washington is finally listening.
Congress now has several privacy bills — delivered or promised — ready for debate and more are poised for introduction. The Federal Trade Commission and the Commerce Department have both weighed in on how best to approach online consumer privacy. These efforts have converged to create a raucous conversation about how technology and policy can work in concert to protect and enhance Internet privacy.
Enter Do Not Track.
When you visit a typical commercial website, that website is far from the only one that knows what you have been doing on that site: third-party companies typically contract with websites for permission to track your behavior across many, many sites. Some websites, such as dictionary.com, contract with hundreds of these data collectors (many of whom are advertising networks or are associated with advertising networks).
The information gleaned from your online wanderings is valuable and can be sold to data aggregators who will update your digital dossier or to companies in the advertising industry that will use it to target ads at you. In other words, what happens on dictionary.com -- and most popular websites -- does not stay on dictionary.com.
Many responsible individual advertising networks allow consumers to opt out of this third-party data collection. But consumers cannot be reasonably expected to hunt down every ad network out there and tell them, one at a time, "Do not track me!"
Some self-regulatory initiatives are taking important steps to give consumers more information about behavioral advertising and to make opting out easier and more persistent. For example, the Digital Advertising Alliance is working on technology to put an icon in all targeted ads to let consumers find out why that particular ad showed up in the first place.
The DAA also allows consumers to opt out of all its member companies' serving of behaviorally targeted ads (though not the tracking itself) with just a couple of clicks. Unfortunately, this opt-out is cookie-based, so if you delete your cookies out of concerns for your privacy, you're erasing the instruction to DAA member companies not to track you. (Google recently released a "Keep My Opt Outs" add-on for its Chrome browser that fixes this problem.)
However, even if you do manage to opt out of the behavioral ads of the 60 member companies in the DAA, this doesn't stop the more than 200 other tracking companies out there from following you around the web.
But if web browsers had a Do Not Track feature, then consumers would finally have a simple option to say, "Do not track me!" to every tracking site. The browser companies have recently promised to build is a Do Not Track setting that would allow consumers to prevent companies from tracking them.
Each of the major browser makers -- Google, Microsoft and Mozilla -- is taking a different approach to Do Not Track technology. But Do Not Track is under attack from some who prefer the current balance of power between consumers and trackers to remain tilted in favor of the trackers.
This power struggle has fertilized a number of growing myths on both sides of the debate -- it's time to do some weeding.
Myth: Do Not Track Puts the Government in Charge of the Internet
While , Do Not Track was inspired by the FTC's Do Not Call registry, which has been one of the most successful government-led consumer protection and privacy initiatives in decades, it does not require the same level of government intervention
To make Do Not Track work, the government does not need to maintain any kind of registry. That means no registry of Internet users, no registry of advertisers, no registry of publishers. It simply requires browsers to build the tools and trackers to respect the desires of the consumer.
Government pressure has and should continue to encourage these innovations, but technology platforms don't need the government to get Do Not track off the ground. Many believe that Do Not Track will work only if the government dictates the technology and imposes a single solution on the market, but doing so now will simply stop innovation in its tracks.
The fact is that the major browsers have taken different approaches, and we don't yet know which will work best for consumers. Or whether another approach yet to be unveiled will win the day. We need to encourage a race to the top, not determine a winner prematurely
It is perhaps overly optimistic to suggest that Do Not Track will work without a "stick" or new legal mechanism for forcing companies to respect consumers' express statement: "Do not track me!"
Legislation that spells out this enforcement mandate has already been proposed, but new legislation is probably not needed to keep companies from violating a Do Not Track request.
The FTC already has the power to pursue companies who engage in deceptive or unfair business practices. The FTC could make clear that violating a Do Not Track request would be considered a deceptive practice and then demonstrate its commitment by bringing enforcement actions.
Myth: Do Not Track Will Kill the Internet
Today, behavioral advertising that links ads to information from tracked consumers makes up a small percentage of the overall multi-billion dollar online ad marketplace. No one knows how many consumers will actually choose to opt out of being tracked, and what's important, Do Not Track does not allow users to opt out of advertising, ad reporting or many types of web analytics.
Users who tell companies "Do not track me!" will see the same number of ads, but these ads will be based on the content of the website they are visiting instead of a dossier of information about the user that has been compiled by tracking their online movements.
Companies also have the option of using Do Not Track as a kind of digital bouncer: If you are blocking their sites, you get no access to their material. Not blocking? You get full website access. That's not a new concept.
Some websites now require users to turn off programs that block ads as a condition to gaining access to their content, much as some websites and videos will load after displaying an advertisement that the consumer cannot avoid. If consumers do not want to be tracked, they can take their business elsewhere.
And some companies could decide to charge for access to their content. A free market is an essential element here: If consumers would rather pay with their wallets instead of paying with their privacy, so be it. If not, that's fine too.
It is important not to conflate Do Not Track with comprehensive privacy protection. It is not a silver bullet. It is a solution for a particular privacy concern -- behavioral advertising.
It will not address any of the privacy risks associated with mobile devices, social networking or cloud computing.
Nor will it address the collection of personal data offline or the aggregation and sale of personal data by data brokers. There is a risk that our focus on Do Not Track will divert attention from the real prize: a baseline consumer privacy law that requires all entities that collect and use personal data to engage in fair information practices.
Getting such a law passed is an urgent priority for consumers and for companies that operate in the global economy. Do Not Track is a welcome rest stop along that path, but it must not be the final destination.
Leslie Harris is president and CEO of the Center for Democracy & Technology.