By Omer Tene
Jules Polonetsky, Co-chair and Director of the Future of Privacy Forum, and I are delighted to announce that our paper, “To Track or ‘Do Not Track’: Advancing Transparency and Individual Control in Online Behavioral Advertising,” has been accepted for publication in the Fall 2011 issue of the Minnesota Journal of Law, Science, and Technology (MJLST).
The paper, which was presented at the last Privacy Law Scholars Conference (PLSC) in Berkeley, reviews and criticizes the current debate on online behavioral tracking, including the Federal Trade Commission’s Do Not Track (DNT) proposal.
The past decade has seen a proliferation of online data collection, processing, analysis and storage capacities leading businesses to employ increasingly sophisticated technologies to track and profile individual users. The use of online behavioral tracking for advertising purposes has drawn criticism from journalists, privacy advocates and regulators. Indeed, the behavioral tracking industry is currently the focus of the online privacy debate, with DNT at the center of attention. We point out that the debate surrounding DNT and specific details of its implementation disguises a more fundamental disagreement among stakeholders about deeper societal values and norms. Unless policymakers address this underlying normative question – is online behavioral tracking a societal good or an unnecessary evil – they may not be able to find a solution for implementing user privacy preferences.
By emphasizing “notice and choice” (or “transparency and consent” in European parlance), the current legal framework imposes a burden on businesses and users which both sides struggle to lift. Users are ill placed to make responsible decisions about their online data, given the increasing complexity of the online information ecosystem. Indeed, even privacy professionals would be hard-pressed to explain the inner-workings of the online market for consumer information; the parties involved; and actual or potential uses of information. Imposing this burden on users places them at an inherent disadvantage and ultimately compromises their rights.
The discussion among policymakers has been captured by debate of exactly how choice should be made; obsessed with the procedural mechanics of choosing (opt-in; opt-out; pre-checked box; forced choice; central opt-out; located on web page; linked to privacy policy; in browser; in advanced settings; etc.). The underlying premise is: “if users only knew – they would choose right.” We argue that this is not a valid value-based proposition. Putting forth – “we do not have a position with respect to online behavioral tracking; our only position is that users should have a freedom to choose” – typically hides the real argument, which is “users should choose what we think is right for them.” Regardless of fine-tuning, notice and choice mechanisms presented to users will never be “value neutral.”
The balance between innovation and privacy will be better served if policymakers focus the debate on the tradeoff between efficiency and individual rights, and if businesses implement tracking mechanisms fairly and responsibly. Policymakers simply cannot continue to sidestep these questions in the hope that “users will decide” for themselves. Instead of repeatedly passing the buck to users, the debate should focus on the limits of online behavioral tracking practices by considering which activities are socially acceptable and spelling out default norms. At the end of the day, it is not the size of the font in privacy notices or location of check-boxes in advanced browser settings which will legitimize or delegitimize online behavioral tracking. Rather, it is the boundaries set by policymakers, either in law, regulation or self-regulation, based on balancing industry interests and individual rights.
The reason policymakers fail to reach consensus on notice and choice is that such mechanisms are inherently skewed and always disguise an implicit value judgment. Policymakers decided smoking is a social evil, imposing tremendous costs on the state and individuals; hence notices on cigarette packs are visceral (photo of emaciated lungs or dead bodies) and scolding (“cigarettes cause cancer”; “smoking can kill you”). Policymakers decided front seat passenger airbags should not be deactivated except after careful, premeditated deliberation; hence they disguised the disabling switch and permitted only authorized mechanics to perform the operation after customers execute liability release forms. Policymakers in most European Union Member States decided organ donations were a societal good with benefits far outweighing the costs in religious sentiment; they therefore adopted a legal regime of opt out, or presumed consent, where every citizen is deemed to have consented to organ donation unless expressly opting out by recording in writing their unwillingness to donate. If policymakers do not decide whether online behavioral tracking is a societal good or evil, they are unlikely to ever settle the current dispute.
In our paper, we describe the various online tracking technologies deployed by industry and the different purposes of online behavioral tracking. We lay out the existing regulatory framework applicable to online behavioral tracking in the European Union and United States and address some of the existing proposals for regulatory reform. Finally, we discuss our views with respect to the desirable allocation of responsibility among users, businesses and policymakers.
A draft of our paper can be downloaded from the SSRN site here.