The fine people at the UC Berkeley law school have pulled together an amazing
two-day workshop about Web Tracking in Brussels. The conversation kicked off today with European Commissioner Neelie Kroes talking
about privacy, self-regulation and do not track, and with Director General Robert Madelin and FTC Commissioner Julie Brill on the subsequent panel. Together, the three handed a sizable challenge to the Web standards community: Standardize Do Not Track within a year (or less), be transparent, be inclusive.
Neelie Kroes‘ key points: While the advertising industry’s self-regulatory efforts are important and welcome, they aren’t enough. Tracking protection cannot be limited to just cookies (and cannot ignore other ways to create client state); it cannot be limited to just advertising or other specific sectors; and it cannot be limited to just the use of the data; instead, tracking protection needs to apply to data collection as well. Also, industry needs to address both Web and mobile tracking, and soon. Kroes’
challenge to industry: Standardize Do Not Track by June 2012. Come to the standards table.
FTC Commissioner Julie Brill spoke about the FTC’s efforts in the space over the last several years. She reminded us of the FTC’s staff
paper and the five
principles for an effective Do Not Track technology: 1. It must be easy to use (in fact, asked Brill, wouldn’t it be nice if the advertising industry was making opt-outs as easy to use as ads); 2. It must be effective; 3. It must be universal; 4. It must deal with collection as well as with use of information; 5. It must be persistent (and not go away after 5 days, or when you delete your cookies). As a significant footnote, Brill pointed out the special sensitivity of geolocation information, and the need for minimization there.
On standardization, Brill’s worry is that industry standardization might be too slow a process, and could possibly take beyond mid 2012.
Finally, Robert Madelin (Director General for the European Commission DG Information Society and Media) put the tracking conversation into the context of Internet regulation overall (“it can’t be a random walk between individual jurisdictions”) and the eG8, and into broader thinking about effective self-regulatory approaches. The sweet spot, according to Madelin, is somewhere in the middle between strongly mandated co-regulation and purely industry-led self-regulation: industry-led, yes – but inclusive, with a clear process, and with clear accountability and transparency to the public, and with a preference for shipping over the sort of perfection that can hold up agreement forever.
Nick Doty blogged about our plans with Do Not Track earlier today. We believe that the standards process provides an appropriate framework for conversations about not just the bits on the wire, but also the broader meaning of do not track.