In just one week, privacy advocates have seen two major proposals to promote consumer privacy on the Internet. In California, a "Do-Not-Track" bill regulating tracking cookies passed through committee, clearing a major hurdle to adoption. Simultaneously, Sen. Rockefeller introduced a very similar bill in the US Senate.
Both bills would require companies to honor a "Do-Not-Track" preference set by consumers, usually as a browser setting. The bills represent a significant step forward in online privacy and should be strongly supported by voters.
California has led the nation in Internet law several times before, in areas such as anti-spam regulations, database breach notification and privacy law. The Do-Not-Track bill has a better chance in California than it does in the US Senate, but passage anywhere would have far-reaching effects on the industry. Predictably, companies with business models that profit tremendously from tracking users objected strenuously, using congressional testimony and press conferences to foretell the collapse of the online economy.
Do-Not-Track bills are significant not because they regulate tracking of users, but because they shift the power and control from large anonymous databases to the user's own browser. Previous attempts to introduce industry standards for privacy and control, such as the W3C's Platform for Privacy Preferences (P3P), never took off because they did not address the underlying issue of control and ownership of information.
User tracking information has tremendous, intrinsic, concentrated and obvious value to corporations. The competing value of privacy is diffuse, intangible and spread out among many users. A quid-pro-quo exchange of value, where a consumer gives up privacy to get access to a service or convenience, is by default lopsided. The user is getting an obvious service but losing a not-so-obvious amount of privacy. Their data is exposed to theft, government intrusion, loss and misuse, but none of that is immediate or obvious. Worse, the quid-pro-quo between corporations and consumers is never explicit. Corporations collect tracking data invisibly and, at least until they are breached, seemingly without cost to the consumer.
Do-Not-Track makes the quid-pro-quo explicit by letting users set a preference in their browser that tells companies not to track their online activity. The bills simply force companies to comply with that preference. But users can easily go beyond simply "turning off" tracking. Once the power has shifted, users can decide to implement per-site controls (whitelists) or dynamic controls based on privacy policies.
For example, a user might set a Do-Not-Track-Unless policy that examines a company's Platform for Privacy Preferences (P3P) electronic disclosure and adjusts the tracking preference accordingly. In other words, users now have a "quid" to negotiate. Companies will be forced to "buy" tracking by offering better services, better privacy, better security or simply money. That's a privacy seller's market.
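A sketch of such a Do-Not-Track-Unless policy, added here as an illustration and not taken from either bill or from any browser: it combines a per-site whitelist with a check of the site's P3P compact policy and returns the value to send in the `DNT` request header. The token codes are those of the W3C P3P 1.0 compact policy format; the host names, the user's rule sets and the function names are assumptions made for the example.

```javascript
// Added example: user-side "Do-Not-Track-Unless" decision.
// The rule sets and host names below are constructed for illustration.
const TRUSTED_SITES = new Set(["bank.example"]); // per-site whitelist
// P3P 1.0 compact-policy codes this user refuses to be tracked for:
const BLOCKED_PURPOSES = new Set(["PSA", "PSD", "IVA", "IVD", "TEL", "OTP"]);
const BLOCKED_RECIPIENTS = new Set(["UNR", "PUB", "OTR"]);
const BLOCKED_RETENTION = new Set(["IND"]); // indefinite retention

// Pull the token list out of a P3P response header value such as
//   policyref="/w3c/p3p.xml", CP="NOI DSP COR"
// Returns null when the site sent no compact policy.
function parseCompactPolicy(headerValue) {
  const m = /CP\s*=\s*"([^"]*)"/i.exec(headerValue || "");
  if (!m) return null;
  return m[1].trim().split(/\s+/).filter(Boolean);
}

// Returns the DNT request header value to send to `host`:
// "1" = do not track, "0" = tracking allowed.
function dntHeaderFor(host, p3pHeader) {
  if (TRUSTED_SITES.has(host)) return "0";
  const tokens = parseCompactPolicy(p3pHeader);
  if (tokens === null || tokens.length === 0) return "1"; // no disclosure
  for (const tok of tokens) {
    // Three-letter code plus optional consent suffix:
    // a = always, i = opt-in, o = opt-out.
    const m = /^([A-Z]{3})([aio])?$/.exec(tok);
    if (!m) return "1"; // malformed token: fail closed
    const [, code, consent] = m;
    if (BLOCKED_RECIPIENTS.has(code) || BLOCKED_RETENTION.has(code)) return "1";
    // A blocked purpose is tolerated only when the site declares it opt-in.
    if (BLOCKED_PURPOSES.has(code) && consent !== "i") return "1";
  }
  return "0";
}
```

A compact policy is a self-declared claim by the site, so this sketch treats a missing, empty or malformed policy as grounds to keep Do-Not-Track on.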
Obviously, things are not that simple. The bills need to protect consumers from coercive terms and conditions or end-user licence agreements that force them to forfeit the Do-Not-Track control. The bills should also give consumers the explicit right to enter into class action litigation to enforce that control.
Even weak bills are a vast improvement over the status quo. Let your representatives know that consumers and voters, not corporations, should be given control over their own privacy.