In today's Internet, advertising is ubiquitous. It is the
main source of revenue for many web sites and services. It is also
the subject of increasing scrutiny by privacy advocates and
regulators, as advertisers and ad networks develop ever-more
sophisticated means to track and profile users in the quest to
optimize their effectiveness.
In Canada, online behavioural advertising (sometimes referred to
as interest-based advertising) has been the subject of significant
attention from the Office of the Privacy Commissioner. The Office
recently released a research report on the subject, concluding
that many organizations and web sites are not fully-compliant with
the guidelines the Office issued on the subject in
2011. This comes in the wake of specific findings in a number of
cases relating to opt-in consent, use of sensitive information for
profiling purposes, and online tracking of children.
These are not new issues. In 2007, consumer advocate groups
asked the U.S. Federal Trade Commission to establish a national
"Do Not Track" list, which web advertisers would be
required to honour. By 2011, this had evolved into an http
header-based signaling model, allowing users to communicate their
preference to web servers but relying on voluntary adoption by the
The draft standard remains voluntary. It defines a set of
practices which organizations that wish to claim compliance must
follow; but there is no obligation to comply and no technical
mechanism to verify compliance.
The core principle of the draft standard is that third parties
(such as ad networks) must not collect identifying information
without some other form of consent when the user enables the DNT
header, except for frequency-capping, auditing, security or
debugging purposes.2 This rejects proposals from some
industry groups which would have permitted collection of profiling
information for market research purposes, limiting only the
delivery of customized advertising based on that profiling
The draft standard also calls on servers to send a response
signal indicating whether or not they will respect the DNT header.
Several responses are available including "C", to
indicate that the service believes it has express consent to
collect the information, notwithstanding the presence of the DNT
header, and "D", indicating that the service will simply
disregard the user preference.
The latter possibility reflects the relatively weak consensus
underlying the Do-Not-Track standard. Some major web sites,
including Yahoo! and AOL, have already decided not to honour the
Some organizations, including Google, had pointed to the lack of
standardization as a justification for not responding to the DNT
header.4 Now that the W3C standard has emerged, at least
in draft form, it will be interesting to see whether it provokes
any significant industry or regulatory response, either to embrace
the new standard or reject it.
But, for some on the user side, it may be case of too-little,
too-late. Use of ad-blocking tools has climbed dramatically since 2013. This trend
suggests that the advertising privacy battleground may already have
Nonetheless, the W3C standards process continues. Interested
parties have until October 7, 2015 to submit comments on the draft
standards. Instructions are provided in the working draft document.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).