How California’s New ‘Do-Not-Track’ Law Will Hurt Consumers (Forbes Cross-Post)

California enacted a new law (AB 370) requiring many websites to disclose more information about how they track users. Websites that collect personal information about their users must disclose (1) how they respond to a web browser’s “do not track” (DNT) signal, and (2) if third parties can collect personal information across a network of sites. The law doesn’t require websites to honor browser DNT signals or block third party tracking; it simply tries to increase transparency about the website’s practices. Despite that intent, the law almost certainly doesn’t help consumers, though the law is a win for other constituents. An assessment of winners and losers from this new law:

Winner: California’s Department of Justice’s Privacy Enforcement and Protection Unit. A couple of years ago, the California Attorney General’s office assigned a group of prosecutors to work the Internet privacy beat. The unit has struggled to find good cases to prosecute; its flagship prosecution has been the low-stakes claim that Delta Airline’s mobile app didn’t adequately display a privacy policy. The new law vastly expands the unit’s potential enforcement targets–basically, every California website that doesn’t promptly update its privacy policies.

Winner: Plaintiffs’ Lawyers. I doubt plaintiffs’ lawyers will sue websites for failing to make the required disclosures. Instead, I expect plaintiffs’ lawyers will troll through the new disclosures looking for litigation-bait. Because a browser’s DNT signal communicates ambiguous information to the website, a website’s explanation of how it treats that signal necessarily will be ambiguous as well, leaving room for plaintiffs’ lawyers to misinterpret and over-interpret the website’s disclosures. Furthermore, I expect plaintiffs’ lawyers will try to establish liability for websites that admit they don’t honor the browser’s DNT signal.

Winner: Reporters. Reporters will surely generate good link-bait by writing articles mocking and shaming some high-visibility websites.

Winner: Do-Not-Track Advocates. For years, industry representatives, advocates and technologists have been trying to define what it means to “track” online behavior so that industry could build solutions to effectuate consumers’ tracking preferences. Those negotiations broke down spectacularly last year, and efforts to revitalize the process this year have failed. This law bypasses all of those efforts. In effect, the law lets browser manufacturers create and self-define their DNT signals, and websites must explain what they do with those signals. While this outcome gives a lot of power (too much?) to browser manufacturers, it does break the negotiation logjam while giving privacy advocates some tangible output for their efforts.

Loser: Websites. Websites will incur numerous costs due to the law: (1) determining what, if anything, they have to do to comply with the law, (2) figuring out how to describe their practices, (3) keeping those descriptions current over time, even as browsers change their signals and websites evolve their service offerings, and (4) dealing with the inevitable enforcement actions and lawsuits, meritorious or not. Most privacy advocates would scoff at these costs (or secretly celebrate them), but these costs are yet another de facto tax on the Internet ecosystem. The tax might be justified if it produces commensurate social benefit, but…

Loser: Consumers. We already know consumers don’t read privacy policies, so putting new disclosures into privacy policies won’t lead to more informed consumers. Consumers also routinely acquiesce to browsers’ default DNT signals, so consumers today aren’t making informed choices about their desired tracking. Will the new disclosures required by this law improve either situation? No.

Worse, the concept of “tracking” is murky to consumers. Beyond the reference to browser DNT signals, the law specifically applies to only one type of tracking: the use of “personally identifiable information” to track users across time and over multiple websites. Thus, the law doesn’t address a website’s internal tracking like Amazon’s personalized recommendations; the use of third party analytic services; tracking based solely on IP addresses (or browser settings) if that tracking information isn’t combined with personally identifiable information; and many other types of behavior that might constitute “tracking.”

Due to the semantic ambiguity of “tracking,” consumers might mistakenly infer that a website publicly declaring that it is honoring browsers’ DNT signal isn’t “tracking” them. To the extent consumers even see the disclosures, those disclosures will almost certainly mislead them, and perhaps cause them to overestimate their protection. This reminds me of how California’s current requirement that websites display “privacy policies” misled consumers into thinking those documents protected them.

Loser: The California Legislature. Mandatory disclosure laws rarely succeed. And state legislatures suck at regulating the Internet.

For more on these issues, see my 2006 academic article on online tracking.

