In early 2011, Mozilla added a do-not-track feature in its Firefox browser that allowed users to clearly state that they didn't want their online activities monitored by websites and advertisers.
Other browser vendors soon followed suit, including Microsoft, Apple and Google, seemingly handing consumers a simple way to protect their information that would persist no matter what new collection technology and techniques the industry invented.
But more than 2 1/2 years later, flipping on the option still offers scant protection for consumers. Not only can companies freely ignore it – they don't even have to disclose whether or not they ignore it.
At least the latter, however, might soon change. A do-not-track transparency bill has landed on Gov. Jerry Brown's desk and indications suggest he will sign it before the looming deadline in mid-October.
If Brown signs the bill, introduced by Assemblyman Al Muratsuchi, D-Torrance (Los Angeles County), it's likely to be portrayed as a bigger victory for privacy than it actually is – the latest indication of California boldly leading the way on online privacy.
It's not that. But it is a small and solid step forward.
Do not track ignored
The law amends an existing statute requiring online companies that collect personally identifiable information to "conspicuously post" their privacy policies.
Going forward, those policies would have to include how the sites respond to do not track requests or similar mechanisms. In another update – that is only a decade or so overdue – the site would also have to state whether or not third parties can collect identifiable information about users. Those parties include the dozens or even hundreds of ad networks like TribalFusion, Facebook's FBX and Google's AdSense that inconspicuously track activity across vast swaths of the Internet.
Strictly speaking, companies would only have to disclose this information to California residents, but since no business will be eager to craft and display varying policies for varying states, it would effectively serve as a national law (if not a global one).
To be clear, a real victory here would be to take the common sense step of requiring companies to abide by the explicitly stated privacy preferences of their users. But to date that goal has proven politically unpalatable, amid stiff ad and tech industry opposition.
A committee of the World Wide Web Consortium (W3C), an online standards body, has been working for years to create an agreeable definition of do not track. But the parties have failed to agree on both basic and complicated technical questions. Participants have peeled off in frustration in recent months and days, most recently including the Digital Advertising Alliance.
In contrast, the relevant trade groups are officially unopposed to AB370 – though not in support of it.
That in itself – the lack of usual hyperbole about the bill bringing down the online economy – is the most obvious sign it doesn't do enough. But AB370 remains important for a few reasons.
First: While it is abundantly clear that few consumers carefully read the privacy policies of the sites and apps they use, tech journalists and privacy advocates do. So you can be sure that if this law goes into effect, stories will follow emphasizing that big reputable companies have made the conscious decision to ignore the wishes of their users.
I certainly look forward to writing some.
"Information on who does what will move into the public eye," said Joanne McNabb, director of privacy education and policy in the California Attorney General's office. "The goal is to bring the largely invisible practice of online tracking more into the light."
Over time, that sort of public shaming could put pressure on corporate practices. Maybe.
Second: The Federal Trade Commission has limited power to craft strong new privacy rules, but it can certainly force companies to abide by what they say they're going to do.
This is largely how Google ended up forking over $22.5 million last year, to settle charges that it "misrepresented to users of Apple Inc.'s Safari Internet browser that it would not place tracking 'cookies' or serve targeted ads to those users," according to the FTC.
"It's not without potential teeth," said John Simpson of Consumer Watchdog, a member of the W3C's working group. "If somebody says they're honoring do not track and don't, then they're in trouble."
Defining do not track
Third: Jonathan Mayer, a privacy researcher who recently resigned from the W3C talks, wrote a detailed analysis of AB370 that notes the bill slips in a definition of do not track.
"The definition is vague, to be sure, and would need clarification through policy statements, enforcement and adjudication," he said. "But, crucially, the definition is a matter of California law."
In an e-mail interview, he stressed that this could lay critical groundwork for future legislation.
"Imagine, for example, a follow-up bill that requires a website to stop tracking if it receives" a do-not-track request, he wrote. "The key terms would already be defined. It would just be a shift from transparency (i.e. you must disclose X practices) to substance (i.e. you must stop X practices)."
Big holes remain
At the same time, Mayer's post stresses that the bill leaves gigantic definitional holes that could allow companies to claim they aren't bound by the law. He imagines many of the open questions will ultimately require court battles to sort out.
To be sure, it's a shame that AB370 is all our officials are reaching for, but it also seems to be a clear reflection of current political realities.
The online and ad industries aren't about to voluntarily agree to any restrictions on their business models in the W3C talks without the credible fear that a substantive law or strict regulations would demand even more. But so far, the Obama administration, Congress and even the California Legislature have failed to convincingly telegraph any such threat.
It seems the votes simply aren't there to take on industries with substantial political clout and lobbying budgets. An earlier California do-not-track bill with sharp teeth suffered a quick death back in 2011.
What's critical is to consider AB370 as an incremental step in the right direction – and for our officials to portray it as precisely that, and not some bold final victory. It's the only way to keep the pressure on, and the industry on its toes.
"Do Not Track in California," Mayer wrote, "is just getting started."