Efforts to stop websites from collecting online data face political pushback, tech issues
SACRAMENTO — At a legislative hearing last week, state lawmakers grilled credit card companies and retailers about their efforts to protect consumer data from breaches like those at Target and Neiman Marcus stores. But consumer advocates said no amount of security could fully protect data from hackers. The problem lies in companies' very act of collecting mountains of consumer information, they said.
Consumers "look at a website. That's it. But then that information is forever stored," said Lenny Goldberg, a lobbyist representing consumer advocacy group Privacy Rights Clearinghouse.
But despite data breaches and government spying intensifying concerns over privacy, one of the data privacy movement's main goals – empowering Internet users to tell Web companies not to track their online activity – appears frustratingly out of reach.
Third-party advertisers track users' browsing habits in an effort to target ads to consumers. Some allow consumers to file a "do-not-track" request with the company directly, but the larger debate centers on companies' obligation to honor do-not-track requests made indirectly, through users' activation of privacy settings on their Web browsers. Currently, there's no guarantee a company will voluntarily honor those requests.
California-based consumer advocate group Consumer Watchdog has submitted a proposed ballot initiative to require companies to comply with such requests. Web companies, meanwhile, are still waiting for guidelines on how to comply with a do-not-track law passed last year, AB 370, which requires them to at least craft policies telling users how they respond to requests. Companies complain that figuring out how to apply the law is daunting.
Jamie Court, head of Consumer Watchdog, said his group is pushing a ballot initiative because AB 370 doesn't provide real protection for consumers. He said he supported AB 370, sponsored by Assemblyman Al Muratsuchi, D-Torrance, and backed by state Attorney General Kamala Harris, but said it wasn't enough.
"It's nice to know you're being robbed blind, but until you call the police, what's the point?"
Target, which late last year suffered a data breach affecting millions of customers, is "the poster child for why we need to contain and protect our data," he added. "Some of the Target data [that was stolen] included [Internet users'] information."
The ballot measure filed by Court, who also spoke at last week's hearing, would require third-party companies to honor requests by Californians to stop tracking their activity. The initiative hasn't yet gone out for signatures, and Consumer Watchdog – already backing two other ballot initiatives in the upcoming election – is seeking support from outside groups to garner the resources to qualify it. But Court said it has polled through the roof.
"Ninety percent of people want a do-not-track option," he said.
But the business community maintains there's nothing simple about complying with do-not-track rules. Robert E. Braun, an attorney with Jeffer Mangels Butler & Mitchell LLP, said the longer he worked to help clients comply with AB 370, the more questions the law generated. For example, many businesses' websites are not custom-built and are administered by other companies that may engage in third-party tracking, he said. To comply with AB 370, clients "have had to spend time determining who is collecting [users'] data."
Companies also need help understanding what qualifies as an official request, Braun said. In addition to an explicit browser setting to that effect, "Does it [also] show up when someone turns their cookies off?"
Carl Szabo, policy counsel at Washington, D.C.-based Web company association NetChoice, said companies are facing an unwinnable scenario in which they can never credibly claim not to track users. Even the types of programming codes that tell a site not to track a user aren't standardized, he said. The World Wide Web Consortium, an international standard-setting body, still hasn't finalized a formal definition for do-not-track requests.
"If I say, 'I do comply with a do-not-track [request],' there's no standard. While I may be complying in one respect, I might not be complying with another," Szabo said.
That increases liability for companies.
"Any time a company makes a promise to a consumer… they are subject to suit if they break their promise," Szabo said.
The California Attorney General's office is working to come up with guidelines this year, but businesses already are complaining that draft guidelines they've reviewed are too stringent. Szabo said companies couldn't get "safe harbor" protections from lawsuits by using the guidelines, either.
John Simpson, who focuses on do-not-track issues for Consumer Watchdog, said Web companies are simply throwing up chaff.
"All the major Web browsers now offer the ability to send [do-not-track requests]," he said, arguing that major third-party Web companies could comply if they wanted to. Regarding the issue of legal compliance, Simpson said, it's simple: No tracking means no tracking. "I think it's pretty straightforward in terms of definitions."
One reason privacy and consumer advocates don't want to lay down too specific a definition of what qualifies as do-not-track compliance, Simpson added, is that laws could end up regulating only defunct technologies.
"The way tracking is done now is putting down cookies [on a user's hard drive]," he said. "It's quite likely in the future cookies aren't going to be used anymore."
Muratsuchi and the Attorney General's office did not return requests for comment.
Given the private sector's concerns about AB 370, it's no surprise Consumer Watchdog's ballot proposition isn't popular in commercial circles. Jim Halpert, head of DLA Piper's global privacy practice and general counsel for the Internet Commerce Coalition, warned that Court's initiative might be unconstitutional because of its regulation of companies beyond California's borders.
Halpert did agree with Simpson that changing technologies have frustrated efforts to regulate Internet privacy, but he said that showed that laws aren't the answer.
"The right way to solve this is technical standards and discussion about what the scope of do-not-track should be," he said.
But flagging efforts at self-regulation have soured consumer groups on that approach. The World Wide Web Consortium's push to come up with industry standards has suffered numerous postponements. Court said his group is tired of waiting.
"We're trying to raise the money to qualify [our initiative]. We need to get 830,000 signatures," he said. "It's not a simple thing, even though it's a popular proposal."