California ‘do not track’ bill is toothless

Wed, September 11, 2013

How is it possible that a piece of legislation purported to advance the principles of "Do Not Track" does nothing to prevent unwanted tracking?

California's AB 370, widely characterized as a "Do Not Track bill," has inspired both lukewarm praise from some advocates and grumbling from industry as a source of unnecessary regulation. The bill has been marketed as the first DNT legislation, but you know there is something amiss when a bill sails through both state houses with no registered opposition.

As it turns out, the bill is as toothless as an abandoned denture factory. What are the penalties under AB 370 if a company chooses to track a consumer who has indicated that she wishes not to be tracked? None whatsoever; companies needn't honor consumer DNT preferences, in keeping with current practices, provided that they add a few lines to their privacy policies that few, if any, consumers will ever read.

According to the bill:

AB 370 will allow consumers to learn from a website's privacy policy whether or not that website honors a Do Not Track signal. This will allow the consumer to make an informed decision about their use of the website or service.

If only that were true.

Privacy policy disclosures have never been about safeguarding users' privacy. Their function has been to protect businesses from liability and allow them to collect and profit from consumer data, while providing the illusion of consent. It is well known that consumers do not read these abysmally written walls of text. Many are familiar with Gamestation's 2010 April Fools' joke, which resulted in thousands of users giving the company claim to their "immortal soul" after agreeing to the company's terms of service. Before that, a license agreement by the company PC Pitstop included a clause offering users $1,000 if they had read this far into the fine print and then contacted the company. Five months of sales went by before anyone read it.

Online privacy disclosures are intentionally overwritten and incomprehensible because the practice allows businesses to shut consumers out of the data collection discussion. A study from Carnegie Mellon found that the average consumer would need to spend an average of 76 days a year in order to read all the privacy policies they encounter on the Internet. Are we to believe that making these documents even longer (as AB 370 will do) will benefit consumers?

AB 370 is being called an effort at "transparency" but I believe all it will accomplish is to allow companies to hide behind opaque online disclosures and then do as they please, usually without a user's awareness or informed consent.

A real DNT bill, Senator Rockefeller's S.418, sends a clearer message to online advertisers: when consumers indicate a preference not to be tracked, they must not be tracked. AB 370, by contrast, threatens to undermine the goals of DNT, particularly if other lawmakers adopt this inconsequential legislation as a model for other states. From a privacy standpoint, it is worse than no bill at all.

Once the Governor signs the bill, we're likely to hear a chorus of self-congratulatory voices from the tech industry, politicians, and some advocates about how AB 370 supposedly is an important step for Do Not Track and for consumer privacy.

But don't expect many high fives from consumers. There's nothing in it for them.

— Joe Ridout
