Much time and energy is being expended to build systems to verify compliance with the notice-and-opt-out framework for online behavioral advertising. The notion is that an independent organization can confirm that behaviorally targeted ads always are accompanied by the proper notice-and-choice disclosure, and that ad delivery companies refrain from showing behaviorally targeted ads to consumers who have opted-out.
The pace of technological development suggests that these efforts are misguided.
To understand why, consider these two recent developments:
- Panopticlick, which demonstrates that operating system and browser configurations are sufficiently unique to identify a computer over time, even without using cookies, supercookies or any other affirmative means of tracking.
- Scout Analytics’ new tracking service, which identifies a user (not a computer) based on the unique signature provided by how they type and use their mouse.
Given the huge value in behavioral targeting, you can expect to see a whole host of approaches like these, which offer far greater accuracy and durability. Because these technologies work purely on the backend, they do not leave artifacts like cookies that provide a forensic means to determine when tracking is occurring.
It is conceivable that behavioral targeting might be detectable through continuous correlation between behaviors demonstrated and the subject matter of advertising delivered, in a panel or other test environment; but the likely effectiveness and necessary scale of such a system are in the realm of speculation.
In practical terms, only two things really matter:
- The decisions that websites make about which companies are allowed to collect information about users, which come into sharper focus as those decisions face public and regulatory scrutiny.
- The published policies and reputations of tracking companies, supported by the audits and other oversight provided by organizations like the NAI and TRUSTe, which websites can rely upon in making those decisions.