The renewed notice-and-choice framework being rolled out for behavioral advertising has an important shortcoming: Opt-out cookies only serve to turn off the delivery of behaviorally targeted ads, they don’t promise to turn off data collection in the first place.
The problem is that many companies provide opt-out cookies that are written separately from their tracking cookies. This means a tracking company may be collecting data with one cookie, while being told by another cookie not to apply it. Because the user still remains uniquely identifiable to the tracking system, the risk of technical (or ethical) failure remains. In that sense, the opt-out framework doesn’t really answer a central privacy concern.
Perhaps the solution is simple:
When a user opts out, a non-unique opt out cookie should always overwrite each cookie that stores behavioral information.
When this rule is followed, an opted-out consumer can be assured that there’s no unique tracking cookie on their computer that could be used for data collection. Several opt-out cookies, notably the Google DoubleClick cookie, already operate this way by replacing the unique user “id” with the non-unique “OPT-OUT”.
Compliance with this requirement is simple to verify and monitor. Watchdogs can confirm through external sampling that opt-out cookies are being delivered on request and that they are non-unique. More often than not, opt-out failures will result from simple technical problems that cause the cookie not to be written in the first place; we’ve seen more than a dozen broken opt-outs in the last year through PrivacyChoice. Through random sampling, you can also confirm that once a company delivers an opt-out cookie, it stays in place and doesn’t revert to a unique cookie that could be used for tracking.
If an ad company still needs to use unique cookies for non-targeting purposes (like frequency caps) even on opted-out machines, they should certify and publish which cookies are which, so that behavioral cookies are always identified. Verifying accurate identification should be part of the NAI’s annual technical review, as should be confirming that no non-cookie tracking methods are used (which is also easy to monitor externally). These kinds of direct reviews or audits of backend process will be far more simple and effective than trying to determine forensically whether opted-out consumers are only being served untargeted ads.
A cookie overwriting requirement would require some technical changes for companies that currently separate their behavioral cookies from their opt-out cookie, or those that combine behavioral and non-behavioral functions in a single cookie. But this seems like a small price to pay for a significantly more effective and accountable opt-out framework, which is the heart of the self-regulatory effort.