Behavioral data collection is opaque to consumers. This makes back-end oversight the linchpin for enforcing consumer choice. Back-end privacy compliance standards should be published, just like public accounting standards. Every consumer has a stake, so failures must be visible. If advertisers consider it important enough, independent companies, not just industry-controlled organizations like the NAI, will provide compliance reviews.
It’s technically simple to separate tracking cookies from cookies that are used for non-behavioral purposes, and to overwrite each tracking cookie with a non-unique cookie when the user opts out. By doing so, a consumer can have greater assurance that their behavior is not being tracked. Companies must support that assurance by certifying the list of domains and cookies that they use for tracking.
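As an added illustration (not part of the original post), here is one way the opt-out overwrite and a check against a certified cookie list could look. The domain, cookie names, the `OPT_OUT` sentinel and the cookie attributes are all assumptions made for the example.

```javascript
// Sentinel shared by every opted-out user, so the cookie carries no identity (assumed value).
const OPT_OUT_VALUE = "OPT_OUT";

// Constructed "certified list": the cookies a company declares it uses for tracking.
const CERTIFIED_TRACKING = [
  { domain: ".ads.example", name: "uid" },
  { domain: ".ads.example", name: "seg" },
];

// Parse a Cookie request header into a Map of name -> value.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) jar.set(name, part.slice(i + 1).trim());
  }
  return jar;
}

// Set-Cookie headers that overwrite each certified tracking cookie with the sentinel.
// Cookies not on the certified list (session, preferences) are left untouched.
function optOutHeaders(domain, maxAgeSeconds = 365 * 24 * 3600) {
  return CERTIFIED_TRACKING.filter((c) => c.domain === domain).map(
    (c) =>
      `${c.name}=${OPT_OUT_VALUE}; Domain=${c.domain}; Path=/; ` +
      `Max-Age=${maxAgeSeconds}; Secure; SameSite=None`
  );
}

// Audit check: names of certified tracking cookies in a request that still
// carry something other than the sentinel, i.e. a potentially unique value.
function auditRequest(domain, cookieHeader) {
  const jar = parseCookieHeader(cookieHeader);
  return CERTIFIED_TRACKING.filter(
    (c) => c.domain === domain && jar.has(c.name) && jar.get(c.name) !== OPT_OUT_VALUE
  ).map((c) => c.name);
}

// Constructed sample request: one unique ID, one already opted out, one functional cookie.
const before = "uid=a1b2c3d4; seg=OPT_OUT; session=xyz";
console.log(auditRequest(".ads.example", before)); // tracking cookies still unique
console.log(optOutHeaders(".ads.example"));        // headers sent when the user opts out
```

An independent reviewer could run the same audit over captured requests from an opted-out browser: any name it returns is a tracking cookie that was not neutralized.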
The current “opt-in” framework is fair to consumers only if they can opt out of all tracking at once, rather than chase down the opt-outs of individual companies. That choice and the user’s current opt-out status should appear whenever notice of tracking is provided (and not multiple clicks away). Anyone in the ad business who says anything like, “We can’t do that because it makes it too easy to opt out” just doesn’t get it.
In terms of fairness, it’s hard to understand the notion that data companies can trade in information about you that you can’t even see. If you can show that information for ad buying, then you can show it to the consumer. Opponents of this are short-sighted; this is a great opportunity to talk directly with the consumer about what interests them.
The way browsers work now, consumers can’t make durable privacy choices with just a click; opt-outs are swept away each time they clear their browser history. They may need to drag and drop a bookmark or install an add-on. But whatever the mechanism, durability options should be provided and explained at each choice point. Since this is a wishlist, perhaps I can also ask that ad companies use local storage via HTML5 or Flash to ensure the durability of opt-out choices. This would require a retooling of ad-company systems, but is quite doable.
Outliers from privacy best practices and certification should find it hard to do business. Given the certification backlog at the NAI, perhaps this can’t happen immediately, but the deadline should be measured in months, not years. Adoption will accelerate if the big players (like Google’s ad exchange) embrace the idea. This is also where big websites need to pitch in to better control who they invite to the party when they place tags on their pages.