AOL has unveiled a new privacy policy specifying that the company's properties -- including the recently acquired Gravity -- don't honor the do-not-track requests that users send through their browsers.
“Previously, Gravity provided users with the ability to use the browser 'Do Not Track' signal to opt out of certain personalization,” Gravity says on its site. “AOL has consolidated and simplified many of the preferences and opt-outs we offer, and as a result, 'Do Not Track' browser signals will no longer be recognized.”
AOL purchased the personalization company Gravity in January for around $83 million. The company's new privacy policy will take effect on Sept. 15.
Gravity says that users can eschew personalization by visiting an opt-out page, including the ones operated by the Digital Advertising Alliance and Network Advertising Initiative. But privacy advocates say that opting out through links on those sites poses challenges, because those links are tied to cookies -- which are seen as unstable, given that consumers who are especially privacy conscious often delete their cookies.
AOL's other brands, including publishers like TechCrunch and Huffington Post, also will ignore the browser-based signals. But that decision isn't inconsistent with the current view of do-not-track, as outlined by the World Wide Web Consortium.
The do-not-track commands aren't aimed at preventing publishers from collecting data about their own visitors, says the Center for Democracy and Technology's Justin Brookman, who chairs the W3C's effort to forge a consensus about how to respond to the signals. In fact, publishers are allowed to gather information from users who have activated do-not-track, according to the W3C's most recent formulation of the concept.
All of the major browser companies now offer do-not-track headers, which tell publishers and ad networks that users don't want to be tracked. But the header doesn't actually prevent tracking. Instead, ad networks and publishers are free to ignore the signals.
Earlier this year, the Web companies, computer scientists and privacy advocates in the W3C's tracking protection working group tentatively decided that a “do not track” request will communicate that users don't want data about themselves collected by ad networks and other third parties.
But the organization also says that ad networks should be able to collect some type of information -- such as data used for ad-frequency capping -- even when people activate do-not-track. The group is still debating exactly what type of data can still be collected in that situation.
AOL suggests in its newest policy that it might change course after the industry reaches a consensus about do-not-track. “If and when a standard for responding is established, we may revisit its policy on responding to these signals,” the company says.
For now, very few Web companies appear to honor do-not-track signals -- and even some of the companies that previously respected the signals have retreated. In May, Yahoo said it would no longer honor the do-not-track requests that users send through their browsers.
Do Not Track is a universally recognised signal that can be sent in any web request, and has been supported by all major browsers for over 2 years. The W3C group tasked with turning this "fact on the ground" into an industry standard has completed the technical aspects and is close to completing the compliance section. It is clear what the signal should mean: the user has configured their browser to let servers know they do not want their general web history collected unless they give their explicit consent.
This has been clearly set out in the publicly available drafts for the standard. There has been debate about such things as whether visiting a first-party site implies consent has been given for tracking by that site, but the core concept has remained. Do Not Track means that a company should not collect data about an individual's visits to other websites without their consent.
Many companies that have business models that rely on collecting everybody's web history at virtually zero cost have refused to see that, and argue to dilute the meaning of the signal, but most people instinctively know what it means.
Outside the EU, in jurisdictions with weaker privacy laws, companies' self-regulatory compliance may be limited; for example, first-party sites (alluded to by the reference to "publishers" above) may still collect your web history for their own purposes, but even then it would not be acceptable for them to share it with other companies without the user's permission. Some, like AOL and Yahoo, may refuse to honour the signal at all if they think they can get away with it, but that will hardly impress the majority of people, i.e. their potential customers, who have concerns about online privacy and security.