Can Online Privacy Compliance Even Be Implemented? Not Until Now.
It happens every day. You visit a website. Information on your visit is passed to a third party (such as an ad network). That third party uses the data for purposes that is not something you’ve explicitly condoned. For example, go to Zappos and look at your favorite red shoe. Then go about your daily web life – and notice how that red shoe will show up in Zappos ads on other websites unrelated to Zappos. This form of advertising, called re-targeting, happens because Zappos has given information from your site visit to various third parties who then run the ad. But, what if you didn’t want Zappos to give any information on your visit to any retargeter? What if you didn’t want your data given to any third party for any purpose at all?
A myriad of solutions have been proposed to address this problem, but they all revolve around the same fundamental framework. The framework is that your browser communicates to the website you’re visiting whether you consent to being tracked through your data being shared with third parties. And that website complies. Here are some of the competing philosophies:
- Every website has to explicitly ask you what your preference is when you visit it and then lock in that preference for future visits (e.g. certain EU countries).
- You have to proactively opt-out of tracking in your browser settings, otherwise there is implied consent for all websites to track you (e.g. U.S. Do Not Track Legislation).
- The default setting of the browser should turn off tracking (e.g. Microsoft).
While a disproportionate amount of energy has been spent arguing about the merits of these varying philosophies, they are all based on an assumption that is flawed. The flawed assumption is that if a website receives notification from your browser that you don’t want to be tracked – they can actually technically comply with that request. Think for a moment how hard that is. The instant you hit a webpage, your tracking preference is communicated, and somehow that website has to turn off all tracking applications in the website before any of those applications run. It all has to happen in a nanosecond.
To date, there have been two primary approaches to addressing this technically. Both have their flaws.
- Comply, after the fact. This is referred to as “un-pixeling”. The way this works is your browser communicates your tracking preference at the time of your visit, but the website does nothing differently. You are still being tracked. After your visit, though, the website communicates to the various third parties that they shared your data with that you did not want to be tracked – and then they expect that third parties honor that request by deleting your information in their records. The flaw with this approach is it’s not actually compliant at the time of your visit, and there’s no guarantee of compliance after your visit either.
- Centralize all tags. Given that all tracking applications are tag-based, this approach involves putting every tag-based application on a website into a single tag management system (TMS). By having all of the tags in a TMS, the website can then control whether the applications run after receiving your tracking preference information. The flaw with this approach is two-fold. Most websites don’t use a TMS, though I personally expect that to change very quickly. The more important issue is that even in the most comprehensive TMS deployments, it’s never the case that every single tag across a company’s web properties sits in a TMS. So, complete compliance in this model is not realistic.
So, where do we go from here? Are we destined to have all of this debate on Internet privacy philosophies and policies, all the while lacking a realistic means to implement any agreed upon policy? That was the case until recently. Just this week, Volition portfolio company, Ensighten, received a patent on a novel approach to consumer Internet privacy management. It’s finally a practical and easy way to comprehensively comply with your privacy preferences. How does it work?
Ensighten’s privacy management platform is both simple and brilliant. It only requires that a company puts a single line of code in the header of their webpage. It then auto detects all existing and new tags on the page. Then, when you visit a webpage with Ensighten’s privacy service running, it can automatically suppress any and all tag-based applications that require suppression based on your stated preferences and the regulations of your country. Importantly, Ensighten can do this prior to any of these applications running. This solution also does not require the deployment of a tag management system. Simple, comprehensive, and real-time privacy compliance has arrived.
So let the debate rage on. Whatever the final answer is, there will now be a way to act on it.