A default set of rules for online advertising and privacy

Further to my post of a few days ago about online advertising, I thought I’d knock up some rules for how it should operate.

  1. Privacy is paramount. The default is to not track or identify the user in any way whatsoever. All tracking must be opt-in and the default ‘Ok’ or ‘Yes’ response to cookie confirmations, post-registration settings and similar must be to track absolutely nothing and save absolutely no cookies, fingerprints and similar. In order for any tracking to apply or any cookies to be saved a user must actively seek out and tick a box that explicitly defines what will happen.
  2. If a user does select to allow tracking, it applies only to the site they are on at that moment and only that site can refer back to the tracking stats. If a user wishes to allow cross-site tracking, it must be via a separate opt-in a user must explicitly select.
  3. Pop-ups must go.
  4. Nothing should auto-play; no video, no audio, no anything.
  5. All on-site adverts must be static for the duration of that page load.
  6. Adverts may not constitute more than 20% of any given screen.

So who enforces all this?

I’m not proposing breaching these rules becomes a crime punishable by death (although …), it’s just a code of conduct. It could be ‘enforced’ by advertising networks and ad-blocking software, and data protection regulations might also be able to wade in on parts of it.

What are the chances of something like this actually happening?

Virtually zero. Many interested parties would vigorously resist such a code of conduct because they thrive on tracking us, profiling us and accumulating our data. It would be far too severe a shift of the online advertising landscape to tolerate. Considering users is not high on their list of priorities.

But hardly a day goes by without some sort of privacy breach in the news. Although my motivation for this was the abundance and style of adverts carried by some sites, it impinges on privacy issues too and these will eventually tip the scales.

An alternative way something like this might work is that there’s a centralised (and very secure) ‘registry’ where we put all our personal data and we actively allow sites to access it if we choose to.

Maybe all an individual site stores about us is a username, email address and password. That’s all a site needs to log us in. If we want to allow a site to access additional data, we then go into this central registry and have to manipulate settings that might look like this:

  • Allow anysite.com to access date of birth: YES/NO
  • Allow anysite.com to access address: YES/NO
  • Allow anysite.com to anonymously fingerprint you: YES/NO
  • Allow anysite.com to track you on anysite.com: YES/NO
  • Allow anysite.com to track you on all its networked sites: YES/NO
  • Allow advertising networks to track you on anysite.com: YES/NO
  • Allow advertising networks to track you cross-site: YES/NO

Or something along those lines. Maybe advertising networks would have their own settings in this registry, but hopefully you can see what I’m getting at.

The idea is that from one place you can see what every site is doing with your data. If a site does not have an entry in your registry it simply tracks nothing. If we allow a site some access then some sort of API could be invoked.
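
A sketch of the registry lookup described above, added here as an illustration and not taken from Solid or any existing service: a site with no entry gets nothing, and every setting is its own opt-in. The class, the permission names and the sample profile are assumptions made up for the example.

```python
# Added illustration: a default-deny consent registry (all names hypothetical).

# Permissions mirror the settings list in the post.
DATA_FIELDS = {"date_of_birth", "address"}
TRACKING = {"fingerprint", "track_on_site", "track_networked_sites"}
AD_NETWORK = {"ad_track_on_site", "ad_track_cross_site"}
KNOWN = DATA_FIELDS | TRACKING | AD_NETWORK


class ConsentRegistry:
    def __init__(self, profile):
        self._profile = dict(profile)   # personal data held centrally
        self._grants = {}               # site -> set of permissions set to YES

    def set_permission(self, site, permission, allowed):
        if permission not in KNOWN:
            raise ValueError(f"unknown permission: {permission}")
        grants = self._grants.setdefault(site, set())
        (grants.add if allowed else grants.discard)(permission)

    def allows(self, site, permission):
        # No entry for the site, or an unrecognised permission, means NO.
        return permission in KNOWN and permission in self._grants.get(site, set())

    def read_fields(self, site, requested):
        # The "API" a site would call: returns only the fields set to YES.
        return {f: self._profile[f] for f in requested
                if f in DATA_FIELDS and f in self._profile and self.allows(site, f)}


def demo():
    # Constructed sample profile and grants.
    reg = ConsentRegistry({"date_of_birth": "1980-01-01", "address": "1 Example Street"})
    reg.set_permission("anysite.com", "date_of_birth", True)
    reg.set_permission("anysite.com", "track_on_site", True)
    return {
        "fields": reg.read_fields("anysite.com", ["date_of_birth", "address"]),
        "on_site": reg.allows("anysite.com", "track_on_site"),
        # On-site consent is a separate switch from networked or cross-site tracking.
        "networked": reg.allows("anysite.com", "track_networked_sites"),
        "ad_cross_site": reg.allows("anysite.com", "ad_track_cross_site"),
        "unlisted_site": reg.read_fields("othersite.example", ["address"]),
    }


if __name__ == "__main__":
    print(demo())
```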

Tim Berners-Lee has a project called Solid that purports to do something along these lines but maybe it doesn’t go far enough for my liking.

Anyway, I’ve rambled on long enough here (and maybe at too many tangents) but it annoys me how ‘conditioned’ we’ve become to all this.