Baycloud Systems has become the latest company to join the EFF’s Do Not Track (DNT) coalition, which opposes the tracking of users without their consent. Baycloud designs systems to help companies and users monitor and manage tracking cookies. Based in the UK, it provides thousands of sites across Europe with tools for compliance with European Union (EU) data protection laws.

In contrast to the U.S., with its scant legislative privacy protection and weak self-regulatory system, EU data protection law requires companies that collect user data to provide a legal basis for using it, the most important aspect of which is user consent. And this requirement has real teeth: the new General Data Protection Regulations mean that companies will soon face serious fines of up to 2 or 4 percent (depending on the violation) of worldwide turnover.

EU rules also require user consent before a site sets cookies, and public disclosure of information as to their purpose (such as feature functionality or behavioral profiling). Although the cookie rules have been applied unevenly and have not stopped tracking, the principle requiring user consent is sound.

But what are users consenting to? Companies often hide ridiculously wide claims of consent in their terms and conditions, knowing that hardly anyone will read or understand them. The consequences of consenting to tracking should be made clear and offer the user an informed choice, as our partner Medium does when you log in:

Figure 1. Medium login interface offering clear information for DNT users.

Bouncer

Baycloud has developed a browser extension for Chrome, Bouncer, to give users more power over how they use DNT. Once set, the browser sends the DNT signal to every site visited. Bouncer monitors the DNT interaction with the webserver, shows the user what cookies are being set and checks if the site complies with DNT. If a site does not respect the DNT signal, and wants to run wild with your private information, Bouncer also blocks tracking cookies.

Bouncer also implements the standard World Wide Web Consortium (W3C) interface so that sites can record in the browser whether users have consented to being tracked. A control panel enables users to edit their consent settings for individual sites. Users may exempt sites because they believe their data won't be abused, or because they are willing to trade data in exchange for services.
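The kind of check described above can be sketched with the `Tk` response header from the W3C Tracking Preference Expression specification. This is an added example, not Bouncer's code: the function names, the blocking policy (treating persistent cookies as the ones to block) and the sample headers are assumptions made for illustration.

```javascript
// Added example: constructed policy and data, not Bouncer's actual logic.
// Tracking status values (TSV) a site can return in the Tk response header.
const TSV = {
  "!": "under construction",
  "?": "dynamic",
  "G": "gateway to multiple parties",
  "N": "not tracking",
  "T": "tracking",
  "C": "tracking with consent",
  "P": "tracking only if consented",
  "D": "disregarding DNT",
  "U": "updated",
};

// Parse a Tk header: one TSV character, optionally followed by ";" and a status-id.
function parseTk(value) {
  if (typeof value !== "string") return null;
  const m = /^\s*([!?GNTCPDU])(?:;([^\s;]+))?\s*$/.exec(value);
  return m ? { tsv: m[1], meaning: TSV[m[1]], statusId: m[2] || null } : null;
}

// Name and persistence of each cookie, from raw Set-Cookie header values.
function parseSetCookies(lines) {
  return lines.map((line) => {
    const [pair, ...attrs] = line.split(";").map((s) => s.trim());
    const persistent = attrs.some((a) => /^(expires|max-age)=/i.test(a));
    return { name: pair.split("=")[0], persistent };
  });
}

// Assumed policy for a request sent with "DNT: 1": keep persistent cookies only
// when the site answers "N" (not tracking) or "C" (consent on record). Block them
// otherwise, including when the Tk header is missing or malformed.
function assessResponse(headers) {
  const tk = parseTk(headers["tk"]);
  const honoured = tk !== null && (tk.tsv === "N" || tk.tsv === "C");
  const cookies = parseSetCookies(headers["set-cookie"] || []);
  const blocked = honoured ? [] : cookies.filter((c) => c.persistent).map((c) => c.name);
  return { status: tk ? tk.meaning : "no valid Tk header", honoured, blocked };
}

// Constructed sample response: one year-long identifier cookie, one session cookie.
const SAMPLE = {
  tk: "T",
  "set-cookie": ["uid=abc123; Max-Age=31536000; Path=/", "sess=xyz; Path=/; HttpOnly"],
};
console.log(assessResponse(SAMPLE));
```

Session cookies pass through in this sketch because they carry no `Expires` or `Max-Age` attribute; a stricter policy could also block them on third-party responses.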

Figure 2. Bouncer DNT Check interface.

Bouncer checks for two different flavors of DNT: that drawn up by the EFF coalition, and the “Tracking Compliance and Scope” proposal still under discussion at the W3C.

Sadly, the W3C document has too many loopholes to deliver adequate protection for users. Ad companies, for example, can decide how much data collection is 'reasonably necessary and proportionate' for the billing and auditing of ad payments, or to monitor how often ads are shown to specific users. Behind this jargon hides a back door for tracking: these exceptions would permit companies to keep a record of a user's browsing habits. Such principles are too vague and flimsy to serve as an acceptable standard for the Web. That's why the EFF has built a coalition behind its own policy.

But the W3C has done important work on the technical aspects of the DNT signal, which will provide the machinery for whatever policy finally wins out. The ability to selectively manage and fine-tune consent is important for its adoption by publishers, who can then hope to persuade users of their bona fides or value. Baycloud has been a leading contributor to that work and we're thrilled to have them on our side in the campaign to fix the problem of online tracking.