Browser Wars: From Do Not Track to the W3C

I’m Alan Chapell. I’ve been working at the intersection of privacy, competition and advertising for decades and I’m now writing for The Monopoly Report. Check out our latest Monopoly Report podcast with Terry Kawaja of Luma Partners.

Listen to our latest podcast with Terry Kawaja

Did you know The Monopoly Report has its own podcast? This week we interviewed well-known investment banker Terry Kawaja on the role Lina Kahn’s FTC has played in slowing down the M&A market, as well as the potential for a Google spin-out.

The Next Great Browser Wars

This week, I wanted to discuss the browser vendors’ collective relationship with the advertising community and how that might be changing as browser vendors scramble to reinvent themselves. Apologies in advance for turning this into some bizarro version of the Star Wars trilogy. But before I get into my primary point about browsers and advertising, I thought it might be helpful to share some background history. Think of this like one of those Aaron Sorkin West Wing flashbacks.

Chapter 1: How Programmatic Ads almost came to an end

Fear and loathing in Amsterdam: 2012 and Do Not Track

Flashback to October, 2012. I found myself sitting in a large, college lecture room in Amsterdam with at least 75 colleagues from all over the world – an apt locale for what felt like some rather surreal lectures on the future of privacy and advertising. The chair of the W3C tracking protection working group had just told working group members that the very goal of the group was to make the world a better place by ridding it of all of those tracking companies. How close the W3C ultimately came to reaching that goal is certainly up for debate. From my side of the room, all I can say is that those meetings were pretty intense.

Worst. Amsterdam. Trip. Ever.

About a year earlier, the W3C had launched the Tracking Protection Working Group where the major browser vendors — at the urging of FTC Chair Jon Leibowitz — had agreed to work on a new privacy standard known as “Do Not Track” (DNT). The W3C working group brought together advocates, regulators, industry associations and the ad tech community. (I don’t remember a single advertiser directly participating in the DNT working group - but that’s a different story for a different day).

The idea behind DNT was simple: let’s give consumers a way to stop tracking that is easy to enact in the browser. What ensued as a result of this simple idea was a multi-year rock throwing fight (to put it mildly) which ultimately imploded because nobody in the working group could align on what it means to “track”. This is a bit of an oversimplification, but most working group participants wanted tracking to be defined in a way that benefitted their companies – and the privacy advocates seemingly wanted EVERYTHING to count as tracking. The DNT debates included many heated discussions about the distinction between 1st party and 3rd party - some based on logic…. others that struck me as anti-competitive and not founded on a reasonable or rational principle aimed at protecting privacy. I recognize that others had different views - and the disparity of viewpoints when it comes to the definition tracking is what ultimately killed DNT.

Anyway, the great DNT wars had clearly pitted the ads community against privacy advocates. And the browsers were clearly aligned with the latter. But there’s an important detail that may have been forgotten by history. The browsers went into the W3C DNT discussions having previously agreed on a key point: that under no circumstances would the DNT standard impose rules around how browsers present DNT functionality to their users. That allowed each browser flexibility in terms of how to describe DNT – and the freedom to decide whether or not DNT would be enacted by default (kudos to Mozilla, boo to MSFT).

One of the reasons that DNT never really took off is that it was a voluntary standard. In other words, there was nothing that compelled anyone to honor the signal. Yes, Mozilla was eventually able to entice Yahoo to support DNT by agreeing to a deal that made Yahoo the Firefox default search provider. There are two really important takeaways to the Yahoo / Mozilla DNT search deal: (1) Sometimes, privacy is REALLY about economics, and (2) Mozilla reportedly went back to Google in 2020 because they believed Firefox users prefer Google’s search engine. In other words, if Google is prevented via the DOJ search antitrust judgment from paying Firefox for search traffic, that could have a huge impact on Mozilla’s bottom line without a commensurate hit to Google’s bottom line.

As an aside, a rather prescient quote came via a Google rep out of the W3C DNT discussions: “To put it simply, client-side frequency capping does not work at scale… I am also unconvinced that retaining such data on the client side is a data privacy & security improvement.” Google’s thinking when it comes to browsers, advertising and data processing has clearly evolved since 2012. But I’ll give credit where it’s due – Google was spot on when it comes to identifying some of the underlying challenges.

Do Not Track 2.0 (opt-out preference signals)

The Do Not Track privacy standard never really got off the ground, but the concept behind DNT lives on today in the Global Privacy Control (GPC) and similar opt-out preference signals – particularly as codified in a number of U.S. State privacy laws. The idea behind the GPC is similar to DNT. But rather than saying that the signal dictated a vague term like “tracking”; the signal was tied to activities codified in U.S. state law (i.e., data sales, profiling and targeted ads). So when your ad systems see (programmatically speaking) that the GPC signal is “ON” for a particular user, those systems are supposed to treat that user as having opted out. Passing privacy signals isn’t exactly new for programmatic – the concept of privacy signals go at least as far back to the 2012 COPPA standard, and are a big part of the IAB EU TCF as well as the signal specs being crafted the IAB Tech lab.

Like I said, these signals aren’t new, but they will become increasingly important if/when cookie-based campaigns become a smaller part of the digital media mix and the NAI/DAA cookie opt-out tools are deprecated. I should probably mention that honoring GPC and similar signals is (or will soon be) required by several states, including California, Colorado and Connecticut.

Do all browsers support these opt-out signals?

Not as of today. Some browsers and browser plug-ins support GPC - some even turn GPC on by default. Opt-out preference signals were supposed to have their official coming out party last month – until California Governor Newsom vetoed the bill that would have required browsers and mobile operating systems to include user opt-out preference signals as a feature.

Word on the street is that the bill (AB-3048) was killed by Google lobbyists, but I wouldn’t be surprised if Apple had a hand in the bill’s demise as well – as they don’t want anyone dictating how they protect their customers. Like most businesses, I’m sure browsers are wary of the government mandating browser features. But I think there’s more to it than simply keeping government off their backs. Once you have a law requiring the creation of a privacy signal, you open yourself up to further law/regulation for how that signal gets presented and how it works within the totality of your other offerings. (i.e., one of the very things that browsers tried to safeguard against when they conceived the DNT standard).

OK. But what does all this have to do with browsers and advertising?

I’m sorry – we’re out of time. This week, I was mostly sharing background information. I promise to go into more detail next week. If you don’t remember anything else from this week’s missive, please keep the following in mind:

• Historically, browsers have been philosophically aligned with privacy advocates – but when the browser is owned by big tech company with a robust ads business, tensions have ensued.

• Browsers have pushed back on anything they felt would get in the way of their relationship with their users - and don’t want anyone telling them what features to offer and how to present those features.

• The concept “privacy as a pretext” wasn’t invented during the DNT debates - but it was certainly perfected during that era.

• One person’s “tracking” is another person’s “personalization”.

• Economics sometimes play a bigger role in privacy discussions than some might have us believe.

Alan’s Hot Takes…

There’s so much going on with big tech these days. Here are a few stories that struck me over the past week. Some of these MIGHT be thought of as “water cooler” discussions for those days you’re back in the office. It’s not like you can talk about the Jets or Mets any more…. (PS - Go Liberty!)

• Privacy literacy – My friends, next time someone characterizes someone else’s ad tech stack as “fingerprinting”, ask that person to define the term in context of how fingerprinting compares to traditional HTTP cookie campaigns re: privacy and utility. #McPrivacy.

• Briskin v Shopify class action – I try not to get too wonky on these pages, but this class action case has all kinds of potential impact for retail media, the distinction between 1st/3rd party - and just might create the impetus for a federal privacy law.

• Another Privacy Coalition - A private company is reportedly working with the UK data protection regulator to create a certification initiative. I will eagerly participate and I hope many of you do as well. That said, I’m getting a big “Lucy will pull the football away” vibe - but maybe that’s two decades of experience in this arena guiding me.

•  NYT sends cease and desist letter to Perplexity – The NY Times (and a few other pubs) have reportedly sent a “lawyer letter” to AI startup Perplexity demanding that the company stop using its content. This just over 20 years after the launch of Gator - the now infamous adware company that first irked the publishing community by popping its own ads over publisher content (among other things…) Perplexity is reportedly looking to raise $500 million - maybe some of that $$$ goes to pubs? Anyone from Perplexity want to come on the pod to share your side of the story?

• Is EU regulation killing innovation? - Soon after publication of Draghi Report which initiated a bit of reflection in EU policy circles about how to foster innovation, a group of EU data protection regulators (the EDPB) doubled down issuing multiple opinions which: (a) confirmed the consent is required for virtually any form of digital ad, (b) recommended additional thorough vetting on your vendor sub-processes. The tl;dr is - the EU has a fondness for paperwork. Also, give your privacy team a hug today.

If there’s an area that you want to see covered on these pages, if you agree/disagree with something I’ve written, if you want tell me you dig my music, or if you just want to yell at me, please reach out to me on LinkedIn or in the comments below. I’m also available to consult on how the ouija board of digital media is moving or to help with due diligence on M&A.

If you liked this explainer (and got to the bottom), please subscribe to the newest member of the Marketecture family, Ad Tech Explained.