Online ads that follow you and what you need to know about DNT

There’s a river of ink about online privacy. One area of particular interest to online advertisers is how privacy standards will affect marketers’ ability to serve personalized ads to targeted individuals. In an age when more and more people eschew advertising, personalization can make it relevant and more welcome (to some). It can also freak some people out if they think Big Brother is watching. By now we are all familiar with an online experience that goes something like this…

I browse around the web looking for a pair of shoes. Later the same day I see ads pop up on other websites (like this Facebook example) for the same shoes that I looked at earlier.


How this works

This ad targeting is possible due to sophisticated networks of services all working together. In the example above:

  1. I visit the OnlineShoes website and put a pair of shoes in my shopping cart but don’t check out.
  2. OnlineShoes’ website places a “first-party cookie” on my computer. This cookie is a small text file that identifies me whenever I visit the OnlineShoes site. The main purpose of this first-party cookie is to ensure that if I put something in my shopping cart, leave the site and return later, that item will still be in my cart (that was the original reason cookies were invented). As the site loads into my browser and reads the cookie file it says, “Oh, there’s John again, show him his shopping cart.”
  3. The OnlineShoes website also places “third-party cookies” on my computer. Lots of them (20 to be exact – see the list in the image above). These cookies allow third-party services to identify me when I visit sites other than OnlineShoes (like Facebook). They also facilitate the surveillance, collection and storage of my online behavior by various services that create an anonymous profile of me in order to better personalize the advertising I see.
  4. When I visit Facebook later the same day, Facebook sends a signal to various third-party services to make them aware that I’m looking at my news feed. This information makes its way through a series of networks (DSPs, SSPs, ad networks) to the ad service used by OnlineShoes. The ad service checks in with OnlineShoes to see if they know anything about me and gets information that I left something in my shopping cart. Finally, the ad server builds an ad on the fly, puts a picture of what I left in my shopping cart in the ad, and displays that ad on my Facebook news feed. All this happens in a few milliseconds.

What’s even more remarkable, technologically speaking, is that most online ads are now purchased using real-time bidding (RTB). In these cases, when I visit a website that is connected to these DSPs, SSPs and ad networks, computers bid for the chance to get an ad in front of me based not just on cost, but also how well I fit the behavioral and psychographic profile being targeted by the advertiser. All this happens in a few milliseconds as the page loads in my web browser. But I digress, that’s the topic for another blog…

Most people are legitimately concerned about online privacy. And even though the tracking that allows the example I illustrated above is anonymous (it is tracked using a unique identifier associated with my web browser which does not include my personal identity), people get nervous about this kind of tracking. After all, there are dozens — perhaps hundreds — of services, servers and companies gathering, storing and sharing information about my online behavior. People get anxious. Governments and lawyers get involved. Things get messy.

Enter “Do Not Track” (DNT)

Most modern web browsers can now be configured to send a DNT signal. The idea behind the DNT feature is simple: it’s supposed to be like adding your name to a “do not call” list so that telemarketers stop calling. Unfortunately, in practice DNT is not that simple. There are no agreed-upon standards and there is no universal legal or regulatory control over DNT (see

Attempts at Federal legislation have been unsuccessful. International standards are being worked on by the W3C. However, all website owners should be aware of a California law passed in 2013:

California’s AB 370 does not prohibit tracking. It only requires that operators of Online Services disclose how they respond to a do-not-track signal, and whether third party service providers have the ability to collect personal information from individuals during their visit of that Online Service and follow that individual over time and on other Online Services. (IT Law Group).

Some legal advice

In the absence of universal laws around how a website must respond to a DNT request from a user’s browser, I recommend that all website owners consult their legal counsel for specific advice. With the caveat that I am certainly not an attorney, I’ll venture here to offer some recommendations about what I consider to be the absolute minimum that all websites should do to comply with the spirit of DNT.

Every website should have a privacy policy. That privacy policy should inform people about how site visitor information is gathered and stored. If a site uses first-party and third-party cookies, it should inform people of that fact along with the reasons (personalizing the experience, etc.). And because of California AB 370, your website privacy policy should also inform people how you respond when you receive a DNT signal from a web browser. In the disclosure you can say that you do or do not respond to the DNT signal. You should consult your legal counsel for the correct language to use on your site.
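The third-party cookie flow from “How this works” and the choice a service makes when it receives a DNT signal, as an added JavaScript simulation (not code from this post or from any ad platform). The hosts shop.example, social.example and ads.example, the ID formats and the class names are assumptions made for the illustration.

```javascript
// Constructed simulation: hostnames and ID formats are made up for illustration.
class Browser {
  constructor(dnt) {
    this.dnt = dnt;        // true = user enabled "Do Not Track"
    this.jar = new Map();  // cookie jar: host that set the cookie -> value
  }
  // One HTTP request: only the cookie owned by `host` is attached.
  request(host, server, embeddedOn) {
    const headers = { cookie: this.jar.get(host), referer: embeddedOn };
    if (this.dnt) headers.dnt = "1"; // real browsers send the header "DNT: 1"
    const setCookie = server.handle(headers);
    if (setCookie) this.jar.set(host, setCookie);
  }
  // Page load: one first-party request, then one per embedded third party.
  visit(site) {
    this.request(site.host, site.server, null);
    for (const t of site.thirdParties) this.request(t.host, t.server, site.host);
  }
}
// First-party server: its cookie only ever comes back to its own host.
class SiteServer {
  constructor(prefix) { this.prefix = prefix; this.count = 0; }
  handle(headers) { return headers.cookie || `${this.prefix}-${++this.count}`; }
}
// Third-party ad service embedded on many sites.
class AdServer {
  constructor(honorsDnt) { this.honorsDnt = honorsDnt; this.profiles = new Map(); this.count = 0; }
  handle(headers) {
    // Honoring DNT is voluntary: issue no ID and record nothing.
    if (this.honorsDnt && headers.dnt === "1") return null;
    const id = headers.cookie || `uid-${++this.count}`;
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    this.profiles.get(id).push(headers.referer); // site the browser was on
    return id;
  }
}
// Visit a shop, a social site, then the shop again; both embed the same ad service.
function simulate(dnt, honorsDnt) {
  const ads = { host: "ads.example", server: new AdServer(honorsDnt) };
  const shop = { host: "shop.example", server: new SiteServer("cart"), thirdParties: [ads] };
  const social = { host: "social.example", server: new SiteServer("sess"), thirdParties: [ads] };
  const browser = new Browser(dnt);
  [shop, social, shop].forEach((site) => browser.visit(site));
  return { jar: Object.fromEntries(browser.jar), profiles: Object.fromEntries(ads.server.profiles) };
}
console.log(simulate(false, true), simulate(true, true), simulate(true, false));
```

With DNT on and an ad service that ignores it, `simulate(true, false)` builds the same cross-site profile as with DNT off: the header is a request, and nothing in the browser enforces it.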

It’s important to reiterate that DNT is about anonymous tracking. When it comes to collecting, storing and using web visitors’ personal information (name, address, phone, social security number, age, race, account numbers, passwords, etc.) there are much stricter laws, regulations and standards that must be met, both inside the U.S. and in other countries if you do business internationally. These issues are beyond the scope of this post but should be understood by the owners of all websites that collect personal information from site visitors.

Is supporting DNT counterintuitive for marketers?

To be sure, marketers benefit from the systems and services that allow tracking, targeting and personalization of online ads. At the same time, as marketers we should honor people’s desire for privacy if that is their preference. The best image for a brand is earned only by respecting customers. In this case that means marketers should honor consumer DNT requests. In addition, honoring these requests contributes to building credibility for the online advertising industry and proving it can be trusted to operate without excessive regulation or legislation.
