For example, efforts to reach a compromise over data collection have proved fruitless. More than two years ago the Federal Trade Commission asked advertisers, advocates, publishers, and technology companies to come up with a voluntary Do Not Track standard everyone could live with. After more than 50 meetings of the W3C Tracking Protection Working Group, they are no closer to a consensus, says Mayer, who has attended nearly every meeting. Meanwhile, the number of companies tracking consumers across the Web has grown from nearly 800 to more than 1,300 over the past year, according to Evidon's most recent Global Tracking Report.
When Microsoft announced last October that Internet Explorer 10 would ship with Do Not Track set as a default, the ad industry said it would refuse to recognize the setting within IE10 because it "does not represent user choice." That move raised concern among some privacy advocates who feared it would derail the Do Not Track process entirely. The ad industry sounded similar alarms when Mozilla announced it was considering automatic blocking of third-party cookies -- the core technology of most Web trackers -- in an upcoming version of Firefox.
While industry trade groups like the Network Advertising Initiative and the Digital Advertising Alliance offer opt-out mechanisms for consumers, these only curtail data collection related to the delivery of targeted ads.
"Self-regulation," says Mayer, "is an oxymoron."
Yet self-regulation combined with FTC oversight may be the most practical path forward, argues Marc Groman, executive director of the NAI and former chief privacy officer for the FTC.
"Companies that are good actors spend a shocking amount of time and resources reading the FTC tea leaves," says Groman. "And when companies go over the line, the FTC brings actions that help inform the entire ecosystem what practices are off limits."
The greatest potential harm from tracking comes not from delivering ads based on one's browsing history, says Groman, but from using that data to make other decisions about users -- such as their eligibility for insurance, credit, or employment. That's why trade groups like the NAI and the DAA prohibit their members from using data for this purpose, and both groups periodically monitor members for compliance.