The Do Not Track efforts led by self-managed advertising groups aren't going as well as some might hope, with at least eight participating companies continuing to track users across the Web even after they opt out. The finding highlights the weaknesses of an entirely voluntary system: just because the companies say they will do it doesn't necessarily mean that they will.

The Network Advertising Initiative (NAI) is one of several self-regulating groups aimed at adopting voluntary codes of conduct when it comes to advertising to users online. Late last year, those groups (including the NAI) announced that they would begin pushing the Advertising Option Icon, an icon that is meant to let users know which sites are participating in behavioral tracking. Users would then be able to easily opt out of any behaviorally targeted advertising if they so choose. Collectively, the groups represent some 5,000 other companies that advertise online, though use of the icon itself is voluntary as long as they offer the opt-out functionality.

But how many companies are actually respecting those rules? Stanford's Center for Internet & Society recently examined the tracking behavior of 64 of 75 of NAI's member companies when users turn on the Do Not Track settings or opt out of behavioral ad tracking. Of the 64, the CIS said that 33 companies left their tracking cookies in place after the user opted out. This in itself sounds surprising, but it's not—as part of their agreement with NAI, companies only have to agree to stop offering behaviorally targeted ads to users when users want to opt out. They can continue to keep cookies on your machine, as long as those cookies aren't being used to create specially targeted ads.

So what about the rest? Two advertising companies took overt steps to respect the Do Not Track headers sent by browsers like Firefox, Internet Explorer, and Safari, which we just learned is actually a step beyond NAI's baseline requirement. Another 10 companies went even further by stopping the tracking and removing the cookies altogether (and just for interest's sake, it's worth noting that Google falls into this category).

That leaves us with the eight companies dwelling in the hall of shame: 24/7 Real Media, Adconion, AudienceScience, Netmining, Undertone, Vibrant Media, Wall Street On Demand, and TARGUSinfo AdAdvisor. These guys all specify in their privacy policies that users can opt out of behavioral tracking and advertising, but the CIS researchers found that they all kept some form of unique user information around on the user's computer even after opting out. Most of them removed certain pieces of information while keeping other items, but one (Vibrant Media) simply kept on tracking as if the user had never opted out in the first place.

That's 12.5 percent of the 64 companies that seem to outright violate their own policies, and it's anyone's guess as to how that extrapolates out to the 5,000 other entities that are participating in these self-regulatory initiatives.

(Update: Ian Leuchars from 24/7 Real Media reached out to us to defend his company's case. "We do not track , target or store data on users who have opted out. That is not our policy or our practice," Luchars said. "We have tried to reach the researcher whose material you reference in your article, as it seems that there has been an error within his reporting.")

Update 2: Jonathan Gardner from Vibrant Media has also reached out to us with an explanation of what the company is doing:

"We drop a user ID cookie when a user initiates engagement with one of our ad units. This collects non-personally identifiable information on keywords a user has engaged with. If the user doesn’t visit a site in our network for 10 days, we delete this data. If someone opts out, we add a do-not-track cookie. We had been deleting any data associated with the user ID, but had not been deleting the cookie itself (based on our understanding, this is acceptable for NAI compliance). When we encounter someone with a do-not-track cookie, we completely ignore the user ID and therefore don’t use their information to serve ads. To outside eyes, because the user ID cookie still exists and the last seen timestamp is updated, it may look like information gathering is enabled, however it is not. To prevent further misunderstanding, we will start work to delete the user ID cookie, and if the if do-not-track cookie is present we will not create a new user ID cookie. Although the cookie was remaining, we do not reference or use the ID in any way and we completely delete all data, be it in logs or storage devices for that particular user ID. Going forward, we will also be deleting that cookie.

This is not to say Do Not Track is ineffective—there are already a number of high-profile industry supporters, and more are getting on board every day. But respecting the Do Not Track headers is voluntary, and the ad industry is still trying to cobble together it own cookie-based regulations. There has yet to be a single standard for not tracking users across the Internet, and there are certainly no laws yet that require any entity to comply with any set of relevant rules.

Some legislators are trying to change that, though. Senator Jay Rockefeller (D-WV) introduced the Do-Not-Track Online Act of 2011 in May of this year, which would create a "universal legal obligation" for companies to honor users' opt-out requests on the Internet and mobile devices. It would also give the Federal Trade Commission the power to take action against companies that don't comply. Numerous privacy groups—including the ACLU, Consumer Protection, and Privacy Rights Clearinghouse, to name a few—threw their support behind the bill immediately, describing it as "a crucial civil liberties protection for the twenty-first century."

The final details of the bill have yet to be hammered out, but the privacy groups are optimistic that legislation is the way to go and that the FTC can handle the burden. The FTC itself has been pushing for a Do Not Track mechanism online since 2010, and the Obama administration has voiced its support for some kind of "consumer privacy bill of rights," so it certainly sounds like there's government support if the bill were to pass. The advertising industry has so far fought this kind of legislation, but given the CIS's findings so far, the industry had better focus on getting its member companies in line with their own rules before arguing that less is more.