In the EU, the two situations I described are both legal obligations (regarding collection of personal data, the legal obligation is probably stronger than I described).
[I have understood that this is not the same in the US and the situation is therefore murky and EU law is not respected on the internet as a whole.]
What you described is not a legal obligation, although I personally think you should provide the option to opt-out of ads - I know of several sites that do and this makes a positive difference to me as a user.
None: the website requires explicit opt-in permission to collect personal data in the first place, making opt-out DNT largely irrelevant.
e.g. from http://www.theregister.co.uk/2012/01/27/time_running_out_for...
[Peter Hustinx, the European Data Protection Supervisor] said that the DNT system "although valuable" seemed to "fall short of the" requirements for obtaining lawful consent set out in the EU's Privacy and Electronic Communications Directive.
In practice, I agree there are several problems: it is common industry practice to ignore data protection concerns (led by the example of large US corporations), and EU member states have neither the intent nor the means to enforce the law. What's more, the recent cookie directive debacle makes the EU seem confused and toothless.
Intended reform makes the situation even more clear: http://ec.europa.eu/justice/newsroom/data-protection/news/12...
I particularly recommend "How will the data protection reform affect social networks?", which discusses the requirements of 'privacy by default' and 'privacy by design'.
Businesses collect personal data without explicit consent all the time. Think of records when you buy something by card, for example. Not only is the subject of the data not required to give explicit consent for keeping a record of this transaction, but they also have no right in law to have such data deleted, and indeed businesses may not be able to delete it within the law given their obligations to maintain adequate tax records. If you pay for something by card, it's implicit that you agree to this.
For something closer to the tracking we're talking about, it is normal to maintain server logs that show visits to your site, and to record various information that is voluntarily sent by browsers as part of HTTP requests. There's obviously some debate about how much IP addresses represent personal identification, but clearly in practice they can identify individuals under some circumstances. That doesn't mean someone has to ask you for permission to see your IP address when you visit their site, because obviously that would make no sense technically.
Obviously there are implications to keeping some of this data or using it for other purposes, but as I said, this is where things aren't always clear even in theory. Some issues really are black and white, but you quickly get into what is fair or reasonable or implicitly permitted by data subjects and what is crossing that line and should require explicit consent.
In practice, it's even worse, because we have silly things like the infamous EU cookie rules that are almost universally disliked by users (they make the experience of using web sites worse), almost universally ignored by business (who don't want the overheads of implementation and don't want their users' experience to be worse), and as far as I know universally unenforced by regulators (who would in many cases have to start by going after their own governments for flagrant violation). While possibly well-intentioned, such poorly conceived rules just bring data protection law into disrepute while alienating almost everyone. They also demonstrate that realistically there are few risks to flagrantly ignoring the rules as a business, which is hardly going to help with promoting good practice.
I'd love to run my own ad server, got any suggestions? Been a little while since I looked, but I only saw extremely expensive "enterprise" ad solutions, crappy open source solutions, and lots and lots of SaaS options.