Do Not Track Disclosures

By: Etienne Cussol CIPP/E, CIPM Etienne Cussol CIPP/E, CIPM | Updated on: January 26, 2021

Reviewed By: Masha Komnenic CIPP/E, CIPM, CIPT, FIP Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Start Building Compliance
Do-Not-Track-Disclosures-01

Many companies track users’ web browsing behavior for analytics and advertising purposes.

However, some users don’t want to be tracked, so they enable the “Do Not Track” (DNT) option in their browsers.

Many web browsers come with a Do Not Track option, which allows users to send a Do Not Track request with their browsing traffic. While websites are not obligated to comply with Do Not Track requests, you should disclose to your users how you will handle DNT requests.

Read on to find out how Do Not Track works, whether you need a Do Not Track disclosure on your site, and how to comply with Do Not Track laws.

Table of Contents
  1. What Is Do Not Track (DNT)?
  2. What Is a Do Not Track Disclosure?
  3. Do Not Track Disclosure Examples
  4. Does Your Privacy Policy Need a Do Not Track Disclosure?
  5. Do Not Track and CalOPPA
  6. Future DNT Developments

1. What Is Do Not Track (DNT)?

Do Not Track (DNT) is a feature that users can enable on website browsers to request that websites and ad companies don’t track their web browsing activities.

When users enable Do Not Track in their browser settings, the browser sends a Do Not Track signal in the form of a DNT HTTP header to users’ web traffic, letting websites know that they don’t want to be tracked.

However, websites can choose whether or not to honor Do Not Track requests, and decide how to interpret the requests. For example, websites may respond to the request by not showing personalized ads, but they will still collect personal data for other purposes.

Many web browsers come with a Do Not Track option. These web browsers include:

  • Chrome
  • Firefox
  • Safari
  • Internet Explorer
  • Microsoft Edge

Users can adjust Do Not Track preferences by clicking a button or toggling a switch in the browser’s privacy settings.

For example, to send Do Not Track requests in Chrome, users toggle the “Send a ‘Do Not Track’ request with your browsing traffic” switch in the “Cookies and other site data” section in Chrome’s settings.

Google Chrome Do Not Track settings

Currently, because there isn’t yet a DNT technology industry standard on how companies should respond to DNT signals, Do Not Track features aren’t available on all browsers.

2. What Is a Do Not Track Disclosure?

A Do Not Track disclosure is a paragraph included in a website’s privacy policy that notifies users whether or not the website complies with Do Not Track requests.

Under current state legislation, websites do not need to comply with a users’ Do Not Track requests. However, websites do need to inform users how they respond to DNT requests.

3. Do Not Track Disclosure Examples

Let’s go over some examples of Do Not Track disclosures from different websites to see what information is included.

DNT Disclosure Example #1: Medium

Medium’s Do Not Track Policy states that their website honors users’ Do Not Track requests. While they acknowledge that there’s no industry consensus on how to respond to DNT requests, they apply the World Wide Web Consortium’s recommendations.

The DNT disclosure also provides an in-depth explanation of how enabling Do Not Track affects Medium’s first-party and third-party tracking practices.

Medium's Do Not Track disclosure

If your website honors Do Not Track requests, explain to users what happens when they enable Do Not Track and use your site, as shown in Medium’s example.

DNT Disclosure Example #2: LinkedIn

LinkedIn is an example of a Do Not Track disclosure that specifies that the site does not respond to DNT signals. Their disclosure points out the lack of an industry standard for DNT responses, and goes over what Do Not Track is and how it works.

The disclosure also explains that in the DNT context, LinkedIn does not allow third-party advertising services to identify LinkedIn members without additional consent.

LinkedIn's Do Not Track disclosure

For the convenience of your users, consider explaining how DNT signals work in your disclosure, as LinkedIn does.

DNT Disclosure Example #3: Associated Press

Associated Press’s Do Not Track disclosure is embedded in their privacy policy. In addition to stating that they don’t respond to Do Not Track requests, Associated Press explains that their third-party partners also might not honor Do Not Track requests.

Associated Press links to their third-party Google Analytics platform so privacy-conscious users have the choice to opt out of their data being used in their Google Analytics reports.

Associated Press Do Not Track disclosure

Like the above example, it’s a good practice to disclose third-party trackers on your site and clarify that they may not comply with DNT signals.

4. Does Your Privacy Policy Need a Do Not Track Disclosure?

You need a Do Not Track disclosure if you have users from California, in order to comply with state privacy laws.

For example, the California Online Privacy Protection Act (CalOPPA) requires your site to include a Do Not Track disclosure stating how your site handles DNT requests.

In addition, any business that wants to maintain trust with its customers should be open about how it uses personal data. The Federal Trade Commission (FTC) mandates that companies honor any promises made in a posted privacy policy. When that policy includes a DNT disclosure, consumers can take it as a sign that the company is honest in how it conducts business.

5. Do Not Track and CalOPPA

A CalOPPA amendment in 2014 made it compulsory for websites to reveal how they respond to do not track requests. As a result, consumers have more awareness of how websites use information about their web surfing habits, and can make the choice to either stay on the website or leave.

CalOPPA requirements extend to websites outside California so long as they track residents from California.

A good practice for complying with CalOPPA DNT requirements is to outline your response to DNT requests in your privacy policy. Another way to meet CalOPPA Do Not Track requirements is to place a clear and conspicuous link within your privacy policy to your DNT disclosure.

To comply with CalOPPA, you must disclose:

  • How you will respond to the browser’s do not track signals
  • Whether there are third-party trackers on the site
  • Other mechanisms that allow users to have control over the collection of their personal information

6. Future DNT Developments

While the future is uncertain when it comes to the development of a DNT industry standard and DNT legislations, as a business, it’s wiser to err on the side of transparency and full disclosure by explaining your Do Not Track responses to users.

Etienne Cussol CIPP/E, CIPM
More about the author

Written by Etienne Cussol CIPP/E, CIPM

Etienne is an Information Privacy professional and compliance analyst for Termly. He has been with us since 2021, managing our own compliance with data protection laws and participating in our marketing researches. His fields of expertise - and interest - include data protection (GDPR, ePrivacy Directive, CCPA), tracking technologies (third-party cookies, fingerprinting), and new forms of privacy management (GPC and the Google Privacy Sandbox). Etienne studied International Economic Affairs at the University of Toulouse, and graduated with a Masters in 2017. More about the author
Masha Komnenic CIPP/E, CIPM, CIPT, FIP

reviewed by Masha Komnenic CIPP/E, CIPM, CIPT, FIP Director of Global Privacy

Related Articles

Explore more resources