Many companies track users’ web browsing behavior for analytics and advertising purposes.
However, some users don’t want to be tracked, so they enable the “Do Not Track” (DNT) option in their browsers.
Many web browsers come with a Do Not Track option, which allows users to send a Do Not Track request with their browsing traffic. While websites are not obligated to comply with Do Not Track requests, you should disclose to your users how you will handle DNT requests.
Read on to find out how Do Not Track works, whether you need a Do Not Track disclosure on your site, and how to comply with Do Not Track laws.
1. What Is Do Not Track (DNT)?
Do Not Track (DNT) is a feature that users can enable on website browsers to request that websites and ad companies don’t track their web browsing activities.
When users enable Do Not Track in their browser settings, the browser sends a Do Not Track signal in the form of a DNT HTTP header to users’ web traffic, letting websites know that they don’t want to be tracked.
However, websites can choose whether or not to honor Do Not Track requests, and decide how to interpret the requests. For example, websites may respond to the request by not showing personalized ads, but they will still collect personal data for other purposes.
Many web browsers come with a Do Not Track option. These web browsers include:
- Chrome
- Firefox
- Safari
- Internet Explorer
- Microsoft Edge
Users can adjust Do Not Track preferences by clicking a button or toggling a switch in the browser’s privacy settings.
For example, to send Do Not Track requests in Chrome, users toggle the “Send a ‘Do Not Track’ request with your browsing traffic” switch in the “Cookies and other site data” section in Chrome’s settings.
Currently, because there isn’t yet a DNT technology industry standard on how companies should respond to DNT signals, Do Not Track features aren’t available on all browsers.
2. What Is a Do Not Track Disclosure?
A Do Not Track disclosure is a paragraph included in a website’s privacy policy that notifies users whether or not the website complies with Do Not Track requests.
Under current state legislation, websites do not need to comply with a users’ Do Not Track requests. However, websites do need to inform users how they respond to DNT requests.
3. Do Not Track Disclosure Examples
Let’s go over some examples of Do Not Track disclosures from different websites to see what information is included.
DNT Disclosure Example #1: Medium
Medium’s Do Not Track Policy states that their website honors users’ Do Not Track requests. While they acknowledge that there’s no industry consensus on how to respond to DNT requests, they apply the World Wide Web Consortium’s recommendations.
The DNT disclosure also provides an in-depth explanation of how enabling Do Not Track affects Medium’s first-party and third-party tracking practices.
If your website honors Do Not Track requests, explain to users what happens when they enable Do Not Track and use your site, as shown in Medium’s example.
DNT Disclosure Example #2: LinkedIn
LinkedIn is an example of a Do Not Track disclosure that specifies that the site does not respond to DNT signals. Their disclosure points out the lack of an industry standard for DNT responses, and goes over what Do Not Track is and how it works.
The disclosure also explains that in the DNT context, LinkedIn does not allow third-party advertising services to identify LinkedIn members without additional consent.
For the convenience of your users, consider explaining how DNT signals work in your disclosure, as LinkedIn does.
DNT Disclosure Example #3: Associated Press
Associated Press’s Do Not Track disclosure is embedded in their privacy policy. In addition to stating that they don’t respond to Do Not Track requests, Associated Press explains that their third-party partners also might not honor Do Not Track requests.
Associated Press links to their third-party Google Analytics platform so privacy-conscious users have the choice to opt out of their data being used in their Google Analytics reports.
Like the above example, it’s a good practice to disclose third-party trackers on your site and clarify that they may not comply with DNT signals.
4. Does Your Privacy Policy Need a Do Not Track Disclosure?
You need a Do Not Track disclosure if you have users from California, in order to comply with state privacy laws.
For example, the California Online Privacy Protection Act (CalOPPA) requires your site to include a Do Not Track disclosure stating how your site handles DNT requests.
In addition, any business that wants to maintain trust with its customers should be open about how it uses personal data. The Federal Trade Commission (FTC) mandates that companies honor any promises made in a posted privacy policy. When that policy includes a DNT disclosure, consumers can take it as a sign that the company is honest in how it conducts business.
5. Do Not Track and CalOPPA
A CalOPPA amendment in 2014 made it compulsory for websites to reveal how they respond to do not track requests. As a result, consumers have more awareness of how websites use information about their web surfing habits, and can make the choice to either stay on the website or leave.
CalOPPA requirements extend to websites outside California so long as they track residents from California.
A good practice for complying with CalOPPA DNT requirements is to outline your response to DNT requests in your privacy policy. Another way to meet CalOPPA Do Not Track requirements is to place a clear and conspicuous link within your privacy policy to your DNT disclosure.
To comply with CalOPPA, you must disclose:
- How you will respond to the browser’s do not track signals
- Whether there are third-party trackers on the site
- Other mechanisms that allow users to have control over the collection of their personal information
6. Future DNT Developments
While the future is uncertain when it comes to the development of a DNT industry standard and DNT legislations, as a business, it’s wiser to err on the side of transparency and full disclosure by explaining your Do Not Track responses to users.
reviewed by Masha Komnenic CIPP/E, CIPM, CIPT, FIP Director of Global Privacy