Do Not Track Disclosures

Etienne Cussol CIPP/E, CIPM

July 16, 2024

Many companies track users’ web browsing behavior for analytics and advertising purposes.

However, some users don’t want to be tracked, so web browsers often include a Do Not Track (DNT) option that allows users to send a DNT request with their browsing traffic.

Websites aren’t obligated to comply with Do Not Track requests, but under laws like the California Online Privacy Protection Act (CalOPPA), you must disclose to your users in a privacy policy how you handle and respond to them.

Read on to find out how Do Not Track works, whether you need a Do Not Track disclosure on your site, and how to comply with Do Not Track laws.

Table of Contents
  1. What Is Do Not Track (DNT)?
  2. What Is a Do Not Track Disclosure?
  3. Is It Mandatory to Respond to Do Not Track Requests?
  4. Do Not Track Disclosure Examples
  5. Does Your Privacy Policy Need a Do Not Track Disclosure?
  6. What Data Privacy Laws Require Do Not Track Disclosures?
  7. Future DNT Developments
  8. Summary

What Is Do Not Track (DNT)?

Do Not Track (DNT) is a feature that users can enable in web browsers to request that websites and ad companies don’t track their web browsing activities.

Many web browsers come with a Do Not Track option, including:

  • Chrome
  • Firefox
  • Safari
  • Internet Explorer
  • Microsoft Edge

Users can typically adjust Do Not Track preferences by clicking a button or toggling a switch in the browser’s privacy settings.

For example, to send Do Not Track requests in Chrome, users toggle the “Send a ‘Do Not Track’ request with your browsing traffic” switch in the “Cookies and other site data” section in Chrome’s settings.

However, because there isn’t a DNT technology industry standard on how companies should respond to DNT signals, Do Not Track features aren’t available on all browsers.

Additionally, websites can choose if they want to honor Do Not Track requests or not and can decide how to interpret the requests.

For instance, websites may respond to the request by not showing personalized ads but still collecting personal data for other purposes.

Many websites also rely on third-party services that track users’ browsing activities across websites. If DNT is enabled, the third party is alerted but still gets to choose whether to continue its tracking practices.

What Is a Do Not Track Disclosure?

A Do Not Track disclosure is a paragraph in a website’s privacy policy that notifies users whether or not the website complies with Do Not Track requests.

Under current state laws, websites don’t need to comply with a user’s Do Not Track requests.

However, under CalOPPA, you must clearly explain in your privacy policy if and how you respond to such requests.

The DNT legal requirements work in tandem with California’s primary consumer privacy law, the California Consumer Privacy Act (CCPA).

The CCPA outlines additional, stricter data processing requirements, including mandating that websites honor universal opt-out mechanisms (UOOMs).

DNT vs. UOOMs

A DNT request is not the same as a universal opt-out mechanism (UOOM) like Global Privacy Control (GPC).

UOOMs are browser settings or extensions that communicate a user’s desire to opt out of certain data processing activities, and websites are required to comply under laws like the:

  • California Consumer Privacy Act (CCPA)
  • Colorado Privacy Act (CPA)
  • Connecticut Data Privacy Act (CTDPA)

Is It Mandatory to Respond to Do Not Track Requests?

While honoring DNT requests is not mandatory, if your business falls under CalOPPA, you must explain if and how you respond to them in a clause in your privacy policy.

You can choose specifically how you respond so long as you’re transparent and accurate.

Do Not Track Disclosure Examples

Let’s review examples of Do Not Track disclosures from different websites so you know what information to include in your own.

DNT Disclosure Example #1: Medium

Let’s look at an example of a Do Not Track disclosure from the publishing platform Medium.

Medium’s disclosure clearly states that its website honors users’ Do Not Track requests, as shown in the screenshot below.

[Screenshot: Medium’s Do Not Track disclosure]

The DNT disclosure also explains how enabling Do Not Track affects Medium’s first-party and third-party tracking practices.

If your website honors Do Not Track requests, you should also explain to users what happens when they enable DNT and use your site, as shown in Medium’s example.

DNT Disclosure Example #2: LinkedIn

Next, look at LinkedIn for an example of a Do Not Track disclosure specifying that the site does not respond to DNT signals.

Their disclosure, shown in the screenshot below, indicates the lack of an industry standard for DNT responses.

[Screenshot: LinkedIn’s Do Not Track disclosure]

Their disclosure explains what Do Not Track is, how it works, and states that LinkedIn doesn’t allow third-party advertising services to identify LinkedIn members without additional consent.

For your users’ convenience, explain how DNT signals work in your disclosure, as shown in the LinkedIn sample above.

DNT Disclosure Example #3: Associated Press

Let’s examine the Associated Press’s Do Not Track disclosure embedded in its privacy policy.

As shown in the screenshot below, the Associated Press states that it doesn’t respond to Do Not Track requests and explains that its third-party partners might also not honor them.

[Screenshot: Associated Press’s Do Not Track disclosure]

Associated Press links to its third-party Google Analytics platform, so privacy-conscious users can opt out of having their data used in Google Analytics reports.

Like the above example, it’s a good practice to disclose third-party trackers on your site and clarify that they may not comply with DNT signals.

Does Your Privacy Policy Need a Do Not Track Disclosure?

If you have users from California, you need a Do Not Track disclosure in your privacy policy stating how your site handles DNT requests to comply with CalOPPA.

In addition, businesses that want to maintain trust with their customers should be open about how they collect and use personal data.

When that policy includes a DNT disclosure, consumers take it as a sign that the company is honest in how it conducts business.

What Data Privacy Laws Require Do Not Track Disclosures?

A 2014 amendment to CalOPPA made it compulsory for websites to reveal how they respond to Do Not Track requests.

When websites disclose this information, users become more aware of how their personal data, such as web surfing habits, is used, so they can choose to either stay on the website or leave.

CalOPPA has a broad scope, and its requirements extend to any website that tracks the online behaviors of people in California.

To comply with CalOPPA DNT requirements, outline your response to DNT requests in your privacy policy.

You can also place a clear, conspicuous link within your privacy policy to your DNT disclosure.

For full compliance with CalOPPA, you must also disclose:

  • How you will respond to the browser’s Do Not Track signals
  • Whether there are third-party trackers on the site
  • Other mechanisms that allow users to have control over their personal information

Future DNT Developments

The future of DNT technology is uncertain, especially now that state-level U.S. privacy laws require websites to honor UOOMs like GPC but not necessarily DNT signals.

UOOMs may become the industry standard, taking over DNT settings, at least in the U.S.

That said, for businesses to thrive in the modern digital age, it’s best practice to always be transparent and fully disclose your data collection and processing activities, including whether and how you respond to users’ Do Not Track requests.

Summary

Even though DNT technology might eventually get replaced by UOOMs, CalOPPA provisions are still in place. If your website has visitors from California, you must post a DNT disclosure in your privacy policy explaining how you respond to Do Not Track requests.

Make your disclosure as clear, easy-to-read, and honest as possible so your users understand exactly how you handle these requests.

Ensure you’re complying with all applicable privacy laws that might impact your business.

Written by Etienne Cussol CIPP/E, CIPM

Etienne is an Information Privacy professional and compliance analyst for Termly. He has been with us since 2021, managing our own compliance with data protection laws and participating in our marketing research. His fields of expertise - and interest - include data protection (GDPR, ePrivacy Directive, CCPA), tracking technologies (third-party cookies, fingerprinting), and new forms of privacy management (GPC and the Google Privacy Sandbox). Etienne studied International Economic Affairs at the University of Toulouse, and graduated with a Masters in 2017.
