DNT is generally a failed proposal and ignored by virtually all websites. There is no real grassroots or legislative force behind it. This term should be changed to be neutral and have no effect on the grade of a website.
When reviewing Privacy Policies, there are three possible reactions to DNT headers.
Some services, like privacy-friendly analytics such as Piwik/Matomo do respect those signals (which is covered by this case)
Other services ignore DNT headers and track anyway, which is linked to this case
Non-CCPA compliant services may not inform users on tracking behaviour when receiving a DNT header. If this happens, we can’t automatically assign one case or another, so either we directly ask the service (as PrivatePrawn did) or no point is created.
As long as these three situations exist, I believe it is important to mark as a bad point services that don’t do the effort to respect user will.
It is important that the grade assigned via the extension be useful and informative - else it will be ignored. Including the DNT header makes it less useful and less informative.
GPC handles what you would allow me to do with your data (do-not-sell-or-share).
In the development community I’m in, we don’t really handle the Sec-GPC header, because we would never handle user data in this matter anyway (or you could say we always treat Sec-GPC to be 1)
The technical test if GPC is handled is if /.well-known/gpc.json returns a JSON where gpc is set to TRUE. However this is optional and absence does not indicate that GPC is ignored (since for GDPR-compliant sites GPC should be a given anyway).
DNT handles which technology I can use to gather data from you.
In the development community I’m in, we use DNT as an additional wish of the user to accept a suboptimal user experience (videos not auto-playing, additional clicks to explicitly send data to external services) for improved data control.
There is a similar technical test with /.well-known/dnt-policy.txt for sites which wish to actively indicate that they comply.
My opinion
Taking care of the DNT header is a positive indicator that the site actively wants to empower users to decide between the best/intended experience and on-site data collection and third-party data dissemination (IP addresses, browsing behaviour, f.e. when embedding a video from a third party)
However there is no defined standard what should be part of the DNT-treatment.
Not taking care of the DNT header is neutral. As previous posters mentioned the proposal failed to reach a wider development audience.
Taking care of the GPC header is also a positive, but only indicates what we expect all sites to do anyway: Not sharing or selling our data with third parties without consent.
The problem: “Collecting” is still allowed and “Sharing” is ill-defined and hotly debated in data security circles. Is it sharing data to Google if you embed a YouTube Video? Arguably yes (I ask your browser to expose your IP-address to fetch the video), but on the other hand you also share that data to your hoster’s internet service provider and any router inbetween.
Thus not taking care of the GPC header is neutral too (because f.e. for EU-sites the GDPR enforces this behaviour anyway).
possible solution would be to change the case to “This service allows you to limit preprocessing of your data through automated means like DnT or GPC headers.”
Also maybe a separated case for services that only make that work when law requires it like under the CCPA
I strongly disagree with this proposal. The DNT header saw no wide adoption because companies saw no direct consequences for their actions. With TOSDR being one of the very few mediums that users actually use, it would be extremely counter-productive to remove the negative score of the DNT header point.
Sites that do the effort to respect their users deserve to be rewarded, and the sites that don’t deserve to be shamed.
The DNT header has been defined for many years now and is well known in the tech world. Therefor we must assume that companies who have chosen not to respect their user’s right to privacy must have done so out of malice and greed.
To try and use mass-adoption as an excuse is nonsencial. Companies don’t need others to do the same in order to respect their users.
you should also consider that DnT is deemed “end of life”. Yes services should be rewarded for having it, but punishing a service for not spendending expansive work hours on a mostly dead feature is a waste, especially considering that newer standards, that even are designed with CCPA and GDPR in mind like GPC exist.
newer standards, that even are designed with CCPA and GDPR in mind like GPC exist.
Could you name some of those new standards? I’m keen on keeping DNT because so far it’s the only one that’s been integrated into browsers.
It might make sense to remove DNT once such new standards get to the user’s browsers, but until then it’ll do us no good to remove this case point.
Sorry, I wasn’t aware of that. Then, with the objective of making the extension’s output more useful, I agree that case 233 should be made neutral.
As for GCP, it sounds like it could be a great addition in the near future. But we’ll have to wait and see if that gets the legal backing it needs.
Just as an additional perspective from a developer.
Handling both DNT and GPC is the same effort as only handling GPC.
In JavaScript it’s just…
if ('1' == window.navigator.doNotTrack || window.navigator.globalPrivacyControl)
{
return; // User requires additional privacy, end this function now
}
// Rest of the function doing something privacy invasive.
…that handled both DNT and GPC… so not hours of work.
The code to handle the same in JaveEE / PHP is similarly short.
However, as mentioned in my post above:
DNT is about being tracked at all / GPC is about what the provider can do with the tracking-data.
GPC is a compromise: Yes you can track all you want, but “don’t sell or share”.
For sites operating in the EU GPC is basically given, because the GDPR has similar rules. GPC is only relevant, where you have to actively opt-out of data-brokering (like in the US), where as with GDPR you have to actively opt-in.
There is still a place for privacy-loving people for DNT (at least via browser extensions), so a bonus for pages respecting it, but society settled on a compromise, so no penalty if you don’t treat DNT.
UPDATE, December 2021: Global Privacy Control is now available in the general release version of Firefox (Firefox 95). People interested in turning it on can follow the steps outlined below.
Case 233 will be neutralized.
and 2 more cases for GPC should be esablished with the not respected one being negative,
and the respected one being positive.
EDIT: When thinking about how to decide which mechanism is which case I changed my mind and agree with Moritz Beneke.
One case “positive when respected” and “neutral when ignored”.
Reason: My own argument about Case 241. Where respecting GPC is legally required not respecting it is a reason to sue the company, but internationally adhering to automated opt-in/opt-out solutions is only a nice-to-have feature.
