https://blog.mozilla.org/en/mozilla/advertisers-and-publishers-adopt-and-implement-do-not-track/ Mozilla introduced the Do Not Track feature in January 2011 and other major web browsers soon did the same. With the Do Not Track preference enabled, when a user attempts to connect to a website, a Do Not Track signal is sent as a part of the header which is sent during the connection attempt. A website which obeys Do Not Track requests is able to act on the user’s choice before loading a webpage.
A website which obeys a Do Not Track signal value of “true” can use this setting positively in multiple ways.
a) https://lemmy.world/post/22974927 More than 15 analytics tools can be conveniently configured by a website operator to obey Do Not Track signals.
b) https://filippovicentini.com/notes/2019-04-22/ https://medium.com/@fixitblog/solved-how-to-make-google-analytics-respond-to-quot-do-not-track-quot-7f9785385371 Multiple websites explain how a website operator can obey Do Not Track signals, such as when an analytics tool does not have that option. These methods can be used to prevent connections to third party tracking services.
c) At least one “cookies consent” tool obeys a Do Not Track signal by silently disabling tracking cookies without the need for user interaction with potentially annoying cookie popups.
https://www.cookieyes.com/blog/respecting-browser-do-not-track-setting-cookieyes/ “If you install CookieYes banners on your website, it will respect the active DNT of the users’ browsers and avoid placing any tracking cookies”
d) Do Not Track signals have also been legally defended as a compatible mechanism of the General Data Privacy Regulation (GDPR) for a user to indicate a preference to not be tracked, in a court case in Germany. Do Not Track signals are expected to legally apply to other countries and other scenarios involving GDPR, but court cases would likely have to happen first.
https://wideangle.co/blog/do-not-track-gdpr-opt-out “A recent German court case against LinkedIn suggest that websites that track their users should recognise DNT signals or risk violating the General Data Protection Regulation (GDPR).”
“‘The court stated the obvious and even quoted a bunch of legal commentaries on it,’ Hense said. ‘They all agreed with DNT being a valid signal.’”
In the German court case, Microsoft’s LinkedIn could attempt to overturn this verdict on appeal if first Mozilla permanently removes the Do Not Track setting from Firefox’s user interface and if Chromium then, in turn, removes the Do Not Track setting with partial reasoning being because Mozilla, the original champion of the setting, also removed it. Microsoft could then ask to have the verdict dismissed on appeal because a majority of web browsers might no longer have a Do Not Track setting in the user interfaces, and such an appeal result could be a terrible blow to privacy, as well as a blow to the possibility of conveniently obtaining private web browsing on potentially many more websites in the future.
There have been some arguments raised which call for the removal of the Do Not Track setting. Let’s explore these arguments and see if they are strong enough to justify removing the Do Not Track setting.
These arguments include:
1 - Global Privacy Control (GPC) is legally supported in some jurisdictions and thus can replace Do Not Track.
2 - Global Privacy Control can replace Do Not Track in terms of functionality.
3 - Hardly anyone enables the Do Not Track setting and thus a user may stick out in terms of fingerprinting.
https://connect.mozilla.org/t5/ideas/keep-the-quot-do-not-track-quot-option/idi-p/81951 “even with our past education campaigns around DNT… users did not care to enable it.”
4 - Hardly any of the websites which a user visits obey Do Not Track signals.
https://connect.mozilla.org/t5/ideas/keep-the-quot-do-not-track-quot-option/idi-p/81951 “it no longer made sense to offer a signal that is consistently ignored by the vast majority of site operators while also being a potential fingerprinting vector itself due to how unique it is because of its low adoption.”
5 - It gives users a false sense of security.
Counter-arguments include:
1 - Global Privacy Control is legally enforceable in some states in a country. Do Not Track is legally enforceable in a country and is expected to be legally enforceable in most European countries if corresponding legal cases get presented.
https://wideangle.co/blog/do-not-track-gdpr-opt-out “For now, the judgment only applies to companies operating in Germany. However, the relevant parts of the GDPR are the same in every other country that has implemented the law.”
It seems reasonable for both settings to exist in the user interface since each setting is supported by law.
2 - Global Privacy Control is akin to Do Not Track’s weaker sibling and thus is not a valid replacement for Do Not Track. Suppose we discuss the scenario where a website obeys both Global Privacy Control signals and Do Not Track signals.
For Do Not Track, a website operator can either enable a setting in multiple analytics tools or can follow multiple websites which list a code snippet to check for Do Not Track signals. With most of these implementations, tracking data will not be sent to a third party analytics service.
For Global Privacy Control, the approach is to still send the tracking data to the third party analytics service!
https://www.techpowerup.com/329753/firefox-ditches-do-not-track-feature-in-version-135-in-favor-of-global-privacy-control “one criticism of the new reliance on Global Privacy Control is that GPC doesn’t block Google Analytics tracking requests”
When Do Not Track signals are obeyed, privacy policies appear to indicate that this feature applies to the general Internet population. At least one company with users around the world has decided to interpret Global Privacy Control as only needing to apply to users in some jurisdictions.
https://www.atlassian.com/legal/privacy-policy “our websites do respond to the Global Privacy Control (“GPC”) to opt-out of “sales” of personal information and targeted advertising in certain locales.”
3 - The Do Not Track setting is used by a significant proportion of users, with more than 20% of users reported as using it. Now is not the time to abandon it. A visit to https://amiunique.org/fingerprint shows more than 22% of users in the last 7 days, 15 days, and 30 days have enabled a “Do Not Track” HTTP header attribute value. Similar figures were reported in 2019. https://archive.today/zzcwE “A Forrester research report found 25% of people using the Do Not Track setting, and a national survey we conducted found 23%.”
If JavaScript is enabled, fingerprinting can be extremely accurate with just JavaScript alone, without examining HTTP header attribute values, meaning that Do Not Track might only be considered for fingerprinting for users who have a solution for selectively blocking JavaScript, such as a web browser addon.
https://backlinko.com/ad-blockers-users “Sep. 02, 2024” “31.5% of internet users worldwide report using an ad blocker.”
https://explodingtopics.com/blog/ad-block-users “June 25, 2024” “DataReportal found that approximately 1 in 3 (32.5%) internet users use ad blockers.”
It might be reasonable to say at least 75% of users who enabled “Do Not Track” are also users who know what an addon is and would install an addon such as uBlock Origin, Privacy Badger, NoScript, AdGuard, etc, which can be used to selectively block JavaScript. Given this assumption, 75% of the 22% of users using “Do Not Track” signals is 16.5% of all users. 16.5% represents more than half of the reported 32.5% of users using an addon to block JavaScript. Given this assumption, to blend in with the majority of the users who use an addon to block JavaScript, we should be enabling “Do Not Track” signals!
4 - Maybe we could consider intentionally searching for and visiting more websites which obey Do Not Track signals. Websites which obey Do Not Track signals indicate they are a part of the Good Guys. Having this way of differentiating websites is a good thing. We can use a web search or even an AI web search to search for “name-of-website Do Not Track privacy policy” to quickly find some of the Good Guys. A legal requirement has caused a large proportion of websites to indicate in a privacy policy whether they choose to obey or not obey Do Not Track signals.
https://www.freeprivacypolicy.com/blog/privacy-policy-do-not-track-dnt/ “As of January 1, 2014, changes to the California Online Privacy Protection Act (CalOPPA) required the owners of websites, web apps, mobile apps, and desktop apps to include a Do Not Track disclosure in their Privacy Policy agreements.”
“In order to comply with CalOPPA’s DNT requirements, website owners must make sure they: State how they respond to the DNT signals they receive from user’s web browsers”
“Even if a website owner or operator isn’t based in California, it still must include a DNT disclosure in the Privacy Policy. This is because the website or app may be attracting visitors who live in California.”
This law was created after Do Not Track signals were introduced into major web browsers. The continued existence of the Do Not Track setting in the user interfaces of web browsers means the law will still have a reason to exist and privacy policies will continue to be required to display this information, allowing us to quickly identify some of the Good Guys and even more of the Bad Guys.
If we are stuck using a Bad Guy website, the very existence of the ability to easily configure obeying Do Not Track signals in more than 15 analytics products means it is possible to contact a website operator and ask the website operator to enable the setting. For anyone who says it won’t work, I ask you, have you tried?
If there are a lot of bad apples in a market, should we make it even harder to find the good apples, or should we feel happy that a tool exists (Do Not Track) which makes it easier to distinguish some of the bad apples from some of the rare good apples (by using a search engine to look at a very specific section common to most privacy policies)? The same argument can be used for any market where it is difficult to find something you think is good, including shopping for good clothing or finding a suitable marriage partner.
Why is it okay to say we should remove the Do Not Track feature because many websites do not obey it and because it could be used for fingerprinting, but exactly the same statements can be made about Global Privacy Control, while it is supposedly okay to use the Global Privacy Control setting?
5 - In Mozilla Firefox, immediately next to the Do Not Track setting is a link that has an explanation which does not seem to give a false sense of security.
https://archive.today/evyo1 “Honoring this setting is voluntary — individual websites are not required to respect it.”
Mozilla has made multiple revisions to the wording of the Do Not Track feature and if someone feels there is a better way to formulate the text of the option, Mozilla allows anyone to make suggestions.
If we want to talk about a false sense of security, when we see Global Privacy Control’s Firefox option’s text of “Tell web sites not to sell or share my data” should we expect a website which obeys Global Privacy Control signals to share our data with a third party like Google? We might not expect as much, but our data will apparently be shared with that third party when that third party’s analytics service is used by a website operator.
What can we do?
A] Enable Do Not Track signals in our web browsers and teach our family members how to do the same.
The following website obeys Do Not Track signals and gives instructions for many types of web browsers on how to enable Do Not Track signals.
https://www.surreycc.gov.uk/website/cookies/do-not-track “How to enable the ‘Do Not Track’ browser setting”
For Firefox users, the Do Not Track option can be toggled in about:config. In the top address bar, type in the text about:config and go to the about:config webpage. When asked to Proceed with Caution, choose to Accept the Risk and Continue. In the “Search preference name” text field we can enter a value of “donottrack” and then look at the value (true or false) of the privacy.donottrackheader.enable preference. If the value is false, we can use the toggle button to set the value to true. Our change will be applied immediately and we can close the about:config webpage tab at our convenience. This approach still works in Firefox 135 and also works in older Firefox versions.
B] Use one or more methods of selectively blocking Bad Guy JavaScript. Probabilistic tracking using a Do Not Track signal is likely to apply only to users who block JavaScript deterministic tracking. Do a good deed for the world and teach your family members how to use such an addon.
https://ublockorigin.com/ https://privacybadger.org/ https://noscript.net/ https://adguard.com/
C] If you have a Mozilla account or you do not mind creating one, you are invited to log in and “give kudos” at the following link.
https://connect.mozilla.org/t5/ideas/keep-the-quot-do-not-track-quot-option/idi-p/81951
D] Contact the website operators of websites which you use a lot and ask them to enable the Do Not Track feature in their analytics tools and send them the links in b) at the start of this posting. If you get a response, consider sharing that response with the community.
It is kind of a joke in practice. I wouldn’t turn it on since it makes you a target.
Yeah it makes you stand out as a fingerprint data point. I generally thought it was recommended to not enable since privacy violators won’t respect it anyways.
Really good write-up, thanks OP!
I’m not really sure I can support using DNT headers currently. Some good points were made about alongside GPC, DNT being legally recognized for GDPR requests in some countries. I live in the US outside of California, and don’t closely follow along to the nuances of either CCPA or GDPR, so correct me if I get something wrong. Given the list of websites in a comment that respect DNT, the notion that DNT is voluntary to handle, and how many websites use to harm users instead (further fingerprinting data points), I don’t see why Mozilla should be keeping around DNT for the time being.
Yes, the fingerprinting metric for DNT may not be that unique of a data point if a given user isn’t using content blocking extensions and other browser-hardening techniques. It still is however a data point often masked to follow the herd in order to minimize fingerprinting in territories where user privacy isn’t enforced by law. If law actually demanded respect to user privacy, I think DNT could work. As it stands though, it really doesn’t seem like DNT is well-ingrained in law.
Given the list of sites you listed, I only recognize two websites on the list that claim to support DNT. Perhaps a majority of these sites are from smaller organizations and/or based in the EU? On top, this is only what the sites’ privacy policies claim, no? How many of these sites are actively proven to respect DNT beyond claiming that they do?
It really seems like DNT is still considered way too optional for websites to handle and respect. The best way for this to change is for the GDPR to recognize proper DNT handling as mandatory for sites to be compliant in the EU. Furthermore (unlikely to happen anytime soon but would be helpful) is for the US to gain similar privacy laws at the country-level that also defines enforcement.
There is just about zero reason I think nicely asking website admins to monitor and add support for DNT. Given that a majority of the problem with violations isn’t with the smallest of independent websites, but those run by larger businesses, I doubt simple activism will work. If just activism for respecting the privacy of users actually did something, I feel like in ~15 years Do Not Track headers would have shown meaningful progress. The only way going forward is deliberate user-enforced destruction of available tracking points granted to websites or law that dictates when and how websites may track users: be it GPC, DNT, or something else. Only when a consensus is being reached should Mozilla and browsers prepare to support the enforced feature.
EDIT: re-reading the list of websites claiming support for DNT, I found a second website I recognize.
More than 200 websites which obey Do Not Track signals
https://www.actorsite.com/privacy-policy https://builder.io/docs/privacy https://www.ckcancercenter.com/privacy-policy.html https://elesplace.org/privacy-policy https://www.royalresortscaribbean.com/pdf/PrivacyPolicy.pdf https://www.americaphonebook.com/privacypolicy.htm https://www.itup.org/privacy-policy/ https://www.milligan.edu/privacy/ https://www.bmigeorgia.org/privacy-notice https://www.lamisinstitute.com/privacy-policy https://www.pizanoschicago.com/privacy-policy/ https://www.docsites.com/privacy/ https://dogtrainerhawaii.com/privacy-policy/ https://www.kidznotes.org/privacy-policy/ https://harrissmile.com/privacy-policy/ https://www.researchandme.com/legal/privacy https://thesauceologygroup.com/ https://drurybodyshop.com/privacy-policy/ https://www.istemai.com/istem_privacy_policy.html https://veregy.com/privacy-policy/ https://childrensparadise.com/privacy-policy/ https://manzelexpress.com/privacy https://cs.newton-conover.org/o/cs/page/privacy-policy https://drtraceywilliams.com/privacy-policy/ https://www.landmarkathens.com/privacy-policy/ https://www.irvineparkrailroad.com/privacy-policy/ https://www.paritygo.com/privacy-policy/ https://www.faitfellowship.org/privacy-policy/ https://middlecoffdentalgroup.com/privacy-policy/ https://www.gocadmium.com/privacy-policy https://www.tr3dent.com/privacy/ https://www.chrishartlaw.com/privacy-policy/ https://www.srbx.org/privacy-policy.html https://seoshope.com/privacy-policy/ https://www.ilcao.org/downloads/omjprivacypolicy.html https://www.guru99.com/privacy-policy https://www.ennovationlifesciences.com/index.php/privacy-policy/ https://www.wheelership.com/privacypolicy https://www.rillusion.com/privacy.html https://risesouffle.com/privacy-policy https://www.g2inc.com/privacy-policy/ https://werelivingwell.com/privacy-policy-2/ https://mru.edu/privacy-policy https://premium.infornweb.com/privacy-policy/ https://www.townmoneysaver.com/PrivacyPolicy https://terrycmisfeldt.com/privacy-policy/ https://www.lacucinareno.com/privacy-policy.html https://www.stylewe.com/information/privacy-policy https://www.choixmalins.com/privacy-policy/ https://auroraflighttraining.com/privacy-policy/ https://www.franchisefastlane.com/privacy https://www.hospiceandcommunitycare.org/hospice-care/website-privacy-policy/ https://philadelphiaeaglesdentist.com/privacy-policy/ https://www.rosesdaughters.com/privacy-policy/ https://aomorispring.com/privacy https://projects.cangguproperti.com/privacy-policy https://www.bostoncollegiate.org/privacy-policy/ https://www.medtrition.com/privacy-policy/ https://www.advtrain.com/privacy-policy/ https://counta.com/privacy-policy/ https://trackmaker.com/main/en/privacy-policy https://www.cadl.org/contact-help/policy-site-map/privacy-policy https://www.centralarkansasfamilyclinic.com/privacy http://www.himalichacha.com/privacy-policy.html https://muniss.net/legal/ https://pointstravels.com/privacy-policy/ https://moriumius.jp/en/policy/ https://noracora.com/information/privacy-policy https://www.cspwal.com/privacy-policy https://www.ccsblaw.com/privacy-policy/ https://srifas.com/privacy-policy/ https://www.roberthainesco.com/privacy-policy/ https://www.dashhound.com/privacy-policy/ https://www.marseilleshotel.com/privacy-policy/ https://vanessaduplessie.com/privacy-policy/ https://jasonlowensteinmd.com/privacy-policy/ https://www.dellrapidsdental.com/privacy-policy https://mypaperhub.com/privacy.php https://www.elijahnotes.com/privacy-policy/ https://www.eliscoffee.com/privacy-policy/ https://www.mdscheduler.net/app/PrivacyPolicy.aspx https://www.rockhilleyecenter.com/privacy-policy/ https://lvg.virginia.edu/policies-procedures/privacy-policy https://www.catalystkids.org/privacy-policy/ https://www.jumbledbrain.com/privacy-policy/ https://jenniferperkins.com/privacy-and-cookie-policy/ https://www.optionsforlearning.org/pdf/Policy-_35-Website-Privacy-Policy-FINAL-10-23-2018.pdf https://takingroot.com/privacy-policy/ https://www.intergroom.com/privacy-policy https://www.scenicsuds.com/privacy-policy https://www.weknowgrass.org/privacy https://barnessolar.com/terms/ https://weolive.com/privacy/ https://bataviafamilydental.com/privacy-policy/ https://orilliadentistry.com/privacy-policy/ https://grymesschool.org/privacy-policy/ https://www.kenrashsoutdoorfurniture.com/privacy-policy https://montrosedentalgroup.com/privacy-policy/ https://www.morganchasecatering.com/privacy-policy https://www.allpridefitness.com/privacy-policy https://www.lassendas.com/privacy/ https://mezzotechnologies.com/privacy-policy/ https://harbor360hotel.com/privacy-policy/ https://www.paintedgrapenc.com/privacy-policy.html https://advancementresources.org/privacy-policy/ https://www.p-b.com/privacy-policy/ https://anydate.com/privacy-policy-terms-of-use/ https://keepfloridabeautiful.org/privacy-policy/ https://herosports.com/privacy-policy/ https://www.aacn.org/privacy-policy https://www.augustint.com/us/support-338.html https://www.inetis.com/privacy-policy.html https://www.anesthesiascheduler.com/app/PrivacyPolicy.aspx https://revivesmile.com/privacy-policy/ https://mtbakerlodging.com/privacy-policy/ https://myplazadental.com/privacy-policy/ https://www.tampalanguagecenter.com/terms https://parkridgesmiles.com/privacy-policy/ https://agilevirtualpt.com/privacy-policy/ https://www.columbiaconventioncenter.com/privacy-policy https://www.innatwillowgrove.com/privacy-policy https://aylmerfamilydental.com/privacy-policy/ https://www.axiad.com/privacy-policy https://womancarepc.com/privacy-policy/ https://familydentalphx.com/privacy-policy/ https://www.yourvalleysmile.com/privacy-policy.html https://workwelldentalmanagement.com/privacy-policy/ https://prokolusa.com/privacy-policy/ https://www.awra.org/AWRA/Members/Privacy.aspx https://wsbr.org/privacy-policy/ https://www.brusselsbistro.com/privacy-policy https://www.naics.com/privacypolicy/ https://compassionandchoices.org/privacy-policy/ https://www.oakleafclinics.com/privacy_policy.pdf https://www.bluestonepim.com/privacy-policy https://hartfordfamilydentistry.com/privacy-policy/ https://eldredgelumber.com/privacy-policy/ https://www.parrapediatrics.com/privacy-policy-2/ https://edgewaterdentistchicago.com/privacy-policy/ https://www.privacy.haleon.com/en-us/general/general-full-text/ https://lesshousemorehome.co/privacy-policy/ https://www.sambuno.com/sambuno-privacy-policy/ https://rzsoftware.com/cookie-policy/ https://bingoplayers.com/privacy-policy https://rebeccahite.com/privacy-policy/ https://kecny.com/privacy-policy/ https://paulcassimus.com/privacy-policy https://www.penndelbowling.com/privacy https://www.learningfornature.org/en/privacy-policy/ https://www.caviarandbananas.com/assets/pdfs/cb_privacy_policy.pdf https://hamptonresearch.com/privacy-policy-25.html https://www.jamesbatesllp.com/privacy-policy/ https://www.healthcare.gov/privacy/ https://purexp.com/privacy-policy/ https://help.pinterest.com/en/topics/privacy-safety-and-legal https://www.nwgroom.com/privacy-policy https://www.lightdirections.com/privacy-policy https://www.vinivia.com/legal/cookies https://birdbuffer.com/privacy-policy-2/ https://ettsdds.com/privacy-policy/ https://www.arenaenergy.com/privacy-policy/ https://doctorwestmoreland.com/privacy-policy/ https://hwhmt.com/privacy-policy https://excelrehabsports.com/resources/privacy-policy/ https://www.familyfirstathome.com/privacy-policy https://ofcourseme.com/privacy-policy-2/ https://atlanticbrainandspine.com/privacy-policy/ https://fifth-avenue-dental.com/privacy-policy/ https://www.sowela.edu/privacy/ https://itaberco.com/privacy-policy/ https://midcitypeds.com/privacy-policy/ https://www.6minded.com/privacy-policy https://waynebelisle.com/privacy-policy/ https://kopernik-foundation.org/privacy-policy/ https://majormarine.com/privacy-policy/ https://holteybrownnewsom.com/privacy-policy/ https://blackbeards.com/privacy-policy/ https://pslstrive.org/privacypolicy http://champaceramics.com/Privacy https://www.sugaravenue.com/privacy-policy/ https://www.quetext.com/privacy-policy https://winnipegperiodontist.com/privacy-policy/ https://brardentistry.com/privacy-policy/ https://www.lindseya.com/privacy-policy-and-disclaimer/ https://www.daytonabahamahouse.com/privacy-policy http://www.techbeatph.com/wproot/about-us/privacy-policy/ https://citiesalive.org/citiesalive-privacy-policy https://milfordfamilydentalma.com/privacy-policy/ https://www.equian.com/privacy-policy/ https://hallhall.com/privacy-policy/ http://beatingbeats.com/privacy-policy https://cityventures.com/privacy-policy/ https://www.businessmapping.com/privacy.php https://entcenterutah.com/privacy-policy/ https://metrorichmondzoo.com/privacy-policy/ https://w4.shangri-la-frontier.com/privacy-policy/ https://www.poteaudental.com/privacy-policy.html https://eastlake.church/privacy-policy https://www.sellooil.com/privacy-policy/ https://www.wlf.louisiana.gov/page/privacy-policy-wma-app https://www.getstreamline.com/privacy-policy https://www.rolair.com/privacy https://www.arcadiapublishing.com/pages/privacy https://sddentalspecialists.com/privacy-policy/ http://jpisaacsauthor.com/privacy-policy/ https://www.aspirephysicalrecovery.com/privacy-policy/ https://elearning.costar.com/privacy-policy https://lospoblanos.com/privacy-policy https://luigis-citypizza.com/privacy/ https://bcgl-law.com/privacy-policy/ https://graypants.com/privacy-policy/ https://www.ledistrict.com/privacy https://luggagehero.com/terms-conditions/privacy-policy/ https://clearlinkpartners.com/privacy/ https://www.mems25.org/home/MEMS2025_PrivacyPolicy.pdf https://www.turntableindy.com/privacy https://www.gritman.org/privacy-policy/ https://carmifamilydental.com/privacy-policy/ https://olympuseyemd.com/privacy-policy/ https://ossonetwork.com/privacy-policy https://www.nwaproclad.com/privacy https://fairlawnwest.org/privacy-policy/Check out
Security Now - Global Privacy Control
Starts at 1:26:55
and
Security Now - Revisiting Global Privacy Control
Starts at 1:19:25
My understanding of some points:
For California residents, perhaps only when you browse a website from an IP address in California, a website which obeys Global Privacy Control signals can opt you out of sharing and selling your data after it is collected but it will not opt you out of data being collected by the website and the website’s third party analytics services. Colorado and Connecticut residents also have some legal protection using Global Privacy Control but the legislation is different and a website may react differently. The video was made in California and details about other locations were not fully discussed. Some states such as Virginia have corresponding legislation but do not appear to enforce the use of Global Privacy Control by website operators. Floria appears to primarily target big tech. Utah, Texas, Montana, Tennessee, Oregon, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Rhode Island have also enacted some form of privacy legislation with different degrees of applicability.
Global Privacy Control will apparently not apply to users in regions without corresponding regulation, at least for the example website in the video. In contrast, Do Not Track appears to apply to users everywhere when a website claims to obey Do Not Track signals. The act of claiming to obey Do Not Track signals makes that claim legally binding.
Global Privacy Control allows for third party analytics tools to still collect data about you. In the process of collecting data about you, a website may use a Global Privacy Control signal as a reason to ask you to disable Global Privacy Control protection for this website. Do Not Track does not appear to have this drawback, at least for Do Not Track implementations which follow the code snippets in b) which prevent third party analytics connections.
“Technical identifiers” is a very scary term and if you see it, it can mean many terrible things. According to the video, “technical identifiers” can include: your IP address, your cookie IDs, browser local storage identifiers, mobile device identifiers such as the Android advertising ID or the Apple identifier for advertising platforms, operating system based identifiers such as those offered on smart or connected TVs or media streaming devices, partner supplied technical identifiers, encrypted or one-way cryptographic hashes of personal information such as email addresses and phone numbers, account identifiers, derivatives or escalated versions of these identifiers, operating system or browser versions, cohort audience, and more. “In other words, everything. Trying to find some way to track you, hook onto you, see where you went, what you’re thinking, what you like, what you’re doing. We want it all.”
“There is no US federal law requiring companies to respect GPC. Also the GDPR interpretation of GPC sadly seems a little weak.”
“There are still too many regions that have no privacy regulations and the various regulations that do exist need to be harmonized with one another on what GPC really means. For example does the request apply only to further data collection or should it apply to data already collected? Does it apply to the user or just the device that set the GPC flag?”
In summary:
Global Privacy Control is not a replacement for Do Not Track. Do Not Track may offer stronger consumer protection. Global Privacy Control may be implemented by many US websites which choose not obey Do Not Track, offering arguably weak protection in place of no protection. Do Not Track has the potential to provide strong protection for European websites and for any website which volunteers to obey Do Not Track signals. Some US state laws recognize a universal opt-out mechanism, which can include Do Not Track or Global Privacy Control. The two settings deserve to coexist.
