W3C

Do Not Track and the GDPR

The Tracking Protection Working Group (TPWG) has been engaged with issues of online data protection, privacy and tracking since 2011. Its Tracking Preference Expression (TPE) draft recommendation, substantially completed in 2013, first became a Candidate Recommendation (CR) in August 2015. The main feature of the TPE, the DNT request header, is now implemented by all the major browsers via a general preference setting; the JavaScript API for registering a site-specific preference is implemented by browser extensions, and natively by Microsoft’s Internet Explorer and Edge browsers.

The DNT header conveys a setting the user has made within their browser, either directly or mediated by script on a page, expressing their preference to agree to or decline being tracked. Once a “general preference” is configured, the browser adds the DNT header to every HTTP request, including requests for embedded sub-resources. The header value starts with either “1”, meaning “Do Not Track”, or “0”, meaning “this user has agreed to tracking for the purposes explained”. A defined JavaScript API lets a browsing context change the DNT setting for its own origin, or for the origins of its embedded sub-resources – so-called “site-specific” consent.
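The header semantics above, as an added example (my own code, not the post’s or the TPE’s): a server-side parser that applies the CR’s grammar for the header value and turns the result into a decision. It assumes a Node-style `headers` object with lower-cased names; treating a malformed value as “no preference expressed” is this example’s policy, not wording from the CR.

```javascript
// Added example, not code from the W3C post or the TPE: parsing the DNT
// request header on the server side.
// The grammar follows the TPE Candidate Recommendation:
//   DNT-field-value = ( "0" / "1" ) *DNT-extension
//   DNT-extension   = %x21 / %x23-2B / %x2D-5B / %x5D-7E
// (any printable ASCII except SP, DQUOTE, "," and "\").
// Assumption: `headers` is a plain object with lower-cased names, as Node's
// http module provides. Treating a malformed value as "no preference" is
// this example's policy choice, not text from the CR.
'use strict';

const EXTENSION_CHARS = /^[\x21\x23-\x2B\x2D-\x5B\x5D-\x7E]*$/;

/**
 * Parse one DNT header value.
 * preference: 'no-track' (DNT:1), 'track' (DNT:0) or 'unspecified' (absent/invalid).
 * valid: false when a header was present but did not match the grammar.
 */
function parseDnt(value) {
  if (value === undefined || value === null) {
    // Header absent: the user has expressed no preference at all.
    return { preference: 'unspecified', extension: '', valid: true };
  }
  if (typeof value !== 'string' || value.length === 0) {
    return { preference: 'unspecified', extension: '', valid: false };
  }
  const first = value[0];
  const extension = value.slice(1);
  if ((first !== '0' && first !== '1') || !EXTENSION_CHARS.test(extension)) {
    // "DNT: yes", "DNT: 1 " (trailing space) and the like: do not guess.
    return { preference: 'unspecified', extension: '', valid: false };
  }
  return { preference: first === '1' ? 'no-track' : 'track', extension, valid: true };
}

/**
 * Turn a request's headers into a tracking decision.
 * Only a well-formed DNT:0 counts as agreement. Absence of the header is not
 * consent (the GDPR requires an affirmative act), so 'ask' tells the caller to
 * consult its own consent record or present a choice to the user.
 */
function trackingDecision(headers) {
  let raw = headers.dnt;
  // Repeated header fields arrive joined with ", " (as Node does); "," is not
  // a legal extension character, so two conflicting DNT headers fail parsing.
  if (Array.isArray(raw)) raw = raw.join(', ');
  const { preference } = parseDnt(raw);
  if (preference === 'no-track') return 'deny';
  if (preference === 'track') return 'allow';
  return 'ask';
}

// Constructed sample header sets for this example (not captured traffic).
const SAMPLE_REQUESTS = [
  { dnt: '1' },          // general "do not track" preference
  { dnt: '0' },          // user agreed to tracking for the explained purposes
  { dnt: '0abc' },       // DNT:0 with an extension (decoded elsewhere)
  {},                    // no header: no preference expressed
  { dnt: 'yes' },        // malformed
  { dnt: ['1', '0'] },   // duplicate, conflicting headers
];
for (const h of SAMPLE_REQUESTS) {
  console.log(JSON.stringify(h).padEnd(20), '->', trackingDecision(h));
}
```

The point a practitioner should take from the three-way result is that “no header” and “DNT:0” are different states: the first means the server must fall back to whatever consent record it holds (or ask), while only the second is an affirmative signal that can be relied on.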

GDPR & ePrivacy

The General Data Protection Regulation (EU) 2016/679, which has just come into force, is important for web privacy because it clarifies what makes for valid user consent in more detail than the Data Protection Directive that preceded it. The existing ePrivacy Directive (introduced in 2002, amended in 2009) requires prior user consent for access to storage in browsers, other than for a restricted set of exempted purposes, and for that consent to be valid it must now meet the GDPR’s definition. Consent must not only be freely given, specific, informed and unambiguous, it must be indicated by the user’s affirmative act – it is no longer enough to display “implied consent” notices, pre-selected checkboxes or cookie walls – and it must be as easy for users to withdraw consent as to give it.

The GDPR also introduces much larger fines, making data and privacy protection a board level topic.

There is also a new ePrivacy Regulation (ePR) in the works, aimed at replacing the ePrivacy Directive. Although the European Parliament completed its deliberations last year, and voted through its own draft text, the European Council has dragged its feet somewhat. Even so, the important trilogue discussions between the European Parliament, Council and Commission, aimed at finalising the text, are expected to start soon.

DNT

DNT is an efficient way to convey user consent to web servers because the header is present in every request. A JavaScript global property also lets a browsing context, whether an iframe or a first-party page, immediately determine the current setting. HTTP cookies can of course also encode a consent signal, but there is no way to include them selectively in sub-resource requests: once stored, a cookie is sent with every request to its domain, whichever first-party site the third-party resource is embedded in, and there is no simple or efficient API by which a browsing context can set cookies for the domains of its embedded sub-resources.

The TPE also defines a JSON resource, the Tracking Status Resource (TSR), which domains that implement DNT make available at a well-known path (/.well-known/dnt/). Through it a domain declares its identity, its tracking policy and other important items, so that browsers can show users which servers are being enlisted to supply content for a page, supporting the transparency that is now legally required. European data protection and privacy law requires that users be able to determine who may track them and for what purpose, and to give their informed and specific consent if they freely choose to.

The Tracking Protection Working Group was given a new charter in 2017 to “demonstrate the viability of the TPE to address the requirements for managing cookie and tracking consent that satisfies the requirements of EU privacy legislation”. This resulted in a new CR for the TPE in October 2017, which included improvements to the JavaScript API and other elements.

Later, further changes to the draft were put forward to meet the requirements of the European Parliament’s agreed text for the EU’s ePrivacy Regulation, and to allow the communication of agreed purposes requested by the AdTech or “industry side” group members. The API was extended so that a site-specific signal could express the right to object that the Parliament’s text requires for permitted “web audience measurement” (Article 8.1(d) of the Parliament’s ePR text), i.e. to send a DNT:1 header to certain domains even when no general preference has been set; and an extension to the header was defined so that a purpose descriptor can be sent when consent has been given, i.e. an extension to the DNT:0 header. A new “purposes” property for the TSR was defined, whereby a server can indicate, in a dynamically generated resource, the purposes the user has agreed to, by decoding the new extension field in the incoming DNT header.
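The Tracking Status Resource described earlier and the DNT:0 purposes extension described here, as one added example (my own code, not the post’s, the working group’s or the TPE’s): a server decodes the extension, builds a per-request TSR with a “purposes” member, and a consumer checks a fetched TSR. The tracking status characters, the /.well-known/dnt/ location and the Tk response header are from the TPE; the single-character purpose codes in `PURPOSE_CODES` and the site description in `SITE` are assumptions invented for the example, not the draft’s actual purpose encoding.

```javascript
// Added example, not code from the W3C post or the TPE: a server building a
// per-request Tracking Status Resource (TSR) from the incoming DNT header,
// and a consumer-side validity check.
// From the TPE: the TSR lives under /.well-known/dnt/, its "tracking" member
// takes one of the status characters below, and the same character is sent in
// a Tk response header. From the post: a "purposes" member listing what the
// user agreed to, decoded from the DNT:0 extension.
// Assumption, labelled: PURPOSE_CODES (one extension character per purpose)
// is a made-up encoding for this example; the draft's actual encoding is not
// reproduced here. SITE is a constructed site description.
'use strict';

// Tracking status values defined by the TPE.
const TRACKING_STATUS = new Set(['!', '?', 'G', 'N', 'T', 'C', 'P', 'D', 'U']);

// Hypothetical purpose codes (this example only).
const PURPOSE_CODES = {
  a: 'audience-measurement',
  f: 'frequency-capping',
  p: 'personalised-advertising',
};

/**
 * Purposes the user has agreed to, derived from a DNT header value.
 *  - DNT:1 or no header: none.
 *  - plain DNT:0: consent to every purpose the site explained (`declared`).
 *  - DNT:0 with extension: only the coded purposes, and only those the site
 *    actually explained; any unknown code makes the whole signal void, because
 *    a half-understood consent signal must not be honoured as consent.
 */
function consentedPurposes(dntValue, declared) {
  if (typeof dntValue !== 'string' || dntValue[0] !== '0') return [];
  const ext = dntValue.slice(1);
  if (ext === '') return declared.slice();
  const codes = ext.split('');
  if (codes.some(c => !Object.prototype.hasOwnProperty.call(PURPOSE_CODES, c))) return [];
  const wanted = [...new Set(codes.map(c => PURPOSE_CODES[c]))];
  return wanted.filter(p => declared.includes(p));
}

/**
 * Build the TSR body for one request and the matching Tk header value.
 * Policy choice of this example: without an explicit DNT:0 the server does not
 * track, so it reports "N" rather than "T" or "D".
 */
function trackingStatusResource(dntValue, site) {
  const purposes = consentedPurposes(dntValue, site.declaredPurposes);
  const tracking = purposes.length > 0 ? 'C' : 'N';
  const body = {
    tracking,
    controller: [site.controller],  // party accountable for the processing
    policy: site.policy,            // human-readable privacy policy
    'same-party': site.sameParty,   // other domains under the same controller
  };
  if (tracking === 'C') body.purposes = purposes;
  return { tk: tracking, body };
}

/** Check a fetched TSR the way a browser or extension might before showing it. */
function isValidTrackingStatusResource(tsr) {
  if (!tsr || typeof tsr !== 'object') return false;
  if (typeof tsr.tracking !== 'string' || !TRACKING_STATUS.has(tsr.tracking)) return false;
  if ('purposes' in tsr &&
      !(Array.isArray(tsr.purposes) && tsr.purposes.every(p => typeof p === 'string'))) {
    return false;
  }
  return true;
}

// Constructed site description (not a real site).
const SITE = {
  controller: 'https://example.com/about',
  policy: 'https://example.com/privacy',
  sameParty: ['example.com', 'static.example.com'],
  declaredPurposes: ['audience-measurement', 'frequency-capping'],
};

for (const v of ['0', '0af', '0a', '0p', '0x', '1', undefined]) {
  const r = trackingStatusResource(v, SITE);
  console.log(String(v).padEnd(9), 'Tk:', r.tk, JSON.stringify(r.body));
}
```

Two design choices are worth noting: an extension containing any code the server does not recognise voids the whole signal rather than being partially honoured, and a purpose the user coded but the site never explained is dropped, since consent can only be specific to purposes that were actually presented.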

Implementation

Now that the GDPR is in force, and the final text of the ePrivacy Regulation is hopefully soon to be agreed, the existence of a CR for efficient signalling of user consent may encourage browser providers to implement or update their DNT implementations.

If they do, DNT would offer a much better signalling method for user consent than techniques based on HTTP cookies. Third-party cookies as presently constituted cannot convey site-specific consent, and it is unlikely that users, once made aware of their right to give prior consent, will agree if their only option is to be tracked across the entire web. Although IAB Europe’s recently introduced Transparency and Consent Framework (TCF) allows consent to be recorded in first-party cookies, and so site-specifically, there is no mechanism to persist it within a sub-resource context without using a third-party cookie (or other domain-specific storage), which is then incapable of recording the site-specific context. Without persistence, the efficiency of indicating consent to third parties becomes a problem.

With DNT the browser alone determines which domain receives the consent signal, within the bounds of the Same Origin Policy. It does not need the elaborate encoding of party identity, with its attendant fingerprinting risks, that underlies the TCF’s “daisybit” identifier, but that identifier could still be incorporated in a consent-based protocol in which it is only sent to the parties the user has agreed to. This could give the online advertising industry, the publishers that rely on it, and web users a win-win outcome: good for data protection, privacy and commerce.

Extensions

The architecture of the DNT protocols was designed to be extensible, and there have been discussions in the TPWG about additions that could help publishers and advertisers improve efficiency, by extending the protocols for consent-contingent targeting and privacy-oriented audience measurement. If representatives from publishing and advertising wish to engage with that, the TPE is a good base to build on. We have had a charter extension until September, but if new members with a commitment to engage were to appear, we should be able to extend it further.


Mike O’Neill is an Invited Expert in the Tracking Protection WG

4 thoughts on “Do Not Track and the GDPR”

  1. I am for the concept of allowing all users who browse the web more control over their data. And I do not agree with how anyone, company or even government, has been able to easily manipulate the general public by underlining an enormous amount of fine print that must be agreed upon if choosing to utilize such services being provided.

    Even though a user is fully responsible for the data that is being shared, a precise line must be drawn when it pertains to any user’s privacy.

    First of all, I as an American am not associated with the E.U. in any way, shape or form. And yet, as much as I’m doing my research pertaining to the G.D.P.R., I cannot find anywhere that states that I have the right to have a company based within the E.U. delete my data!? And if they don’t, how would I know? And if I do know, how does my Government protect us from anyone outside of the U.S. collecting as much data as they can from us Americans and possibly planning a digital attack, when not many Americans comprehensively understand how today’s technology works to begin with? And this topic alone can be discussed in more detail.

    Furthermore, I’m also concerned about a new form of blockade being implemented in today’s market, with the unbelievable amount of deception when it pertains to any form of E-Commerce business within the U.S.

    As of right now, this entire ordeal with online privacy, data collecting etc. seems to hurt the American people on a much broader economic scale, rather than ensuring a level playing field for users worldwide.

    I hope I am mistaken about how I’m viewing this and am only trying to encourage all people to utilize the internet as a powerful resource. I thank you for your time.

    Matthew S. Shea

    1. Hi Matthew,

      DNT was started as a response to concerns expressed in the US as well as elsewhere. The W3C activity took off after a White House meeting where President Obama called on the online industry to come up with a way for people to express their agreement (or not) to being tracked. He said legislation would follow if a mechanism did not emerge, but this did not in the end happen (the DNT signal did become available in browsers, but web sites on the whole ignored it).

      The EU has responded to tracking with more law-based approaches, namely ePrivacy, but again this has been mainly ignored by companies, perhaps because the sanctions available to regulators were inadequate given the expense of prosecution, and the law did not reach US entities.
      The GDPR has changed the environment on this, so now there will be a change in tracking behaviour in Europe. US-based web servers, where they target European residents, will also have to comply with ePrivacy and the GDPR.

      DNT is simply a signal designed to convey user consent for tracking, and will help protect privacy whatever the legal jurisdiction.

  2. As a Performance Engineer, the DNT provisions and the recommendations from RFC 6302 are going to have broad impacts on my work. It will become more difficult to catch poor performance issues.

    Today, I can pull information from logs, or from tools such as Dynatrace, AppD or New Relic, down to the session level and watch (sometimes with PII data attached) how the system under examination is performing, allowing me to catch performance issues more quickly. Security professionals also have the same need for detailed access to catch security issues.

    The recommendation for purging logs quickly is also going to complicate catching long-term performance and security issues, as well as trend analysis. This will make the building of load profiles more difficult if no system contains objective truth because of data missing due to DNT provisions.

    I can see companies making direct decisions, if the GDPR fines are low, to simply remain in a non-compliant state as long as there is access to the European market. This would allow current performance and security analysis practices to continue. If the fines are large or the threat of cutoff from the market is made, then be prepared to simply throw hardware at your performance issues, and be prepared for many more uncaught data breaches.

  3. Hi James,

    The TPE (the DNT technical document) does not deal with log data per se, and I have not been involved with RFC 6302, but there are data protection principles, which in Europe at least have legal force, that have a bearing on how long activity logs should be kept.

    Where logs contain personal data, which can now include IP addresses, cookie UIDs and the like, they must be processed for a limited purpose and must not be kept for longer than necessary.

    There is no reason that concerns about security and data breaches need to conflict with these basic principles.
