Do Not Track and the GDPR
GDPR & ePrivacy
The General Data Protection Regulation (EU) 2016/679, which has just come into force, is important for web privacy because it clarifies what makes for valid user consent in more detail than the Data Protection Directive that preceded it. The existing ePrivacy Directive (introduced in 2002, amended 2009) requires prior user consent for access to storage in browsers, other than for a restricted set of exempted purposes, and now for consent to be valid it must meet its description in the GDPR. Consent must not only be freely given, specific, informed and unambiguous, it must be indicated by the user's affirmative act – it is no longer enough to display "implied consent" notices, pre-selected checkboxes, or cookie walls, and it must be as easy for users to withdraw consent as to give it.
The GDPR also introduces much larger fines, making data and privacy protection a board level topic.
There is also a new ePrivacy Regulation (ePR) in the works, aimed at replacing the ePrivacy Directive. Although the European Parliament completed its deliberations last year, and voted through its own draft text, the European Council has dragged its feet somewhat. Even so, the important trilogue discussions between the European Parliament, Council and Commission, aimed at finalising the text, are expected to start soon.
DNT
The TPE also defines a JSON resource, called the Tracking Status Resource (TSR), to be made available by domains that implement DNT, located at a well-known path (/.well-known/dnt/). This resource enables domains to declare their identity, their policy for tracking, and other important items, so that browsers can show users the servers being enlisted to supply content for a page and support the now legally required transparency. European data protection and privacy law requires that users be able to determine who they may be tracked by, and for what purpose, and give their informed and specific consent if they freely choose to.
Later, further changes in the draft were put forward to meet the requirements of the European Parliament's agreed text for the EU's ePrivacy Regulation, and to allow for the communication of agreed purposes requested by the AdTech or "industry side" group members. The API was extended so that a site-specific signal was available to indicate the required right-to-object for permitted "web audience measurement" (A8.1d in the European Parliament's ePR text), i.e. to send a DNT:1 header to certain domains even if the general preference had not been set, and to define an extension to the header so that a purpose descriptor could be sent when consent had been given, i.e. an extension to the DNT:0 header. A new "purposes" property for the TSR was defined whereby a server can indicate, via a dynamically created web page, the purposes the user has agreed to by decoding the new extension field in the incoming DNT header.
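As an added example (not code from the TPWG drafts or from the author), here is a minimal server-side sketch in Python of the two mechanisms described above: parsing the incoming DNT field value into its 0/1 preference plus the extension trailer, and building the dynamic Tracking Status Resource body with a "purposes" property when consent was signalled. The field-value grammar and the "tracking"/"controller" properties follow the TPE as I recall it; the "+"-separated purpose encoding, the sample controller, and the choice to treat a missing or malformed header like DNT:1 are assumptions of this example, since the page defines none of them.

```python
import json
import re

# TPE grammar for the DNT field value (as recalled from the W3C TPE spec):
#   DNT-field-value = ( "0" / "1" ) *DNT-extension
#   DNT-extension   = %x21 / %x23-2B / %x2D-5B / %x5D-7E
# i.e. extension characters exclude controls, space, DQUOTE, comma and backslash.
_DNT_RE = re.compile(r'^([01])([\x21\x23-\x2B\x2D-\x5B\x5D-\x7E]*)$')


def parse_dnt(header_value):
    """Return (preference, extension) or None if the value is malformed.

    preference is '1' (user objects to tracking) or '0' (user consented);
    extension is the opaque trailer the page describes as carrying a purpose
    descriptor on a DNT:0 header.
    """
    if header_value is None:
        return None
    m = _DNT_RE.match(header_value.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def tracking_status(header_value):
    """Decide the 'tracking' value for this request's TSR plus agreed purposes.

    'N' = not tracking, 'C' = tracking with prior consent (TPE status values).
    A missing or malformed header is treated like DNT:1 here, following the
    page's point that consent must be an affirmative act (assumption of this
    example, not something the TPE mandates).
    """
    parsed = parse_dnt(header_value)
    if parsed is None or parsed[0] == '1':
        return 'N', []
    _, ext = parsed
    # Assumed purpose-descriptor encoding: '+'-separated tokens after the '0'.
    purposes = [p for p in ext.split('+') if p]
    return 'C', purposes


def tracking_status_resource(header_value, controller):
    """Build the dynamically generated /.well-known/dnt/ JSON body."""
    status, purposes = tracking_status(header_value)
    body = {'tracking': status, 'controller': [controller]}
    if status == 'C':
        body['purposes'] = purposes  # property described on the page; format assumed
    return json.dumps(body, sort_keys=True)
```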
Now that the GDPR is in force, and the ePrivacy regulation final text hopefully soon to be agreed, the fact that a CR exists for efficient signalling of user consent may encourage browser providers to implement or update their DNT implementations.
If they do, DNT would offer a much better signalling method for user consent than techniques based on HTTP cookies. Third-party cookies as presently constituted cannot convey site-specific consent1, and it is unlikely that users, once they have been made aware of their right to give their prior consent, will agree if their only option is to be tracked across the entire web. Although the IAB EU's recently introduced Consent and Transparency Framework (CTF) allows for consent to be recorded in first-party cookies, and so site-specifically, there is no mechanism to persist it within a sub-resource context without using a third-party cookie (or other domain specific storage), which is then incapable of recording the site-specific context. Without persistence the efficiency of indicating consent to third-parties becomes a problem.
In DNT the browser absolutely determines which domain receives the consent signal, within the parameters of the Same Origin Policy and, while it does not need the elaborate encoding of party identity, with its attendant fingerprinting risks, underlying the CTF's "daisybit" identifier, this can still be incorporated in a consent-based protocol where the "daisybit" is only sent to the parties the user has agreed to. This could give the online advertising industry, the publishers that rely on it, and web users a win-win outcome – good for data protection, privacy and commerce.
The architecture of the DNT protocols has been designed to be extensible, and there have been discussions in the TPWG about additions that could help publishers and advertisers improve efficiency by extending the protocols for consent-contingent targeting and privacy-oriented audience measurement. If representatives from publishing and advertising wish to engage with that, the TPE is a great base to build on. We have had a charter extension till September but if new members with a commitment to engage were to appear, we should be able to extend it further.
Mike O'Neill is an Invited Expert in the Tracking Protection WG