Do Not Track, Browser Fingerprinting, and the Global Privacy Control

Do Not Track

The Do Not Track (DNT) header was an attempt to create a standardised way for users to opt out of tracking on every website at once. A browser sends the header with the value 1 to indicate that the user opts out of tracking, 0 to indicate that the user opts in, or omits the header entirely to express no preference. Browser support was widespread, but the header was never adopted by the advertising industry or by most large tech companies. Google added support for the header in Google Chrome, but never abided by the header in their user tracking! Getting widespread global adoption for any web standard is challenging, and for privacy standards it is doubly so, because the ad industry and so many other players on the internet have a vested interest in ensuring that ads still get eyeballs and users still get tracked.

Browser Fingerprinting

Ironically, sending an opt-out with the DNT header now actually increases the likelihood of privacy harm to the user: because it is unusual, it makes that user easier to fingerprint from their browser and system configuration. It is important to be aware of browser fingerprinting, as it is increasingly used to uniquely identify users in place of cookies. While you can clear your cookies and local storage, you rarely change the configuration of your system (browser, user agent, screen resolution, operating system, graphics card, and so on). All of that and more is detectable by a web page using a little JavaScript. So if you collect any of this data about your users, treat all of it as personal data: taken together it is just as uniquely identifying as a name or email address.

💻 Exercise: test how uniquely identifiable your browser configuration is with these educational browser fingerprinting tools. Do the results surprise you? Where we're going (into ad industry purgatory), we don't need cookies...

Global Privacy Control

The Global Privacy Control (GPC) header is a proposed successor to DNT, and will hopefully enjoy a little more success. It has already been recognised as a valid Do Not Sell My Personal Information signal under the California Consumer Privacy Act (CCPA), which means that if you have Californian users you are legally required to support this header and respect those users' opt-out of tracking. The header is Sec-GPC, and an opt-out is signalled when its value is 1. In browsers that have implemented support, the signal can also be read from the DOM in JavaScript. The specification is still evolving, so check its website and reference server for the latest code-level details.
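The following is an added example (not from the original article, and not the GPC reference server's code) that evaluates both opt-out signals described on this page, DNT and Sec-GPC, for a request on the server side, and the same signals on the client side. It assumes the header semantics stated above (DNT 1 = opt out, 0 = opt in, absent = no preference; Sec-GPC 1 = opt out), that header names are matched case-insensitively as HTTP requires, and that the client reads navigator.globalPrivacyControl (the DOM property defined by the GPC specification) and navigator.doNotTrack (the deprecated DNT equivalent). The sample requests are constructed, not captured traffic, and the decision function returns the reason so it can be logged for audit.

```javascript
// Added example, not from the original article. Request objects below are
// constructed; the decision logic follows the header semantics the article
// describes.

// Case-insensitive header lookup over a plain { name: value } object.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return undefined;
}

// DNT is a three-state preference: 1 opt-out, 0 opt-in, anything else none.
function dntPreference(headers) {
  const v = headerValue(headers, 'DNT');
  if (v === '1') return 'opt-out';
  if (v === '0') return 'opt-in';
  return 'unspecified'; // absent or malformed: no user preference expressed
}

// Sec-GPC only ever carries an opt-out; any value other than "1" is no signal.
function gpcOptOut(headers) {
  return headerValue(headers, 'Sec-GPC') === '1';
}

// Server-side decision for one request. GPC carries legal weight under CCPA,
// so it is honoured first; a DNT opt-out is honoured as a matter of policy.
function trackingDecision(headers) {
  if (gpcOptOut(headers)) return { allowTracking: false, reason: 'Sec-GPC' };
  const dnt = dntPreference(headers);
  if (dnt === 'opt-out') return { allowTracking: false, reason: 'DNT' };
  return { allowTracking: true, reason: dnt === 'opt-in' ? 'DNT opt-in' : 'no signal' };
}

// Client-side equivalent. Takes a navigator-like object so it can be tested
// outside a browser; in a page you would call clientOptOut(window.navigator).
function clientOptOut(nav) {
  if (nav && nav.globalPrivacyControl === true) return true; // GPC DOM property
  if (nav && nav.doNotTrack === '1') return true;            // legacy DNT property
  return false;
}

// Constructed sample requests (header name casing varies on purpose).
const sampleRequests = {
  gpcOnly: { 'sec-gpc': '1' },
  dntOnly: { DNT: '1', 'user-agent': 'ExampleBrowser/1.0' },
  optIn: { dnt: '0' },
  nothing: { 'user-agent': 'ExampleBrowser/1.0' },
};

for (const [name, headers] of Object.entries(sampleRequests)) {
  console.log(name, trackingDecision(headers));
}
```

Wire trackingDecision into whatever middleware gates your analytics or ad tags, and keep the returned reason in the request log: when a regulator or a user asks how an opt-out was handled, the record of which signal was seen and honoured is what you will need.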