A Guide for Consumers Who Want to Protect Their Privacy and Companies That Want to Respect Consumer Choice
Tracking systems—systems for collecting information about users’ online activities—are everywhere on the Web today. They follow and profile users without consent, using cookies, beacons, browser and device 'fingerprints', and other unique identifiers to spy on our online activities. Traditional cookies can be blocked or purged, but system fingerprinting and many forms of “supercookies,” are harder to stop.
Frequently, evading this type of tracking means blocking online advertisements entirely. That’s because ads are often designed to collect user data for billing and other purposes. And it’s not just ads: many embedded page elements such as social network “like” buttons will track user data when the element is first loaded, even if the user never clicks on that button or embed.
We think using the Web—including viewing online advertisements—shouldn’t come at the cost of privacy. Whether their business is analytics, advertising, or social networking, companies dealing with data must be persuaded to respect a universal opt-out from tracking and collecting personal data without consent.
This guide outlines exactly how such a universal opt-out will work. It summarizes for individual users as well as a website operators how the “Do Not Track” setting in the browser should be respected. It’s a policy that strikes a balance between user privacy and the needs of data service operators. Read the full DNT policy.
The Basics of Do Not Track
Not all websites honor DNT signals or EFF’s DNT policy, so we suggest users install tracking protection software such as Privacy Badger to enforce their privacy in the meantime.
Do Not Track (DNT) is a setting configured in the browser. When activated, DNT transmits a signal that indicates the user does not consent to tracking.
DNT Binds Websites and Third Parties
When a DNT user interacts with a complying domain, she will be treated as someone about whom nothing is known and nothing is to be remembered (subject to exceptions and rules described below).
We already see websites implementing this.
Welcome to the party!
- First party: a website that you visit directly. For example, right now you're on https://eff.org. So EFF is acting as a first party.
- Third party: content that is generally served from a website you aren't visiting. For example, embedded advertisements or social media buttons.
The publisher Medium has adopted the policy as a first party, and it ensures that any third parties used on its site (ads, widgets, analytics) will not collect data on DNT users without consent.
Keeping this promise is straightforward if the third parties have adopted DNT or have practices consistent with its standards. For example, the analytics company Mixpanel will be rolling out a compliant analytics service that will make it simple for any first party publisher to collect analytics data in a manner consistent with the policy.
If the third party is not DNT compliant, the first party must either get a contractual commitment from it to respect DNT users' opt-outs, or else take technical steps to prevent user data from leaking to the third party.
For example: suppose that a DNT user views a webpage that has promised to comply with EFF’s DNT policy. If that webpage contains a social networking “like” button, no user data should be transmitted to that social network unless the button is clicked. But imagine the social network does not honor DNT and currently will collect data on users as soon as the “like” button is loaded on the page. So the DNT-compliant site can choose to remove the the “like” button, negotiate special treatment for its DNT visitors with the social network, or find a way to disable the “like” button's tracking functionality unless the DNT user interacts with it.
DNT Means Do Not Collect...
Under our policy, compliant entities should not collect unique identifiers such as cookies, fingerprints, or supercookies from DNT users, unless one of the exceptions below applies or the user has given her informed consent.
And Do Not Retain...
Logs containing protocol data generated in the course of any network interaction (browser name and version, IP address) can be retained for a maximum of ten days. After that, operators can keep statistically aggregated or de-identified records, which they may use for modeling and observing readership patterns, usage statistics, etc. Such datasets may be shared or retained indefinitely, but this policy provides guidelines to help ensure that individuals' information won't be re-identified.
Except Where Required...
Sometimes sites are forced by law to retain certain types of data. If this occurs, users must receive notification of the request if the law allows it. Data may also be retained in response to suspected security incidents or fraud; all such data must be stored securely and protected against disclosure. Companies may not, however, share this data with other parties, or use it to build user profiles or personalize content.
Necessary to Complete a Transaction...
When a user performs an action, information about them can be held for as long as required for the transaction. In the case of an online purchase, a physical address may be needed for delivery. Similarly, if a comment is posted to a website, a copy will be retained together with information about the user account. If an ad is clicked, that click may be recorded for billing the advertiser's payment to the host website.
... Or With the Clear Consent of the User
Some websites may offer a different type or level of service (or even refuse service altogether) for users who have opted out of tracking. In those cases, a user may choose to give her consent to tracking in order to access the functionality of the site. Users may also be willing to be tracked or disclose personal information because they want to support a site financially. If a site obtains clear and informed consent before collecting data, it remains DNT-compliant.
Fig.1 Medium.com provides DNT users with clear enough guidance at log-in to obtain consent.
No Mobile Version
This policy was designed for desktop browsers interacting with websites. This policy isn’t necessarily appropriate for the mobile environment.
Making Widespread Do Not Track Adoption Easier
Under EFF’s DNT policy, companies do not need to make an all-or-nothing DNT decision across all their Web domains; they can agree to honor DNT on their main domain, or only when providing services for others (advertising, analytics, widgets etc).
For example, a site might run a social network, www.example.com, and an ad network serving ads for other sites, ads.example.com. Under the EFF policy, the site can decide to comply on ads.example.com without implementing the policy on the main social network. Even though the two sites share the same owner, they don’t have to follow the same policy. This makes adoption easier, especially for third parties. The more third party services respect this DNT policy, the easier it will be for first party services to seamlessly embed those third party tools in their sites without worrying about DNT compliance. So, adoption on a per-domain basis should help DNT spread more quickly.
Companies supporting DNT do so voluntarily, but existing law generally requires companies to honor such voluntary commitments. Under such laws, a company that doesn’t do what it says it will do may be engaging in an unfair, deceptive or misleading trade practice. Consumer protection entities like the Federal Trade Commission and state attorneys general can take action against such deceptive practices.
Is DNT for You?
Effect of 'Do Not Track'
|Filter Bubble / Customized content||Stops or de-identifies*|
|Social Media Widgets ('like” buttons, etc)||Data sent only when clicked|
|Ads||Allowed if privacy compliant|
|Targeted ads||Stops or de-identifies*|
|Visitor datasets||Can only hold if aggregated and de-identified|
|Webserver logs||10 days (no cookies or unique IDs other than IP)|
|Browsing anonymity||Maybe someday. In the meantime, use Tor.|
|Protection against unlawful or mass surveillance||No|
* Customization of content cannot be based on unique user identifiers under EFF’s DNT policy, but it may be possible to implement non-tracking forms of customization, where the user's browser or the site knows (for instance) that the user is interested in cars but doesn't know why, or who they are.
This guide was an overview. Check out the full Do Not Track policy and the technical implementation guide.