Securiti announces a $75M Series C Funding Round

View

Do Not Track: Everything You Need To Know

background-image

“What do people use the internet for?”

A simple question that may elicit thousands if not millions of responses owing to nearly 5 billion people using the internet as of 2022. That impressive fact also helps showcase the internet as one of the most (if not the most) valuable consumer channels on the planet for businesses.

Organizations and websites on the internet have proven this by using user-generated data to improve the overall browsing experience of internet users. Doing so improves the chances of a website connecting with its target market more effectively, thus resulting in better conversion rates and more revenue as a result.

The data gathered results from cookies downloaded on a user’s device, which track a user’s online behavior and browsing habits. Web services use tracking to run analytics to understand how users navigate through their website, which demographics of the visitors are most popular, what advertisements would be best suited for them etc. Based on this data, a website can personalize the content users see. In a nutshell, websites know what their customers want and can more effectively deliver.

However, as many privacy advocates have argued over the years, this arrangement relies on constantly monitoring a user’s online activity via cookies and similar technologies, which can often be quite invasive. With technology advancing by the day, privacy concerns and protecting users’ data have also caught momentum. The Do Not Track (DNT) technology emerged as a result of such concerns.

DNT is a web browser add-on/extension that aims to counter constant tracking and monitoring by adding a signal to a browser’s header informing other websites that you don’t want to be tracked.

So, read on to learn more about the background of DNT, what it means in the context of data privacy laws, how it affects advertising in general, and how organizations can adopt their practices in line with DNT if they choose to do so.

A Brief Background

Netscape invented the HTTP cookie as an innocuous tool that would help keep track of users’ activities, such as logins and real-time shopping carts while using their browser. However, since then, cookies have become a far more comprehensive data collection and consumer surveillance tool than initially envisioned.

While cookies' primary users and beneficiaries remain the websites, web browsers remain the primary vehicle for this method to be used. After all, since the days of Netscape, the cookies have been stored on the web browser to allow more effective and efficient tracking of a user’s activities.

Some may be tempted to call DNT a recent phenomenon, but upon closer inspection, that doesn’t seem to be the case. Privacy advocates have been vocal about the online use of cookies and other forms of tracking mechanisms. In 2007, the Federal Trade Commission (FTC) received a request from several privacy groups to establish a Do Not Track list for online advertising.

The list would have been relatively straightforward. A list of domain names that a website uses to place its cookies. Users on a website would have been able to access this list and know. The idea was not implemented for years until, in 2010, the FTC issued a privacy report that called on web browsers to implement a DNT feature. This would allow the users to send an opt-out request from the monitoring and tracking to the websites.

Web Browsers Taking the Right Steps

In January 2011, Microsoft formally announced that its next web browser would support Tracking Protection Lists to block tracking cookies in their Windows 8 version. Advertisers and website owners heavily criticized this. Later, other browsers such as Mozilla, Apple, Opera, and Google followed suit by providing support for DNT via a browser header. All these browsers allowed the user to choose and control the default setting for DNT.

However, DNT came under significant criticism as all it did was send an opt-out request to the browsers. Discretion was still with the website owners whether they honored that request or not. In the absence of regulations that would obligate the websites to honor DNT requests, websites and publishers were just not pushed to care, and very few advertising companies offered any support for the DNT.

Reputed advertising bodies such as the Digital Advertising Alliance and the Direct Marketing Association actively discourage the use of DNT by their members, citing insufficient regulations and a lack of established protocols on how websites should respond to the header. Thus, the DNT technology sadly never launched, and it became an inadequate privacy tool.

Currently, most web browsers have built-in options allowing users to enable DNT settings, Safari is the only one that discontinued this feature, deeming DNT as an expired standard. However, web browsers have also been proactive in ensuring that users aren’t left entirely helpless. The famous “incognito mode” or “private browsing mode” was introduced by most browsers, particularly to ensure that users could browse the internet without having to worry about cookies and their browsing habits being tracked. It was a good start. It wiped the session data from a user’s device but didn’t completely disable tracking from advertisers.

A Standardized Opt-Out Solution

Most privacy regulations either have an opt-in or opt-out model in place. As the name suggests, in an opt-in model, users have to consent to have their data collected. This model is one that is supported by frameworks such as General Data Protection Regulations (GDPR). On the contrary, the opt-out model allows data collection by default. The user must indicate that they wish to opt-out of having their data collected or, by extension, having their digital activities tracked.

The California Consumer Privacy Act (CCPA) requirement of having a Do Not Sell My Personal Information button or link on their web pages is an example of an opt-out mechanism in place. Another example of the opt-out mechanism would be AdChoices, a self-regulatory program that ensures users only sees ads based on their preferences. However, the AdChoice opt-out preference is stored in a cookie. Hence, if a user were to clear the cookies in their browser, the opt-out signal would also be eliminated.

The DNT, on the other hand, is a far simpler opt-out mechanism. Anytime a user connects to the internet, their traffic requests begin with bits of information known as “headers”. These headers include information such as the user’s browser, the default language, device, location, and other information. The DNT is a header, which, when enabled, precedes all other headers indicating to a website that this particular user does not wish the rest of their headers to be tracked.

At this point, if a website honors DNT requests, it may filter out such users, and this is why the DNT is a far more standardized opt-out mechanism since it can be enabled on any user’s traffic without requiring the use of any additional form of cookies.

Advertising Under the Microscope

Of course, the most direct impact of DNT was, is, and will always primarily be in the digital advertising world. Digital marketing now represents a significant strategic tool for most organizations, and for good reasons. Why target thousands when you can target millions? Or, more accurately, why target a thousand random users online when you can now target a million users far more likely to opt for what you have to offer?

That latter bit relies on tracking users’ online browsing behaviors and habits. DNT represents an existential threat to the advertising world. Even when browsers or websites choose not to offer any support for DNT, users have plenty of alternatives, such as Adblockers, that undo the entire purpose of collecting users’ data in the first place.

There have been growing calls for the advertising industry to adopt more privacy-friendly and less invasive methods. There’s no clear answer to how the industry plans to do that as a whole, but individual stakeholders have been developing methods to make it a possibility.

Google has been particularly active in that regard. It introduced Federated Learning of Cohorts (FLoC) that would have categorized all users into groups based on their shared interests online as an experiment to see if cookies could be replaced altogether.

It has since scrapped FLoC and focused on Topics. It is yet another experiment meant to replace individualized data collection on users.

The Future of Do Not Track

While DNT may not have become a standard industry practice, it may yet still achieve what it was meant to in essence.

The EU’s e-Privacy Directive requires businesses to give notice to website visitors on the use of cookies and track users via or use cookies only after they obtain users’ explicit consent. The websites are required to display a banner that clearly shows which are strictly necessary cookies and the ones that are only required for analytics for advertising purposes. This allows the users to choose and select which cookies they wish to accept.

The Global Privacy Control (GPC) is an HTTP header field, similar to the Do Not Track. It is a browser extension, which, when enabled, sends signals to websites that the user wishes to opt-out from selling their personal data (in compliance with the CCPA) or both, the selling and sharing of their personal data (in compliance with the CPRA from January 1st, 2023).

Just like the DNT, the GPC can indicate to all websites and publishers that a user does not want to have their data sold or shared in any form by ad trackers regardless of the technology being used, i.e., cookies, etc. The GPC has garnered a name for itself after being declared a valid mechanism for a consumer to make a ‘Do Not Sell My Personal Information’ request as per Section 1798.120 of CCPA.

The California Attorney General left little room for doubt after reiterating that organizations subject to the CCPA would have to respect any signals sent via the GPC or face penalties for non-compliance with CCPA Section 1798.120.

The recent fine levied on Sephora for failing to detect and process consumers’ opt-out requests made via their GPC signals indicates that organizations must now take such global user consent preference signals and requests not to have their data tracked, collected, or sold very seriously.

GPC may very well be the spiritual successor to the DNT, as many have described it so. However, unlike the DNT, websites now have a legal and regulatory obligation to adhere to it, with strict monetary fines for those that fail to do so. Read more on GPC and what it means for privacy here.

Automate Do Not Track Signals with Securiti Privacy Center

Just like the Do Not Sell My Personal Information signal under the CCPA, other data regulations have similar options for users. The upcoming California Privacy Rights Act (CPRA) takes it further with its Do Not Sell or Share My Personal Information signal.

In other words, users now have a legal right to request an end to the website collecting or sharing their data with third parties for cross-contextual advertising even without there being an exchange of monetary value - covering a lacuna that existed in CCPA Section 1798.120 which was being exploited by certain online advertisers to consider their activities outside the remit of a ‘sale of personal information’. This new provision will require websites to rethink their online advertising strategies and pay greater attention to regulatory compliance to avoid millions of dollars in fines and the loss of users’ trust.

Securiti is a market leader in providing enterprise solutions related to data compliance and governance. Its artificial intelligence and machine learning algorithms-based solutions ensure an organization can effectively comply with any and all global obligations set forth by data regulations.

Its Privacy Center allows a website to comply with a myriad of complex and evolving global privacy regulations from a centralized interface, such as cookie consent, privacy notice management, individual DSAR requests, and Do Not Sell functionalities.

Additionally, Securiti provides a Do Not Track functionality that lets you detect the DNT signal from the leading W3C Working Group and reflect the user's status properly within the centralized Privacy Center dashboard.

Request a demo today to learn more about how Securiti can help you comply with the CCPA and all other significant data regulations globally.

Share this

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.

Newsletter



Users love Securiti on G2 G2 leader spring 2022 G2 leader summer 2022 G2 leader easiest business 2022 RSAC Leader Forrester Badge IAPP Innovation award 2020 Gartner Cool Vendor Award Sinet Innovator Award