Most websites and mobile apps use various tools to track browsing activity. This is done for a number of reasons:

  1. To get some insight into how many unique visitors the website receives
  2. To see how users interact with the web pages
  3. To gauge the effectiveness of ads

This article explores the Do Not Track (DNT) browser setting and the importance of a DNT clause in a Privacy Policy. It also looks at some examples of how different websites approach the DNT disclosure in their Privacy Policies.


Understanding DNT

DNT is a web browser setting a consumer may set to "on" or "off." By turning it on, the user instructs their browser to disable tracking of their web browsing activities. In simple terms, it's a setting that gives users the option to opt out of being tracked by the websites they visit.

When someone enables the DNT setting in their web browser, the browser automatically sends a special request to the websites they visit, asking the sites to stop tracking their activity. The users who leave the DNT setting disabled in their web browsers are essentially telling the websites they visit that they agree to have their activity tracked.

Why would a user want to have their browsing activity tracked? The answer is that tracking technologies can use the data they collect to personalize and greatly improve the user's online experience.

However, the web browser doesn't have any control over whether or not the DNT request will be honored by individual sites the user visits. Some websites may choose to honor the request, while others may choose to ignore it.

No law exists that requires a website to respect a user's DNT setting.

Do Not Track in Privacy Policies and CalOPPA

As of January 1, 2014, changes to the California Online Privacy Protection Act (CalOPPA) required the owners of websites, web apps, mobile apps, and desktop apps to include a Do Not Track disclosure in their Privacy Policy agreements.

The DNT disclosure should be a simple sentence or two that states whether or not the website responds to the DNT signals it receives.

A website has two options when addressing how it responds to the DNT requests it receives from visitors' web browsers:

  1. The website responds to the DNT setting configured on the user's web browser
  2. The website does not respond to the DNT setting configured on the user's web browser

In addition to this, the website's Privacy Policy also should address the possible presence of third parties (such as analytics companies and advertising networks) that may be conducting online behavioral tracking on the website or mobile app.

In order to comply with CalOPPA's DNT requirements, website owners must make sure they:

  • Clearly label the section in their Privacy Policy agreement that addresses online tracking, and
  • State how they respond to the DNT signals they receive from users' web browsers

The purpose of the DNT requirement is to let visitors know how the website responds to the DNT settings they've configured in their web browsers.

Is it Mandatory to Respond to a Do Not Track Request?

It isn't mandatory to respond to a DNT request. However, it is mandatory under CalOPPA to disclose whether you respond or not.

Even if a website owner or operator isn't based in California, it still must include a DNT disclosure in the Privacy Policy. This is because the website or app may be attracting visitors who live in California.

Simply put, if a website or mobile app receives visitors from California, then the site is required by law to disclose how it manages DNT requests. However, remember that the site is not required to respond to the DNT request.

What this means is that CalOPPA merely requires online business owners to inform site visitors whether or not they follow the DNT setting. Since they are not required to actually honor the request, it's entirely acceptable to state that the website does not honor the DNT requests it receives.

In fact, it is generally recommended that a site should not respond to the DNT request unless and until it can guarantee that the third-party websites integrating with the site will respond to the DNT request the same way. Third-party websites may include analytics services like Google Analytics, or advertising networks like Google AdSense.

For example, if a simple blog honors the DNT setting on a visitor's web browser but also uses Google Analytics, which doesn't honor DNT settings, then the site should not honor the DNT settings either.
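The following added example (not code from any site discussed here) shows the server-side check behind this advice: it reads the DNT request header a browser sends when the setting is on (`DNT: 1`) and only treats the site as responding to DNT when every embedded third party does too. The integration inventory, script paths, and function names are hypothetical, and the `honorsDnt` values are constructed for illustration.

```javascript
// Added example; all names and the integration inventory are hypothetical.
// Constructed sample: third-party scripts embedded by the site and whether
// each one is known to respond to DNT (illustrative values only).
const INTEGRATIONS = [
  { name: "analytics-vendor", src: "/vendor/analytics.js", honorsDnt: false },
  { name: "ad-network", src: "/vendor/ads.js", honorsDnt: true },
];

// A browser with the setting turned on sends the request header "DNT: 1".
// Header names are case-insensitive, so compare them lowercased.
function visitorOptedOut(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "dnt") return String(value).trim() === "1";
  }
  return false; // header absent: no opt-out request was sent
}

// The site can truthfully disclose "responds to DNT" only if every embedded
// third party responds the same way; otherwise report which ones prevent it.
function accurateDisclosure(integrations) {
  const blockers = integrations.filter((i) => !i.honorsDnt).map((i) => i.name);
  return { respondsToDnt: blockers.length === 0, blockers };
}

// Decide which tracking scripts to emit for one request, consistent with
// the disclosure the site is able to make.
function scriptsFor(headers, integrations) {
  const { respondsToDnt } = accurateDisclosure(integrations);
  if (respondsToDnt && visitorOptedOut(headers)) return [];
  return integrations.map((i) => i.src);
}

// Constructed request: DNT is on, but one integration ignores it, so the
// accurate disclosure is "does not respond" and both scripts are emitted.
console.log(accurateDisclosure(INTEGRATIONS));
console.log(scriptsFor({ DNT: "1" }, INTEGRATIONS));
```

Running the same check against the real list of embedded scripts is a quick way to confirm that the Privacy Policy's DNT statement matches what the site actually does.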

Examples of DNT Disclosures

Most websites include a simple DNT disclosure in their Privacy Policies. Following are some examples of DNT disclosures in the Privacy Policies of some popular websites.

H&M

H&M has a DNT disclosure clause in its Privacy Policy under the Online Tracking section.

H and M Privacy Policy: Online Tracking (DNT) Clause

It states that the company's websites do not support DNT settings and aren't participants of DNT frameworks that would allow them to respond to DNT signals. This simple statement meets the requirements of CalOPPA.

Medium

Medium links to a separate Do Not Track Policy page from its main Medium Policy page that explains how they handle DNT requests.

Medium's DNT Policy excerpt

This DNT Policy states that they will honor their readers' DNT settings requests. While it's not necessary to include a separate DNT Policy, it does help ensure that your website visitors will be able to quickly and easily find out about your DNT practices.

GitHub

GitHub includes a Tracking and Analytics section in its Privacy Policy and at the end of it includes information about Do Not Track signals.

GitHub Privacy Statement: Tracking and Analytics clause - DNT

Wix

Wix has a simple, one-line DNT disclosure in its Privacy Policy agreement which says that it does not honor DNT requests from browsers or mobile apps.

Wix Privacy Policy: "Do Not Track" Signals Clause

Summary

If a website operates in California or attracts visitors from California and collects personal information, it is required by law to comply with CalOPPA. This includes complying with the DNT disclosure rule and letting your users know whether or not you respond to their DNT settings.

Do this by either including a section in your current Privacy Policy stating what you do, or by creating a separate Do Not Track Policy and linking it to your Privacy Policy.

Remember, you don't have to honor DNT requests. You just have to disclose whether or not you do.