When doing a Google search about Do-Not-Track and the California Consumer Privacy Act (CCPA) it’s rather common to see that sites must respect the Do-Not-Track (DNT) setting rather than validate each scenario with the user.
I feel this is problematic.
The draft regulations presently read:
If a business collects personal information from consumers online, the business shall treat user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer.
https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-proposed-regs.pdf
So it doesn’t call out DNT by name. Which to me, is good – because if we take a look at the status of the W3C specification it reads:
Since its last publication as a Candidate Recommendation, there has not been sufficient deployment of these extensions (as defined) to justify further advancement, nor have there been indications of planned support among user agents, third parties, and the ecosystem at large. The working group has therefore decided to conclude its work…
https://w3c.github.io/dnt/drafts/tracking-dnt.html#widl-Navigator-doNotTrack
The status of Candidate Recommendation is important. This means it did not complete the recommendation process for the W3C. So what is a Candidate Recommendation?
Candidate Recommendation indicates that no further improvement is expected without additional implementation experience and testing. A Candidate Recommendation is expected to be as well-written, detailed, self-consistent, and technically complete as a Recommendation, and acceptable as such if and when the requirements for further advancement are met
https://www.w3.org/2019/Process-20190301/#rec-advance
In theory it’d then progress to Proposed Recommendation before finally becoming a W3C Recommendation. I feel it’s important to understand the difference between Candidate and Formally Recommended.
A W3C Recommendation is a specification or set of guidelines or requirements that, after extensive consensus-building, has received the endorsement of W3C Members and the Director. W3C recommends the wide deployment of its Recommendations as standards for the Web. The W3C Royalty-Free IPR licenses granted under the W3C Patent Policy apply to W3C Recommendations.
https://www.w3.org/2019/Process-20190301/#rec-advance
So while the specification was ‘complete’ it did not advance to the point of wide agreement and endorsement. As such, Safari abandoned the effort earlier this year citing:
The introduction of ITP 2.1 coincides with Safari removing support for the Do Not Track (DNT) signal. The DNT signal was an attempt by web stakeholders to offer users an off-by-default way to ask servers not to track them. Importantly, DNT did not offer technical enforcement to prevent tracking of users by websites. Apple supported the DNT project starting in 2011, but since then, the vast majority of websites unfortunately have not changed their behavior in response to the DNT signal for the users who elected to turn it on. Instead, online tracking and tracking techniques have become more pervasive and sophisticated in spite of the DNT project.
https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/
So as a result as a specification it is not adopted across all major browsers.
Since the specification did not advance, it could very well be that other major browsers remove support in effort to clean up their codebase and remove identifiers which can be used in fingerprinting, just as Safari has done. However without a common widely accepted identifier regarding tracking it will potentially be exceptionally difficult for websites and vendors to comply which may end up having to look for and acknowledge multiple mechanics.
This may jump start the discussion again, and I hope it does. However until that time I see Do-Not-Track as a ‘best shot’ at compliance with the CCPA, but also a possible legal minefield for being recognized as the definitive mechanism that browsers should use that websites serving residents of California are required by law to abide by.