What is a Do Not Track request and why do I need it in my privacy policy?

Do Not Track (DNT) is a browser setting available on all major web browsers, which tells websites not to track your personal data.

Here’s how it works – once you switch on DNT, your browser sends a request to each website you visit not to send you cookies or fire up any other third-party analytics or tracking tools.

In theory, a website should then automatically recognise this request and avoid tracking you while you’re on the site, but it depends on whether a website owner actually chooses to recognise and action these requests.

However, with the introduction of the California Consumer Privacy Act (CCPA)’s ‘Right To Opt-Out’, certain organisations are now obligated to respect these requests and may face fines if they fail to comply.

In this article, we’ll cover everything that business owners need to know about DNT requests and how to ensure your privacy policy is compliant.

What do the latest privacy regulations say about DNT requests?

If you’re a small business owner who has a website or app that is run in California, or if you have users who are based in California, the CalOPPA and CCPA may apply to your business.

While DNT requests were not legally binding in previous years, the ‘Right to Opt-Out’ gives website users the authority to stop the “sale” of their personal information to third parties.

Under the CCPA, “sale” means “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

So, even if your business isn’t exchanging people’s personal data for money, you could still be violating the CCPA if you’re doing it in return for anything that benefits your business.

For example, you may use cookies and tracking pixels via Google Analytics to gain insights about your website and business.

To maintain compliance with both the CalOPPA and CCPA, you’ll need to include a number of disclosures in your privacy policy which explain:

  1. How your business responds to DNT requests.
    If you don’t respond at all, all you’ll need to do is ensure this is clearly disclosed in your policy. If you do, then you’ll need to explain how your business responds to the signal – that is,
  2. Your website’s online tracking practices.
    This includes other third parties (such as Google Analytics) that may be tracking a visitor while they’re on your website.
  3. How visitors to your website can opt out of tracking.
    Both privacy laws make it abundantly clear that you shouldn’t purposely deceive users or make it difficult for them to opt out of tracking. Your privacy policy must be easy to find and access on your website, and be written in plain language that clearly explains what your users’ privacy options are and how to opt out of tracking.

Do DNT requests even work?

Between the ambiguous and constantly changing legislation around tracking technologies, and the tools currently available to website users and business owners, there’s still a way to go before we can expect 100% compliance with DNT requests.

For one, there’s the practical issue of users having to opt out of websites one by one, which isn’t an easy or sustainable strategy for protecting their privacy.

While some privacy advocates and developers have built a number of browser extensions designed to automate this process, they aren’t all universally supported (and some website owners aren’t even technically equipped to action DNT requests).

One promising development is the creation of the Global Privacy Control (GPC) – a global opt-out setting which will automatically send out a signal to every website users visit.

So far, a range of major organisations and browsers have joined the movement and integrated their privacy practices with the GPC, with 40 million users and counting.
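
The DNT request and the Global Privacy Control signal described above reach a site as the request headers `DNT: 1` and `Sec-GPC: 1`. The following is an added example, not GetTerms' code: a server-side check that decides whether to load analytics and records which signals were received but not honoured. The policy object, function names and sample requests are assumptions.

```javascript
// Added example. "DNT" and "Sec-GPC" are the real request header names;
// the policy object, function names and sample requests are hypothetical.

// HTTP header names are case-insensitive, and some frameworks pass repeated headers as arrays.
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(Array.isArray(value) ? value[0] : value).trim();
  }
  return out;
}

function readPrivacySignals(headers) {
  const h = normalise(headers);
  // DNT: "1" = do not track, "0" = tracking allowed, absent or anything else = no preference.
  const dnt = h["dnt"] === "1" ? "opt-out" : h["dnt"] === "0" ? "allow" : "unset";
  // Sec-GPC is only defined with the value "1"; any other value is treated as not sent.
  const gpc = h["sec-gpc"] === "1";
  return { dnt, gpc };
}

function trackingDecision(headers, policy) {
  const { dnt, gpc } = readPrivacySignals(headers);
  const received = [];
  if (dnt === "opt-out") received.push({ signal: "DNT: 1", honored: !!policy.honorDnt });
  if (gpc) received.push({ signal: "Sec-GPC: 1", honored: !!policy.honorGpc });
  const optedOut = received.some((s) => s.honored);
  return {
    loadAnalytics: !optedOut, // e.g. skip the analytics tag and tracking pixels
    setTrackingCookies: !optedOut,
    honored: received.filter((s) => s.honored).map((s) => s.signal),
    // Signals received but not acted on: what the privacy policy has to disclose.
    ignored: received.filter((s) => !s.honored).map((s) => s.signal),
    // The response can differ per signal, so shared caches must key on these headers.
    vary: "DNT, Sec-GPC",
  };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  { name: "DNT on", headers: { DNT: "1" } },
  { name: "GPC on", headers: { "sec-gpc": "1" } },
  { name: "no signal", headers: { "User-Agent": "example" } },
];
const POLICY = { honorDnt: false, honorGpc: true }; // hypothetical site policy
for (const s of SAMPLES) {
  console.log(s.name, JSON.stringify(trackingDecision(s.headers, POLICY)));
}
```

The `ignored` list is the part to compare against your privacy policy: any signal that appears there is one the policy needs to say you do not respond to.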

When it comes to privacy compliance, it’s best to err on the side of caution, particularly when there’s room for interpretation around laws with serious penalties for your business.

Generate a CCPA-ready privacy policy with GetTerms.io

Save yourself the time and trouble of writing your own policy with our website privacy policy generators.