Not honoring Do Not Track (DNT) is a #GDPR violation. If you receive a DNT signal, you must turn off all tracking. Furthermore, as the person has made their choice explicit and clear, you must not ask them again (via popovers, modals, etc.)
How do we get this enforced. The first part seems like it is already covered by GDPR. Would the second half we enforceable under the current framework?
@aral unless somebody goes to court over this, I don't expect this to work, sadly.
Make a complaint to your country's equivalent of the Information Commissioner:
Multiple compaints in multiple EU states wouldn't be a bad thing.
@aral Big ass motherfucking lawsuits.
Website/publisher gets hit by a million-euro-per-user class and they'll "consider alternative site dynamics reflecting consumer preferences".
Yep. Still waiting for these. Don’t see them happening though. I kept hearing about the money-blood sniffing gdpr lawyer sharks, but so far no sign of them.
Maybe there are big cases in the works for the tech giants, but what we need is some targeted cases on media/publishing. Oath and it’s slough of crap would be a good start.
@aral It could be a good default setting to honor. Not sure how deep this DNT enforcing should go.
@aral the EU DPA should make available an open endpoint that can be called to dump whatever breach automatically if a DNT request is not honored or has the issues you explained
@aral The first problem is probably to be aware it even happens. While developing / debugging Better Blocker you see it happening. But as an end user I'm mostly unaware there is even a violation on a particular site. If it weren't too much of a hassle I might report it, I did this for years with SPAM.
@aral Using the DNT header is a great idea!
One approach: Set this header, then access any websites. Don't click any 'agree' nonsense. Then prove that they tracked you, probably by making a data protection access request to see all data they have on you.
Then report that to your local Data Protection Authority, and try to get them to make a precedent. I think (due to the #GDPR), non-gov orgs can sue companies, rather than needing a DPA (cf. noyb)
@aral I'd assume you would need to contact the hosting country's equivalent of the Information Commisioner/Communications and Media Authority/etc (the government department that deals with the Internet, basically).
It probably wouldn't hurt to also contact your government's equivalent department.
(I have one website I need to report - it not only doesn't honour DNT, its functionality actually breaks completely if you have DNT settings on.)
You report the offending website, possibly giving evidence, to *your country's* Supervising Authority.
Also, you can contact the site's DPO or privacy contact asking for a copy of any and all information regarding you they may have collected during your navigation, and warn them as per GDPR they cannot destroy it since you are going to provide it as evidence to your Supervising Authority
Thoughts? That is a very good point and one that would very likely fly with the data protection agencies.
Only thing is that the choice should have to be made by the user himself. This means that while I understand #Microsoft's decision to ship with #dnt set to on, a better approach would be to ask the user on first run.
Also, what about user registration?
How are the boundaries of the DNT signal set?
@aral how do you know that there is a violation? if there is proof, then you can report to your ICO.
This is my personal Mastodon.