Not honoring Do Not Track (DNT) is a violation. If you receive a DNT signal, you must turn off all tracking. Furthermore, as the person has made their choice explicit and clear, you must not ask them again (via popovers, modals, etc.)

How do we get this enforced? The first part seems like it is already covered by GDPR. Would the second half be enforceable under the current framework?


@aral unless somebody goes to court over this, I don't expect this to work, sadly.

Make a complaint to your country's equivalent of the Information Commissioner:

Multiple complaints in multiple EU states wouldn't be a bad thing.

@aral Big ass motherfucking lawsuits.

Website/publisher gets hit by a million-euro-per-user class and they'll "consider alternative site dynamics reflecting consumer preferences".

@aral It could be a good default setting to honor. Not sure how deep this DNT enforcing should go.

@Aral Balkan This would be a great thing, do you have any source for this?

@aral the EU DPA should make available an open endpoint that can be called to dump whatever breach automatically if a DNT request is not honored or has the issues you explained

This is supposed to be covered by the #ePrivacy bill that is supposed to be ratified next year. Unless lobbying of EU parliament members succeeds and it is watered down to nothing again, but how likely is that ....

@aral The first problem is probably to be aware it even happens. While developing / debugging Better Blocker you see it happening. But as an end user I'm mostly unaware there is even a violation on a particular site. If it weren't too much of a hassle I might report it, I did this for years with SPAM.

@aral Using the DNT header is a great idea!

One approach: Set this header, then access any websites. Don't click any 'agree' nonsense. Then prove that they tracked you, probably by making a data protection access request to see all data they have on you.

Then report that to your local Data Protection Authority, and try to get them to make a precedent. I think (due to the #GDPR), non-gov orgs can sue companies, rather than needing a DPA (cf. noyb)

@aral I'd assume you would need to contact the hosting country's equivalent of the Information Commissioner/Communications and Media Authority/etc (the government department that deals with the Internet, basically).

It probably wouldn't hurt to also contact your government's equivalent department.

(I have one website I need to report - it not only doesn't honour DNT, its functionality actually breaks completely if you have DNT settings on.)



You report the offending website, possibly giving evidence, to *your country's* Supervising Authority.

Also, you can contact the site's DPO or privacy contact asking for a copy of any and all information regarding you they may have collected during your navigation, and warn them as per GDPR they cannot destroy it since you are going to provide it as evidence to your Supervising Authority


Thoughts? That is a very good point and one that would very likely fly with the data protection agencies.

Only thing is that the choice should have to be made by the user himself. This means that while I understand #Microsoft's decision to ship with #dnt set to on, a better approach would be to ask the user on first run.

Also, what about user registration?

How are the boundaries of the DNT signal set?

@aral how do you know that there is a violation? if there is proof, then you can report to your ICO.
