Re: Mapping DNT to GDPR

Hello Robin,

A co-author and I argue that DNT may be used to fulfill GDPR depending on how browsers work [1]. 

The W3C working group has designed DNT from the start to be a tri-part state.
 DNT:1 - request not to be tracked
 DNT:0 - agreement to be tracked
 unset - in the US, the user has not made a choice for privacy so it’s ok to still track them.
   - in the EU, the user has not consented to tracking, so it’s not ok to track them.

This is related to the point Roy raised, but a little different. Basically tracking as opt-in v. opt-out flips based on where the user is located. 

Roy’s point covers things like: it’s not ok for a general purpose browser to choose a setting for their users (i.e. IE.) At a purist level it does not even matter if the browser spams DNT:1 or DNT:0 for users who did not elect it themselves, it will break *somewhere* it is merely the details of how things break that change based on where the user is. 

The phrase “general purpose browser” above exempts things like privacy mode, or a plug-in for privacy, or a plug-in for more personalized ads and shopping suggestions. Those might reasonably send a specific DNT setting as part of how they serve their audience. But for all other general purpose browsers, if the user has not made a choice, don’t send a DNT signal.

Of course there are more details beyond this. I think Mike did a good job at the big picture so I’ll let that stand. Please feel free to contact me on or off list if I can be of assistance. 

 Aleecia
[1]  Zuiderveen Borgesius, F. J., and McDonald, A. M. (2015). Do Not Track for Europe. <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2588086> 43rd Research Conference on Communication, Information and Internet Policy (Telecommunications Policy Research Conference) September 26, 2015.