Defining 'Do Not Track'
In January, CDT released a proposal that attempted to scope what the phrase “do not track” (DNT) should and should not communicate. We launched our effort in order to support the implementation of global browser controls to prevent unwanted tracking, and in order to bring clarity to the nuanced questions of what a “do not track” instruction should mean to users and to industry. Uncertainty around these definitions seemed to us both a potential barrier to the adoption of DNT technologies, as well as a potential threat to innovation around the incorporation of beneficial third-party content and services into many, if not most, modern websites.
Today, in advance of the upcoming W3C workshop on Do Not Track, CDT has released an updated version of the proposal. The updated document reflects feedback from a wide range of stakeholders: consumer advocates, online service providers, Internet service providers, regulators, and academics. While most of the provisions have remained the same, we have updated our definition of “tracking” to better clarify the types of activities that do not fall under its umbrella and we have categorized one new type of activity as a tracking activity.
In the updated proposal, CDT suggests that the following definition for “tracking” be applied in the context of DNT:
Tracking is the collection and correlation of data about the web-based activities of a particular user, computer, or device across non-commonly branded websites, for any purpose other than specifically excepted third-party ad reporting practices, narrowly scoped fraud prevention, or compliance with law enforcement requests.
In addition to updating this definition, CDT also clarified that we believe consumers' communications that they do not wish to be tracked should apply to the appending of demographic information to users’ devices by third party services. For example, DNT should apply in those instances where a vendor tries to place on the user’s device a cookie with personal or demographic information (such as gender or age) that is designed to be read by one or more ad networks (or other third-party entities) as the user browses the web. We made this change at the urging of many of the stakeholders who provided feedback on the initial scoping draft.
We still consider this document a work in progress and look forward to continuing conversations about how to ensure that DNT becomes a tool that users can rely on to help protect their privacy.