Do Not Track still matters, in Europe as well as the US

Do Not Track still matters, in Europe as well as the US

The recent ruling of the Berlin Regional Court, reported by VZBV & tweeted by @peterhense, is important because websites will have to assume that people are exercising their right to object if their browsers have been set to send the "Do Not Track" header signal DNT:1. 

Configuring browsers to send DNT:1 makes it very easy to object to personal data being processed when the justifying legal basis claimed is Legitimate Interest.  This is the legal basis for processing claimed by the bulk of online publisher sites monetising behavioural or programatic advertising. As European residents become aware of this ruling they will increasingly demand that publishers respect their objection to being tracked.

Most browsers support the DNT setting, with the notable exception of Apple's Safari which stopped supporting it in 2019 (ostensibly for pointlessly removing 1 bit of entropy).

The technical definition of Do Not Track allowed servers to respect a browser user's informed consent, unlike the GPC signal which is still not supported by most mainstream browsers.

This matters in the US as well as in Europe because State legislation such as the CCPA and CPRA allows people to signal their opt-out from the sale or commercial exploitation of the personal data using a suitable brower signal, although this is no longer limited to GPC.

Here is a machine translation from German of the VZBV article:

Court bans LinkedIn data protection violations
Berlin Regional Court largely upholds vzbv's lawsuit against LinkedIn Ireland Unlimited Company
LinkedIn informed users on the website that it is currently not responding to “Do Not Track” signals set in the browser.
Presetting the visibility of member profiles on the company's partner sites is not permitted.
In a partial ruling, the LG Berlin ha only supported by a single only supportedd already banned the sending of unsolicited emails to non-members.
Woman sits at the laptop
The social network LinkedIn is no longer allowed to announce on its website that it does not respond to “do-not-track” signals with which users object to the tracking of their surfing behavior via their browser settings. The Berlin Regional Court decided this following a lawsuit from the Federal Association of Consumer Organizations (vzbv). The court also prohibited the company from setting a default that would make the member's profile visible on other websites and applications. Last year, the court banned the sending of unsolicited emails to non-members.
“When consumers activate the ‘Do Not Track’ function in their browser, it sends a clear message: They do not want their surfing behavior to be spied on for advertising and other purposes,” says Rosemarie Rodden, legal officer at vzbv. “Website operators must respect this signal.”
Objection to tracking ignored
Internet surfers can use their browser to set the websites they visit to receive a “Do-Not-Track” (DNT) signal. It conveys your wish that online activities not be tracked and evaluated. LinkedIn announced on its website that it does not respond to such DNT signals. This means that even against the will of the user, personal data such as the IP address and information about the use of the website can be evaluated for analysis and marketing purposes, including by third parties.
The Berlin Regional Court agreed with the vzbv's opinion that the company's communication was misleading. It suggests that the use of the DNT signal is legally irrelevant and that the defendant does not need to observe such a signal. That is not the case. According to the General Data Protection Regulation, the right to object to the processing of personal data can also be exercised using automated procedures. A DNT signal represents an effective contradiction.
The court rejected a further application in this context for procedural reasons.
Profile published without necessary consent
In all other points the vzbv lawsuit was successful without any restrictions. The court prohibited LinkedIn from activating the “profile visibility” function when logging in for the first time. This default setting made the personal LinkedIn profile publicly visible to non-members and outside the network - for example on search engines - without consent. The judges made it clear that a switch activated in advance does not meet the requirements for effective consent to the publication of personal data. “User profiles must not automatically be publicly visible when they are created,” says Rosemarie Rodden.
Unsolicited email sending prohibited
The Berlin Regional Court had already upheld part of the lawsuit last year. LinkedIn is now prohibited from sending email invitations to consumers who are not members of the network and who have not agreed to the use of their email address. In addition, in a further partial acknowledgment judgment, the court prohibited the use of several provisions in the company's terms and conditions, including clauses that only the English version of the contract should be binding and that litigation may only be brought in Dublin, Ireland.
Key data on the verdict
Date of judgment: August 24, 2023
File number: 16 O 420/19 – not legally binding
Court: Berlin Regional Court

Check out our other blog posts