The E-Privacy Directive and Do Not Track complement each other: both were designed to give individuals control over tracking irrespective of technology.

footprints in sand

The e-privacy directive was designed is to give people control over tracking, i.e. you have to be asked for permission before collecting data about your web history. Of course, the technique most often used for tracking is persistent UID cookies, but the language in Article 5 of the Directive is not specific to cookies and includes use of other browser storage such as that used for fingerprinting.

The "implied consent" alleviation and the Do Not Track process are both in essence about helping sites manage the inevitable transition to prior consent. Sites can imply consent has been given if a visitor continues to navigate their site. Outside the EU sites can continue to track unless the DNT header is present.

Both allow sites to assume, in the majority of cases initially, that consent has been given, but many of their visitors will eventually learn that they can revoke their consent or set Do Not Track in their browser.

Already a significant number of browsers have DNT enabled (averaged over all browsers it is now more than 17%) and the ICO, CNIL and other DPAs who allow for implied consent always said that consent should be permanently revocable. If a user revokes their consent then tracking measures such as placing UID cookies or fingerprinting must be stopped, so the ability to do that must be implemented by the site in any case.

This is why we at Baycloud Systems concentrated from the start on the technology needed to manage 1st party and third-party storage. Even if consent has been assumed at first it must be possible for the user to explicitly remove it, and tracking behaviour will have to be stopped both by the site's own server and by any 3rd party server referenced by the site. Cookies and other storage used for tracking will have to be managed even if initially only it is required in the minority of cases.

There are many ways that information can be given and consent obtained, and it should be entirely up to the site how to implement it, though we offer model implementations of these different techniques to our customers.

We make it easy for sites to manage their own first-party storage, and have our own tag management capability (and support other tag management systems) to manage third-parties. Because there is no generally accepted way to communicate an individual's consent status to embedded third-parties, some reengineering of the site is required. We realised early on that implementing this was not that easy for many sites, though we worked to make it as simple as possible. We saw, 2 years ago, that the DNT process could establish a universal signal that sites could use to communicate user consent to their third-parties, making re-engineering unnecessary, and decided to join the W3C's Tracking Protection Working Group.

Because sites up till now have tended not to respect the DNT header many people had to resort to crude script and advertising blocking browser extensions. Because these make arbitrary and often partisan decisions about which website elements to block this has lead to diminished web experiences, and damaged the business operations of the responsible publishers and brands who take data protection and privacy seriously.

The DNT signal is now supported by all major browsers and the standard is close to finalisation. The DNT consent API has been implemented by Microsoft's Internet Explorer which will soon be followed by others. Until the signal is widely respected by 3rd parties, sites in Europe will need to use tag management conditioned by user consent, and we have always supported this. But ultimately sites will be able to rely on agreements with 3rd parties that they honour DNT and they will only need tag management for the few companies that continue not to.

The availability of DNT support and its consent API in browsers will complement Europe's data protection and privacy law, and make it far easier for sites anywhere in the world to give people control over tracking.