E-Privacy, Data Protection Law, and the Do Not Track signal.

The body responsible for Do Not Track (DNT), the W3C’s Tracking Protection Working Group (TPWG), will shortly be releasing the technical part of the standard, the Tracking Preference Expression (TPE), in a process named Last Call (LC), during which implementers and others can review it and make comments. Unlike other W3C standards at this stage, the core of DNT is already implemented by most desktop and mobile browsers, in that users can specify their general preference not to be tracked. The draft standard now also includes an API for establishing site-specific and web-wide domain-specific exceptions to the general preference, so that a user can specify that they do not want to be tracked in general, but give their consent to specific sites and domains. Microsoft’s Internet Explorer already implements the bulk of the new API.

A W3C DNT compliance standard, a detailed description of how servers should respond to the DNT signal, has yet to be agreed by the TPWG, because many of its members represent companies from the behavioural advertising industry and find it hard to agree with those who approach privacy as a fundamental human right. But in reality this is of less importance in much of the world, because there are laws in place that will determine how the signal should be construed. In Europe the Article 29 Working Party (WP29), in which all European Data Protection Authorities (DPAs) are represented, is expected to release its own recommendation on what DNT means in the context of European law and treaty. It can also be expected that the Berlin Group, the international body representing the views of DPAs in the EU, Asia-Pacific and the Americas, will elaborate further on the unanimous recommendations it has already published about DNT.

The DNT TPE includes a mechanism by which servers can transparently specify what standard they use for DNT compliance, and it is expected that European companies will seek guidance from their local DPA, which will in turn reflect what the WP29 and others recommend. The e-privacy directive already specifies that user consent must be obtained before using browser storage that is not strictly necessary, and the simultaneous presence of a DNT signal can only mean that long-duration persistent identifiers (UIDs) cannot fall into the “strictly necessary” category. It also means that the use of “browser fingerprinting”, where identifiers are derived from unique data already stored on users’ devices, would be unlawful without consent, although many DPAs hold that this is already the case.
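The server-side reading described above, as an added example that is not part of the original post: the request decides whether a long-duration UID may be stored and what compliance status to signal. The `DNT` request header and the `Tk` response header (with status values `N` and `C`) are defined in the W3C TPE draft; the consent record and the sample requests are assumptions constructed for the example.

```python
# Added example (not from the original post): a minimal server-side policy
# for the DNT signal. "DNT" and "Tk" come from the W3C TPE draft; how site
# consent is recorded (the `consented` flag) is an assumption of this example.
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass
class Decision:
    may_set_uid: bool   # may a long-duration persistent identifier be stored?
    tk: str             # value for the Tk response header (TPE tracking status)


def dnt_decision(headers: Mapping[str, str], consented: bool) -> Decision:
    """Decide whether persistent identifiers may be used for this request.

    headers   -- request headers; the 'DNT' lookup is case-insensitive
    consented -- whether this user has given site-specific consent (e.g. via
                 the exception API or a first-party dialog); assumed here
    """
    dnt: Optional[str] = None
    for name, value in headers.items():
        if name.lower() == "dnt":
            dnt = value.strip()
            break

    if dnt == "0":
        # DNT:0 means the user has granted this site an exception.
        return Decision(True, "C")          # C = tracking with consent
    if dnt == "1":
        # DNT:1 with no recorded consent: long-duration UIDs are not
        # "strictly necessary" storage, so they must not be set.
        if consented:
            return Decision(True, "C")
        return Decision(False, "N")         # N = not tracking
    # No (or malformed) DNT header: fall back to the recorded consent only.
    return Decision(consented, "C" if consented else "N")


def response_headers(decision: Decision, uid: str) -> dict:
    """Build the response headers implied by a Decision (constructed cookie)."""
    hdrs = {"Tk": decision.tk}
    if decision.may_set_uid:
        hdrs["Set-Cookie"] = (
            f"uid={uid}; Max-Age=31536000; Secure; HttpOnly; SameSite=Lax"
        )
    return hdrs
```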

Under the currently agreed draft of the forthcoming General Data Protection Regulation (GDPR), Do Not Track is already referenced as a mechanism to register an objection to so-called pseudonymous data. This is a category of personally identifiable information (PII) in which it is not generally possible to identify a data subject using “standard” identifiers such as name, location or e-mail address, and the collection of which does not need the explicit consent of users. The DNT signal will mean users can declare their “right to object” to such PII collection, while at the same time giving their explicit consent to trusted companies.

Do Not Track is already set in about 20% of browser requests to European websites, and its meaning under EU law will hopefully soon be clarified. This will help make both the e-privacy directive and the new GDPR more effective in protecting citizens’ fundamental rights and establishing their trust in the web.