Hiding In Plain Sight - The Browser Do Not Tracker Header

Author:Mr Richard Folsom
Profession:Kemp Little LLP

While the compliance and tentative enforcement of ' the cookie law' continues, change is also continuing in a related online privacy issue: the web browser 'Do Not Track' settings.

On the face of it, Do Not Track ('DNT') is a simple concept. It is a proposed web standard by which a user sets a flag (or header) that their web browser sends to websites when the browser requests data. This flag has three settings - DNT:1 (a wish to not be tracked); DNT:0 (consent to be tracked); and a third 'null' setting (the absence of either DNT:1 or DNT:0). On its face, this just represents a technical setting which can be used to express a user's wish, with no inherent legal (and some would argue, moral) requirement to be respected or adhered to.

Confused? You Should be

The new European privacy regulation at regulation 6(3A) specifically sets out that a user amending or setting a control on the internet browser is able to constitute consent. The DNT flag therefore seems like an ideal candidate for showing the consent required to store data on user's computers under the Privacy Regulations. For years the advertising industry has argued that a user is perfectly able to opt of cookies out by turning them off in their browser, and that the user's decision not to do this constitutes implied consent for any website to place cookies on their computer. This opinion has however been squarely rejected by a central body of European privacy regulators – the Article 29 Working Party –– who produce non-binding opinions on such matters. In their view, websites can only assume that a browser accepting cookies represents informed consent if there is a sufficient proportion of internet users with the technical knowledge of how cookies work and what they are used for. In the opinion of the European working party, this was not the case as of Dec 2011. In May 2012, the that consent might be inferred from a series of actions that in isolation do not constitute a direct expression of a user's thoughts, but went on to say that most browsers (as of May) were not sophisticated enough to assume that browser settings signify consent.

From this jumble, we can however take away that European regulatory clarity for browser based consent to cookies and tracking requires an opt-in browser setting indicating user consent to be tracked. Applying this to the draft DNT standard, a web browser indicating DNT:1 could indicated user consent as long as DNT:1 is not the default setting...

To continue reading