As part of its broader effort to develop a “Do Not Track” (DNT) web browser privacy standard, the World Wide Web Consortium (“W3C”), an international organization that develops Internet standards, recently released a draft of one technical component of the standard to gather implementation experience from the developer community.

The W3C Tracking Protection Working Group (“TPWG”) published its Candidate Recommendation for the Tracking Preference Expression, which does two things: (1) defines a standard signal to allow end users to express their preferences regarding online tracking and (2) provides a mechanism for sites to communicate whether and how they honor a received preference. “Tracking” is defined in the Candidate Recommendation as “the collection of data regarding a particular user’s activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred.”

The Tracking Preference Expression

The goal of the standard is to allow end users to express their personal preferences regarding tracking to each server that they communicate with over the Internet.

To comply with the standard, a browser would need to offer users a minimum of two alternative “DNT” choices: (1) “not enabled” or (2) “this user prefers not to be tracked on the target site.” A browser also may (but is not required to) offer a third alternative choice: “this user prefers to allow tracking on the target site.” End users can express preferences for a specific website, which would be stored by the browser. The end user’s tracking preference will be expressed in a DNT header field for HTTP requests (i.e., “this user prefers not to be tracked on the target site” or “this user prefers to allow tracking on the target site”).

According to the W3C, for the signal to convey the end user’s preference, and “not the choice of some vendor, institution, site, or network-imposed mechanism outside the user’s control,” no tracking preference will be expressed in the absence of affirmative user choice. Thus, a browser’s default must be “not enabled,” in which case the browser must not generate a DNT header field.

The Candidate Recommendation does not specify how the tracking preference choices are offered to the end user or how the preference is enabled. Consequently, each browser is responsible for determining the user experience by which a tracking preference is chosen. For example, a user might select a check-box in his or her browser’s configuration, install an add-on or plug-in that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., “Privacy settings: high”).

Response To the DNT Header

The Candidate Recommendation also calls on a server to send a response back to the web browser indicating whether or not it will respect the DNT header expressing the user’s tracking preference. Several responses are available, including a response indicating that it: (1) will not use the data collected for tracking; (2) might perform or enable tracking using the data collected; (3) believes it has received prior consent for tracking the user, notwithstanding the tracking preference expressed by the DNT header; and (4) is unable or unwilling to respect a tracking preference, in which case the server must detail within its privacy policy the conditions under which a tracking preference might be disregarded.

Where the end user has not chosen a tracking preference, the Candidate Recommendation states: “In the absence of regulatory, legal, or other requirements, servers may interpret the lack of an expressed tracking preference as they find most appropriate for the given user, particularly when considered in light of the user’s privacy expectations and cultural circumstances.” Similarly, the Recommendation advises that servers “might make use of other preference information outside the scope of this protocol, such as site-specific user preferences or third-party registration services, to inform or adjust their behavior when no explicit preference is expressed via this protocol.”

Although the Candidate Recommendation outlines the means by which a recipient can communicate compliance with a user’s expressed tracking preference, absent are standards regarding what a recipient of the signal needs to do to comply with such an expressed preference. The W3C is still working to define such a framework, following its publication of a Working Draft on Tracking Compliance and Scope on July 15, 2015.

Next Steps

The W3C process has been controversial. The Digital Advertising Alliance, an independent non-profit that establishes and enforces privacy standards across the online advertising industry, withdrew from the TPWG in September 2013. But the TPWG has continued working on a DNT standard and published this Candidate Recommendation. A Candidate Recommendation is a document that W3C believes has been widely reviewed and satisfies the TPWG’s technical requirements and is published to gather implementation experience. The TPWG is accepting comments and expects to have sufficient implementation experience by February 20, 2016. After wide review of the technical soundness and implementability of the Tracking Preference Expression specification, the Candidate Recommendation may advance to a Proposed Recommendation. The Proposed Recommendation will be sent to the W3C Advisory Committee for final endorsement. Ultimately, the Proposed Recommendation may become a W3C Recommendation, which is a specification or set of guidelines that has received the endorsement of W3C Members and the Director. However, W3C Recommendations are not legally binding.