Do Not Track Disclosure Guide for Website Owners

Summary

Do Not Track is a browser setting that allows users to opt out of being tracked on the internet. However, websites are not required by law to comply with it. California’s CalOPPA law requires websites to disclose in their privacy policy whether they follow Do Not Track signals.

A proper Do Not Track disclosure should state whether the site recognises Do Not Track, and how the site tracks users (if applicable). If you do not follow Do Not Track, you are still required to be transparent about it. Compliance tools like WPLP can help businesses manage both DNT and GPC requirements.

Most websites collect user data for analytics, personalization, or advertising. But not everyone is comfortable being tracked. To give users more control, most browsers offer a Do Not Track (DNT) option that sends a request along with their browsing activity.

Some laws, like California’s CalOPPA, require websites to disclose how they respond to these signals in their privacy policy.

This article will clarify the legal requirements surrounding DNT disclosures. Do you need it for your website?

Furthermore, we will guide website owners on what a proper DNT disclosure should include within their Website Privacy Policy Requirements.

What Is Do Not Track?

Do Not Track is a web browser setting. It lets users choose how they would like online tracking to be handled on the websites they visit.

When a user enables DNT in their browser’s configuration, the browser sends a signal in the HTTP header to websites, indicating that the user does not want to be tracked.

It is important to note that Do Not Track is a request, not a mandate. It is up to the website owner whether to honour it. Some websites will respect DNT signals and modify their tracking, while others may ignore them.

DNT was created to allow users greater control over their online privacy, especially in an environment that collects data for analytics, advertising, and personalisation. 

But in California, under the California Online Privacy Protection Act (CalOPPA), websites are required to disclose whether or not they honor Do Not Track requests in their privacy policies.

Which Laws Require Do Not Track Disclosures?

A few laws bear on DNT disclosures. They are as follows.

1. CalOPPA (California Online Privacy Protection Act)

CalOPPA is a unique California law that requires online services and websites collecting personal information from California residents to display a privacy policy clearly. A critical part of this law is about Do Not Track.

CalOPPA says your privacy policy must explain how your website responds to DNT signals or similar tracking requests. If your website does not respond to DNT signals, you must clearly say so in your privacy policy.

The law does not require a website to honour DNT signals, but the website must be transparent about its practice and state it in the policy. This is one of the core Website Privacy Policy Requirements for CalOPPA Compliance.

2. GDPR (General Data Protection Regulation)

The GDPR, a comprehensive privacy regulation in the European Union, does not explicitly mention “Do Not Track” signals. Instead, GDPR mainly focuses on obtaining explicit consent for data processing and providing users with rights over their data (e.g., the rights to access, rectification, and erasure).

GDPR does not require DNT disclosures in the same way CalOPPA does. However, its core principles focus on transparency and user control. This means that if your website responds to DNT signals, you should include that information in your privacy policy. Under GDPR Articles 13 and 14, such disclosures are required for online tracking preferences.

3. CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)

The California Consumer Privacy Act (CCPA), along with its updated version, the California Privacy Rights Act, expanded the consumer privacy rights in California, strengthening the framework originally established by CalOPPA.

Unlike GDPR, neither CCPA nor CPRA specifically requires websites to honour Do Not Track signals or include a DNT disclosure. However, both laws give consumers strong rights, such as the ability to opt out of the sale or sharing of their personal data and to limit how sensitive information is used or disclosed.

Although DNT isn’t mentioned by name, the purpose of CCPA/CPRA is to support user privacy choices. In fact, CPRA introduced the idea of Global Privacy Control, a recognised signal that lets users automatically opt out of data sharing.

For websites covered by these laws, it’s essential to clearly explain in your privacy policy how users can exercise their privacy rights and how your site responds to any recognised opt-out signals (like GPC, and DNT if you choose to address it).

What Should a Proper Do Not Track Disclosure Include?

Creating a comprehensive and compliant Do Not Track disclosure is essential for any website, especially those subject to CalOPPA compliance.

A proper disclosure serves two primary purposes: the first is to inform the user that your website is tracking, and the second is to fulfil the legal obligation for transparency. 

Here are some examples of what a proper disclosure should contain. 

1. Clear Statement on DNT Signal Recognition

The most important part of your disclosure is clearly stating whether your website notices and responds to Do Not Track signals.

  • If your website DOES NOT respond to DNT signals: You must explicitly state this. For example: “Our website does not respond to ‘Do Not Track’ signals.”
  • If your website DOES respond to DNT signals: You should explain how it responds. For example: “We honour Do Not Track signals and do not track, plant cookies, or use advertising when a Do Not Track browser mechanism is in place. It’s also important to note that we allow third-party behavioural tracking.”

2. Explanation of Your Website’s Tracking Practices

Beyond the DNT disclosure, your policy page should also explain your general approach to tracking.

It should set out the data that is collected, the purpose behind the data collection, and the use of cookies. Most importantly, it should clearly state whether third parties (like advertisers or analytics providers) collect information on users. This is crucial for CalOPPA and is part of meeting the transparency requirements for online tracking preferences.

3. How Users Can Opt Out or Control Tracking

Since Do Not Track doesn’t always work, give users other clear ways to manage tracking. Tell users that they can delete or block cookies in their browser. Share links to opt-out pages like NAI and DAA. If you use a third-party tool, provide a link to the opt-out page.

4. Location Within the Privacy Policy

The DNT disclosure should be placed within the privacy policy page, under a heading such as:

  • “Do Not Track Disclosures”
  • “Your Choices Regarding Tracking”
  • “How We Respond to Do Not Track Signals”
  • “Third-Party Tracking and Online Advertising”

What Happens if I Don’t Include a DNT Disclosure?

Here is a breakdown of what happens if you don’t have a proper DNT disclosure.


1. Legal Non-Compliance and Potential Fines

The Attorney General first gives notice of non-compliance, and a 30-day cure period is provided. If no action is taken, civil penalties of up to $2500 for a non-willful violation and $7500 for a willful violation apply.

2. Damage to User Trust and Reputation

A missing DNT notice can indicate a lack of transparency to users. This can create trust issues and could reduce users’ engagement with your site. They will not trust your site enough to share information or purchase something.

3. More Monitoring and Privacy Issues

Having no DNT notice could signal that your website is noncompliant with privacy regulations in general and could open your entire privacy policy and data handling practices to scrutiny. This creates the opportunity for discovering other privacy violations that may be more serious.

4. Missed Opportunity for Proactive Compliance

Privacy laws are constantly changing. If you assume that a specific disclosure is not essential, you may be wrong when it is in fact required. Your site will always be at risk and continuously behind the regulatory environment.

Can Third Parties Ignore My Site’s DNT Privacy Policy?

The answer is yes. In most cases, third parties can ignore your DNT privacy policy, as there is no universal, enforced legal requirement to honour DNT signals. Let’s break down the reasons:

1. No Legal Requirement to Respect DNT

CalOPPA requires websites to disclose their Do Not Track policy, but does not obligate them to honour DNT signals. This means a site can state, “We do not respond to DNT signals,” and still remain compliant. At the federal level, there is no U.S. law mandating respect for DNT, and international privacy laws like GDPR also do not specifically require it. Instead, they focus on consent, transparency, and protecting user rights through other mechanisms.

2. Absence of a Universal Technical Standard for Response

Besides the fact that there has never been a legal requirement for compliance, there has also never been an agreement on a technical or operational standard for how a website or third party should respond to a DNT signal. Does this mean stopping all analytics? Just targeted ads? What about cookies that are required for the basic functionality of the site? This uncertainty has proven to be an obstacle.

3. Focus on Other Privacy Signals 

DNT’s inability to provide valuable privacy assurance has led to the development and adoption of newer and more legally enforceable signals, such as GPC.

GPC is increasingly recognised in laws like CPRA and those of Colorado and Connecticut, and websites must treat it as a valid opt-out signal for data sharing or sales.

What can you do as a website owner? 

  • Be Transparent: Clearly state if your site respects DNT and whether third parties collect user data, as CalOPPA requires.
  • Offer Options: Since DNT has little effect, provide users with real tracking controls, like opt-out links and browser settings.
  • Prioritise GPC: Focus on legally recognised signals like GPC, which have actual compliance requirements.
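
The checklist above, as a server-side sketch (an added example, not code from this article or from any compliance product). `DNT` and `Sec-GPC` are the request headers browsers actually send; the function names, the `sitePolicy` object and the decision fields are assumptions made for illustration.

```javascript
// Read the two privacy signals from a request's headers.
// HTTP header names are case-insensitive, so normalise them first.
function readPrivacySignals(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers || {})) {
    // Some servers expose repeated headers as arrays; use the first value.
    h[name.toLowerCase()] = String(Array.isArray(value) ? value[0] : value).trim();
  }
  return {
    dnt: h["dnt"] === "1",     // "1" = do not track; "0" or absent = no opt-out
    gpc: h["sec-gpc"] === "1", // only ever sent as "1"; anything else = absent
  };
}

// sitePolicy (hypothetical config):
//   honourDnt  - the site has chosen to act on DNT (voluntary)
//   gpcApplies - visitor is in a region where GPC is a valid opt-out
function decideTracking(headers, sitePolicy) {
  const s = readPrivacySignals(headers);
  const d = { analytics: true, targetedAds: true, saleOrShare: true, reasons: [] };
  if (s.gpc && sitePolicy.gpcApplies) {
    // Treated as an opt-out of sale/sharing, which covers cross-site ad targeting.
    d.saleOrShare = false;
    d.targetedAds = false;
    d.reasons.push("gpc-opt-out");
  } else if (s.gpc) {
    d.reasons.push("gpc-received-not-applicable");
  }
  if (s.dnt && sitePolicy.honourDnt) {
    d.analytics = false;
    d.targetedAds = false;
    d.reasons.push("dnt-honoured");
  } else if (s.dnt) {
    // Still recorded: the privacy policy must match what the site really does.
    d.reasons.push("dnt-received-not-honoured");
  }
  return d;
}

// One audit record per request: which signals arrived and what was decided.
function consentLogEntry(headers, sitePolicy, now = new Date()) {
  return {
    at: now.toISOString(),
    signals: readPrivacySignals(headers),
    decision: decideTracking(headers, sitePolicy),
  };
}
```

The `reasons` array is what keeps the disclosure honest: a site that publishes “we do not respond to DNT” should see `dnt-received-not-honoured` in its logs, never `dnt-honoured`.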

What is the Difference Between Do Not Track and Global Privacy Control?

Online privacy laws have changed significantly, moving from Do Not Track to newer signals like Global Privacy Control.

Do Not Track

  • A browser setting that asks websites not to track users across the web.
  • The problem: It was never legally enforced, and most sites ignore it.
  • But if you fall under CalOPPA, you still need a Do Not Track Disclosure in your privacy policy, even if you state you don’t honour it.

Global Privacy Control

Key Differences

How the WPLP Compliance Platform Assists with DNT Compliance

The WPLP Compliance Platform, which helps in cookie consent management, also helps with Do Not Track and Global Privacy Control compliance by:

  • Automated Signal Detection: The platform can automatically identify both the existing Do Not Track header and the legally recognised Global Privacy Control signal from the user’s device.
  • Honouring Opt-Out Requests: In jurisdictions where the GPC signal is legally valid, the platform automatically treats the GPC signal as a formal “Do Not Sell or Share My Personal Information” request. While DNT is not a legally enforceable request, the WPLP Compliance Platform is designed to honour the DNT signal as a user’s preference for privacy.
  • Modifying Data Processing: The platform modifies its cookie consent and data collection behaviour upon detecting that a DNT or GPC signal has been received.
  • Consent Logs and Audit Trail: The platform produces an audit-ready Consent Log. This is a crucial way to maintain the records needed to fulfil compliance obligations to regulatory bodies.
  • Geo-Targeting: The platform offers geo-targeting to display the appropriate privacy banner and apply compliance rules, such as GPC, only to users located in the applicable geographic region, thus improving the user experience.

Case Studies 

I found two cases that were filed for not respecting the Do Not Track disclosure. 

  • Tractor Supply Company: Fined $1.35 million by the California Privacy Protection Agency for violations of the California Consumer Privacy Act, which included failing to provide consumers with an effective mechanism to opt out of the selling and sharing of their personal information, including through opt-out preference signals such as Global Privacy Control.
  • Hulu Case: Hulu faced severe penalties for not honouring Do Not Track signals, but it wasn’t illegal since no law required compliance. The issue was a lack of transparency: under CalOPPA, Hulu had to disclose its DNT policy. It later updated its privacy policy to state that it does not respond to DNT, making it compliant.

Conclusion 

Although Do Not Track may not hold the same promise it once did, its disclosure requirement, especially under CalOPPA, continues to be a critical feature of website compliance.

If not taken seriously, it opens the door to penalties, legal action, and mistrust among your audience. Additionally, emerging privacy signals such as GPC focus more on users’ preferences and choices, and they must be legally recognised and honoured.

The message is clear: transparency is needed. A good privacy policy explains what you will do regarding DNT, your tracking practices, and how you respond to new signals, such as GPC. It is an essential legal shield and trust-building exercise.

With compliance solutions like the WPLP Compliance Platform, companies can manage their privacy policy, honour valid opt-out requests, and adequately protect themselves in a complex and evolving privacy environment. 

Disclaimer: The information provided in this blog post is for general informational purposes only and does not constitute legal advice.