Do-Not-Track is back on track: what Berlin's ruling could mean for our online privacy
'Do Not Track' settings cannot be ignored, the judge ruled
Germany is perhaps the most proactive country when it comes to protecting its citizens' privacy, something that privacy advocates and enthusiasts have been aware of for a while now, and the country recently reiterated its stance against Microsoft-owned LinkedIn.
A Berlin Court ruled in favor of the Federation of German Consumer Organizations (Verbraucherzentrale Bundesverband, vzbv), which filed a lawsuit against LinkedIn for ignoring users who turned on the 'do-not-track' function on their browsers. According to the German judge, companies must respect these settings under GDPR.
A small victory for privacy, the Do-Not-Track (DNT) ruling might end up reshaping how websites and other online platforms have to handle our data more broadly. Adoption and support of DNT has been in sharp decline over the past years. Now, ad-blocker and VPN service provider, AdGuard, believes this potentially game-changing court decision could exhume the once-abandoned privacy initiative for good.
The fall of Do-Not-Track
Do-Not-Track (DNT) requests are signals on the browser level that inform a website not to collect or track your browsing data. DNT was first proposed by researchers Christopher Soghoian, Sid Stamm, and Dan Kaminsky in 2009 to limit web tracking. A year later, the US Federal Trade Commission gave its approval and called for the creation of a universal mechanism that'd give users more agency back over their data.
The first web browser to support the new initiative was privacy-focused Mozilla Firefox which added the feature in March 2011. Other services followed suit, including Microsoft’s Internet Explorer, Apple’s Safari, and Opera. Google Chrome embraced the industry trend in 2012.
"The early 2010s was perhaps the time when the enthusiasm for the DNT and its potential to improve privacy was at its peak," said AdGuard.
Yet, after initial success with browsers, the DNT wave seemed destined to dwindle. The problems started from the lack of similar support among websites and advertisers. Even Google implemented the feature only on Chrome, refusing to "change behavior" on its websites and web services. The final nail in the coffin came in 2019, when the group working on standardizing DNT was dismantled due to a lack of consensus.
Get daily insight, inspiration and deals in your inbox
Sign up for breaking news, reviews, opinion, top tech deals, and more.
Privacy advocacy groups didn't want to renounce giving users a way to better protect their personal data and browsing activities, though. "While DNT failed to gain much support, the need for a mechanism that would allow people to opt out of having their personal information shared or sold was still strong," explained AdGuard.
That's true, and security software like virtual private networks, ad-blockers, and Tor browser can help you enjoy better anonymity when surfing the web. Nevertheless, experts believe organizations should allow their customers to decide whether to have their information shared or sold in the first place. It was from this need for an alternative that the Global Privacy Control (GPC) was born in 2020.
Similar to DNT, the GPC is a signal sent over HTTP to op-out having your browsing data processed. Supporters of this new initiative include many privacy-first browsers and search engines—like DuckDuckGo, Brave, and Firefox—and browser extensions such as Abine’s Blur, Disconnect, OptMeowt, and EFF's Privacy Badger.
GPC seems to have gained more traction than DNT was ever capable of—until now at least. Learning from past mistakes, GPC found a way to add value for publishers and advertisers, too, who recognize that GPC seems to help websites increase trust among users. At the same time, GPC still allows them to sell ad space without having to sell data to third parties.
According to AdGuard, GPC also makes things a bit easier for websites. "GPC is more precise about what exactly the other party is allowed or disallowed to do, this is part of the attempt to make it legally binding. DNT just says "don't track me" without specifying what tracking is. What if the data being collected is actually required for the service to operate? GPC says "do not sell or share my data" which is much easier to understand."
In August 2022, GPC even won its first legal battle in California against commercial retail brand, Sephora. A success that the DNT initiative can claim under its belt.
Germany vs LinkedIn
October 30, 2023, will be probably remembered as a milestone for the DNT initiative as the Berlin Regional Court ruled that LinkedIn can no longer ignore its users' Do-Not-Track requests.
"When consumers activate the 'do-not-track' function of their browser, it sends a clear message: They do not want their surfing behavior to be spied on for advertising and other purposes," says Rosemarie Rodden, legal officer at vzbv. "Website operators must respect this signal."
It turned out that the judge agreed with vzbv, ruling that the social media giant is no longer allowed to warn users it doesn't respect DNT signals. That's because, under GDPR, the right to opt out of web tracking and data collection can also be exercised using automated procedures.
The recent ruling of the Berlin Regional Court, reported by VZBV & tweeted by @peterhense, is important because websites will have to assume that people are exercising their right to object if their browsers have been set to send the "Do Not Track" header signal DNT:1.…November 1, 2023
"In other words, the court implied that a DNT signal was legally binding," AdGuard told TechRadar. According to the company, the verdict "sets a precedent and revives the all-but-abandoned idea of Do-Not-Track."
On a very different point of view, a LinkedIn spokesperson told Cybernews: "We disagree with the court’s decision which relates to an outdated version of our platform and intend to appeal the ruling."
A new era for Do Not Track protections?
"The implications of this ruling are far-reaching and potentially earth-shattering. Websites have been ignoring the signal for years without consequence," AdGuard told us.
According to the company, the mere fact that the judge backed up the consumer groups' requests in DNT highlights the need for companies to prioritize user preferences. At the same time, despite being unclear of what might happen next, AdGuard is also hopeful this could mark the start of a new era for Do-Not-Track which, for the first time, has been recognized as legally binding in Court in favor of the more promising GPC.
On this point, an AdGuard spokesperson told me: "We hope that the [DNT] signal will become binding, but it may be a long shot. Industry players have long gotten used to the fact that they may turn a blind eye on DNT signals, and it will take active steps by regulators to change their behavior. In general, enforcement is possible."
However, especially for those living outside Germany, the security firm invites all its users to actively enable the 'Ask websites not to track you' option when using its services. This can be found via the settings tab, either under Stealth mode when using AdGuard apps for Mac and Windows and AdGuard browser extensions, or under Tracking Protection on AdGuard Android app.
"AdGuard has always prioritized user privacy, supporting both DNT and GPC across its range of products. We are offering users an easy way to enable both these settings with a single click. In light of this pivotal court decision, we feel that AdGuard's commitment becomes even more crucial."
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com