While speaking with companies that have implemented DNT or are in the process of doing so, we also heard of a few other decision points that may apply to your company. NAI members and other companies offer opt-out cookies; IP addresses are uniquely identifiable but easy to forget because they are not usually part of cookie data; mobile devices have additional sources of private data; and for a few companies it is important to think about how to manage third party cookies that are set as if they are from first parties.
One company planned to implement DNT by deleting all cookies they set, and then they realized this would also include any opt-out cookies for their site. They elected to make an exception and leave opt-out cookies. This way if users experiment with DNT and turn DNT off, the users will not have to set all of their opt-outs again. This is a conservative approach that respects user choice, and is easy to explain.
At the time of writing, the United States Senate is about to consider new laws mandating data retention for IP addresses and other information. In the future, multi-national companies may find that the US and EU regulations conflict. You might want to review the current status of legal requirements and prohibitions as you consider your options with IP addresses. There are three approaches we have seen companies take:
- Continue to collect IP address in server logs, regardless of DNT status. In some cases this is simply oversight, since server logs are not cookie-based and may not immediately come to mind as a form of tracking users. However, European Union nations classify IP address as personally identifiable information, and EU visitors may have a strong expectation that their IP addresses are not logged.
- Truncate IP addresses in server logs by dropping the last octet of the address (so, for example, two addresses that share the first three octets 128.2.45 both become the truncated 128.2.45, and the two IP addresses become indistinguishable). The idea here is generally that because there may be 255 computers with the same first three octets for their IP address, truncation should provide some privacy. At the same time, companies can still use truncated IP addresses for geoIP to understand where their customers are physically located. Truncation is not anonymity. Especially in small datasets, there is a good chance that only one or very few users match a truncated IP address. If your only other choice is to store the full IP address, truncation is a modest step toward protecting user privacy.
- Do not log IP addresses. It is technically easy to set Apache or IIS to not record the IP addresses of visitors who had DNT enabled. We have not tested it, but sample code is available from http://donottrack.us/server.
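The three logging approaches above, as an added example that is not from the guide or from http://donottrack.us/server: a small server-side filter that decides what client field to write to the access log based on the DNT header, plus a check that shows why truncation is not anonymity. It assumes the truncate and omit policies apply only to DNT-enabled requests and that IPv6 addresses (not covered by the guide) are simply omitted.

```python
import ipaddress

# Constructed sample requests (client IP, request headers); not taken from the guide.
SAMPLE_REQUESTS = [
    ("128.2.45.10", {"DNT": "1", "User-Agent": "Firefox"}),
    ("128.2.45.200", {"DNT": "1"}),
    ("128.2.45.11", {}),
    ("10.0.0.7", {"DNT": "0"}),
]


def dnt_enabled(headers):
    """True when the request carries 'DNT: 1' (header names are case-insensitive)."""
    return any(k.lower() == "dnt" and v.strip() == "1" for k, v in headers.items())


def truncate_ip(ip):
    """Drop the last octet of an IPv4 address: 128.2.45.10 -> 128.2.45.
    Assumption: IPv6 is replaced entirely with '-' because the guide does not cover it."""
    if ipaddress.ip_address(ip).version == 4:
        return ".".join(ip.split(".")[:3])
    return "-"


def log_client(ip, headers, policy):
    """Client field for the access log under one of the guide's three approaches:
    'log' (full address always), 'truncate' or 'omit' (applied to DNT-enabled visitors)."""
    if policy == "log" or not dnt_enabled(headers):
        return ip
    if policy == "truncate":
        return truncate_ip(ip)
    if policy == "omit":
        return "-"
    raise ValueError(f"unknown policy {policy!r}")


def prefix_population(ips):
    """Distinct full addresses behind each truncated prefix. A count of 1 means the
    truncated value still points at exactly one visitor in this dataset."""
    groups = {}
    for ip in ips:
        groups.setdefault(truncate_ip(ip), set()).add(ip)
    return {prefix: len(addrs) for prefix, addrs in groups.items()}


if __name__ == "__main__":
    for ip, headers in SAMPLE_REQUESTS:
        print(ip, {p: log_client(ip, headers, p) for p in ("log", "truncate", "omit")})
    print(prefix_population([ip for ip, _ in SAMPLE_REQUESTS]))
```

Run it against your own log sample: any prefix whose count is 1 in prefix_population is still a unique identifier after truncation.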
Firefox supports sending a DNT header on a mobile device, for example, from Firefox on an Android cell phone. If you have a version of your website optimized for mobile device users, you can implement support for Do Not Track for your mobile website too.
DNT for mobile devices works the same way as DNT for browsers not designed for mobile devices: when users turn DNT on, their browser sends “DNT: 1” as an HTTP header. Mobile web browsing is affected, but mobile applications that do not use HTTP are not affected.
If you collect information that is not available from desktop computers (for example GPS-based geolocation, serial number, UDID, or any device-specific identifiers), you might want to think about how to limit that collection for DNT-enabled visitors.
Third-party cookies in a first-party context
In general, you can only read, modify, or delete cookies that you set. However, some advertising companies are setting their cookies on a first-party site as if the advertising companies were the first party. This situation pertains to very few companies; if yours is not one of them, you can skip this section.
As an example of what we mean by a third-party cookie set as if it were a first-party cookie, imagine user Alice visits website MyNews.com which serves an advertisement from a company called Adverts. She might get cookies from multiple hosts, for example mynews, www.mynews, and adverts. We would expect to see first party cookies in mynews and www.mynews, and third party cookies in adverts. However, there are a few companies that serve their third-party cookies in a first-party way, for example an advertising cookie from Adverts set on the mynews host. Several companies offer this functionality. Google Analytics is a prevalent example. We use them throughout this section, though we did not speak with Google about their practices.
We spoke with an advertiser that sets third-party cookies in a first-party context. When they receive a DNT header, they want to make sure they delete all of the cookies they set. However, because they are setting cookies like a first party, they have access to more than just the cookies they write themselves. For example, if an advertising company sets first-party cookies on the mynews host, that means they can also delete any other cookies set on mynews — including cookies set by MyNews and even by competing advertising companies that also are setting third-party cookies in a first-party context. If Adverts decided to delete all cookies they have access to, they could also delete any Google Analytics cookies plus all first-party cookies. This could happen even if Google did not honor DNT and the first-party did not honor DNT.
While Mozilla does not wish to define tracking, this is one area where we will express an opinion. It is probably not a good practice to delete competitors’ cookies in the name of DNT. We suggest that you only delete cookies you set, even if you have access to other cookies that are also third-party cookies in a first-party context, or classical first-party cookies set by a first party.
An advertising company wanted to honor DNT headers in the following way:
- Do not delete any cookies set by another party
- Do not delete any opt-out cookies
- Delete all cookies the advertising company set
This sounds simple. The advertising company sets four cookies with known names. All they have to do when they see a DNT header is to delete those four cookies. However, there was one added bit of complexity. The advertising company exposes an API to their customers, which enables their customers to write their own advertising cookies in the same directory. The advertising company has no way to know what names their customers use for any cookies set through this API. As a result, the advertising company cannot delete all cookies associated with their product, because they do not know what their customers’ cookies are called, and they cannot delete all cookies without deleting cookies from other parties.
Moving forward, the advertising company is considering a prefix for all of their cookies, so they can delete all of their cookies that begin with their prefix. Even after they deploy this new system, they will still have “legacy” cookies their customers set through the API. Eventually all of those cookies will expire, but that will take time. Until then, they could attempt to get a list of all customer cookie names and hard code those into their DNT response. Or they could encourage all of their customers to migrate cookie data to the new naming convention. Neither of these is a perfect solution.
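The cookie-deletion policy of the last few paragraphs (delete only what you set, keep opt-out cookies, leave other parties' cookies alone, and cope with the prefix plus legacy-names transition), as an added example that is not the advertising company's code: a server-side handler that reads the incoming Cookie header on a DNT request and returns Set-Cookie headers expiring only the advertiser's own cookies. The prefix adv_, the legacy names, the opt-out cookie name and the sample Cookie header are all constructed for illustration.

```python
# Hypothetical names, not from the guide: the advertiser's new prefix, its four known
# pre-prefix cookies, and the opt-out cookie that must survive a DNT cleanup.
AD_PREFIX = "adv_"
LEGACY_AD_COOKIES = {"aid", "asess", "acamp", "aclick"}
OPT_OUT_COOKIES = {"adv_optout"}

# Constructed Cookie header as the mynews host might send it: the first party's session
# cookie, a Google Analytics cookie, the advertiser's own cookies, and a cookie a customer
# wrote through the advertiser's API under a name the advertiser does not control.
SAMPLE_COOKIE_HEADER = (
    "sessionid=abc123; __utma=1.2.3.4; adv_id=x9; aid=y7; "
    "custom_seg=z5; adv_optout=1; adv_prof=p2"
)


def cookie_names(cookie_header):
    """Cookie names present in a Cookie request header, in order."""
    names = []
    for part in cookie_header.split(";"):
        name, sep, _ = part.strip().partition("=")
        if sep and name:
            names.append(name)
    return names


def cookies_to_delete(cookie_header, customer_legacy_names=frozenset()):
    """Names to expire: prefixed cookies, known legacy cookies, and any customer cookie
    names on record. Opt-out cookies and every other party's cookies are left alone."""
    chosen = set()
    for name in cookie_names(cookie_header):
        if name in OPT_OUT_COOKIES:
            continue
        if name.startswith(AD_PREFIX) or name in LEGACY_AD_COOKIES \
                or name in customer_legacy_names:
            chosen.add(name)
    return sorted(chosen)


def expire_headers(names, domain, path="/"):
    """Set-Cookie values that expire each cookie; Domain and Path must match the
    attributes the cookie was originally set with, or the browser keeps the old one."""
    return [f"{n}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
            f"Domain={domain}; Path={path}" for n in names]


def handle_request(headers, domain, customer_legacy_names=frozenset()):
    """Return the Set-Cookie headers to add to the response, empty unless DNT: 1 is present."""
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    if hdrs.get("dnt") != "1":
        return []
    return expire_headers(cookies_to_delete(hdrs.get("cookie", ""), customer_legacy_names), domain)
```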