Join MDN and developers like you at Mozilla's View Source conference, 12-14 September in Berlin, Germany. Learn more at

3 Collecting aggregate data based on DNT

As we detail in the case studies, there are many different approaches you might take to responding to a DNT request. Below, we give an example of how you might set a cookie to aggregate user data rather than collect it on a per-user basis. Please understand this sample code is not meant as an endorsement of data aggregation as an approach to DNT. In particular, it may not meet your users’ expectations for what DNT means, and we encourage you to think carefully about which approach to pursue. However, data aggregation is one approach already used in practice. For example, Google handles opt-outs by setting a cookie containing the string OPT-OUT for all users. The sample JavaScript code below follows that general approach.

The sample JavaScript code below also gives a starting point for how to delete and expire cookies based on DNT status.

// portion of a JavaScript file to set opt-out cookie
// assumes intojs.php file from first tutorial.

function setCookie(cookie_name, string_value, time_to_expire)
  // it is likely you already have something implemented you
  // can use. If not, there are many examples online

if (getDntStatus()) { // If you detect a Do Not Track header...
  deleteAllCookies(); // Write this code to delete cookies
  setCookie('trackingcookie', "opt-out", time() + 60*60*24*365*5);
  // sets the value of trackingcookie to opt-out for all DNT
  // users, with an expiration time of 5 years (in seconds)
} else {
  // current code for tracking goes here

For users with DNT, first you need to delete the tracking cookies you already have on their computers. (If you are not sure which cookies you set, you might consider deleting all cookies, since you can only delete your own cookies). Otherwise you will run into the problem that you set a DNT cookie, yet still have tracking cookies saved, which is bound to confuse a few savvy — and potentially vocal — users. If you store keys into a backend database, you may wish to delete information from your backend database now, before you delete the key and then have stored information you will never retrieve again. (If the current IETF draft on DNT is adopted, as per section 8.1, all third-party tracking data must be deleted, not just data in cookies.) Also think about any non-HTTP cookie tracking you may store on users’ hard drives, such as LSOs, cache cookies, HTML 5 local storage, Silverlight local storage, and so on. If you only delete HTTP cookies and leave other local storage behind, people may think you are not honoring DNT.

After deleting existing tracking cookies, if you are going to collect aggregate data, you might set a new cookie with the value of opt-out or something similar. All DNT users will share a common identifier of opt-out rather than a per-computer identifier. In our code example, we set the expiry time for the opt-out cookie to five years. You are free to choose any length of time you wish, but note that self-regulation principles require opt-out cookies to last at least five years. It is probably good practice to pick a time that is at least as long as any tracking cookies you set.

Up: Tutorials

Previous: 2 Displaying DNT status with caching

Next: Additional resources

Document Tags and Contributors

 Contributors to this page: Sheppy, jswisher
 Last updated by: Sheppy,