For users with DNT enabled, first delete the tracking cookies you have already set on their computers. (If you are not sure which cookies you set, you might consider deleting all cookies, since you can only delete your own cookies.) Otherwise you will run into the problem that you set a DNT cookie yet still have tracking cookies saved, which is bound to confuse a few savvy, and potentially vocal, users. If you store keys into a backend database, you may wish to delete the corresponding information from the database now, before you delete the key; otherwise you are left with stored information you will never retrieve again. (If the current IETF draft on DNT is adopted, as per section 8.1, all third-party tracking data must be deleted, not just data in cookies.) Also think about any tracking data other than HTTP cookies that you may store on users’ hard drives, such as LSOs, cache cookies, HTML5 local storage, Silverlight local storage, and so on. If you only delete HTTP cookies and leave other local storage behind, people may think you are not honoring DNT.
After deleting existing tracking cookies, if you are going to collect aggregate data, you might set a new cookie with the value of opt-out or something similar. All DNT users will share a common identifier of opt-out rather than a per-computer identifier. In our code example, we set the expiry time for the opt-out cookie to five years. You are free to choose any length of time you wish, but note that self-regulation principles require opt-out cookies to last at least five years. It is probably good practice to pick a time that is at least as long as any tracking cookies you set.
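The two steps above, sketched server-side in Python as an added example (not this tutorial's own code). The cookie names `uid`, `ad_profile` and `tracking`, and the headers-as-dict interface, are assumptions; only HTTP cookies are handled, not LSOs or other local storage.

```python
from http.cookies import SimpleCookie

# Assumed names: this site's tracking cookies and the shared opt-out cookie.
TRACKING_COOKIES = {"uid", "ad_profile"}
OPT_OUT_NAME = "tracking"
OPT_OUT_VALUE = "opt-out"
FIVE_YEARS = 5 * 365 * 24 * 60 * 60  # opt-out lifetime in seconds

def dnt_enabled(headers):
    """True when the request carries the header DNT: 1."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("dnt", "").strip() == "1"

def dnt_set_cookie_headers(headers):
    """Return the Set-Cookie values to send to a DNT user, or [] otherwise."""
    if not dnt_enabled(headers):
        return []
    lowered = {k.lower(): v for k, v in headers.items()}
    received = SimpleCookie()
    received.load(lowered.get("cookie", ""))

    out = SimpleCookie()
    # Step 1: expire every tracking cookie the browser sent back.
    # Path (and Domain, if used) must match the values used when the
    # cookie was set, or the browser keeps it; "/" is assumed here.
    for name in received:
        if name in TRACKING_COOKIES:
            out[name] = ""
            out[name]["path"] = "/"
            out[name]["max-age"] = 0
            out[name]["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"

    # Step 2: one identifier shared by all DNT users, so aggregate counts
    # still work but no per-computer value is stored.
    out[OPT_OUT_NAME] = OPT_OUT_VALUE
    out[OPT_OUT_NAME]["path"] = "/"
    out[OPT_OUT_NAME]["max-age"] = FIVE_YEARS
    return [morsel.OutputString() for morsel in out.values()]

if __name__ == "__main__":
    # Constructed sample request: DNT on, one tracking and one ordinary cookie.
    sample = {"DNT": "1", "Cookie": "uid=abc123; theme=dark"}
    for value in dnt_set_cookie_headers(sample):
        print("Set-Cookie:", value)
```

Delete the matching backend records before sending these headers, since the key is unrecoverable once the cookie is gone.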