Do Not Track

Do Not Track (DNT) is a formerly official HTTP header field, designed to allow internet users to opt-out of tracking by websites—which includes the collection of data regarding a user's activity across multiple distinct contexts, and the retention, use, or sharing of data derived from that activity outside the context in which it occurred.

HTTP
Persistence Compression HTTPS QUIC
Request methods
OPTIONS GET HEAD POST PUT DELETE TRACE CONNECT PATCH
Header fields
Cookie ETag Location HTTP referer DNT X-Forwarded-For
Response status codes
301 Moved Permanently 302 Found 303 See Other 403 Forbidden 404 Not Found 451 Unavailable for Legal Reasons
Security access control methods
Basic access authentication Digest access authentication
Security vulnerabilities
HTTP header injection HTTP request smuggling HTTP response splitting HTTP parameter pollution
v t e

The Do Not Track header was originally proposed in 2009 by researchers Christopher Soghoian, Sid Stamm, and Dan Kaminsky.[1] Mozilla Firefox[2] became the first browser to implement the feature, while Internet Explorer,[3] Apple's Safari,[4] Opera[5] and Google Chrome[6] all later added support. Efforts to standardize Do Not Track by the W3C in the Tracking Preference Expression (DNT) Working Group reached only the Candidate Recommendation stage and ended in September 2018[7] due to insufficient deployment and support.[8][9]

DNT is not widely adopted by the industry, with companies citing the lack of legal mandates for its use, (see Do Not Track legislation) as well as unclear standards and guidelines for how websites are to interpret the header. Thus, critics purport that it is not guaranteed enabling DNT will actually have any effect at all.[10] The W3C disbanded its DNT working group in January 2019, citing insufficient support and adoption.[11] Apple discontinued support for DNT the following month, citing browser fingerprinting concerns.[12][13] As of March 2023, Mozilla Firefox continues to support DNT, where it is turned on by default in private browsing mode and optional in regular mode.[14]

In 2020, a coalition of US-based internet companies announced the Global Privacy Control[15] header that spiritually succeeds Do Not Track header. The creators hope that this new header will meet the definition of "user-enabled global privacy controls" defined by the California Consumer Privacy Act (CCPA) and European General Data Protection Regulation (GDPR).[15] In this case, the new header would be automatically strengthened by existing laws and companies would be required to honor it.[16]