Do Not Track (DNT) and GPC
Do Not Track (DNT) was a browser-sent header asking sites not to track the user. It was never widely honoured and lacked legal force, so it largely faded. Global Privacy Control (GPC) is the spiritual successor: a signal that, under laws like the CCPA/CPRA, regulators have said must be treated as a valid opt-out. This is an educational overview, not legal advice.
What this means
Do Not Track was a header (DNT: 1) browsers could send to ask sites not to track the user across the web. Because honouring it was voluntary and undefined, adoption stalled and most browsers removed or deprioritised the setting. It conveyed intent but carried no enforcement.
GPC: the successor with legal weight
Global Privacy Control is a newer signal designed to express an opt-out of sale/sharing of personal information. Crucially, California regulators have stated that GPC must be treated as a valid opt-out request under the CCPA/CPRA, giving it the legal force DNT lacked. Practically, an operator should honour GPC where the law requires and can choose to honour DNT as a courtesy.
- DNT: advisory header, never broadly enforced
- GPC: opt-out signal recognised under CCPA/CPRA
- Honouring GPC is a compliance step, not just etiquette
How it appears in analytics and logs
A DNT or GPC signal means the visitor's browser is requesting no tracking. Under CPRA, a GPC signal is treated as a legally recognised opt-out you should honour.
Diagnostic use case
Respect DNT and GPC as opt-out signals, knowing GPC carries legal weight in jurisdictions like California while DNT was advisory.
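As an added illustration (not WebmasterID's code), the sketch below classifies the two signals from request headers while keeping them separate, so GPC drives the sale/sharing opt-out and DNT is honoured only as a configurable courtesy. The `Sec-GPC: 1` header name comes from the GPC specification rather than this page; the function names, the `honourDntAsCourtesy` option and the sample requests are hypothetical.

```javascript
// Added example: classify DNT and GPC request headers (not WebmasterID code).
// Assumption: `headers` is a plain object of request headers, such as
// req.headers in Node's http module. Names are matched case-insensitively.

function headerValues(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, raw] of Object.entries(headers || {})) {
    if (key.toLowerCase() !== wanted) continue;
    // Repeated headers may arrive as an array or as a comma-joined string.
    const parts = Array.isArray(raw) ? raw.join(',') : String(raw);
    return parts.split(',').map((p) => p.trim());
  }
  return [];
}

function classifyPrivacySignals(headers, { honourDntAsCourtesy = true } = {}) {
  // Sec-GPC: only the value "1" expresses the preference; "true", "yes",
  // "0" and similar are ignored. Any "1" among repeats counts as opt-out.
  const gpc = headerValues(headers, 'sec-gpc').includes('1');

  // DNT: "1" = do not track, "0" = user allows tracking, otherwise unset.
  const dntValues = headerValues(headers, 'dnt');
  let dnt = 'unset';
  if (dntValues.includes('1')) dnt = 'opt-out';
  else if (dntValues.length > 0 && dntValues.every((v) => v === '0')) dnt = 'allow';

  // Keep the signals separate: GPC is the opt-out of sale/sharing,
  // DNT is advisory and applied only if the operator chooses to.
  const optOutOfSaleSharing = gpc;
  const suppressTracking = gpc || (honourDntAsCourtesy && dnt === 'opt-out');
  const basis = gpc ? 'gpc' : suppressTracking ? 'dnt-courtesy' : 'none';
  return { gpc, dnt, optOutOfSaleSharing, suppressTracking, basis };
}

// Constructed sample requests (not real traffic).
const samples = [
  { 'Sec-GPC': '1', DNT: '1' }, // both signals present
  { dnt: '1' },                 // DNT only: courtesy, not a sale/sharing opt-out
  { 'sec-gpc': 'true' },        // malformed GPC value: ignored
  { dnt: '0' },                 // user explicitly allows tracking
];
for (const h of samples) console.log(h, classifyPrivacySignals(h));
```

Recording `basis` alongside the decision keeps the two signals distinguishable in logs, which avoids the conflation listed under common mistakes.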
What WebmasterID can help detect
WebmasterID honours DNT and GPC and does not set tracking cookies, so a visitor sending either signal is already not being tracked.
Common mistakes
- Assuming DNT was ever legally binding.
- Ignoring GPC where CCPA/CPRA require honouring it.
- Conflating the two signals as interchangeable.
Privacy and accuracy notes
Honouring these signals is good practice and, for GPC, legally relevant. WebmasterID respects DNT/GPC and is cookieless, so it does not track regardless of the signal.
Related pages
- CCPA / CPRA and analytics
The CCPA (as amended by the CPRA) gives California residents rights over their personal information, including a right to opt out of its sale or sharing. For analytics, that turns on whether your tooling discloses identifiers to third parties for cross-context advertising. First-party, minimised measurement narrows the exposure. This is an educational overview, not legal advice.
- Fingerprinting and why to avoid it
Fingerprinting combines device and browser characteristics — fonts, screen, headers, hardware hints — into a quasi-identifier that can recognise a returning visitor without a cookie. Because it is hidden, hard to refuse, and resistant to clearing, browser vendors and privacy regulators treat it as a tracking technique to discourage. Privacy-first analytics deliberately does not fingerprint. This is educational, not legal advice.
- Consent banners and analytics
A consent banner (or CMP) is the interface that asks visitors to accept or refuse non-essential storage and processing. For consent to be valid under EU rules it must be freely given, specific, informed, and unambiguous — which rules out pre-ticked boxes and 'accept-only' dark patterns. Reducing what needs consent in the first place is the cleaner path. This is educational, not legal advice.
- Privacy-first analytics
Honours DNT/GPC and tracks no one by default.
Sources and verification notes
- W3C — Tracking Preference Expression (DNT): Original DNT specification (discontinued work).
- Global Privacy Control — specification
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.