Respecting browser privacy settings

Privacy is a hot topic at the moment, mostly because of news about companies being fined for violating privacy laws. The GDPR in Europe is mentioned especially often, but there are other laws too, like the CCPA in California.

Browsers have had privacy settings for a while. One of these settings is known as “Do Not Track (DNT)”. But websites mostly ignored them for several reasons.

One could argue that ignoring DNT is a violation of the GDPR, but I haven’t heard of anyone being fined for doing so.

This has led to a new “standard” called Global Privacy Control (GPC). It seems to have broad support, more than DNT ever had. Although it is still a proposed specification, you can already use GPC in browsers and extensions.

So the question is: How do you support these privacy settings on your website?

Well, you can either do it on the server by checking HTTP headers, or read the settings from the browser with JavaScript. Below are examples of how to do this.

HTTP headers

DNT: 1
Sec-GPC: 1

Headers must have the string value 1. For example, the value true is invalid. DNT is for “Do Not Track” and Sec-GPC for “Global Privacy Control”.

PHP example

// Do Not Track: only the exact string '1' counts as enabled
$dnt = false;
if (isset($_SERVER['HTTP_DNT']) && $_SERVER['HTTP_DNT'] === '1') {
  $dnt = true;
}

// Global Privacy Control: the Sec-GPC header is exposed as HTTP_SEC_GPC
$gpc = false;
if (isset($_SERVER['HTTP_SEC_GPC']) && $_SERVER['HTTP_SEC_GPC'] === '1') {
  $gpc = true;
}

JS example (client-side)

// Do Not Track: navigator.doNotTrack is the string '1' when enabled
var dnt = false;
if ('doNotTrack' in navigator && navigator.doNotTrack === '1') {
  dnt = true;
}

// Global Privacy Control: navigator.globalPrivacyControl is a boolean
var gpc = false;
if ('globalPrivacyControl' in navigator && navigator.globalPrivacyControl) {
  gpc = true;
}

So you can decide if you want to respect both settings or just GPC. If privacy settings are active, you can skip a privacy consent banner, because you already know the preference. I wonder if more websites will start following this practice or just keep sticking to the consent banners we all love.
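
The decision described above, written out for a Node-style server as an added example (not code from the original post). The helper names headerIsOne, decide and mayTrack, the honourDnt option and the sample requests are assumptions made for illustration. It also returns a Vary value, because a response that differs by these request headers must not be served from a shared cache to a visitor who sent different ones.

```javascript
// Added example; helper names (headerIsOne, decide, mayTrack) are hypothetical.

// True only when the header carries the exact value "1".
// "true", "yes", "0" or an empty value do not count.
function headerIsOne(headers, name) {
  // Header names are case-insensitive; Node lower-cases them, other sources may not.
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === name.toLowerCase()
  );
  if (key === undefined) return false;
  // A repeated header can arrive as an array. Counting any exact "1" is a
  // choice made here so that ambiguity resolves toward the opt-out.
  return [].concat(headers[key]).some((v) => String(v).trim() === '1');
}

// Decide how to treat a request. honourDnt = false means "respect GPC only".
function decide(headers, { honourDnt = true } = {}) {
  const dnt = headerIsOne(headers, 'DNT');
  const gpc = headerIsOne(headers, 'Sec-GPC');
  const optedOut = gpc || (honourDnt && dnt);
  return {
    dnt,
    gpc,
    optedOut,
    // The preference is already known, so no banner is needed.
    showConsentBanner: !optedOut,
    // Send this as the Vary response header when the page differs by signal.
    vary: honourDnt ? 'Sec-GPC, DNT' : 'Sec-GPC',
  };
}

// Tracking needs both: no opt-out signal and explicit consent from the banner.
function mayTrack(decision, consentGiven) {
  return !decision.optedOut && consentGiven === true;
}

// Constructed sample requests (not captured traffic).
const samples = [
  { 'sec-gpc': '1' },
  { dnt: '1' },
  { 'sec-gpc': 'true' }, // invalid value, treated as not set
  {},
];
for (const h of samples) {
  console.log(JSON.stringify(h), decide(h));
}
```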