Why 'Do Not Track' doesn't work

How DNT was supposed to work

The flow was simple. Your browser sends an extra header with each request: DNT: 1. Websites that honour DNT see the header and don't load tracking scripts, don't set advertising cookies, don't share your visit with third parties. In theory.

Why it didn't work

Three reasons, all unfixable:

• No legal force. DNT was a polite request. Honouring it cost ad-supported sites real money. Honouring it was voluntary. Predictably, it was rare.
• No definition of 'tracking'. The standard never agreed on what 'tracking' meant. Sites could honour DNT in name while still doing analytics, fingerprinting, or first-party data sharing.
• Microsoft turned it on by default in IE. The ad industry, already lukewarm on DNT, used this to argue the signal was no longer 'meaningful' (because users hadn't actively chosen it) and ignored it on principle.

By 2019 the W3C closed the working group. Apple removed DNT from Safari to stop misleading users that it did anything. Firefox kept the toggle but warned users it didn't matter.

What replaced it: Global Privacy Control

Global Privacy Control (GPC) is a similar header (Sec-GPC: 1) that signals 'do not sell or share my data'. The difference: in California (under CCPA / CPRA) and Colorado (under CPA), honouring GPC is legally required for businesses subject to those laws. The California Attorney General has enforced this, Sephora paid $1.2M in 2022 for ignoring GPC.

Outside California and Colorado, GPC is still mostly voluntary. But it's the first 'do not track' signal with real teeth in some jurisdictions.

What Dazr does

Dazr sends both DNT and GPC by default. Realistically, neither alone protects you. The harder defences, third-party cookie blocking, anti-fingerprinting, tracker blocking, encrypted DNS, are what actually stop tracking. DNT and GPC are useful for the legal record (especially under California and Colorado law) and otherwise as a small additional signal.