Closed Bug 1462851 Opened 6 years ago Closed 5 years ago

Art. 7 (1) + Art. 21 (5) GDPR: Please only load and run Analytics scripts if navigator.doNotTrack is not 1

Categories

(Websites :: Web Analytics, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: jan, Unassigned)

Details

(Keywords: privacy)

https://gdpr-info.eu/art-7-gdpr/
> The data subject shall have the right to withdraw his or her consent at any time. 

https://gdpr-info.eu/art-21-gdpr/
> In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
* navigator.doNotTrack
* "DNT" HTTP request header

https://developer.mozilla.org/en-US/docs/Web/API/Navigator/doNotTrack
https://support.mozilla.org/en-US/kb/how-do-i-turn-do-not-track-feature
https://support.google.com/chrome/answer/2790761?hl=en

https://support.mozilla.org/de/kb/wie-verhindere-ich-dass-websites-mich-verfolgen
https://support.google.com/chrome/answer/2790761?hl=de
https://www.fachanwalt-it.de/cookies-und-privatsphaere-neue-moeglichkeiten-von-firefox-co/
https://www.gesetze-im-internet.de/tmg/__15.html

Regardless of the legally non-binding Web Standard text, the "DNT" header itself is a direct declaration of the user's will and means "Do not track [me]", as it is described inside browser software and required from browser vendors as an opt-out option by Art. 21 (5) GDPR. It has to be respected and it's not allowed to demand a second revocation attempt from the user via Opt-Out cookie or whatsoever.

It means that I don't want a website to watch me doing something and collect/process any tracking data locally or remotely. It can legally only happen "what I could expect" what would happen, so it's also not possible that I re-consent to tracking without knowing. DNT:1 does not restrict a game to track my mouse activity to let me move inside a virtual world. DNT:1 legally blocks tracking activities related to advertising, market research and personalization (§15 (3) German TMG), for example.

Data can only be processed if the user consented without revocation etc. and if it's necessary. DNT:1 is a revocation of consent related to tracking. That's why no unneeded connection can be established to Google Analytics.

For example https://bugzilla.mozilla.org has 
> <script async src="https://www.google-analytics.com/analytics.js"></script>
in its source code. That is illegal after May 25 if it's sent to EU citizens because there is no local check if there's still a non-revoked consent (whether it's still necessary (legal) to make this connection to a third party whose purpose is tracking).

No panic: The first warning should be free of charge and a Data Protection Authority should also allow time to remedy the deficiency without directly imposing a fine. They will be busy anyway.

Besides being a privacy advocate organization and saying "Demand better of the Internet" (Mitchell Baker), you are currently running a nice privacy campaign in Berlin:
https://twitter.com/alias_eitel/status/997156652276121606
https://twitter.com/wirereporter/status/995002489144594434
https://twitter.com/firefox_DE/status/996365081221959680

(Because this is also a setting within your browser software it may also decline certain capabilities like bug 1454252.)
bug 1515144 and other problems seem to be fixed. Thanks!
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
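
The local check the report asks for, as an added example (not code from the bug, from bugzilla.mozilla.org or from Mozilla): the analytics script element is created only when no Do Not Track signal is set, so no request reaches the third party otherwise. The function names are hypothetical; the fallbacks for `window.doNotTrack`, `navigator.msDoNotTrack` and the legacy `"yes"` value go beyond the `navigator.doNotTrack` check named in the report.

```javascript
// Added example: gate the analytics script on the Do Not Track signal.
// URL taken from the <script> tag quoted in the report.
const ANALYTICS_SRC = "https://www.google-analytics.com/analytics.js";

// Returns true when any known DNT surface says the user opted out.
// Surfaces checked: navigator.doNotTrack (standard), window.doNotTrack
// (Safari, IE 11, legacy Edge), navigator.msDoNotTrack (IE 9/10).
function dntEnabled(nav, win) {
  const candidates = [
    nav && nav.doNotTrack,
    win && win.doNotTrack,
    nav && nav.msDoNotTrack,
  ];
  // "1" is the standard value; old Firefox versions reported "yes".
  // "0", "unspecified", null and undefined all mean "no opt-out seen".
  return candidates.some((v) => v === "1" || v === "yes");
}

// Injects the analytics <script> only when DNT is not set.
// Returns the created element, or null when loading was skipped.
function loadAnalytics(nav, win, doc) {
  if (dntEnabled(nav, win)) {
    return null; // no element is created, so no third-party request is made
  }
  const s = doc.createElement("script");
  s.async = true;
  s.src = ANALYTICS_SRC;
  doc.head.appendChild(s);
  return s;
}

// Browser entry point; skipped when run outside a browser (e.g. under Node).
if (typeof document !== "undefined" && typeof window !== "undefined") {
  loadAnalytics(navigator, window, document);
}
```

This replaces a static `<script async src=...>` tag in the page source; the tag itself must be removed, because the browser fetches it before any script can check the setting.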