gkoberger · a year ago
I was at Mozilla when this was implemented.

It was completely optional for websites to support this. A few did at first.

A lot of people internally wanted it to be on-by-default, but the argument was that if it was, nobody would respect it – after all, what tracking platform would willingly only track the 0.1% of people who went into the settings to enable it? (Internet Explorer did eventually enable it by default, which got them good press but ultimately killed the feature since everyone stopped respecting it.)

Overall, I'm happy to see this sunsetted. I don't think it actually did anything – in fact, I think it implies that it did way more than it did, so it was just a faux feeling of security.

(All that being said, I would love if the cookie modals on each site became browser-level, but I'm sure there's many reasons that hasn't happened yet. And I suspect a big reason starts with a G and ends with an Oogle.)

coldpie · a year ago
> I would love if the cookie modals on each site became browser-level

They are, in a roundabout way. Hop into your uBlock Origin settings and enable the Cookie Banners and Annoyances filters. The modal gets silently nuked in the background and you can carry on with your browsing. Since you never consented, this ought to be functionally the same as Declining the banner.

The Kill Sticky bookmark works similarly, for crappy browsers that don't support uBlock Origin (eg iOS, Chrome for Android): https://www.smokingonabike.com/2024/01/20/take-back-your-web...

(Remember when web browsers used to treat their users first and implemented things like Popup Blocking, enabled by default? I miss those days.)

darkhorse222 · a year ago
As long as someone who does this is prepared to pay for every site they do it on (or forgo the site in the future), since targeted advertising often pays for the site they're visiting. Personally I would like to see ads improved, not removed, as I am unwilling to have 40 different subscriptions to 40 different websites all because every user disabled targeting.

wlesieutre · a year ago
> IE did enable it by default, which got them good press but ultimately killed the feature since everyone stopped respecting it.

That's why RFC 35140 "Do-Not-Stab" specifies that the user agent MUST NOT enable it by default.

https://www.5snb.club/posts/2023/do-not-stab/

araes · a year ago
> most stabbings are not done by malicious actors, they are simply law-abiding companies which will gladly stop stabbing you if you ask.

> The header has only one form, Do-Not-Stab: 1. This is because the lack of a header indicates a clear preference that the user wants to be stabbed.

> Exceptions to the Do-Not-Stab header are accepted when commercial interests outweigh safety concerns. These include: Stabbings requested by a government. Websites SHOULD NOT try to challenge the legality of any stabbings requested, the user probably deserved it.

necubi · a year ago
I worked at one of the big adtech companies at the time. DNT was a carefully negotiated compromise between the ad industry (and by proxy, the sites that depended on it for their income), the browser vendors, and privacy advocates. We implemented DNT in our edge infrastructure and were ready to deploy it.

But then Microsoft broke the agreement by enabling it by default, as part of their war with Google (and after their own adtech ambitions ended in a 6 billion dollar write down on their acquisition of aQuantive). This killed it for everyone.

The ad industry was never going to go for an opt-out version of DNT. It worked while only a minority that cared about it opted-in, but not when the (then) dominant web browser made that choice for all of its users.

I fully understand why people hate tracking and targeted advertising (which has if anything gotten more invasive in the past decade), but at least at the time it was essential to the commercial web.

cpeterso · a year ago
In response, Apache added code to ignore the DNT header from Internet Explorer 10 browsers:

https://www.theverge.com/2012/9/11/3314211/ie10-dnt-header-m...

wkat4242 · a year ago
These days an opt out solution is illegal in the EU and probably more jurisdictions will follow. So enabling by default is normal.

What also would be legal is to offer the user a choice at the first startup.

throwaway48476 · a year ago
> at the time it was essential to the commercial web.

The same could be said about slavery.

firefax · a year ago
> I think it implies that it did way more than it did, so it was just a faux feeling of security.

Flipping that bit increased your browser fingerprint a smidge, ironically :-)

cpeterso · a year ago
Apple removed Safari's DNT support in 2019 (macOS 10.14 and iOS 12.2) for that very reason:

https://www.macworld.com/article/232426/apple-safari-removin...

mmooss · a year ago
I thought DNT was a creative solution:

The only way to stop tracking is via laws or regulations. Technical solutions are, arguably, a never-ending arms race - probably a losing one for end users.

DNT was a way to demonstrate consumer interest in not being tracked, and it put businesses in the position of ignoring explicit requests from consumers for privacy.

Unfortunately, nobody effectively capitalized on that.

HWR_14 · a year ago
Technical solutions seem to work very well. Ad-blockers remain effective.

danaris · a year ago
> but ultimately killed the feature since everyone stopped respecting it

I genuinely doubt that anything could have caused them to respect it. Tracking without consent is the source of their money; they're not going to give that up just because you give a positive signal that you do not consent, rather than simply never asking you in the first place.

bobbruno · a year ago
How about a hefty fine and the risk of some jail time?

dudus · a year ago
I fully agree and have said it for years.

Microsoft is the main culprit of DNT failures.

ASalazarMX · a year ago
DNT is a failure since it relies on advertiser self-regulation. We shouldn't ask them not to track us, we should make it very hard for them to do it.

rkharsan64 · a year ago
Advertisers are the cause of DNT's failure, not Microsoft.

recursive · a year ago
DNT was always doomed to fail. MS just forced the issue.

ganzuul · a year ago
There are lots of entities out there that assume consent.

nonrandomstring · a year ago
In the words of Jonah Aragon [0] "Mozilla constantly fails to understand the basic concept of consent" [1].

[0] https://blog.privacyguides.org/2024/07/14/mozilla-disappoint...

[1] https://cybershow.uk/blog/posts/you-are-too-dumb-for-tech

PittleyDunkin · a year ago
Isn't this the entire point of browsewrapped TOS "agreements"? There's a reason why specifically tracking via cookies had to be singled out by regulation to work at all (putting aside how well or not well this actually works).

cogman10 · a year ago
I have a friend that works in advertisement programming. Quite ironically, "do not track" had the opposite of the intended effect. They didn't store any information about a user, except in the case of the do not track signifier in which case they had special tracking logic to make sure they didn't include that user in their datasets and future user models.

secondcoming · a year ago
All adtech companies (should) do this. The 'special tracking logic' is just a flag that says whether anything considered PII is logged or not.

onli · a year ago
The legal situation has completely changed since then. By now, we have court cases punishing companies for ignoring the dnt signal. And with the gdpr there is a legal framework that makes this signal powerful anyway.

Removing this feature now is completely the wrong move. Instead Mozilla should have invested money to use the courts to make the signal be respected, where it isn't already.

For me, this signals that finally, Mozilla has completely crossed the line. I will look into forks now that retain the signal.

notatoad · a year ago
> I would love if the cookie modals on each site became browser-level,

if the EU regulators who wrote the cookie law had any competence, this is how it would have been implemented. browsers should have a cookie prompt in the UI, not websites.

daveoc64 · a year ago
The law is not about cookies - it's about processing data.

A browser feature to control cookies wouldn't cover everything the law does.

xorcist · a year ago
It should be straight up illegal to share my data with third parties. That's not something I as an end user should be forced to opt in to.

A browser level opt-in would be even more useless than a website prompt. Demonstrably almost no end users understand what they opt in to, and that type of contract should therefore carry close to zero weight.

kuschku · a year ago
> Overall, I'm happy to see this sunsetted. I don't think it actually did anything – in fact, I think it implies that it did way more than it did, so it was just a faux feeling of security.

I'm sad to see this, as many sites actually used it.

Geizhals.de, a major European price comparison site, uses DNT as cookie opt out.

My personal sites, but also the official websites from a few companies I worked at used umami or plausible metrics, configured to obey the DNT header for opt out handling.

And only recently German courts have ruled that the DNT header is legally considered rejection of tracking (Az.: 16 O 420/19)

It's actively used across the web, and Mozilla just decides to kill it? What the heck?

miki123211 · a year ago
I think a new browser could genuinely gain massive popularity if it was really good at this, and advertised the feature heavily, particularly in the EU.

Google will never touch it with a hundred-foot pole due to antitrust concerns, they're effectively banned from making any significant, user-experience-affecting changes to Chrome at this point.

Many people would immediately switch to a browser with 1) reliable Youtube ad blocking, 2) no cookie modals, and possibly 3) no other "distractors", like subscription pop-ups or "related articles" widgets.

Yes, ad blockers and reader mode can sort-of do all three, mostly, ish, but they're not easy to set up for non-techies, particularly on smartphones, even more particularly on iPhones, so a simple marketing pitch of "get this app, have these features" would probably work.

One would have to default to accepting cookies, though. Most users don't care either way, while website owners do. If you defaulted to refusing, they'd try to fight you and make their popups harder to auto dismiss, while auto-accepting would do the opposite.

gkoberger · a year ago
I somewhat agree... but browsers aren't a profitable business. In 30 years of browsers being mainstream, nobody has built one that's sustainable –– only works if it's subsidized by a larger company.

There's been a few attempts (Brave wants to monetize via crypto, Arc is pivoting away), but it's really hard. People don't want to pay for a browser – 99% of people are apathetic, and the 1% that cares aren't known for paying for things.

xorcist · a year ago
I believe what you describe is something very close to Firefox. Enabling uBlock is down to a few clicks, but that does not seem to have helped Firefox gain massive popularity.

rascul · a year ago
> Many people would immediately switch to a browser with 1) reliable Youtube ad blocking, 2) no cookie modals, and possibly 3) no other "distractors", like subscription pop-ups or "related articles" widgets.

Based on Chromium

itscrush · a year ago
I think librewolf gets you most of the way there. Just add a sponsorblock extension and check a few extra lists on its built in ubo.

Does the reliance on Firefox ESR or based on Gecko rule this one out?

binarymax · a year ago
DDG privacy browser and Brave browser are both trying to make this work.

Personally I use FF with lots of blockers and settings on my laptop/desktop, and DDG browser on my mobile.

salawat · a year ago
Here's the thing. Do-Not-Track was an active signal of intent from the user to the backend. Violation therefore, could be proven by merely showing the signal was sent, and the provider ultimately ignored it.

Getting rid of it for being "ignored" is ignoring that it is a means for the User to signal to the rest of us they do not wish to take part in tracking. Which in our world, is the important bit. A provider not being challenged with this bit can argue that the user doesn't mind being tracked because they didn't explicitly say so.

Mozilla is being a complete moron.

ErigmolCt · a year ago
I agree that sunsetting it is the right move, especially if it prevents the illusion of security

elashri · a year ago
I understand that many people here have a bad taste of Mozilla's recent actions in many aspects. But the reality here is that this is at worst removing something that almost nobody respected. It was based on honor system and even in Switzerland they do have random inspections for honor system. Browsers never had any enforcement of this feature. And ironically it was used as additional data point of tracking privacy aware people who went out of the way to enable it.

jeroenhd · a year ago
Medium supported it for ages. Tools like Matomo came with support for it by default.

Firefox has implemented the replacement, Global Privacy Control. It has the exact same problems and isn't respected either, except even fewer websites have implementations that respect GPC.

It's not a real solution to the normalised cyberstalking websites practice today, but it's also not entirely useless.

shortsunblack · a year ago
GPC does not meet GDPR's requirements and cannot be used for gaining consent under GDPR. There already has been a browser signal in design that meets GDPR requirements for consent, but it was ignored. The industry instead rallied behind GPC.

See: https://www.dataprotectioncontrol.org/

Sephr · a year ago
GPC is also a narrower signal implying a smaller subset of privacy choices.

Vinnl · a year ago
Doesn't GPC have at least the force of Californian law behind it?

ddtaylor · a year ago
Remove GPC too.

DyslexicAtheist · a year ago
the conversation / system is rigged. how it should have been done in a fair way:

  1. assume the user by default does not want to be tracked and make do-not-track opt-out.
  2. have it running for a few years and gradually increase the heat on the discussion that nobody respects it.

If it would've been done this way it would've been newsworthy and maybe would've been considered as something to enforce via regulation (at least in EU).

But as it stands do-not-track never had a chance to succeed - I believe that was by intention.

zoezoezoezoe · a year ago
How can we know you didn't want to be stabbed if we don't stab you first?

Dylan16807 · a year ago
I have no idea how you expect to make 2 happen. Your plan doesn't sound like it would work either.

I would say this needs to start with a law, more or less.

orf · a year ago
Oh no, gradually increasing heat in online privacy-focused tech discussions! An adtech company's worst nightmare! How will they survive :(

int_19h · a year ago
That's the biggest reason to keep it - the more user agents support this standard, the easier it would be to write and push legislation backing it.

troyvit · a year ago
I have to second this. It's a voluntary rule used by a browser with the market share that looks more like a rounding error. If this is all somebody was using to depend on their online privacy then they need a class.

In that light removing it might push a few people to apply more protections to their browser and be an overall (if extremely minor) win for privacy.

zamadatix · a year ago
Even more than being ignored it added yet another way to narrow down a fingerprint.

n144q · a year ago
About time. It has never achieved anything meaningful for protecting your privacy, if not helping the opposite by providing yet another signal to help uniquely identify a user and improve tracking.

Although, anti-tracking in general is basically fighting a losing battle. Go to https://amiunique.org/ and you'll see why. I use Firefox with all possible protection mechanics -- "strict" tracking protection mode, uBlock origin, yet I cannot escape first-party tracking.

One striking example: These days browsers may expose how many cores your device's CPU has to websites. That alone could eliminate 80%-90% of users. Combined with user agent, IP, language etc you are pretty much uniquely identified.

https://developer.mozilla.org/en-US/docs/Web/API/Navigator/h...

barnabee · a year ago
What I'd love to see is a default JavaScript environment (ideally across all browsers, but at least in FF) that is sufficiently basic as to be identical for all users with an icon appearing in the address bar when a site wishes to use advanced features that might enable tracking, so that these can be enabled on a case-by-case basis.

Low script rather than no script, if you will.

autoexec · a year ago
> Although, anti-tracking in general is basically fighting a losing battle. Go to https://amiunique.org/ and you'll see why.

The goal shouldn't be to appear non-unique. There are too many little things that will out you. Even if you somehow account for every single one of them today your next browser update could enable more and you can't trust that amiunique.org is looking at every identifying data point either. It's an arms race you're going to lose.

What you want is to be differently unique for each website you visit. Even better if you have JS disabled by default and sites can't collect 90% of the data points your browser exposes at all. The best protection you could get would be to change up IP addresses via VPN and randomize your user-agent and other tells.

kube-system · a year ago
> Even better if you have JS disabled by default and sites can't collect 90% of the data points your browser exposes at all.

There's two gigantic issues with that:

1. Most websites won't work

2. Most people like websites to work, and so they have JS turned on. If you don't, you'll stick out like a sore thumb.

3form · a year ago
There are two orthogonal issues. You're mainly talking about the need of making the tracking (for people who don't want to be tracked) impractical; what also needs to be done is to make it illegal.

I feel like DNT was a "rushed" (i.e. with no legal backing) attempt to achieve the latter.

Sephr · a year ago
> These days browsers may expose how many cores your device's CPU has to websites.

This information could be determined prior to the introduction of navigator.hardwareConcurrency.

I published a timing attack polyfill that derives this information and initially proposed the navigator.hardwareConcurrency API as a replacement for this timing attack polyfill.

In addition to the fundamental utility of this API, browser vendors also saw implementing this as a way to save battery life by making it no longer necessary for websites to benchmark user devices to determine this value.

Sephr · a year ago
Removing this feature harms user agency. This will result in Firefox users having to deal with more annoying consent prompts.

Transcend Consent Management's default configuration opts users out of every unessential tracking purpose (and suppresses automatic consent prompts) whenever DNT is enabled, but only opts users out of "Sale/sharing of info" when only GPC is enabled.

Removing this centralized privacy signal means some users cannot express full opt outs to Transcend Consent Management by default without having to interact with annoying banners.

I believe this change was steamrolled without taking in proper consideration and feedback from the web community. Mozilla made this change so fast that barely anyone noticed the issue before it got closed[1]. To add insult to injury, they've configured their Bugzilla to disallow further comments from non-Mozilla employees after issues are closed.

I shared similar feedback with the Chrome team in 2023 when they were proposing to remove DNT[2]. They considered my feedback and currently DNT is still in Chrome, with its removal indefinitely postponed.

1. https://bugzilla.mozilla.org/show_bug.cgi?id=1928087

2. https://issues.chromium.org/issues/41440843#comment12

dewey · a year ago
That it should exist because one (and there's probably not many) consent managers actually understands and uses this flag is not a strong point in support of that feature.

There's better ways to protect your privacy that don't rely on a best effort voluntary flag that you send to advertisers and hope they accept it.

Sephr · a year ago
Agreed that users need more baseline protections.

Separately, privacy signals are being required by law in some regions. If we're going to have browser level privacy signals in the first place, we might as well support and use them as intended.

kuschku · a year ago
Many consent managers and analytics tools support and use it.

Major sites like Geizhals.de actively use it.

It's been ruled to legally be considered rejection of tracking by German courts (Az.: 16 O 420/19)

Does every feature need 100% market share to be viable?

iLoveOncall · a year ago
> Removing this feature harms user agency

It doesn't, because nobody respects it.

It is actually harmful to have a feature that misrepresents its efficiency to users, especially when it comes to privacy and security.

Nobody should ever feel that they will not be tracked because they enabled do-not-track, because it's wrong.

Removing it is the right thing to do because of this.

drannex · a year ago
Counter: It does, because some organizations and webmasters did respect it.

The other option, Mozilla should have done, is shame companies that did not respect it. A continually updated list, a notification when browsing a site that did not, etc, but the problem comes from this being a vendor issue and that it would not be 100% accurate.

Shaming is the only way this would have worked out, but they didn't, but for the ones who did this out of being a decent organization, they now no longer have a standard to base it on.

shaky-carrousel · a year ago
That nobody respects it is a false statement. Some do. Also that header permits users to signal sites if they want or not to be tracked, avoiding cookie popups.

Edit: I just saw that Firefox supports GPC, which seems a better alternative to DNT.

arp242 · a year ago
So GPC is basically the same as DNT, but according to [1], "GPC improves on DNT in several ways:"

- Legal backing: Unlike DNT, GPC is supported by more laws, like the CCPA, which requires businesses to honor these signals.

- Targeted approach: While DNT broadly addressed tracking, GPC focuses specifically on stopping data from being sold or shared, making it more relevant to today’s privacy needs.

- Better adoption potential: GPC was created with input from regulators, privacy advocates, and industry leaders, to align it with existing laws and address previous gaps in functionality.

But essentially, it's more or less the same.

So it seems it's less "Firefox removes DNT" and more "Firefox deprecates earlier ineffective version of GPC".

[1]: https://www.cookiebot.com/en/global-privacy-control/

jeroenhd · a year ago
> GPC is supported by more laws, like the CCPA, which requires businesses to honor these signals

Because it's off by default? It's the exact same thing, a header with a preset value.

> While DNT broadly addressed tracking, GPC focuses specifically on stopping data from being sold or shared, making it more relevant to today’s privacy needs.

My needs are not being tracked. The tracking is what comes before the selling. I don't want to opt out of selling, I want to opt out of tracking.

> Better adoption potential: GPC was created with input from regulators, privacy advocates, and industry leaders, to align it with existing laws and address previous gaps in functionality.

"Gaps in functionality"? The difference between GPC and DNT is that DNT sends "DNT: 1" and GPC sends "Sec-GPC: 1".

Companies that never respected DNT aren't going to respect GPC. The only difference here is that IE doesn't have GPC enabled by default, but it does have DNT enabled by default.

JohnFen · a year ago
> Companies that never respected DNT aren't going to respect GPC.

It depends. While I agree that GPC is technically just a more complicated form of DNT, the major difference is that DNT is 100% optional for websites to honor, which is why they don't, but GPC becomes mandatory for nations that have reasonable laws around tracking. Companies operating in those nations will honor it because there are legal penalties if they don't.

dpifke · a year ago
If I understand correctly, DNT is being deprecated in favor of a new proposal, "Global Privacy Control": https://w3c.github.io/gpc/

So instead of sending the header:

DNT: 1

Firefox will now optionally (via a different setting than was used for DNT) send:

Sec-GPC: 1

I'm unclear on why anyone thinks this is a useful change. As a website owner who previously implemented anonymization code activated in the presence of a DNT header, I guess I can add code to also look for Sec-GPC, but this feels like churn for the sake of churn.

It also feels ridiculous that Mozilla can't just send both headers if the same browser preference is checked, rather than requiring websites to look for both. I get that they want stronger promises around "Sec-GPC" than around "DNT", but the latter is a subset of the former, so why not update the client-side checkbox description, and then send both?
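
Added example, not part of the thread and not any commenter's or vendor's code: one way a site could honor both `DNT: 1` and `Sec-GPC: 1` when writing an access-log record. The purpose names, the record fields and the policy (DNT opts out of every non-essential purpose, GPC alone only of sale/sharing, as one commenter above describes for a consent manager's default) are assumptions for illustration.

```python
import ipaddress

# Hypothetical purpose names for this example; not from any real consent manager.
ALL_NONESSENTIAL = frozenset({"analytics", "advertising", "sale_or_sharing"})


def privacy_signals(headers):
    """Return (dnt, gpc) from an iterable of (name, value) header pairs.

    dnt: True for "DNT: 1", False for "DNT: 0", None when absent or invalid.
    gpc: True only for "Sec-GPC: 1"; any other value is treated as absent.
    Header names are matched case-insensitively. If DNT is repeated with
    conflicting values, the opt-out ("1") wins.
    """
    dnt, gpc = None, False
    for name, value in headers:
        name, value = name.strip().lower(), value.strip()
        if name == "dnt" and value in ("0", "1"):
            dnt = dnt is True or value == "1"
        elif name == "sec-gpc" and value == "1":
            gpc = True
    return dnt, gpc


def opted_out_purposes(headers):
    """Map the two signals to the purposes the visitor has declined (assumed policy)."""
    dnt, gpc = privacy_signals(headers)
    if dnt:
        return ALL_NONESSENTIAL
    if gpc:
        return frozenset({"sale_or_sharing"})
    return frozenset()


def truncate_ip(addr):
    """Zero the host part: keep a /24 for IPv4 and a /48 for IPv6."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def access_log_record(headers, remote_addr, visitor_id):
    """Build the record that would be stored for one request.

    The record does not store which signal was sent, so the header itself
    does not become one more stored attribute of the visitor.
    """
    declined = opted_out_purposes(headers)
    anonymize = "analytics" in declined
    return {
        "ip": truncate_ip(remote_addr) if anonymize else remote_addr,
        "visitor_id": None if anonymize else visitor_id,
        "share_with_partners": "sale_or_sharing" not in declined,
    }


if __name__ == "__main__":
    # Constructed sample requests (documentation address ranges, made-up visitor ids).
    samples = [
        ([("DNT", "1")], "203.0.113.77", "v-123"),
        ([("sec-gpc", "1")], "2001:db8:abcd:12::1", "v-456"),
        ([("User-Agent", "example")], "203.0.113.77", "v-789"),
    ]
    for hdrs, addr, vid in samples:
        print(hdrs, "->", access_log_record(hdrs, addr, vid))
```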

ziddoap · a year ago
The "Do Not Track" signal was more useful as an additional fingerprinting signal than it was at stopping tracking.

Perhaps now we can get something more robust in the works.

shakna · a year ago
Deprecated in 2018. Removed in 2024. That doesn't seem like a timeline to take anybody by surprise, for a thing that was used to do the exact opposite of its purpose.