May 14, 2018
Respect “Do Not Track” Parameter with Google Tag Manager
Updated: May 14th, 2018 (added support for Internet Explorer and Edge).
Since the dawn of GDPR is getting really close, marketers, web analysts and others are rushing to be compliant. I have to be honest, I still feel confused a bit about how this (so you’re not alone), therefore do not ask for a legal compliance advice from me. I’m not the right person.
By the way, if by any accident you had been living on an uninhabited island for the last several years and just returned to the civilization today, here’s a pretty detailed but easy-to-digest guide to GDPR (prepared by my colleagues at Omnisend).
Anyway, back to the main topic of this blog post. For those who didn’t know, there’s a parameter that internauts can enable in their browsers called Do Not Track. And in this quick guide, I’ll show you how to honor that parameter in GTM and block tracking scripts accordingly.
What is Do Not Track?
Do Not Track is a technology and policy proposal that enables users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms. You can find a more technical description here.
As far as I know, web tracking tools usually ignore this setting (GA is not an exception), therefore, if you want to respect it, you (or your developer) should set things up by yourself (directly in the code or via Google Tag Manager).
Do Not Track is a nice way to be more honest and fair as a marketer (or web analyst, or whatever) to people who have specifically requested not to be tracked, and you’ll give those people faster page load times to boot.
Anyway, correct me if I’m wrong (which is totally possible in this context), but I’m pretty sure that respecting this parameter is not required by the GDPR. There are other measures that businesses around the globe must implement, like a consent to track + manage personal data.
In this case, Do Not Track is like an additional nice-to-have instrument not to get screwed by the regulations (you know, just in case). Once again, I might be wrong but after doing various searches, I did not find Do Not Track being explicitly mentioned.
Update: One of the readers, Vincent, chimed in and gave his version of the Do Not Track and its necessity in the context of GDPR. He quotes GDPR’s Article 25:
5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
Vincent believes that DNT is within the scope of an automated means using technical specifications. And you know what, that sounds convincing, therefore, I updated this blog post with his comment.
Nevertheless, you should not follow this blog post as a legal advice, always consult real lawyers first. The purpose of my post is to show the technical possibilities and how GTM can help you achieve them.
How do people enable it?
By default, Do Not Track is disabled in the modern browsers but users can enable it right away. Here are several instructions, you can check if you like: Chrome, Firefox, IE, Edge, Safari, Opera.
After this is done, with every HTTP request, your browser will also send a parameter DNT: 1 (which means Do Not Track: True).
Setting Google Tag Manager to Respect Do Not Track
So here’s the plan. We’ll somehow identify whether a visitor is willing to be tracked or not (in other words, whether Do Not Track is enabled). Then we’ll use this fact in triggers which fire tracking tags.
In fact, identifying a browser with Do Not Track enabled is pretty easy. Just create a JavaScript Variable with value navigator.doNotTrack. That’s one more use case for the underrated JavaScript Variable (by the way, I’ve posted a guide about it).
In Google Tag Manager, open a Container where you’ll be implementing this feature. Go to Variables > New, then click Variable Configuration.
Choose JavaScript Variable as a Variable Type and enter navigator.doNotTrack (just like in the screenshot below):
If you want to test it, go ahead and enable GTM Preview and Debug mode (or refresh it). If you haven’t enabled the Do Not Track before, then this JavaScript variable will return null.
Now enable that Do Not Track parameter in the browser and refresh the page where you’ve enabled GTM Preview Console. Reminder – here are the links to the most popular browsers: Chrome, Firefox, IE, Edge, Safari, Opera.
Now, the value of that JavaScript variable should be “1”.
Update #2! READ THIS! In the comment section of this blog post, Jen pointed out that navigator.doNotTrack works only with non-Microsoft browsers. In other words, Internet Explorer and Edge would still be tracking visitors.
In response, here’s a more robust solution, custom JavaScript variable which also supports the latter two browsers. Instead of the aforementioned JavaScript variable create this one:
- Type: Custom JavaScript
- Paste this code (if the variable returns “1”, then Do Not Track is enabled, otherwise it will be undefined<script>
function () {
if (navigator.doNotTrack == "1" || window.doNotTrack == "1") {
return "1";
}
}
Blocking tracking scripts
The last step, let’s block all tracking scripts if Do Not Track JavaScript variable equals to one. There are two ways how you can do that:
#1. Update all current triggers by adding an additional condition to each one of them: JavaScript – doNotTrack does not equal to 1.
#2. Or create a blocking trigger and add it as an exception to all tracking tags within GTM container. Here’s a trigger:
This trigger meets the criterion of EVERY event when Do Not Track is enabled. Now add this trigger as an exception to EVERY tracking tag (GA, Adwords, etc.) that you have in the Google Tag Manager container.
Done! Whenever a visitor has enabled the Do Not Track parameter, all updated tags will not fire.
Final words regarding Do Not Track Parameter in Google Tag Manager
User and visitor privacy is becoming a greater concern every day (especially in the current context of GDPR, Facebook scandal, etc.) and Do Not Track parameter is one of the things you should take into the account while implementing tracking features on a website/web app.
If a visitor lands on a page and his browser sends “Do Not Track” parameter, this should be considered as an explicit opt-out and you should disable all tracking. Thanks to GTM, that’s pretty easy to do.
11 COMMENTS
In my opinion, GDPR does require honouring DNT. A DNT:1 signal is a valid browser setting communicating a visitor preference. It could also be interpreted by regulators as an exercise of the right to object to profiling.
There only need be one complaint to any of the EU regulators concerning a DNT signal being ignored for the prosecution process to begin. This will eventually establish case law on the subject. Any website operator choosing to ignore DNT does so at their peril.
I will not argue that and you might be right. It would be even better if you could give me a reference where this is mentioned in the GDPR (at least in which recital) so I could update the blog post and inform the readers.
GDPR does not describe DNT specifically. It is down to an individual's intepretation until case law exists on the subject. My intepretation is based on the following, but mostly Article 21, 5.
Article 25, Data protection by design and by default,
1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects
- Web browsers started supporting DNT in 2010
- DNT can additionally be considered an instruction to perform minimisation
Article 18, Right to restriction of processing,
1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
- Not honouring DNT status may have to be notified.
Article 21, Right to object
1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
- I believe that Google ads are an information society service
- I believe DNT is within the scope of an automated means using technical specifications
Make sense, thanks. I'll update the blog post accordingly later today.
Updated. Thanks again!
Hi Julius,
Thanks for this post. I just checked this on my blog and yes, GA PV tag was still firing even though I turned the DNT option in Chrome. Would you know why GA is able to circumvent this privacy option in their own browser?
Also, post 25th May - do you know if this will change or will we still need to setup the exceptions as per the instructions shared above?
Hey, unfortunately, I don't know the reason behind this and I'm not aware what will happen after May 25th, so the best option would be to prepare on your own and follow tips I've listed in this guide.
Cheers
Hi Julius,
Just created a thread on GTM product forum. It can be followed on the below link. Hopefully, somebody can weigh in on why GA/GTM is able to fire even with this privacy setting on.
https://productforums.google.com/forum/#!topic/tag-manager/ZuKHly0-c10;context-place=forum/tag-manager
Good idea, thanks! Let's see what others have to say.
navigator.doNotTrack does not work in IE and Edge, right? they use window.doNotTrack. Is there a way to combine this?
Good catch, Jen! I've just updated the post with Custom JavaScript variable which supports Microsoft and Non-Microsoft browsers