Mozilla Connect

Firefox 135 has removed the feature of sending a "do not track" header, as it was not respected by most websites. To clarify, DNT is still available through about:config and is automatically enabled in "Strict" tracking protection and private windows, but it has been removed from the normal browser settings, where it now only shows the option to enable GPC.

My idea is to merge DNT and GPC into one visible settings. So you would have "GPC & DNT both enabled" or "both disabled". I understand the concern of the DNT signal adding further fingerprinting potential. However, if we just merged DNT into the GPC feature, this should not be a problem. 

Some context why DNT is still worthwhile to keep as a privacy feature:

In 2011, Mozilla brought us the wonderful Do Not Track feature. It was soon adopted by other major browser makers. In 2014, it became law for any website offering service to Californians to include a Do Not Track disclosure in its privacy policy. Do Not Track became a standard aspect of privacy policies. Today privacy policy generating tools have made it easy for a website to disclose a Do Not Track stance. Today numerous analytics tools make it simple for a website to implement a Do Not Track choice. Multiple websites demonstrate example code for how websites can implement a Do Not Track choice for the remaining analytics tools. At least one cookies consent tool will silently obey Do Not Track to avoid an annoying user prompt.

Many websites have disclosed a stance of not obeying Do Not Track. This disclosure is very useful because it can give users a consistent and efficient way of evaluating a website's stance on using user data. With a web search for "name-of-website do not track privacy policy" a user can perform this evaluation before even deciding to visit a website.

Hundreds of websites have instead chosen to disclose a stance of obeying Do Not Track. These websites include medical offices, restaurants, websites for children, government websites, and many other subjects. Some of these websites may not ever service Californians but perhaps those websites like the principle of Do Not Track and have chosen to adopt it.

Statistics over the last 6 years demonstrate more than 22% of Internet users enabling Do Not Track. Statistics from 2024 indicate 32.5% of users use an addon to block JavaScript. Taking an estimate of 75% of users who enable Do Not Track also being users who would use an addon to block JavaScript would mean 16.5% of users doing both. 16.5 is more than half of 32.5. For fingerprinting, all users are recommended to enable Do Not Track, to blend in with the majority for users who block JavaScript or because other forms of JavaScript fingerprinting can already uniquely identify users who do not block JavaScript.

Mozilla statistics for Firefox Do Not Track usage may be lower due to possible forms of bias and any percentage tracked by Mozilla can be considered a minimum value. Bias can come from multiple scenarios. Users who use DNS to block Firefox telemetry are likely the type of people who will enable Do Not Track and Mozilla will not record these users. Public institutions offering computers for public usage and school computer rooms may restore a default profile for each user, meaning Mozilla may collect the default Do Not Track value before a user has a chance to enable the setting, and the Firefox profile may be reset when the user logs out before Mozilla has a chance to record the user's choice.

California law apparently allows users rights regarding sensitive personal information. Four categories are relevant: a) selling user data to fourth parties, b) sharing user data with fourth parties, c) sharing user data with third party analytics products, and d) the website's use of user data. For the purpose of discussion, the wording "fourth parties" is used to indicate third parties which are not analytics services.

According to research by Steve Gibson from visiting a popular technology website, an enabled Global Privacy Control signal limits a) and b) but does not limit c) and d). Examined implementations of Do Not Track limit c), meaning a), b), and d) are implicitly limited when a website obeys Do Not Track signals since you cannot sell, share, or use what you did not collect.

Steve Gibson also described how Global Privacy Control was developed on that popular website to examine a user's location and only apply the minimum legal requirements. At the time of his research, privacy law in Virginia existed but since it did not explicitly mention Global Privacy Control, the website was not expected to obey a Global Privacy Control signal from a user in Virginia. Examined implementations of Do Not Track apply the setting universally to all Internet users on websites which obey Do Not Track signals.

Steve Gibson further clarifies by saying in contrast to Do Not Track, Global Privacy Control is explicitly not about preventing tracking.

Businesses in Germany are legally required to obey Do Not Track signals.

There are sufficient reasons to maintain both Do Not Track and Global Privacy Control in Firefox's user interface, with them serving different roles and being supported by different legal frameworks.

Related bugs: https://bugzilla.mozilla.org/show_bug.cgi?id=1936761 and https://bugzilla.mozilla.org/show_bug.cgi?id=1949550