The Do-Not-Track protocol both enables user control over tracking, and the delivery of "machine-readable claims" regarding the tracking behaviour of servers or web applications. This document addresses the latter transparency aspects, in light of European legal requirements.


EU Privacy law requires that access to user agent storage is only allowed if the user has given consent, or that the storage is used for a limited set of exempted purposes. In addition EU Data Protection law says that personal data cannot be processed unless the purpose for the processing is claimed from the outset to be covered by at least one of 6 legal bases, the first of which being consent. In either case consent must be "freely given, specific, informed and unambiguous and based on a user's actions", and (under the draft ePrivacy Regulation (ePR) proposal), "may be expressed by using the appropriate technical settings of a software application enabling access to the internet", and that "users shall be given the possibility to withdraw their consent at any time".

The information given to the user must therefore:

In addition Data Controllers have a responsibility to ensure that personal data is "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing" (GDPR A.1(f)) and "in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing" (GDPR Recital 39). This is directly applicable to the risk of delivery of malware onto user agents, especially when this results from deliberate insertion of subresource elements within website content.

Information about the potential tracking behaviour of resources can be delivered to the user within website content or by intrinsic user agent functionality. Websites can obtain the required information to do this relatively easily, whereas user agents can only present information gleaned from the automated examination of responses e.g. limited technical details about cookies and subresources. There is no standardised way for user agents alone to impart information that can only be known by an application's developers, such as the identity of the data controller(s) or of any data processors, their purposes for data collection and contracted relationships with other parties that may be present.

The TPE enables information to be available at arbitrary times by specifying it in the Tracking Status Resource, or presented at the time consent is registered within parameters to the API.

The need for changes to the existing TPE

The properties currently defined in the TSR need improvement in the following areas:

User agents are already able to act on information presented in the TSR

A site-wide tracking status resource provides information about the potential tracking behaviour of resources located at that origin server. For example, in the current TPE, a user agent might choose to exclude, or perform additional pre-flight verification of, requests to other domains that have not been claimed as same-party by the referring site.

The proposed ePrivacy Regulation will apply to user agent providers ("software providers permitting electronic communications"), where Article 10 requires them to help protect data stored there. In order to accurately recognise this data, and to minimise the need for arbitrary domain blocking or other withdrawal of functionality, the TSR can be a useful conduit for web application declarations about data use.

Tracking Status Representation - Additional Properties

Status Object

The tracking status representation can have the following additional properties, as illustrated by the following Orderly schema [Orderly]:

object {
    string tracking;                 // as per the Orderly schema in the TPE
    array { string; } compliance?;   //                 ''                   
    string qualifiers?;              //                 '' 
    array { string; } controller?;   //                 ''
    array { string; } same-party?;   //                 '' 
    array { string; } audit?;        //                 '' 
    string policy?;                  //                 '' 
    string config?;                  //                 '' 
    array { object { string name;                // Legal name of the data controller
                     string address?;            // postal address of head office of controller
                     string email?;              // email address for main contact
                     string tel?;                // main telephone number for controller
                     string about?;              // URI of a web page describing the Data Controller
                     object {
                                name?;           // name of person primarily responsible for data protection or privacy issues
                                address?;        // postal address of this person
                                email;           // contact email address of this person
                                tel?:            // contact telephone number of this person;
                            } DPO?;              // details of primary Data Protection or Privacy Officer
          } controllerDescription;   // object identifying the data controller(s) (perhaps jointly) responsible for this website;
    array { object { string domain;  // domain name for a known embedded resource i.e. managed by the first-party sites, its data processors or any other entity
                     string category? ["P", "N", "S"] 
          } otherParties?; // an object declaring the domains of all the resources (other than the first-party top-level domain) embedded by the site
    object { long overall_retention?; // A positive number of seconds indicating the overall maximum lifetime of all client storage used by this origin.
             array object { string name; // the user readable name for this storage item, e.g. for a cookie this could be the "name" component.
                            string type ["C","L","I","E","O"]; // storage type C = a cookie, L = localStorage item, I = indexdedDB table, "E" = cache item e.g. ETag, "O" = other storage. 
                            string match; // a regular expression used to match an item of storage when applied to the item name or cookie name and value pair
                            array { object { string ["S","F","A","T","Pf","Pl","Ps"]* code; // codified purpose for this storage item- see below
                                             string description? } // optional further text for further describing the purpose of this storage item
                                    purpose; }; // object for defining purpose for using this client data item
                            array { string sharedWith; }; // the main domains names managed by the entities the data may be shared with.
                            long retention?; // A positive number of seconds indicating the maximum lifetime of the storage item.
                            string deleteDataUri; // URI of resource that if sent a POST causes this data item on this origin to be deleted
           } declaredData; // matches any client data item e.g. a cookie, item in localStorage etc., used by the origin server
    string deleteAllDataUri?; // URI of resource that if sent a POST causes all tracking data on this origin to be deleted


An origin server MAY send a property named controllerDescription containing an array of objects representing one or more Data Controllers jointly responsible for an origin. If a controllerDescription exists it MUST contain a string property name indicating the legal name of the Data Controller entity. Additional optional properties are:


An origin server MAY send a property named otherParties containing an array of objects representing the domains of all resources that the controller has determined may be embedded by any resource with this origin. Each object contains a string domain indicating the URI authority name of an embedded party target, along with an optional category value of either "P", "N" or "S".

A category of "P" indicates that the party owning the domain can receive personal data and has contracted with the origin server as a Data Processor. If the party owning the domain is known not to receive personal data from the interaction the code is "N". "S" indicates that the domain is managed by the site owner (i.e. one of the entities indicated by the controllerDescription array). Each embedded domain should contain a TSR with an otherParties property declaring its own expected embedded resources. This information can be used by browsers, browser extensions or script libraries to help protect user privacy by blocking, inhibiting or managing the actions of resources that are not so declared by the embedding site.


This is an object representing user agent storage employed by the origin server for tracking or other purposes. This gives the origin server the ability to transparently describe in a standardised way the overall retention time for client storage and the purpose and retention period for each storage item.

User agents MAY present this information to the user, and privacy regulators, audit services etc. will be able use website scanning tools to verify it. In addition Privacy Enhancing Technology components, such as TrackingBlocker or AdBlocker extensions, can make intelligent decisions regarding content blocking or storage removal when enforcing a user's privacy preferences.

The object contains a long integer overall_retention a positive number of seconds indicating the maximum lifetime of all the declared data, and an array of objects describing individual storage items controlled by the origin server. Each of these contains a selector string used to match the name or name-value pair of a particular item , a string type representing the class of storage used where "C" is an HTTP cookie, "L" is local HTML5 storage, "I" is indexedDB, "E" is information stored in the browser cache such as "If-Then-Else/Etag" values, and "O" is any other form of storage. The selector string MAY contains a = character to demarcate between Regex match strings for the name and value of a name-value pair. The purposes for each item is encoded in the purpose array of objects. Each purpose object contains a short purpose identifier code and an option string description further describing the purpose. The code property MUST contain one or more of the following purpose identifiers.

N.B. Maybe the Qualifiers property should have the same coding.
Code Purpose Definition
S Necessary Strictly necessary to fulfil a service requested by the user.
F Functional Retains information in the user agent solely used to retain state between HTTP transactions without a unique user identifier. Any data retained is generic in nature and will not be used to profile the user.
A Analytics Used to collect anonymous statistical information about visitors to a web site. No attempt will be made to single-out the user for profiling purposes. Any unique identifier used will not be shared with any other party.
T Tracking Used to single-out or track a user, i.e. a unique user identifier. If this is shared with another party their domain MUST be indicated in the sharedWith attribute below.
O Opt-out This identifies an HTTP cookie used by some non-standard systems to indicate that a user has opted-out from tracking. If the same cookie name is also used as a UID tracking identifier then the selector must uniquely identify the opt-out case e.g. UID=opted-out. A properly identified opt-out cookie MUST not be deleted by a user agent when other storage is deleted, for example when the overall_retention period expires.
Pf Permitted frequency capping Used for frequency capping, i.e. to limit the number of times that a user sees a particular advertisement, as long as the data retained do not reveal the user’s browsing history.
Pl Permitted financial logging Used for financial logging, i.e. for billing and auditing related to the current network interaction and concurrent transactions. This may include counting ad impressions to unique visitors, verifying positioning and quality of ad impressions and auditing compliance with this specification and other standards.
Ps Permitted security Used for security, i.e. to the extent reasonably necessary to detect security incidents, protect the service against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible for such activity, provided that such data is not used for operational behaviour beyond what is reasonably necessary to protect the service or institute a graduated response.
The long integer retention contains a positive number of seconds indicating the maximum lifetime of the storage item. The optional array of strings sharedWith represents the main domains of any entities that this data item is shared with.


An origin server MAY send a property named deleteDataUri indicating the URI (relative to the origin domain) of a resource that will, in response to a PUSH, PUT or DELETE request, delete all data held for this origin in the user agent. In many cases this would be the resource advertiser exchanges use for the self-regulatory Opt-out iframe.