Do Not Track (DNT) let browsers ask sites not to track you, but adoption collapsed. See how the header worked, why it failed, and how GPC replaced it.
For a few years, most browsers shipped a checkbox that promised something simple: tell websites not to track you, and they'll listen. That was Do Not Track (DNT) — a single HTTP header and a matching JavaScript property, navigator.doNotTrack. It never had any technical enforcement behind it; it worked only if the receiving site chose to honor it. Almost none did, and by the mid-2020s every major browser had removed the setting. Its successor, Global Privacy Control (GPC), is built on the same one-bit signal but backed by actual law in a growing number of jurisdictions.
Key Takeaways
- DNT was a voluntary HTTP header (
DNT: 1) plus a JavaScript property (navigator.doNotTrack) — a request, not an enforcement mechanism. - The W3C Tracking Preference Expression spec that formalized DNT was abandoned in 2019 without reaching full standardization.
- Sites had no legal obligation to honor DNT, adoption among ad-tech and publishers stayed negligible, and Apple, Google, and Mozilla have all since removed or deprecated the browser setting.
- Turning DNT on made you more identifiable, not less: it added one more bit of entropy to your fingerprint precisely because so few users enabled it.
- Global Privacy Control (GPC) reuses the same header/signal idea but is recognized as a valid opt-out request under laws like the CCPA/CPRA in California, giving it teeth DNT never had.
What the DNT header actually is
Do Not Track works at two layers that mirror each other. On the wire, a browser that has the setting enabled sends a header on every HTTP request:
DNT: 1
A value of 0 explicitly signals "you may track me," and omitting the header entirely means "no preference expressed." Client-side, the same state is exposed to JavaScript so a page can read it without inspecting headers:
console.log(navigator.doNotTrack); // "1", "0", or null depending on browser/setting
That's the entire mechanism. There is no cryptographic proof, no server-side check, and no consequence for a site that reads DNT: 1 and ignores it. DNT was, by design, a polite request layered on top of an ordinary HTTP header — its success depended entirely on voluntary compliance from the sites receiving it.
navigator.doNotTrack vs. the header, and a short history
The header and the JavaScript property were meant to stay in sync, but browsers didn't converge on the same return values or default states, which made feature-detecting DNT reliably annoying for developers. Firefox returned "yes"/"no"/"unspecified" for a time before aligning closer to the "1"/"0"/null convention other browsers used.
The timeline, broadly:
- 2009 — Researchers and privacy advocates proposed a "Do Not Track" HTTP header, modeled loosely on the FTC's "Do Not Call" registry.
- 2011 — Firefox shipped the first built-in DNT toggle; Internet Explorer, Safari, and Chrome followed within a couple of years.
- 2011–2019 — The W3C's Tracking Protection Working Group tried to standardize the semantics and a compliance spec, but advertising-industry members and privacy advocates never converged on what "compliance" meant.
- 2019 — The W3C formally closed the working group; the Tracking Preference Expression spec was never advanced past Candidate Recommendation.
- 2020s — Apple removed the Safari DNT setting in 2019 (calling it a fingerprinting risk), and other browsers followed suit or quietly stopped surfacing it in settings UI, even though
navigator.doNotTrackmostly still exists for compatibility.
Why websites ignored it
DNT asked sites to change business-critical behavior — stop tracking, stop building ad profiles — with nothing enforcing the request beyond goodwill. A handful of publishers and analytics vendors respected it, but the ad-tech industry broadly did not, and no law required them to. Standardization stalled for the same reason: the working group needed agreement on what "tracking" even meant and what a compliant response looked like, and advertisers had every commercial incentive to resist a strict definition. A voluntary opt-out with no penalty for ignoring it, aimed at an industry whose revenue model depends on tracking, was never going to reach meaningful adoption. That mismatch between the technical concept, deployed browser support, and legal enforcement is the actual reason DNT died — not a missing feature in the header itself.
The fingerprinting irony
Here's the twist that makes DNT relevant to a fingerprinting discussion at all: enabling it could make you easier to single out. Any signal that most users leave at its default value adds entropy when a smaller group deviates from that default. Because so few users ever turned DNT on, DNT: 1 (or navigator.doNotTrack === "1") became a rare, distinguishing value rather than an anonymizing one — it's just one more attribute a fingerprinting script can fold into a combined identifier, alongside your User-Agent Client Hints, canvas output, and installed fonts. A privacy setting that only a small, self-selected minority enables works against its own goal: the more uncommon a signal is, the more it narrows down who you are. This is the same entropy principle covered in our complete guide to browser fingerprinting — uniqueness, not the content of any single bit, is what makes a fingerprint effective.
Global Privacy Control (GPC): DNT's legally-backed successor
GPC keeps the same shape as DNT — a browser sends a lightweight signal (an HTTP header, Sec-GPC: 1, plus a matching navigator.globalPrivacyControl JavaScript property) — but changes what backs it. The GPC specification, developed under the W3C's Privacy Community Group, was designed from the outset to map onto existing "Do Not Sell or Share My Personal Information" opt-out rights created by laws such as California's CCPA/CPRA. In jurisdictions where those laws apply, a site receiving Sec-GPC: 1 has a legal obligation to treat it as a valid opt-out request — the same one-bit signal DNT sent, but now with regulatory consequences attached to ignoring it.
That legal backing is the entire difference. GPC didn't need new tracking-detection technology or a smarter protocol; it needed a jurisdiction willing to say a browser signal counts as an enforceable consumer request. Several browsers and privacy extensions — including Brave, DuckDuckGo, and the EFF's Privacy Badger — enable GPC by default or offer a one-click toggle, which is itself a lesson from DNT's failure: a default-off, opt-in signal that almost nobody enables carries little practical weight, legal backing or not.
How to check whether GPC is active in your browser
console.log(navigator.globalPrivacyControl); // true if GPC is enabled and being sent
If this returns true, your browser is sending Sec-GPC: 1 on outgoing requests. Not all browsers support the property or the header yet, so undefined doesn't necessarily mean tracking is happening — it may just mean the browser hasn't implemented GPC.
Frequently Asked Questions
Is Do Not Track still supported by browsers?
The navigator.doNotTrack property still exists in most browsers for backward compatibility, but the user-facing setting has been removed or hidden in Safari, and Chrome and Firefox no longer promote it as a meaningful privacy control. Even where it's technically present, expect it to be ignored by the vast majority of sites.
Does GPC actually work better than DNT?
Legally, yes, in jurisdictions that recognize it — GPC counts as a valid opt-out request under laws like California's CCPA/CPRA, meaning covered businesses face real compliance obligations if they ignore it. Technically, it's the same kind of lightweight signal DNT was; the difference is entirely in what backs enforcement, not in the protocol.
Should I turn on DNT or GPC to reduce my browser fingerprint?
Enabling GPC where your browser supports it is worth doing for its legal opt-out effect in covered jurisdictions, but neither DNT nor GPC reduces your fingerprint — both add one more distinguishing bit read by any script that checks for them. If your goal is minimizing fingerprint surface specifically, addressing canvas, WebGL, font, and audio signals matters far more; see our browser fingerprinting guide for the full picture.
Why did Apple remove the DNT toggle from Safari?
Apple stated in 2019 that because so few users changed the setting from its default, DNT had become a way to help identify and track users — the opposite of its intent — and removed the UI toggle from Safari as a result.
Test what your browser sends
You can check your own DNT and GPC signals directly in your browser's console with navigator.doNotTrack and navigator.globalPrivacyControl. BrowserInsight's fingerprint check surfaces these values alongside the rest of your fingerprint, and our privacy tools comparison covers the VPN, proxy, and Tor options that address IP-level tracking that a header-based signal like DNT or GPC never touched in the first place.

