What *Do Not Track* really does (and what it doesn’t)

Despite instructing a Marketo Community member to “search my posts” the other day, I ran a search myself and there wasn’t a one-stop explanation of what Do Not Track (DNT) means in Marketo (on a deeper technical level than you get on the official doc page). So here goes.

As you probably know already, there are 2 DNT options, Ignore and Support:


We won't worry about Ignore.

But what does it really mean to select Support? On a technical level, it means one specific thing:

If a user's browser sends the DNT: 1 HTTP request header along with a Munchkin-logged pageview or link click, Marketo will not save the activity to the Activity Log database.

So here are some things Do Not Track = Support does not do:

  • it does not stop gathering Clicked Email stats: email clicks are still tracked unless you separately turn off link tracking
  • it does not stop the Munchkin JS components (.js files) from loading
  • it does not stop Munchkin from setting its tracking cookie (_mkto_trk)
  • it does not stop Munchkin from initializing and sending a Visit Web Page hit (assuming you're using the default configuration which always sends a VWP on startup)
  • it does not stop Munchkin from sending Clicked Link hits for <a> tags on the page

But again, here's the very important thing it does do:

  • it does stop the Marketo platform from storing the hits sent by Munchkin for Visit Web Page and Clicked Link

Why not stop Munchkin completely?

It’s not that Marketo would not like to be more proactive on the browser side, I’m sure. But the weirdest thing about DNT is there's no JavaScript-land (let alone cross-browser) way to know if the user has set a preference!

Ergo, you cannot know if the person would've wanted you to turn off Munchkin downloading/initialization/hit logging. You have to dumbly send the hit in all cases and the server will discard it if it's accompanied by the “please ignore me” header.

The privacy appeal of having the DNT setting be unreadable in the browser is clear — it's the equivalent of an HTTP-only cookie that can't be seen from JavaScript — but it certainly creates confusion. For example, someone with DNT enabled and also running Ghostery or similar will still see that the Munchkin tracking JS was blocked, which is suboptimal: ideally, it wouldn’t show up at all. You can seem like you’re being worse citizens than you actually are. (A section in your Privacy Policy explaining that you honor Do Not Track is therefore useful.)
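The server-side discard described above can be modeled in a few lines. This is an added example, not Marketo's code and not from the original post: the function names, the `/hit` path and the `tracker.example` host are hypothetical, and treating Clicked Email as a hit passing through the same filter is a simplification made only to show that it is unaffected.

```javascript
// Added illustration, not Marketo code: every name below is hypothetical.
const MUNCHKIN_ACTIVITIES = new Set(["Visit Web Page", "Clicked Link"]);

// Parse the header block of a raw HTTP request into a lower-cased map,
// because header field names are case-insensitive ("DNT" === "dnt").
function parseHeaders(rawRequest) {
  const headers = {};
  for (const line of rawRequest.split(/\r?\n/).slice(1)) { // skip request line
    if (line === "") break;            // blank line ends the header block
    const idx = line.indexOf(":");
    if (idx < 1) continue;             // skip malformed header lines
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// dntSetting is the admin option from the article: "Ignore" or "Support".
function shouldStoreActivity(dntSetting, activityType, headers) {
  if (dntSetting !== "Support") return true;                // Ignore: store everything
  if (!MUNCHKIN_ACTIVITIES.has(activityType)) return true;  // e.g. Clicked Email
  return headers["dnt"] !== "1";                            // drop only on DNT: 1
}

// Returns the ids of the hits that would reach the activity log.
function processHits(dntSetting, hits) {
  return hits
    .filter((h) => shouldStoreActivity(dntSetting, h.type, parseHeaders(h.raw)))
    .map((h) => h.id);
}

// Constructed sample requests; the path and host are placeholders.
const req = (extra) => "POST /hit HTTP/1.1\r\nHost: tracker.example\r\n" + extra + "\r\n";
const SAMPLE_HITS = [
  { id: "a", type: "Visit Web Page", raw: req("DNT: 1\r\n") },
  { id: "b", type: "Clicked Link", raw: req("dnt: 1\r\n") },
  { id: "c", type: "Visit Web Page", raw: req("DNT: 0\r\n") },
  { id: "d", type: "Clicked Link", raw: req("") },           // no DNT header at all
  { id: "e", type: "Clicked Email", raw: req("DNT: 1\r\n") }, // still stored
];

console.log("Support:", processHits("Support", SAMPLE_HITS));
console.log("Ignore: ", processHits("Ignore", SAMPLE_HITS));
```

Every hit still arrives at the server in both modes; the only difference is which ones are written to the log.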

The browser’s-eye view

The browser sending the DNT: 1 header is a prerequisite, of course. Privacy-oriented browsers do this by default; other browsers send the header in Private/Incognito/InPrivate mode only; the rest send it for all pages/tabs/windows if the user wants.

Here's the setting in an older version of Chrome, for one of a zillion examples, which will send DNT: 1 for all pages viewed in this user profile:


And here’s a screenshot of the HTTP request for the main document, showing the header:


And Munchkin’s Visit Web Page XMLHttpRequest, showing the same HTTP request header and its acknowledgment in the response: