I would like to raise two somewhat related reasons for keeping Do Not Track which I have not yet seen discussed.
Reason 1: The analytics industry has made it easy for webmasters to make an explicit choice.
More than 15 analytics tools support the ability to obey Do Not Track signals as a setting for webmasters. Instead of leaving it up to webmasters to code a solution, the analytics industry has stepped up and has made it easy for a webmaster to make an explicit choice. A webmaster can migrate from one analytics tool to another tool while still being able to easily apply the same choice.
Reason 2: A significant number of websites have added text in their privacy policies indicating an explicit choice regarding Do Not Track signals.
Privacy policies are difficult to read and interpret. There are not many standards for privacy policies, making them typically very hard to compare against each other.
If we put our creative minds to the task, we might see that Do Not Track offers us a solution by providing a reasonably consistent way to QUICKLY EVALUATE a company's explicitly chosen practice by looking at only a small portion of a privacy policy.
We can either spend the time to open up a privacy policy and search for the Do Not Track section or we can perform a web search with the website's name and the "Do Not Track" text.
It is not important whether we actually set the Do Not Track setting in our web browser! What is important is that the setting actually exists in our web browser as a potential choice. By keeping that setting available as a choice for users, some webmasters may continue to feel compelled to describe the explicit choice made for their websites, and we gain the ability to quickly understand the INTENTIONS of a given website. Do Not Track grants us the ability to be able to SAVE TIME by having a common way to evaluate multiple websites.
Here is a list of analytics services which offer a setting to enable or disable the obeying of Do Not Track signals.
https://docs.simpleanalytics.com/dnt
"By default the data will not include visitors with the Do Not Track enabled. To also record DNT visitors you can add data-collect-dnt='true' to the script tag"
"If you don't add the data-collect-dnt attribute we will not record visits from users who have DNT enabled."
https://help.mouseflow.com/en/articles/4325367-the-privacy-settings
"Honor Do-Not-Track"
"This setting allows you to honor the Do-Not-Track (DNT) signal. When enabled, Mouseflow will listen for the signal and if it is found, prevent the user session from being recorded."
Nah, the idea was sound. When Do Not Track was introduced, most jurisdictions had privacy laws which required users to opt-out. Sending this DNT header could have been an indication of users not wanting to be tracked and therefore would have served as legally binding opt-out.
It was Microsoft that killed it, by having Internet Explorer send the DNT header by default. When it's sent by default, without users actively choosing to activate it, then it cannot serve as a legally binding opt-out anymore.
If you wish to ask websites to respect your privacy, you can use the “Tell websites not to sell or share my data” setting. This option is built on top of the Global Privacy Control (GPC). GPC is respected by increasing numbers of sites and enforced with legislation in some regions.
After reading the article and the spec, it looks like GPC is another header (like DNT) and a JavaScript variable the client would set. I don't see why this couldn't be used for tracking too.
For HTTP:
A user agent MUST generate a Sec-GPC header... if... gpcAtNavigation is true.
For JavaScript:
The globalPrivacyControl property is available on the navigator object
GPC also looks like a watered down version of DNT.
DNT was "do not track," and GPC is "do not sell:
GPC is also not intended to limit a first party’s use of personal information within the first-party context (such as a publisher targeting ads to a user on its website based on that user’s previous activity on that same site).