readthedocs · ericholscher · May 30, 2018 · May 1, 2018 · May 1, 2018 · May 1, 2018
diff --git a/docs/advertising-details.rst b/docs/advertising-details.rst
@@ -110,13 +110,50 @@ However, we always give advance notice in our issue tracker
 and via email about showing ads where none were shown before.
 
 
+.. _do-not-track:
+
+Do Not Track Policy
+-------------------
+
+Read the Docs supports Do Not Track (DNT) and respects users' tracking preferences.
+Specifically, we support the `W3C's tracking preference expression`_
+and the `EFF's DNT Policy`_.
+
+This means:
+
+* We **do not** do behavioral ad targeting regardless of your DNT preference.
+  You probably already knew that from reading the rest of this document.
+* When DNT is enabled, both logged-in and logged-out users
+  are considered opted-out of analytics.
+* Regardless of DNT preference, our logs that contain IP addresses
+  and user agent strings are deleted after 10 days unless a DNT exception applies.
+* Our full DNT policy is `available here`_.
+
+For more details about DNT, visit `All About Do Not Track`_.
+
+Our DNT policy applies without reservation to ``readthedocs.org``.
+A best effort is made to apply this to documentation sites hosted for authors
+(typically ``*.readthedocs.io``, but also other domains),
+but we do not have complete control over the contents of these sites.
+
+.. _W3C's tracking preference expression: https://www.w3.org/TR/tracking-dnt/
+.. _EFF's DNT Policy: https://www.eff.org/issues/do-not-track
+.. _available here: https://readthedocs.org/.well-known/dnt-policy.txt
+.. _All About Do Not Track: http://www.allaboutdnt.com
+
+.. important::
+
+   Due to the nature of our environment where documentation is built as necessary,
+   the analytics opt-out only applies to documentation sites built after May 1, 2018.
+
+
 .. _advertising-analytics:
 
 Analytics
 ---------
 
 Analytics are a sensitive enough issue that they require their own section.
-In the spirit of full transparency, Read the Docs currently uses Google Analytics (GA).
+In the spirit of full transparency, Read the Docs uses Google Analytics (GA).
 
 GA is a contentious issue inside Read the Docs and in our community.
 Some users are very sensitive and privacy conscious to usage of GA.
@@ -125,14 +162,22 @@ The developers at Read the Docs understand that different users have different p
 and we try to respect the different viewpoints as much as possible while also accomplishing
 our own goals.
 
+We have taken steps to address some of the privacy concerns surrounding GA.
+These steps apply both to analytics collected by Read the Docs and when
+:doc:`authors enable analytics on their docs <guides/google-analytics>`.
+
+* Users can opt-out of analytics by using the Do Not Track feature of their browser.
+* Read the Docs instructs Google to anonymize IPs sent to them before they are stored.
+* The cookies set by GA expire more rapidly (30 days) than the default.
+
+Why we use analytics
+~~~~~~~~~~~~~~~~~~~~
+
 Advertisers ask us questions that are easily answered with an analytics solution like
 "how many users do you have in Switzerland browsing Python docs?". We need to be able
 to easily get this data. We also use data from GA for some development decisions such
 as what browsers to support (or not) or how much usage a particular page or feature gets.
 
-We have taken steps to address some of the privacy concerns.
-Read the Docs instructs Google to anonymize IPs sent to them before they are stored.
-
 Alternatives
 ~~~~~~~~~~~~
 

diff --git a/docs/ethical-advertising.rst b/docs/ethical-advertising.rst
@@ -96,7 +96,7 @@ Additional details
 
 * We have additional documentation on the
   :doc:`technical details of our advertising <advertising-details>`
-  including our use of analytics.
+  including our Do Not Track policy and our use of analytics.
 * We have an `advertising FAQ`_ written for advertisers.
 * We have gone into more detail about our views in our
   `blog post <https://blog.readthedocs.com/ads-on-read-the-docs/>`_ about this topic.

diff --git a/docs/guides/google-analytics.rst b/docs/guides/google-analytics.rst
@@ -9,4 +9,12 @@ You can enable it by:
 
 Once your documentation rebuilds it will include your Analytics tracking code and start sending data.
 Google Analytics usually takes 60 minutes,
-and sometimes can take up to a day before it starts reporting data.
+and sometimes can take up to a day before it starts reporting data.
+
+.. note::
+
+   Read the Docs takes some extra precautions with analytics to protect user privacy.
+   As a result, users with Do Not Track enabled will not be counted
+   for the purpose of analytics.
+
+   For more details, see our :ref:`Do Not Track Policy <do-not-track>`.
diff --git a/media/javascript/readthedocs-analytics.js b/media/javascript/readthedocs-analytics.js
@@ -2,33 +2,40 @@
 // https://docs.readthedocs.io/en/latest/advertising-details.html#analytics
 
 
-// RTD Analytics Code
+// Skip analytics for users with Do Not Track enabled
+if (window.doNotTrack === '1' || navigator.doNotTrack === '1') {
+    console.log('Respecting DNT with respect to analytics...');
+} else {
+    // RTD Analytics Code
+    (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
+    (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
+    m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
+    })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
 
-(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
-(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
-m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
-})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
+    if (typeof READTHEDOCS_DATA !== 'undefined') {
+        if (READTHEDOCS_DATA.global_analytics_code) {
+            ga('create', READTHEDOCS_DATA.global_analytics_code, 'auto', 'rtfd', {
+              'cookieExpires': 30 * 24 * 60 * 60
+            });
+            ga('rtfd.set', 'dimension1', READTHEDOCS_DATA.project);
+            ga('rtfd.set', 'dimension2', READTHEDOCS_DATA.version);
+            ga('rtfd.set', 'dimension3', READTHEDOCS_DATA.language);
+            ga('rtfd.set', 'dimension4', READTHEDOCS_DATA.theme);
+            ga('rtfd.set', 'dimension5', READTHEDOCS_DATA.programming_language);
+            ga('rtfd.set', 'dimension6', READTHEDOCS_DATA.builder);
+            ga('rtfd.set', 'anonymizeIp', true);
+            ga('rtfd.send', 'pageview');
+        }
 
-if (typeof READTHEDOCS_DATA !== 'undefined') {
-    if (READTHEDOCS_DATA.global_analytics_code) {
-        ga('create', READTHEDOCS_DATA.global_analytics_code, 'auto', 'rtfd');
-        ga('rtfd.set', 'dimension1', READTHEDOCS_DATA.project);
-        ga('rtfd.set', 'dimension2', READTHEDOCS_DATA.version);
-        ga('rtfd.set', 'dimension3', READTHEDOCS_DATA.language);
-        ga('rtfd.set', 'dimension4', READTHEDOCS_DATA.theme);
-        ga('rtfd.set', 'dimension5', READTHEDOCS_DATA.programming_language);
-        ga('rtfd.set', 'dimension6', READTHEDOCS_DATA.builder);
-        ga('rtfd.set', 'anonymizeIp', true);
-        ga('rtfd.send', 'pageview');
+        // User Analytics Code
+        if (READTHEDOCS_DATA.user_analytics_code) {
+            ga('create', READTHEDOCS_DATA.user_analytics_code, 'auto', 'user', {
+              'cookieExpires': 30 * 24 * 60 * 60
+            });
+            ga('user.set', 'anonymizeIp', true);
+            ga('user.send', 'pageview');
+        }
+        // End User Analytics Code
     }
-
-    // User Analytics Code
-    if (READTHEDOCS_DATA.user_analytics_code) {
-        ga('create', READTHEDOCS_DATA.user_analytics_code, 'auto', 'user');
-        ga('user.set', 'anonymizeIp', true);
-        ga('user.send', 'pageview');
-    }
-    // End User Analytics Code
+    // end RTD Analytics Code
 }
-
-// end RTD Analytics Code
diff --git a/readthedocs/core/views/__init__.py b/readthedocs/core/views/__init__.py
@@ -12,7 +12,7 @@
 import logging
 
 from django.conf import settings
-from django.http import HttpResponseRedirect, Http404
+from django.http import HttpResponseRedirect, Http404, JsonResponse
 from django.shortcuts import render, get_object_or_404, redirect
 from django.views.decorators.csrf import csrf_exempt
 from django.views.generic import TemplateView
@@ -115,3 +115,17 @@ def server_error_404(request, exception, template_name='404.html'):  # pylint: d
     r = render(request, template_name)
     r.status_code = 404
     return r
+
+
+def do_not_track(request):
+    dnt_header = request.META.get('HTTP_DNT')
+
+    # https://w3c.github.io/dnt/drafts/tracking-dnt.html#status-representation
+    return JsonResponse({   # pylint: disable=redundant-content-type-for-json-response
+        'policy': 'https://docs.readthedocs.io/en/latest/privacy-policy.html',
+        'same-party': [
+            'readthedocs.org',
+            'readthedocs.io',
+        ],
+        'tracking': 'N' if dnt_header == '1' else 'T',
+    }, content_type='application/tracking-status+json')
diff --git a/readthedocs/settings/base.py b/readthedocs/settings/base.py
@@ -59,6 +59,8 @@ class CommunityBaseSettings(Settings):
     SESSION_COOKIE_DOMAIN = 'readthedocs.org'
     SESSION_COOKIE_HTTPONLY = True
     CSRF_COOKIE_HTTPONLY = True
+    # See: docs/advertising-details.rst
+    CSRF_COOKIE_AGE = None  # session cookie (expires on browser quit)
 
     # Application classes
     @property

diff --git a/readthedocs/templates/base.html b/readthedocs/templates/base.html
@@ -17,22 +17,32 @@
 
   <!-- Google Analytics -->
   <script>
-    (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
-    (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
-    m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
-    })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
-
-    ga('create', '{{ GLOBAL_ANALYTICS_CODE }}', 'auto', 'rtfd');
-    ga('rtfd.set', 'anonymizeIp', true);
-    ga('rtfd.send', 'pageview');
-
-    {% if DASHBOARD_ANALYTICS_CODE %}
-      // Dashboard Analytics Code
-      ga('create', '{{ DASHBOARD_ANALYTICS_CODE }}', 'auto', 'user');
-      ga('user.set', 'anonymizeIp', true);
-      ga('user.send', 'pageview');
-      // End Dashboard Analytics Code
-    {% endif %}
+    if (window.doNotTrack === '1' || navigator.doNotTrack === '1') {
+      console.log('Respecting DNT with respect to analytics...');
+    } else {
+      // For more details on analytics at Read the Docs, please see:
+      // https://docs.readthedocs.io/en/latest/advertising-details.html#analytics
+      (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
+      (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
+      m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
+      })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
+
+      ga('create', '{{ GLOBAL_ANALYTICS_CODE }}', 'auto', 'rtfd', {
+        'cookieExpires': 30 * 24 * 60 * 60
+      });
+      ga('rtfd.set', 'anonymizeIp', true);
+      ga('rtfd.send', 'pageview');
+
+      {% if DASHBOARD_ANALYTICS_CODE %}
+        // Dashboard Analytics Code
+        ga('create', '{{ DASHBOARD_ANALYTICS_CODE }}', 'auto', 'user', {
+          'cookieExpires': 30 * 24 * 60 * 60
+        });
+        ga('user.set', 'anonymizeIp', true);
+        ga('user.send', 'pageview');
+        // End Dashboard Analytics Code
+      {% endif %}
+    }
   </script>
   <!-- End Google Analytics -->