This specification defines the compliance and scope for the Tracking Protection working group.
This is a very early rough draft, consisting of just an outline of the issues raised so far in the working group, with a few points from the discussion. The editors plan to expand the outline into an initial straw-man specification prior to the working group meeting in Santa Clara.
This document outlines the definitions and compliance for the Tracking Protection spec.
What are the underlying consumer concerns and goals that we hope a tracking preference recommendation will address?
ISSUE-6: What are the underlying concerns? Why are we doing this / what are people afraid of?
ISSUE-8: How do we enhance transparency and consumer awareness?
Explain the scope of this tracking document in the context of Do Not Track.
Explain the success criteria. What do we want this spec to achieve?
ISSUE-10: What is a first party?
Options for discussion:
Highlighted open questions:
ISSUE-14: How does what we talk about with 1st/3rd party relate to European law about data collector vs data processor?
Open questions:
ISSUE-36: Should DNT opt-outs distinguish between behavioral targeting and other personalization?
Our definition should be technology independent (cookies, Flash cookies, etc.).
ISSUE-16: What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.)
ISSUE-36: Should DNT opt-outs distinguish between behavioral targeting and other personalization?
ISSUE-74: Are surveys out of scope?
ISSUE-69: Should the spec say anything about minimal notice? (i.e., don't bury in a privacy policy)
ISSUE-5: What is the definition of tracking?
Open questions (from various email threads):
ISSUE-7: What types of tracking exist, and what are the use cases for these types of tracking?
Not-Tracking examples raised:
ISSUE-6First parties MUST NOT transmit passively-collected (behavioral?) data in identifiable form to a third party with the intention or knowledge that the third party shall store and use the data in a way that links that data to other information about a specific person or device.
ISSUE-55: What is relationship between behavioral advertising and tracking, subset, different items?
ISSUE-17: Data use by 1st Party
ISSUE-30: Will Do Not Track apply to offline aggregating or selling of data?
ISSUE-54: Can first party provide targeting based on registration information even while sending DNT
ISSUE-59: Should the first party be informed about whether the user has sent a DNT header to third parties on their site?
ISSUE-9: Understand all the different first- and third-party cases.
ISSUE-60: Will a recipient know if it itself is a 1st or 3rd party?
CDT definition: Third parties MUST NOT (behaviorally) track a user in responding to a DNT request where to (behaviorally) “track” means the collection and correlation of data about the web-based activities of a particular user, computer, or device across non-commonly branded websites, for any purpose other than specifically excepted third-party analytics, research, and ad reporting practices that do not correlate any individual’s data across non-commonly branded websites, narrowly scoped fraud prevention, or compliance with law enforcement requests.
ISSUE-19: Data collection / Data use (3rd party)
ISSUE-88: different rules for impression of and interaction with 3rd-party ads/content
ISSUE-73: In order for analytics or other contracting to count as first-party: by contract, by technical silo, both silo and contract
ISSUE-26: Providing data to 3rd-party widgets -- does that imply consent?
ISSUE-32: Sharing of data between entities via cookie syncing / identity brokering
ISSUE-7: What types of tracking exist, and what are the use cases for these types of tracking?
ISSUE-22: Still have "operational use" of data (auditing of where ads are shown, impression tracking, etc.)
ISSUE-23: Possible exemption for analytics
ISSUE-74: Are surveys out of scope?
ISSUE-71: Does DNT also affect past collection or use of past collection of info?
ISSUE-89: Does DNT mean at a high level: (a) no customization, users are seen for the first time, every time. (b) DNT is about data moving between sites.
ISSUE-89: Does DNT mean at a high level: (a) no customization, users are seen for the first time, every time. (b) DNT is about data moving between sites.
ISSUE-71: Does DNT also affect past collection or use of past collection of info?
ISSUE-34: Possible exemption for aggregate analytics
ISSUE-24: Possible exemption for fraud detection and defense
ISSUE-25: Possible exemption for research purposes
ISSUE-28: Exception for mandatory legal process
ISSUE-75: How do companies claim exemptions and is that technical or not?
ISSUE-31: Minimization -- to what extent will minimization be required for use of a particular exemption? (conditional exemptions)
ISSUE-15: What special treatment should there be for children's data?
ISSUE-41: Consistent way to discuss tracking with users (terminology matters!)
ISSUE-37: Granularity based on business types and uses
ISSUE-38: Granularity for different people who share a device or browser
ISSUE-66: Can user be allowed to consent to both third party and first party to override general DNT?
ISSUE-67: Should opt-back-in be stored on the client side? [Not sure this doesn’t belong in the technical spec]
ISSUE-83: How do you opt out if already opted in?
ISSUE-35: How will DNT interact with existing opt-out programs (industry self-reg, other)?
ISSUE-52: What if conflict between opt-out cookie and DNT?
ISSUE-53: How should opt-out cookie and DNT signal interact?
ISSUE-58: What if DNT is explicitly set to 0 and an opt-out cookie is present?
ISSUE-56: What if DNT is unspecified and an opt-out cookie is present?
ISSUE-57: What if an opt-out cookie exists but an "opt back in" out-of-band is present?
ISSUE-33: Complexity of user choice (are exemptions exposed to users?)
ISSUE-65: How does logged in and logged out state work
ISSUE-69: Should the spec say anything about minimal notice? (i.e., don't bury in a privacy policy)
What kind of enforcement does this spec indicate?
ISSUE-21: Enable external audit of DNT compliance
ISSUE-45: Companies making public commitments with a "regulatory hook" for US legal purposes
ISSUE-39: Tracking of geographic data (however it's determined, or used)
ISSUE-55: What is relationship between behavioral advertising and tracking, subset, different items?
ISSUE-12: How does tracking require relation to unique identities, pseudonyms, etc.?