This specification defines the compliance and scope for the Tracking Protection working group.

This is a very early rough draft, consisting of just an outline of the issues raised so far by the working group discussion with a few points raised during discussion. The editors plan to expand the outline into an initial straw-man specification prior to the working group meeting in Santa Clara.

Introduction

This document outlines the definitions and compliance for the Tracking Protection spec.

Scope and Goals

Goals

What are underlying consumer concerns, and goals that we hope a tracking preference recommendation will address?

ISSUE-6: What are the underlying concerns? Why are we doing this / what are people afraid of?

  1. Using the internet by definition involves the exchange of data across servers; the web cannot exist without it. In addition, commerce and the commercialization of content on the web often involves personalization of both content and advertising by websites, their advertisers, and their partners. Given the realities of this environment, this standard seeks to provide an exceedingly straightforward way for consumers to gain transparency and control over data usage and the personalization of content and advertising on the web.
  2. CDT doc: The user experience online involves the unintentional disclosure and commercial compilation of many different kinds of user data among different entities, comprising a wide range of practices that could be called "tracking." At the most basic level, online communication requires the exchange of IP addresses between two parties. Completion of e-commerce transactions normally involves the sending of credit card numbers and user contact information. Social networking sites often revolve around user-provided profiles. Much web content is supported by advertising and much of this advertising is linked to either the content of the page visited or to a profile about the particular user or computer. Complex business models have arisen around the online data flows. DNT mechanisms should, at their core, empower users to prevent the collection and correlation of data about Internet activities that occur on different sites. Users expect control over who is tracking them and how tracking data may be shared.
  3. Open issues:
    1. Are there any harms, real or perceived, that can be reasonably articulated here?
    2. What is this solution attempting to address that has not been addressed by previous solutions such as opt-out cookies, browser-level cookie blocking, etc. (i.e., other technologies, or something else)?
    3. Are there any unintentional dangers or harms to either consumers or web commerce that the standard is seeking to avoid while achieving its primary goal?

ISSUE-8: How do we enhance transparency and consumer awareness?

Explain the scope of this tracking document in the context of Do Not Track.

Success Criteria

Explain the success criteria. What do we want this spec to achieve?

Definitions

First Party

ISSUE-10: What is a first party?

Options for discussion:

  1. The entity that is the owner of the website or has control over the website with which the consumer interacts and its affiliates.
  2. The owner of the domain of the page the user is currently viewing.
  3. The owner of the website that the consumer is currently viewing, including its third-party software tools.
  4. The entity that the consumers understand themselves to be interacting with on a given web page.
  5. The owner of either the website the user is currently visiting, or of the iframe within which a given unit of content is delivered.
  6. An entity with which the user reasonably expects to exchange data. In most cases the functional entity responsible for the web page a user has navigated to is the first party.
  7. Commonly branded websites, including siloed analytics, research, and ad reporting for those websites.
  8. Amy Colando definition: A First Party is the entity (and its Affiliates) that owns or Controls the Web site the end user visits. A First Party also includes the owner of a widget, search box or similar service with which a consumer interacts, even if the First Party does not own or have Control over the Web site where its services are displayed to the consumer. An Affiliate is (1) an entity that Controls, or is Controlled by, or is under common Control with, another entity; or (2) an entity where the relationship to another entity is evident to end users through co-branding or similar means.
  9. IETF submission: A first party is a functional entity with which the user reasonably expects to exchange data. In most cases the functional entity responsible for the web page a user has navigated to is the sole first party.

Highlighted open questions:

  1. Ad networks that collate data and personalize cross-site are not first party according to much of the previous conversation. But what about the software tool vendors that the first party works with, who do none of the above but operate on third party domains? (Issue 49)
  2. Widgets from other domains that are embedded in a page: social media buttons, search boxes, etc.

Third Party

  1. A service not owned by the first party domain that the user is visiting that is not acting solely as a software tool for the benefit of the first party.
  2. An ad network that is collating user-level browsing data cross-site for the purpose of providing ad personalization or other personalization services.
  3. Anyone other than a first party as defined above.
  4. Any service from a domain other than the first party domain displayed at the top of the browser bar.

ISSUE-14: How does what we talk about with 1st/3rd party relate to European law about data collector vs data processor?

Open questions:

  1. Third party data collection for first party use?

Behavioral Data

  1. Data that associates one or more pages viewed by a given browser instance with that user or browser instance, via a cookie or analogous technology, for the purpose of cross-site, cross-session personalization of advertising or content.
  2. What categories of data are within the scope of Do not Track?

Personally Identifiable Information

  1. anonymized data?
  2. aggregate data?

ISSUE-36: Should DNT opt-outs distinguish between behavioral targeting and other personalization?

What is Data Collection? What is Data Use?

Our definition should be technology-independent (cookies, Flash cookies, etc.).

ISSUE-16: What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.)

ISSUE-36: Should DNT opt-outs distinguish between behavioral targeting and other personalization?

ISSUE-74: Are surveys out of scope?

ISSUE-69: Should the spec say anything about minimal notice? (i.e., don't bury in a privacy policy)

Compliance with an expressed tracking preference

What is tracking?

ISSUE-5: What is the definition of tracking?

Open questions (from various email threads):

  1. To what extent does the definition of tracking need to equal the dictionary definition?
    1. Could create consumer confusion if the definition does not comport with dictionary.
    2. Could deal with confusion through education and messaging; we’re dealing with a technical standard here, not a dictionary of common usage. User is never going to guess the meaning correctly all the time.
    3. From the outset almost every stakeholder has been clear this is about third-party tracking only.
  2. To what extent does the term “Do Not Track” have investment behind it, and to what extent must it reflect the end spec? Should the phrase as slogan stay if the end definitions do not support it exactly?
    1. Momentum behind the name as a slogan
    2. The urge to define "tracking" stems from the concern that "do not track" sounds like it will forbid all tracking. That, of course, also is not our intention so we feel compelled to redefine the word "track" to curtail its scope (in more of a legal document type of context).
  3. To what extent must the definition minimize confusion?

ISSUE-7: What types of tracking exist, and what are the use cases for these types of tracking?

What is not tracking?

Not-Tracking examples raised:

  1. First party interactions
  2. Third party ad and content delivery
  3. Third party analytics and other siloed service providers
  4. Third party contextual advertising
  5. First party data collection and first party use
  6. Specially excepted third party ad reporting

Proposed language from jmayer: This standard imposes no requirements on first-party websites. A first-party website MAY take steps to protect user privacy in responding to a Do Not Track request.

ISSUE-6

First parties MUST NOT transmit passively-collected (behavioral?) data in identifiable form to a third party with the intention or knowledge that the third party shall store and use the data in a way that links that data to other information about a specific person or device.

ISSUE-55: What is relationship between behavioral advertising and tracking, subset, different items?

ISSUE-17: Data use by 1st Party

ISSUE-30: Will Do Not Track apply to offline aggregating or selling of data?

ISSUE-54: Can first party provide targeting based on registration information even while sending DNT

ISSUE-59: Should the first party be informed about whether the user has sent a DNT header to third parties on their site?

ISSUE-9: Understand all the different first- and third-party cases.

ISSUE-60: Will a recipient know if it itself is a 1st or 3rd party?

Compliance by a third party

CDT definition: Third parties MUST NOT (behaviorally) track a user in responding to a DNT request where to (behaviorally) “track” means the collection and correlation of data about the web-based activities of a particular user, computer, or device across non-commonly branded websites, for any purpose other than specifically excepted third-party analytics, research, and ad reporting practices that do not correlate any individual’s data across non-commonly branded websites, narrowly scoped fraud prevention, or compliance with law enforcement requests.

ISSUE-19: Data collection / Data use (3rd party)

ISSUE-88: different rules for impression of and interaction with 3rd-party ads/content

ISSUE-73: In order for analytics or other contracting to count as first-party: by contract, by technical silo, both silo and contract

ISSUE-26: Providing data to 3rd-party widgets -- does that imply consent?

ISSUE-32: Sharing of data between entities via cookie syncing / identity brokering

ISSUE-7: What types of tracking exist, and what are the use cases for these types of tracking?

ISSUE-22: Still have "operational use" of data (auditing of where ads are shown, impression tracking, etc.)

ISSUE-23: Possible exemption for analytics

ISSUE-74: Are surveys out of scope?

ISSUE-71: Does DNT also affect past collection or use of past collection of info?

ISSUE-89: Does DNT mean at a high level: (a) no customization, users are seen for the first time, every time. (b) DNT is about data moving between sites.

Potential exceptions to preference in regards to third-party behavioral tracking

ISSUE-34: Possible exemption for aggregate analytics

ISSUE-24: Possible exemption for fraud detection and defense

ISSUE-25: Possible exemption for research purposes

ISSUE-28: Exception for mandatory legal process

ISSUE-75: How do companies claim exemptions and is that technical or not?

ISSUE-31: Minimization -- to what extent will minimization be required for use of a particular exemption? (conditional exemptions)

ISSUE-6

Sensitive Information

ISSUE-15: What special treatment should there be for children's data?

User interactions

How should tracking, tracking choices, and preferences be conveyed to users?

ISSUE-41: Consistent way to discuss tracking with users (terminology matters!)

ISSUE-37: Granularity based on business types and uses

ISSUE-38: Granularity for different people who share a device or browser

Interaction with other tools

How should a tracking preference interact with user overrides?

ISSUE-66: Can user be allowed to consent to both third party and first party to override general DNT?

ISSUE-67: Should opt-back-in be stored on the client side? [Not sure this doesn’t belong in the technical spec]

ISSUE-83: How do you opt out if already opted in?

Interaction with existing consumer privacy controls?

ISSUE-35: How will DNT interact with existing opt-out programs (industry self-reg, other)?

ISSUE-52: What if conflict between opt-out cookie and DNT?

ISSUE-53: How should opt-out cookie and DNT signal interact?

ISSUE-58: What if DNT is explicitly set to 0 and an opt-out cookie is present?

ISSUE-56: What if DNT is unspecified and an opt-out cookie is present?

ISSUE-57: What if an opt-out cookie exists but an "opt back in" out-of-band is present?

ISSUE-33: Complexity of user choice (are exemptions exposed to users?)

ISSUE-65: How does logged in and logged out state work

User Education and Communication

ISSUE-69: Should the spec say anything about minimal notice? (i.e., don't bury in a privacy policy)

Enforcement/Compliance

What kind of enforcement does this spec indicate?

ISSUE-21: Enable external audit of DNT compliance

ISSUE-45: Companies making public commitments with a "regulatory hook" for US legal purposes

Random issues for triage

ISSUE-39: Tracking of geographic data (however it's determined, or used)

ISSUE-55: What is relationship between behavioral advertising and tracking, subset, different items?

ISSUE-12: How does tracking require relation to unique identities, pseudonyms, etc.?