This specification defines the meaning of a Do Not Track preference and sets out practices for websites to comply with this preference.
This is a very early rough draft, consisting of just an outline of the issues raised so far by the working group discussion with a few points raised during discussion. The editors plan to expand the outline into an initial straw-man specification prior to the working group meeting in Santa Clara.
This specification defines the meaning of a Do Not Track preference and sets out practices for websites to comply with this preference.
What are underlying user concerns, and goals, that we hope a tracking preference recommendation will address?
ISSUE-6: What are the underlying concerns? Why are we doing this / what are people afraid of?
ISSUE-8: How do we enhance transparency and user awareness? Explain the scope of this tracking document in the context of Do Not Track
Explain the success criteria. What do we want this specification to achieve?
ISSUE-10: What is a first party?
ISSUE-49: Third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party?
ISSUE-26: Providing data to 3rd-party widgets -- does that imply consent?
Options for discussion:
In addition, a domain that hosts a third-party visible widget or window that is clearly identified and branded as being controlled and operated by a party separate and distinct from the first party becomes a first party itself when a user engages in "meaningful interaction" with the window or widget.
There has also been a discussion whether we should distinguish between first and third party. Is this a useful road to go down?
A third party is any entity other than a first party as defined above. A user is neither a first party nor a third party.
Transactional data is information about the user's interactions with various websites, services, or widgets which could be used to create a record of a user's system information, online communications, transactions and other activities, including websites visited, pages and ads viewed, purchases made, etc.
Our definition should be technology independent (cookies, Flash cookies, etc.)
ISSUE-16: What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.)
ISSUE-5: What is the definition of tracking?
Note: This section will obviously be the topic of conversation and will need significant work; the current text merely represents a straw man and a starting point. It may be useful to decide, first, whether we are working to prevent XYZ or allow only ABC.
For now, we are using "behavioral tracking" as the term of interest in the scope of this document, though we may want to refer in all cases to "tracking" instead.
Behavioral tracking is the collection and retention of transactional data about the web-based activities of a particular user, computer, or device across non-commonly branded entities in a form that allows activities across non-commonly branded entities to be attributed to a particular user, computer, or device, over time, for any purpose other than the explicitly-excepted purposes specified below.
Depending on the conclusion of first vs. third parties issues, this definition of tracking may not include references to common branding.
We expect to discuss several activities as potential exemptions including the following:
Should we explicitly identify goals and use cases in order to evaluate these exemptions?
We may want to talk about including a data minimization piece to these exceptions.
For the purposes of this specification, here are some examples of activities associated with tracking:
ISSUE-7: What types of tracking exist, and what are the use cases for these types of tracking?
Should we address the association of first party data with third party data? What does this standard say about a first party associating offline data from a third party with their own data and then using that in targeting? How about the first party associating it with third party data and/or selling it to a third party?
ISSUE-34: Possible exemption for aggregate analytics
ISSUE-22: Still have "operational use" of data (auditing of where ads are shown, impression tracking, etc.)
ISSUE-23: Possible exemption for analytics
ISSUE-73: In order for analytics or other contracting to count as first-party: by contract, by technical silo, both silo and contract
ISSUE-24: Possible exemption for fraud detection and defense
ISSUE-25: Possible exemption for research purposes
ISSUE-28: Exception for mandatory legal process
ISSUE-75: How do companies claim exemptions and is that technical or not?
ISSUE-31: Minimization -- to what extent will minimization be required for use of a particular exemption? (conditional exemptions)
ISSUE-36: Should DNT opt-outs distinguish between behavioral targeting and other personalization?
ISSUE-74: Are surveys out of scope?
ISSUE-92: If data collection (even very specific with IP address, user agent, referrer) is time-limited, with very limited retention, is that still tracking?
ISSUE-72: Basic principle: independent use as an agent of a first party
ISSUE-89: Does DNT mean at a high level: (a) no customization, users are seen for the first time, every time. (b) DNT is about data moving between sites.
ISSUE-97: Re-direction, shortened URLs, click analytics -- what kind of tracking is this?
If we provide an exception for de-identified cross-site research/analytics, we will need to define de-identified data.
ISSUE-20: Different types of data, what counts as PII, and what definition of PII
Note: this may be irrelevant - the rest of the spec does not mention PII
[issue] It is possible that we will need to define consent in the terms of the rest of the document. Option:
One option for the definition of meaningful interaction is:
ISSUE-55: What is relationship between behavioral advertising and tracking, subset, different items?
ISSUE-17: Data use by 1st Party
ISSUE-30: Will Do Not Track apply to offline aggregating or selling of data?
ISSUE-54: Can first party provide targeting based on registration information even while sending DNT
ISSUE-59: Should the first party be informed about whether the user has sent a DNT header to third parties on their site?
ISSUE-9: Understand all the different first- and third-party cases.
ISSUE-91: Might want prohibitions on first parties re-selling data to get around the intent of DNT
This issue is being addressed in the Tracking Preference Expression specification.
ISSUE-95: May an institution or network provider set a tracking preference for a user?
If the operator of a third-party domain receives a request to which a DNT header is attached, that operator MUST NOT engage in behavioral tracking of that user UNLESS that operator has received the affirmative, informed consent of that user to be tracked and such consent has not been subsequently rescinded. If data is collected for an excepted purpose, the operator MUST NOT use that data for any other purpose.
If the operator of a third-party domain receives a request to which a DNT header is attached, that operator MUST NOT use previously collected behavioral tracking data to inform the third party's decision as to what content to render for the user in response to the request, or otherwise alter the user's experience based on the previously collected behavioral tracking data UNLESS that operator has received the affirmative, informed consent of that user to be tracked and such consent has not been subsequently rescinded.
If the operator of a third-party domain receives a request to which a DNT header is attached, that operator MUST/SHOULD/MAY delete previously collected behavioral tracking data about that user, EXCEPT that operator MAY retain previously generated reports based on data about aggregated behavioral tracking data from multiple users' data even if those reports were based in part on previously collected behavioral tracking data about that user.
ISSUE-19: Data collection / Data use (3rd party)
ISSUE-88: different rules for impression of and interaction with 3rd-party ads/content
ISSUE-32: Sharing of data between entities via cookie syncing / identity brokering
ISSUE-71: Does DNT also affect past collection or use of past collection of info?
This specification does not provide for heightened levels of protection for sensitive categories of data, including children's data.
ISSUE-15: What special treatment should there be for children's data?
How should tracking and the availability of choices regarding tracking be conveyed to users?
Is this in scope for the document?
ISSUE-41: Consistent way to discuss tracking with users (terminology matters!)
ISSUE-37: Granularity based on business types and uses
ISSUE-38: Granularity for different people who share a device or browser
ISSUE-66: Can user be allowed to consent to both third party and first party to override general DNT?
ISSUE-67: Should opt-back-in be stored on the client side? [Not sure this doesn't belong in the technical spec]
ISSUE-83: How do you opt out if already opted in?
ISSUE-93: Should 1st parties be able to degrade a user experience or charge money for content based on DNT?
If the operator of a third-party domain receives a request to which there is no DNT header attached but detects that it has set an "opt-out" cookie for that particular device, the operator MAY comply with the behavioral tracking prohibitions on third-party domains that receive the DNT header as specified in x.x (currently 4.3) of this specification, and MUST comply with the assurances that the operator previously made to the user in association with the user "opting out" from the third party and the setting of the opt-out cookie. The mechanism for third parties to obtain and retain consent is out of scope for this document.
ISSUE-35: How will DNT interact with existing opt-out programs (industry self-reg, other)?
ISSUE-52: What if conflict between opt-out cookie and DNT?
ISSUE-53: How should opt-out cookie and DNT signal interact?
ISSUE-58: What if DNT is explicitly set to 0 and an opt-out cookie is present?
ISSUE-56: What if DNT is unspecified and an opt-out cookie is present?
ISSUE-57: What if an opt-out cookie exists but an "opt back in" out-of-band is present?
ISSUE-33: Complexity of user choice (are exemptions exposed to users?)
ISSUE-65: How does logged in and logged out state work
How do we educate and communicate with users? Is that out of scope?
If there is a response header, this is likely unnecessary.
ISSUE-21: Enable external audit of DNT compliance
ISSUE-45: Companies making public commitments with a "regulatory hook" for US legal purposes
This specification does not place limitations on the use of geolocation technologies by the operators of third-party domains.
ISSUE-39: Tracking of geographic data (however it's determined, or used)
ISSUE-12: How does tracking require relation to unique identities, pseudonyms, etc.?
Do we need to deal with "third party software tools"?
ISSUE-14: How does what we talk about with 1st/3rd party relate to European law about data collector vs data processor?
Do we need a section on existing law/relationships etc?
ISSUE-94: Is "Do Not Track" the right name to use?