This specification defines the meaning of a Do Not Track (DNT) preference and sets out practices for websites to comply with this preference.
Do Not Track is designed to provide users with a simple preference expression mechanism to allow or limit online tracking globally or selectively.
The specification applies to compliance with requests through user agents that (1) can access the general browsable Web; (2) have a user interface that satisfies the requirements in Determining User Preference in the [[!TRACKING-DNT]] specification; (3) and can implement all of the [[!TRACKING-DNT]] specification, including the mechanisms for communicating a tracking status, and the user-granted exception mechanism.
A user is an individual human. When user agent software accesses online resources, whether or not the user understands or has specific knowledge of a particular request, that request is "made by the user."
The term user agent refers to any of the various client programs capable of initiating HTTP requests, including but not limited to browsers, spiders (web-based robots), command-line tools, native applications, and mobile apps [[!HTTP11]].
A network interaction is a single HTTP request and its corresponding response(s): zero or more interim (1xx) responses and a single final (2xx-5xx) response.
A user action is a deliberate action by the user, via configuration, invocation, or selection, to initiate a network interaction. Selection of a link, submission of a form, and reloading a page are examples of user actions.
A subrequest is any network interaction that is not directly initiated by user action. For example, an initial response in a hypermedia format that contains embedded references to stylesheets, images, frame sources, and onload actions will cause a browser, depending on its capabilities and configuration, to perform a corresponding set of automated subrequests to fetch those references using additional network interactions.
A party is a natural person, a legal entity, or a set of legal entities that share common owner(s), common controller(s), and a group identity that is easily discoverable by a user. Common branding or providing a list of affiliates that is available via a link from a resource where a party describes DNT practices are examples of ways to provide this discoverability.
An outsourced service provider is considered to be the same party as its client if the service provider:
Within the context of a given user action, a first party is a party with which the user intends to interact, via one or more network interactions, as a result of making that action. Merely hovering over, muting, pausing, or closing a given piece of content does not constitute a user's intent to interact with another party. In some cases, a resource on the Web will be jointly controlled by two or more distinct parties. Each of those parties is considered a first party if a user would reasonably expect to communicate with all of them when accessing that resource. For example, prominent co-branding on the resource might lead a user to expect that multiple parties are responsible for the content or functionality.
For any data collected as a result of one or more network interactions resulting from a user's action, a third party is any party other than that user, a first party for that user action, or a service provider acting on behalf of either that user or that first party.
Data is deidentified when a party:
Tracking is the collection of data regarding a particular user's activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred.
This draft does not specify any separate definition for "not tracking".
A party collects data received in a network interaction if that data
remains within the party’s control after the network interaction is complete.
A party uses data if the party processes the data for any purpose other than storage or merely forwarding it to another party.
A party shares data if it transfers or provides a copy of data to any other party.
A party facilitates any other party’s collection of data if it enables such party to collect data and engage in tracking.
A graduated response a methodology where the action taken is proportional to the size of the problem or risk that is trying to be mitigated. In the context of this document, the term is used to describe an increase in the collection of data about a user or interaction in response to a specific problem that a party has become aware of, such as an increase in fraudulent activity originating from a particular network or IP address range resulting in increased logging of data relating to interactions from that specific range of IP addresses as opposed to increased logging for all users in general.
Only used in security, below, and may overlap with the explanation there. Delete the definition and let it be defined the only place it's used?
A user agent MUST offer users a minimum of two alternative choices for a Do Not Track general preference: unset or DNT: 1. A user agent MAY offer a third alternative choice: DNT: 0.
If the user's choice is DNT:1 or DNT:0, the tracking preference is enabled; otherwise, the tracking preference is not enabled.
A user agent MUST have a default tracking preference of unset (not enabled).
User agents and web sites are responsible for determining the user experience by which a tracking preference is controlled. User agents and web sites MUST ensure that tracking preference choices are communicated to users clearly and accurately and shown at the time and place the tracking preference choice is made available to a user. User agents and web sites MUST ensure that the tracking preference choices describe the parties to whom DNT applies and MUST make available brief and neutral explanatory text to provide more detailed information about DNT functionality.
That text MUST indicate that:
User agents and web sites MUST obtain an explicit choice made by a user when setting controls that affect the tracking preference expression.
A user agent MUST transmit the tracking preference according to the [[!TRACKING-DNT]] specification.
Implementations of HTTP that are not under control of the user MUST NOT generate or modify a tracking preference.
If a first party receives a DNT:1 signal the first party MAY engage in its normal collection and use of data. This includes the ability to customize the content, services, and advertising in the context of the first party experience.
The first party MUST NOT share data about this network interaction with third parties who could not collect the data themselves under this recommendation. Data about the interaction MAY be shared with service providers acting on behalf of the first party.
A first party MAY elect to follow the rules defined here for third parties.
If a third party receives a DNT: 1 signal, then:
The third party MAY nevertheless collect, use, and retain such data for the set of permitted uses described below.
Outside the permitted uses listed below, the third party MUST NOT collect, retain, share, or associate with the network interaction identifiers that identify the specific user, user agent, or device. For example, a third party that does not require unique user identifiers for one of the permitted uses must not place a unique identifier in cookies or other browser-based local storage mechanisms.
Third parties that disregard a DNT signal MUST signal so to the user agent, using the response mechanism defined in the [[!TRACKING-DNT]] specification.
When a third party receives a DNT:1 signal, that third party MAY nevertheless collect, retain, share or use data related to that network interaction if the data is de-identified as defined in this specification.
It is outside the scope of this specification to control short-term, transient collection and use of data, so long as the data is not shared with a third party and is not used to build a profile about a user or otherwise alter an individual user’s user experience outside the current network interaction. For example, the contextual customization of ads shown as part of the same network interaction is not restricted by DNT: 1.
It is outside the scope of this specification to control the collection and use of de-identified data.
If a third party is part of a network interaction with a DNT: 1 signal, then geolocation data MUST NOT be used in that interaction at any level more granular than postal code, unless specific consent has been granted for the use of more granular location data.
Some collection, retention and use of data is permitted, notwithstanding DNT: 1, as enumerated below. Different permitted uses may differ in their permitted items of data collection, retention times, and consequences. In all cases, collection, retention, and use of data must be reasonably necessary and proportionate to achieve the purpose for which it is specifically permitted; unreasonable or disproportionate collection, retention, or use are not “permitted uses”.
Third Parties MUST NOT use data retained for permitted uses for purposes other than the permitted uses for which each datum was permitted to be collected.
Data retained by a party for permitted uses MUST be limited to the data reasonably necessary for such permitted uses. Such data MUST NOT be retained any longer than is proportionate to and reasonably necessary for such permitted uses.
Third parties MUST provide public transparency of the time periods for which data collected for permitted uses are retained. The third party MAY enumerate different retention periods for different permitted uses. Data MUST NOT be used for a permitted use once the data retention period for that permitted use has expired. After there are no remaining permitted uses for given data, the data MUST be deleted or de-identified.
Third parties MUST make reasonable data minimization efforts to ensure that only the data necessary for the permitted use is retained, and MUST NOT rely on unique identifiers for users or devices if alternative solutions are reasonably available.
Data retained for permitted uses MUST NOT be used to alter a specific user's online experience based on multi-site activity, except as specifically permitted below.
Third parties MUST use reasonable technical and organizational safeguards to prevent further processing of data retained for permitted uses. While physical separation of data maintained for permitted uses is not required, best practices SHOULD be in place to ensure technical controls ensure access limitations and information security. Third parties SHOULD ensure that the access and use of data retained for permitted uses is auditable.
Regardless of DNT signal, data MAY be collected, retained and used to limit the number of times that a user sees a particular advertisement, often called frequency capping, as long as the data retained do not reveal the user’s browsing history. Parties MUST NOT construct profiles of users or user behaviors based on their ad frequency history, or otherwise alter the user’s experience.
Regardless of DNT signal, data MAY be collected, retained and used for billing and auditing related to the current network interaction and concurrent transactions. This may include counting ad impressions to unique visitors, verifying positioning and quality of ad impressions and auditing compliance with this and other standards.
Regardless of the tracking preference expressed, data MAY be collected, retained, and used to the extent reasonably necessary to detect security incidents, protect the service against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible for such activity, provided that such data is not used for operational behavior (profiling or personalization) beyond what is reasonably necessary to protect the service or institute a graduated response.
When feasible, a graduated response to a detected security incident is preferred over widespread data collection. An example would be recording all use from a given IP address range, regardless of DNT signal, if the party believes it is seeing a coordinated attack on its service (such as click fraud) from that IP address range. Similarly, if an attack shared some other identifiable fingerprint, such as a combination of User Agent and other protocol information, the party could retain logs on all interactions matching that fingerprint until it can be determined that they are not associated with such an attack or such retention is no longer necessary to support prosecution.
Regardless of DNT signal, data MAY be collected, retained and used for debugging purposes to identify and repair errors that impair existing intended functionality.
Expecting further text on audience measurement.
When a user sends a DNT: 0 signal, the user is expressing a preference for a personalized experience. This signal indicates explicit consent for data collection, retention, processing, disclosure, and use by the recipient of this signal to provide a personalized experience for the user. This recommendation places no restrictions on data collected from requests received with DNT: 0.
A party may engage in practices otherwise proscribed by this recommendation if the user has given explicit and informed consent. This consent may be obtained through the API defined in the companion [[!TRACKING-DNT]] document, or a party may also obtain out of band consent to disregard a Do Not Track preference using a different technology. If a party is relying on out of band consent to disregard a Do Not Track preference, the party must indicate this consent to the user agent as described in the companion [[!TRACKING-DNT]] document.
Multiple systems may be setting, sending, and receiving DNT and/or opt-out signals at the same time. As a result, it will be important to ensure industry and web browser vendors are on the same page with respect to honoring user choices in circumstances where "mixed signals" may be received.
As a general principle, more specific settings override less specific settings.
If a party learns that it possesses data in violation of this recommendation, it MUST, where reasonably feasible, delete or de-identify that data at the earliest practical opportunity, even if it was previously unaware of such information practices despite reasonable efforts to understand its information practices.
Notwithstanding anything in this recommendation, parties MAY collect, use, share, and retain data required to comply with applicable laws, regulations, and judicial processes.
This specification consists of input from many discussions within and around the W3C Tracking Protection Working Group, along with written contributions from Haakon Flage Bratsberg (Opera Software), Amy Colando (Microsoft Corporation), Nick Doty (W3C), Roy T. Fielding (Adobe), Yianni Lagos (Future of Privacy Forum), Tom Lowenthal (Mozilla), Ted Leung (The Walt Disney Company), Jonathan Mayer (Stanford University), Ninja Marnau (Invited Expert), Thomas Roessler (W3C), Matthias Schunter (IBM), Wendy Seltzer (W3C), John M. Simpson (Invited Expert), Kevin G. Smith (Adobe), Peter Swire (Invited Expert), Rob van Eijk (Invited Expert), David Wainberg (Network Advertising Initiative), Rigo Wenning (W3C), and Shane Wiley (Yahoo!).
The DNT header field is based on the original Do Not Track submission by Jonathan Mayer (Stanford), Arvind Narayanan (Stanford), and Sid Stamm (Mozilla). The DOM API for NavigatorDoNotTrack is based on the Web Tracking Protection submission by Andy Zeigler, Adrian Bateman, and Eliot Graff (Microsoft). Many thanks to Robin Berjon for ReSpec.js.