- From: Vincent Toubiana <v.toubiana@free.fr>
- Date: Thu, 02 Feb 2012 18:28:00 +0100
- To: "public-tracking@w3.org" <public-tracking@w3.org>
- CC: karld@opera.com
- Message-ID: <4F2AC7A0.3090000@free.fr>
Description: Write-up of the "Remember to forget me" definition. This first draft focuses on a definition addressing the collection of data by third parties. The main idea is to keep the log entries with DNT:1 and to flag them to quickly de-identify them when they are not longer covered by an exemption. Server Logs - A 3rd party MAY log request received with DNT:1. If such request is logged, the third party MUST keep the header DNT:1 in the logs. - A 3rd party operator SHOULD not infer information from/about a user who send DNT=1. - After the retention period corresponding to each of the exemption has been reached, the 3rd party operator MUST erase the referrer header of entries flagged with DNT:1 and either erase or de-identify the rest of the entry. - To de-identify the data, the 3rd party operator MUST replace semi-identifiers by fix values (i.e IP=0.0.0.0, UA=ZZZ). - When a 3rd party aggregates logs, it MUST either not process the entries flagged with DNT:1 or de-identify them beforehand. - A 3rd party receiving DNT:1 MUST not personalize the response based in user ID. User Agent - A User-Agent sending DNT:1 MAY prevent the transmission of cookies and other identifiers that are sent with the request. -- A User-Agent receiving a "non tracking" response from a 3rd party operator SHOULD not modify its state regarding this 3srd party (local storage, cookie, cache,...).
Received on Thursday, 2 February 2012 17:28:33 UTC