Privacy/TPWG/Change Proposal Tracking Third Party Compliance

From W3C Wiki
< Privacy‎ | TPWG
Jump to: navigation, search

This wiki page lists text proposals for ISSUE-203

Proposal 1: only applies to tracking data

Proposal from David Singer: email Suggested update from Nick Doty: email

Old Text

Section 3.3 of prior WD.

When a third party to a given user action receives a DNT:1 signal in a related network interaction:

  • that party MUST NOT collect, share, or use data related to that interaction;
  • that party MUST NOT use data about previous network interactions in which it was a third party.

New Text

When a third party to a given user action receives a DNT:1 signal in a related network interaction:

  • that party MUST NOT collect, share, or use tracking data related to that interaction;
  • that party MUST NOT use data about previous network interactions in which it was a third party.

where "tracking data" is defined as "data that could be combined with other data to engage in tracking a user across different contexts".

Except for deidentified data and permitted uses, etc. Surrounding text remains the same.

Proposal 4: first-party permitted use

Proposal from Roy Fielding via email

A somewhat comprehensive rewrite of the compliance document from the perspective of TPE is provided in

http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance-i203b.html

that uses first and third party terms, permits first party tracking in general (including data append) as a permitted use, and keeps the (redundant) text on user identifiers and the unclear-consensus text on the scope being limited to user agents that look like browsers. The result is mostly editorial changes to what is currently in TCS, except for what is necessary to reflect the normative decisions in TPE, and adds a "1" qualifier for first party use (previously discussed when we eliminated it as a TSV).


After existing section on indicating compliance, add a section on adhering to tracking status. (Text on DNT: 0 and not enabled may be the same per issue-148, but initial paragraph on requirements of not tracking/tracking would be new.)

An origin server that sends a TSV of N (not tracking) MUST NOT engage tracking if a similar request is made to the designated resource while that tracking status remains fresh. A tracking status remains fresh until 24 hours after retrieval or, if later, until the HTTP response metadata indicates that it is stale (see Section 6.4.4 Caching of [TRACKING-DNT]). In other words, the party MUST NOT knowingly collect, retain, use, or share data from a network interaction with the designated resource that would allow that party to associate the same user with tracking data it has previously obtained from user activity in other contexts, MUST NOT retain, use, or share data derived from this user activity outside the context in which this activity occurred, and MUST NOT tailor or personalize the response from the designated resource based on data derived from this user's activity in other contexts (aside from contextual data provided by the user in the current request).

An origin server that sends a TSV of T (tracking) MAY engage tracking if a similar request is made to the designated resource. Further limitations on that tracking depend on the received tracking preference expression, if any:

DNT 0
The user is expressing a preference for a personalized experience and this signal indicates explicit consent for data collection, retention, use, and sharing by the recipient of this signal to provide a personalized experience for the user. This specification does not limit tracking in the presence of DNT:0. Note, however, a party might be limited by its own statements to the user, if any, regarding the DNT:0 setting.
DNT 1
The party MUST limit its tracking to the permitted uses defined in section 3.4 Limited Tracking Permitted under DNT:1. The party MAY provide additional information in the qualifiers property of a tracking status representation to indicate what permitted uses of tracking are engaged while under DNT:1, as described in section 3.4.3 Sending Qualifiers to Indicate Permitted Uses. The party MUST NOT share data about this network interaction with any party other than the controller(s) of the context in which this activity occurred, service providers to said controller(s), or service providers to the party.
not enabled
In the absence of regulatory, legal, or other requirements, a party MAY interpret the lack of an expressed tracking preference as they find most appropriate for the given user, particularly when considered in light of the user's privacy expectations and cultural circumstances. Likewise, origin servers might make use of other preference information outside the scope of this specification, such as site-specific user preferences or third-party registration services, to inform or adjust their behavior when no explicit preference is expressed in a request.

Remove separate section on third party compliance.

Permitted uses (and general requirements for permitted uses) would be under a top-level heading: "Limited Tracking Permitted under DNT:1"

Move text from first-party compliance section to a first party permitted use, with an introduction:

A first party is expected to provide functionality requested by the user even if that functionality makes use of tracking. This includes customizing content, services, and advertising with respect to such user actions.

and add a corresponding '1' qualifier to the list of qualifiers.

Old Proposals

Proposal 3: adhering to tracking status

Proposal from Roy Fielding via email

A comprehensive rewrite of the compliance document from the perspective of TPE is provided in

http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance-i203.html