Copyright © 2019 W3C® (MIT, ERCIM, Keio, Beihang). W3C liability, trademark and document use rules apply.
This specification defines a set of practices for compliance with a user's Do Not Track (DNT) tracking preference to which a server may claim adherence.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.
Since its last publication as a Candidate Recommendation in April 2016, there has not been sufficient adoption of the defined compliance practices to justify further advancement, nor have there been widespread indications of planned support among first parties, third parties and service providers. The Tracking Protection Working Group has decided to conclude its work and republish the Compliance document as this Note, with any future addendums to be published separately.
This document was published by the Tracking Protection Working Group as a Working Group Note.
Comments regarding this document are welcome. Please send them to public-tracking@w3.org (archives).
Publication as a Working Group Note does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
This document was produced by a group operating under the W3C Patent Policy.
This document is governed by the 1 February 2018 W3C Process Document.
Do Not Track is designed to provide users with a simple mechanism to express a preference to allow or limit online tracking. Complying with the user's preference as described in this document includes limits on the collection, retention and use of data collected as a third party to user actions and the sharing of data not permanently de-identified.
This specification is intended for compliance with expressed user preferences via user agents that (1) can access the general browsable Web; (2) have a user interface that satisfies the requirements in Determining User Preference in the [tracking-dnt] specification; and, (3) can implement all of the [tracking-dnt] specification, including the mechanisms for communicating a tracking status, and the user-granted exception mechanism.
It is outside the scope of this specification to control short-term,
transient collection and use of data, so long as the data is not shared
with a third party and is not used to build a profile about a user or
otherwise alter an individual user’s experience outside the current network
interaction. For example, the contextual customization of ads shown as part
of the same network interaction is not restricted by a DNT:1
signal.
A user is a natural person who is making, or has made, use of the Web.
The term user agent refers to any of the various client programs capable of initiating HTTP requests, including but not limited to browsers, spiders (web-based robots), command-line tools, native applications, and mobile apps [RFC7230].
A network interaction is a single HTTP request and its corresponding response(s): zero or more interim (1xx) responses and a single final (2xx-5xx) response.
A user action is a deliberate action by the user, via configuration, invocation, or selection, to initiate a network interaction. Selection of a link, submission of a form, and reloading a page are examples of user actions.
A party is a natural person, a legal entity, or a set of legal entities that share common owner(s), common controller(s), and a group identity that is easily discoverable by a user. Common branding or providing a list of affiliates that is available via a link from a resource where a party describes DNT practices are examples of ways to provide this discoverability.
When data pertaining to a user action is collected as a result of one or more network interactions, a party acts in one of roles defined below, i.e. as a first party or as a third party to a given user action. These terms are not meant to denote the business practices of a party as a whole, but rather to describe a party's role in a particular network interaction.
Access to Web resources often involves multiple parties that might process the data received in a network interaction. For example, domain name services, network access points, content distribution networks, load balancing services, security filters, cloud platforms, and software-as-a-service providers might be a party to a given network interaction because they are contracted by either the user or the resource owner to provide the mechanisms for communication. Likewise, additional parties might be engaged after a network interaction, such as when services or contractors are used to perform specialized data analysis or records retention.
For the data received in a given network interaction, a service provider is considered to be the same party as its contractee if the service provider:
With respect to a given user action, a first party is a party with which the user intends to interact, via one or more network interactions, as a result of making that action. Merely hovering over, muting, pausing, or closing a given piece of content does not constitute a user's intent to interact with another party.
In some cases, a resource on the Web will be jointly controlled by two or more distinct parties. Each of those parties is considered a first party to a given user action if a user would reasonably expect to communicate with all of them when accessing that resource. For example, prominent co-branding on the resource might lead a user to expect that multiple parties are responsible for the content or functionality.
Network interactions related to a given user action may not constitute intentional interaction when, for example, the user is unaware or only transiently informed of redirection or framed content.
For any data collected as a result of one or more network interactions resulting from a user's action, a third party is any party other than that user, a first party for that user action, or a service provider acting on behalf of either that user or that first party.
Data is permanently de-identified when there exists a high level of confidence that no human subject of the data can be identified, directly or indirectly (e.g., via association with an identifier, user agent, or device), by that data alone or in combination with other retained or available information.
This section is non-normative.
In this specification the term permanently de-identified is used for data that has passed out of the scope of this specification and can not, and will never, come back into scope. The organization that performs the de-identification needs to be confident that the data can never again identify the human subjects whose activity contributed to the data. That confidence may result from ensuring or demonstrating that it is no longer possible to:
Regardless of the de-identification approach, unique keys can be used to correlate records within the de-identified dataset, provided the keys do not exist and cannot be derived outside the de-identified dataset and have no meaning outside the de-identified dataset (i.e. no mapping table can exist that links the original identifiers to the keys in the de-identified dataset).
In the case of records in such data that relate to a single user or a small number of users, usage and/or distribution restrictions are advisable; experience has shown that such records can, in fact, sometimes be used to identify the user or users despite technical measures taken to prevent re-identification. It is also a good practice to disclose (e.g. in the privacy policy) the process by which de-identification of these records is done, as this can both raise the level of confidence in the process, and allow for for feedback on the process. The restrictions might include, for example:
Geolocation data (of a certain precision or over a period of time) may itself identify otherwise de-identified data.
Tracking is the collection of data regarding a particular user's activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred. A context is a set of resources that are controlled by the same party or jointly controlled by a set of parties.
A party collects data received in a network interaction if that data remains within the party’s control after the network interaction is complete.
A party uses data if the party processes the data for any purpose other than storage or merely forwarding it to another party.
A party shares data if it transfers or provides a copy of data to any other party.
In order to indicate a party's compliance with a user's expressed tracking preference as described in this specification for a given resource, an origin server:
!
(under
construction) or D
(disregarding) for that resource;
and
https://www.w3.org/TR/2018/NOTE-tracking-compliance-2018XXXX/
When a user sends a DNT:0
signal, the user is expressing
a preference to allow tracking. This specification places no restrictions
on collection or use of data from network interactions with
DNT:0
signals. Note, however, that a party might be limited
by its own statements to the user regarding the DNT:0
setting. For more information, see Section 4. Consent.
A party to a given user action which receives a DNT:1
signal and is tracking that action MUST indicate so to the user
agent. A party that is tracking a user with that user's consent to
override an expressed DNT:1
preference MUST indicate so with
the corresponding C
or P
tracking status values. A party that is tracking a user for reasons
allowable under this specification (for example, for one of the permitted
uses described below) MUST use the T
value. A party to a
given user action that is not engaged in tracking SHOULD use the
N
value (a T
value is also conformant but not
as informative).
A party to a given user action that disregards a DNT:1
signal MUST indicate that non-compliance to the user agent, using the
response mechanism defined in the [tracking-dnt] specification. The party MUST
provide information in its privacy policy listing the specific reasons
for not honoring the user's expressed preference. The party's
representation MUST be clear and easily discoverable.
In the interest of transparency, especially where multiple reasons are listed, a server might use the [tracking-dnt] qualifiers or config properties to indicate a particular reason for disregarding or steps to address the issue. A user agent can parse this response to communicate the reason to the user or direct the user to the relevant section of a privacy policy. This document does not define specific qualifiers for different reasons servers might have for disregarding signals.
With respect to a given user action, a first party to that action
which receives a DNT:1
signal MAY collect, retain and use
data received from those network interactions. This includes customizing
content, services and advertising with respect to those user actions.
A first party to a given user action MUST NOT share data about those network interactions with third parties to that action who are prohibited from collecting data from those network interactions under this specification. Data about the interaction MAY be shared with service providers acting on behalf of that first party.
Compliance rules in this section apply where a party determines that it is a first party to a given user action — either because network resources are intended only for use as a first party to a user action or because the status is dynamically discerned. For cases where a party later determines that data was unknowingly collected as a third party to a user action, see Section 6. Unknowing Collection.
A first party to a given user action MAY elect to follow the rules defined under this specification for third parties.
When a third party to a given user action receives a
DNT:1
signal in a related network interaction, that party
MAY collect and use data about those network interactions when:
Other than under those enumerated conditions, that party:
Outside the permitted uses and explicitly-granted exceptions listed below, a third party to a given user action MUST NOT collect, share, or associate with related network interactions any identifiers that identify a specific user, user agent, or device. For example, a third party that does not require unique user identifiers for one of the permitted uses MUST NOT place a unique identifier in cookies or other browser-based local storage mechanisms.
Some collection and use of data by third parties to a given user
action is permitted, notwithstanding receipt of DNT:1
in a
network interaction, as enumerated below. Different permitted uses may
differ in their permitted items of data collection, retention times,
and consequences. In all cases, collection and use of data must be
reasonably necessary and proportionate to achieve the purpose for which
it is specifically permitted; unreasonable or disproportionate
collection, retention, or use are not "permitted uses".
The requirements in the following sub-sections apply to a party that collects data for a permitted use and that would otherwise be prohibited from collecting, retaining or using that data under the third-party compliance requirements above. Where a first party to a given user action, for example, collects some data for a purpose listed among the permitted uses (e.g. security of network services), these requirements do not apply.
A party MUST NOT use data collected for permitted uses for purposes other than the permitted uses for which each datum was permitted to be collected.
Data collected by a party for permitted uses MUST be minimized to the data reasonably necessary for such permitted uses. Such data MUST NOT be retained any longer than is proportionate to, and reasonably necessary for, such permitted uses. A party MUST NOT rely on unique identifiers if alternative solutions are reasonably available.
A party MUST publicly describe definite time periods for which data collected for permitted uses are retained. The party MAY enumerate different retention periods for different permitted uses. Data MUST NOT be used for a permitted use once the data retention period for that permitted use has expired. After there are no remaining permitted uses for given data, the data MUST be deleted or permanently de-identified.
A party that collects data for a permitted use MUST NOT use that data to alter a specific user's online experience, except as specifically permitted below.
A party that collects data for a permitted use MUST use reasonable technical and organizational safeguards to prevent further processing of data retained for permitted uses. While physical separation of data maintained for permitted uses is not required, best practices SHOULD be in place to ensure technical controls ensure access limitations and information security.
Regardless of the tracking preference expressed, data MAY be collected, retained and used to limit the number of times that a user sees a particular advertisement, often called frequency capping, as long as the data retained do not reveal the user’s browsing history.
Regardless of the tracking preference expressed, data MAY be collected and used for billing and auditing related to the current network interaction and concurrent transactions. This may include counting ad impressions to unique visitors, verifying positioning and quality of ad impressions and auditing compliance with this specification and other standards.
Regardless of the tracking preference expressed, data MAY be collected and used to the extent reasonably necessary to detect security incidents, protect the service against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible for such activity, provided that such data is not used for operational behavior beyond what is reasonably necessary to protect the service or institute a graduated response.
When feasible, a graduated response to a detected security incident is preferred over widespread data collection. In this specification, a graduated response is a data minimization methodology where actions taken are proportional to the problem or risk being mitigated.
Regardless of the tracking preference expressed, data MAY be collected, retained and used for debugging purposes to identify and repair errors that impair existing intended functionality.
A party MAY indicate which of the listed permitted uses apply to tracking of a user with the qualifiers mechanism defined in the [tracking-dnt] document. While providing qualifiers is OPTIONAL, a party that wishes to indicate particular permitted uses MUST use the corresponding characters as indicated in the table below.
qualifier | permitted use |
---|---|
c | frequency capping |
f | financial logging |
s | security |
d | debugging |
A party MAY use multiple qualifiers to indicate that multiple permitted uses of tracking might be ongoing and that each such use conforms to any corresponding requirements. Where qualifiers are present, a party MUST indicate all claimed permitted uses.
A party MAY engage in practices otherwise proscribed by this specification when the user has given explicit and informed consent. After consent is received, it might be subsequently registered through the User-Granted Exceptions API defined in the companion [tracking-dnt] document or recorded out of band using a different technology. A party MUST indicate when it is relying on out of band consent to override a Do Not Track preference, as described in the companion [tracking-dnt] document.
When a party requests consent from the user as described above, it might include consent for sharing data with its service providers. This transitive permission might apply even to those parties to which the user has not separately granted consent to be tracked.
A party that transfers consent in this way MUST ensure that its
service providers acknowledge this
consent by use of the corresponding
tracking status value of C
and a
qualifier of t
("transferred").
Multiple systems may be setting, sending, and receiving DNT and/or opt-out signals at the same time. As a result, it will be important to ensure industry and web browser vendors are on the same page with respect to honoring user choices in circumstances where "mixed signals" may be received.
As a general principle, more specific settings override less specific settings, as where the specific consent in user-granted exceptions overrides a general preference. If a party perceives a conflict between settings, a party MAY seek clarification from the user or MAY honor the more restrictive setting.
If a party learns that it possesses data in violation of this specification, it MUST, where reasonably feasible, delete or de-identify that data at the earliest practical opportunity, even if it was previously unaware of such information practices despite reasonable efforts to understand its information practices.
Notwithstanding anything in this specification, a party MAY collect, use, and share data required to comply with applicable laws, regulations, and judicial processes.
Implementers might find the following resources useful in determining how use of Tracking Compliance interacts with requirements in various jurisdictions:
This specification consists of input from many discussions within and around the W3C Tracking Protection Working Group, along with written contributions from: Haakon Flage Bratsberg (Opera Software), Amy Colando (Microsoft), Rob van Eijk (Invited Expert), Roy T. Fielding (Adobe), Vinay Goel (Adobe), Yianni Lagos (Future of Privacy Forum), Tom Lowenthal (Mozilla), Ted Leung (The Walt Disney Company), Jonathan Mayer (Stanford), Ninja Marnau (Invited Expert), Mike O'Neill (Baycloud Systems), Thomas Roessler (W3C), Wendy Seltzer (W3C), Rob Sherman (Facebook), John M. Simpson (Invited Expert), David Singer (Apple), Kevin G. Smith (Adobe), Vincent Toubiana (Invited Expert), Rigo Wenning (W3C), and Shane Wiley (Yahoo!). The co-chairs of the group have helped guide those discussions: Justin Brookman (CDT), Carl Cargill (Adobe), Aleecia M. McDonald (Stanford), Matthias Schunter (Intel), and Peter Swire (Invited Expert).
Many thanks to Robin Berjon for ReSpec.