Privacy/TPWG/Change Proposal Principles for Permitted Uses


Strictly Necessary

Proposal from Mayer; ISSUE-231

New Text

5.1.2 Data Minimization, Retention and Transparency

Data retained by a party for permitted uses must be limited to the data strictly necessary for such permitted uses. Such data must not be retained any longer than is proportionate and strictly necessary for such permitted uses.

Third parties must provide public transparency of the time periods for which data collected for permitted uses are retained. The third party may enumerate different retention periods for different permitted uses. Data must not be used for a permitted use once the data retention period for that permitted use has expired. After there are no remaining permitted uses for given data, the data must be deleted or de-identified.

Third parties must make reasonable data minimization efforts to ensure that only the data necessary for the permitted use is retained, and must not rely on unique identifiers for users or devices if alternative solutions are reasonably available.

Allowed Example: A third-party advertising network uses a minimal set of deidentified data to frequency cap advertisements.

Disallowed Example: A third-party analytics service generates public reports about aggregate page impressions. It retains full protocol logs for two weeks, even though it has no need for them.

Technically feasible

Proposal from Colando

New Text

End of section 5.1.2:

Third parties MUST make reasonable data minimization efforts to ensure that only the data necessary for the permitted use is retained, and MUST NOT rely on unique identifiers for users or devices if alternative solutions are reasonably available and technically feasible.

Internally verifiable

Proposal from Colando

New Text

End of section 5.1.4:

Third parties must use reasonable technical and organizational safeguards to prevent further processing of data retained for permitted uses. While physical separation of data maintained for permitted uses is not required, best practices should be in place to ensure technical controls ensure access limitations and information security. Third parties should ensure that the access and use of data retained for permitted uses is internally verifiable.

Editor's Draft

5.1.2 Data Minimization, Retention and Transparency

Data retained by a party for permitted uses must be limited to the data reasonably necessary for such permitted uses. Such data must not be retained any longer than is proportionate and reasonably necessary for such permitted uses.

Third parties must provide public transparency of the time periods for which data collected for permitted uses are retained. The third party may enumerate different retention periods for different permitted uses. Data must not be used for a permitted use once the data retention period for that permitted use has expired. After there are no remaining permitted uses for given data, the data must be deleted or de-identified.

Third parties must make reasonable data minimization efforts to ensure that only the data necessary for the permitted use is retained, and must not rely on unique identifiers for users or devices if alternative solutions are reasonably available.

5.1.4 Reasonable Security

Third parties must use reasonable technical and organizational safeguards to prevent further processing of data retained for permitted uses. While physical separation of data maintained for permitted uses is not required, best practices should be in place to ensure technical controls ensure access limitations and information security. Third parties should ensure that the access and use of data retained for permitted uses is auditable.

New general principle for permitted uses

Proposal from Rob van Eijk

New Text

5.2.5 no matching/syncing between permitted uses

Data collected or retained by a party for a specific permitted use must not be matched or synced with data from other permitted uses.

Disallowed Example: cookie syncing between permitted uses.