Privacy/TPWG/Change Proposal Retention Permitted Uses

From W3C Wiki

Proposal: Limits on unique identifiers in permitted uses

Proposal from Dan Auerbach; issue-211

New text

For each permitted use, the proposal adds a retention limit, with the requirement that any retention beyond that limit be justified in the privacy policy. The key changes around that are italicized below.

A third party MAY also use protocol information (e.g. HTTP header information and IP information) for any purpose, subject to a one week retention period. Limited retention of data beyond this period for debugging purposes may occur, provided the data is only used for debugging purposes and only retained as long as necessary for those purposes. If data is being retained for more than 6 months for debugging purposes, notice must be given in the privacy policy that some data is being retained for greater than 6 months for debugging.

Frequency capping

Regardless of DNT signal, protocol information may be collected, retained and used for up to 4 weeks to limit the number of times that a user sees a particular advertisement, often called frequency capping, as long as the data retained do not reveal the user’s browsing history. Parties must not construct profiles of users or user behaviors based on their ad frequency history, or otherwise alter the user’s experience.

Billing and auditing

Regardless of DNT signal, protocol information may be collected, retained and used for billing and auditing for up to 6 months, or longer if notice is given in the privacy policy with an explanation of why the extra retention is necessary. This may include, for example, counting ad events, verifying positioning and quality of ad impressions, or data that an auditor explicitly requires to be held.

Security and Fraud

To the extent proportionate and reasonably necessary for detecting security risks and fraudulent or malicious activity, parties may collect, retain, and use protocol data regardless of a DNT signal for up to 6 months, or longer if notice is given in the privacy policy with an explanation of why the extra retention is necessary. This includes data reasonably necessary for enabling authentication/verification, detecting hostile and invalid transactions and attacks, providing fraud prevention, and maintaining system integrity. In the context of this specific permitted use, this information may be used to alter the user's experience in order to reasonably keep a service secure or prevent fraud. Data may be kept beyond 6 months or the published retention period for a specific ongoing investigation or for legal purposes, but general data collection for security and fraud must be limited to 6 months or the published retention period.

It is a best practice to approach security and fraud issues with a graduated response where appropriate, retaining the minimal amount of data that is necessary for security and fraud purposes, and expanding the scope of data retention only when it becomes necessary to do so once a particular issue has been discovered.

Proposal: Limit duration of persistent identifiers

Proposal from Mike O'Neill

New text

To be added to the section "Data Minimization, Retention and Transparency":

If persistent identifiers are used then their duration SHOULD be limited to the maximum necessary for such permitted use.