WWW/2011/tracking-protection/drafts EditorsStrawmanComp.html,1.5,1.6

Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory hutz:/tmp/cvs-serv9169

Modified Files:
	EditorsStrawmanComp.html 
Log Message:
Pulled apart 1P, 3P, UA compliance, revised permitted uses, revised def of unlinkable

Index: EditorsStrawmanComp.html
===================================================================
RCS file: /w3ccvs/WWW/2011/tracking-protection/drafts/EditorsStrawmanComp.html,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- EditorsStrawmanComp.html	6 Jul 2012 21:26:53 -0000	1.5
+++ EditorsStrawmanComp.html	10 Jul 2012 17:03:26 -0000	1.6
@@ -552,44 +552,43 @@
  </section>
  </section>
 
-	<section id="def-unident">
-	<h3>Unidentified Data</h3>
+	<section id="def-unlinkable">
+	<h3>Unlinkable Data</h3>
 		<p class=note>There is debate about whether to use the terms unlinkable, unlinked, or unidentified to describe this type of data.</p>
-		<p>A dataset is un-linkable when commercially reasonable steps have been taken to de-identify data such that there is confidence that it contains information which could not be linked to a specific user, user agent, or device in a production environment, and which the entity will commit to make no effort to re-identify, and prohibit downstream recipients of un-linkable data from re-identifying it.</p>
-		<p class="note">{NOTE: Un-linkable Data is outside of the scope of the Tracking Preference standard as information is no longer reasonably linked to a particular user, user agent, or device. </p>
-		<p class="informative">{NON-NORM:Non-normative explanatory text:  There are many valid and technically appropriate methods to de-identify or render a data set "un-linkable".  In all cases, there should be confidence the information is not easily reverted to a "linkable" state.</p>
-		<p class="informative">{NON-NORM:Non-normative explanatory text: It is recommended that companies publically stating W3C Tracking Preference compliance provide transparency to their delinking process (to the extent that it will not provide confidential details into security practices) so external experts and auditors can assess if they feel these steps are reasonable given the risk of a particular dataset.</p>
+		<p class=option>A party render a dataset <dfn>unlinkable</dfn> when it<br>1. takes commercially reasonable steps have been taken to de-identify data such that there is confidence that it contains information which could not be linked to a specific user, user agent, or device in a production environment<br>2. publicly commits to retain and use the data in unlinkable fashion, and not to attempt to re-identify the data<br>3. contracually prohibits any third party that it transmits the unlinkable data to from attempting to re-identify the data. Parties SHOULD provide transparency to their delinking process (to the extent that it will not provided confidential details into security practices) so external experts and auditors can assess if the steps are reasonably given the particular data set.</p>
+		<p class=option>A dataset is <dfn>unlinkable</dfn> when there is a high probability that it contains only information that could not be linked to a particular user, user agents, or device by a skilled analyst. A party renders a dataset unlinkable when either:<br>1. it publicly publishes information that is sufficiently detailed for a skilled analyst to evaluate the implementation, or<br>2. ensure that the dataset is at least 1024-unlinkable.</p>
 	</section>
 
 	<section id="def-network-transaction">
 	<h3>Network Transaction</h3>
-		<p class="note">{NOTE:Editor's note: This definition is consensus or near-consensus text from the pre-Seattle draft.</p>
+		<p class="note">This definition is consensus or near-consensus text from the pre-Seattle draft.</p>
 		<p>A "network interaction" is an HTTP request and response, or any other sequence of logically related network traffic.</p>
 		<p class="informative">{NON-NORM:Non-normative explanatory text: Determination of a party's status is limited to a single interaction because a party's status may be affected by time, context, or any other factor that influences user expectations.</p>
 	</section>
 
 	<section id="def-transactional-data">
 	<h3>Transactional data</h3>
-		<p class="note">{NOTE:Editor's note: This definition is consensus or near-consensus text from the pre-Seattle draft. However, it is unclear that it is necessary to the document.</p>
+		<p class="note">This definition is consensus or near-consensus text from the pre-Seattle draft. However, it is unclear that it is necessary to the document.</p>
 		<p>Transactional data is information about the user's interactions with various websites, services, or widgets which could be used to create a record of a user's system information, online communications, transactions and other activities, including websites visited, pages and ads viewed, purchases made, etc.</p>
 	</section>
 
 	<section id="def-collection">
 	<h3>Data collection, retention, use, and sharing</h3>
-		<p class="note">{NOTE: The following text consists of proposed text that is meant to address<a href="http://www.w3.org/2011/tracking-protection/track/issues/16"> </a><a href="http://www.w3.org/2011/tracking-protection/track/issues/16">ISSUE-16.</a> This language is currently being actively debated. - I thought we came to a good solution on this - find in notes - Heather</p>
+		<p class="note">We have not had time to substantially edit the definitions of collection and tracking. These continue to be actively debated issues, as the resolution of the use of unique identifiers is likely to end up in these definitions.</p>
 		<p class="issue">{ISSUE:<a href="http://www.w3.org/2011/tracking-protection/track/issues/16">ISSUE-16</a> : What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.)</p> <ol start="1"><li>A party "collects" data if the data comes within its control.</li><li>A party "retains" data if data remains within a party's control.</li><li>A party "uses" data if the party processes the data for any purpose other than storage.</li><li>A party "shares" data if the party enables another party to collect the data.</li></ol><p>The definitions of collection, retention, use, and sharing are drafted expansively so as to comprehensively cover a party's user-information practices. These definitions do not require a party's intent; a party may inadvertently collect, retain, use, or share data. The definition of collection includes information that a party did not cause to be transmitted, such as protocol headers.</p>
 	</section>
 
 	<section id="def-tracking">
 	<h3>Tracking</h3>
+	<p class="note">We have not had time to substantially edit the definitions of collection and tracking. These continue to be actively debated issues, as the resolution of the use of unique identifiers is likely to end up in these definitions.</p>
 		<p class="note">{NOTE: We are still working through how, or if, to define tracking. Some suggest the phrase "cross-site tracking" only. We will need to ensure both final recommendations use the same terms in the same way, but may not explicitly define tracking.</p>
-		<p class="issue">{ISSUE:<a href="http://www.w3.org/2011/tracking-protection/trac/k/issues/117">ISSUE-117</a>: Terms: tracking v. cross-site tracking</p>
+		<p class="issue"><a href="http://www.w3.org/2011/tracking-protection/trac/k/issues/117">ISSUE-117</a>: Terms: tracking v. cross-site tracking</p>
 		<p>The WG has not come to consensus regarding the definition of tracking and whether the scope of DNT includes all forms of user-identifying data collection or just cross-site data collection/use. This issue will be resolved in the TCS document, though its resolution is a necessary prerequisite to understanding and correctly implementing the protocol defined by this document.</p>
 	
 		<section id="def-tracking-1">
 		<h4>Option 1: Non-first Party Identifiers</h4>
 			<p class="note">{NOTE: Concerns with this section include undefined term "user data" plus as written, this may apply more broadly than the authors intended</p>
-			<p>Tracking is the collection or use of user data via either a unique identifier or a correlated set of data points being used to approximate a unique identifier, in a context other than "first party" as defined in this document. This includes:</p><ol start="1"><li>a party collecting data across multiple websites, even if it is a first party in one or more (but not all) of the multiple contexts</li><li>a third party collecting data on a given website</li><li>a first party sharing user data collected from a DNT-on user with third parties "after the fact".</li></ol><p>Examples of tracking use cases include:</p><ol start="1"><li>personalized advertising</li><li>cross-site analytics or market research that has not been de-identified</li><li>automatic preference sharing by social applications</li></ol>
+			<p>Tracking is the collection or use of user data via either a unique identifier or a correlated set of data points being used to approximate a unique identifier, in a context other than "first party" as defined in this document. This includes:</p><ol start="1"><li>a party collecting data across multiple websites, even if it is a first party in one or more (but not all) of the multiple contexts</li><li>a third party collecting data on a given website</li><li>a first party sharing user data collected from a DNT:1 user with third parties "after the fact".</li></ol><p>Examples of tracking use cases include:</p><ol start="1"><li>personalized advertising</li><li>cross-site analytics or market research that has not been de-identified</li><li>automatic preference sharing by social applications</li></ol>
 		</section>
 
 		<section id="def-tracking-2">
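Review bot: In the second unlinkable option ("A dataset is <dfn>unlinkable</dfn> when there is a high probability ..."), item 1 makes publishing a description of the implementation sufficient on its own to render a dataset unlinkable, and item 2 relies on "1024-unlinkable", which is defined nowhere in this diff; join the two items with "and" (or reword item 1 as a transparency obligation rather than a way of rendering data unlinkable) and give the 1024 parameter a definition or a TBD note before the term is cited elsewhere. The first option needs a grammar pass on the rewritten line: "A party render a dataset" should be "renders", "takes commercially reasonable steps have been taken" should be "takes commercially reasonable steps", and "contracually", "will not provided" and "reasonably given" should read "contractually", "will not provide" and "reasonable given". The note "We have not had time to substantially edit the definitions of collection and tracking ..." is added verbatim under both def-collection and def-tracking; one copy is enough. The ISSUE-117 line is rewritten but keeps the pre-existing href typo "trac/k/issues/117"; fix it to "track/issues/117" while the line is being touched.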
@@ -619,19 +618,14 @@
 		</section>
 	</section>
 	
-	<p class="issue">{ISSUE:<a href="http://www.w3.org/2011/tracking-protection/track/issues/69">ISSUE-69</a> : Should the spec say anything about minimal notice? (ie. don't bury in a privacy policy)</p>
-
-</section>
-<section id="compliance">
-<h2>Compliance with an Expressed Tracking Preference</h2>
-<p class="note">{NOTE:Editor's note: Much of section 4 is non-consensus text based on discussions in Seattle.</p>
+	<p class="issue">{ISSUE:<a href="http://www.w3.org/2011/tracking-protection/track/issues/69">ISSUE-69</a> : Should the spec say anything about minimal notice? (ie. don't bury in a privacy policy)</p></section></section>
 
 
 <section id="first-party-compliance">
 <h3>First Party Compliance</h3>
-<p class="note">{NOTE:Editor's note: This section has been cleaned up in order to improve fluency, and is largely consensus text based on discussions in Seattle.</p>
+<p class="note">Heather: This section has been cleaned up in order to improve fluency, and is largely consensus text based on discussions in Seattle.<br>Justin: I still think this language needs work --- I still don't understand how it allows publishers to use third parties for anything, including ad delivery.</p>
 
-<p>If a First Party receives a network transaction to which a DNT-1 header is attached, First Parties may engage in their normal collection and use of information. This includes the ability to customize the content, services, and advertising in the context of the first party experience. </p>
+<p>If a First Party receives a network transaction to which a DNT:1 header is attached, First Parties may engage in their normal collection and use of information. This includes the ability to customize the content, services, and advertising in the context of the first party experience. </p>
 
 <p>The First Party must not pass information about this transaction to non-service provider third parties who could not collect the data themselves under this Recommendation.  </p>
 </section>
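Review bot: The replacement line ending "don't bury in a privacy policy)</p></section></section>" closes two sections where the old text closed one and then opened <section id="compliance">; unless the </section> that used to match the compliance section is removed further down the file (not shown in this diff), the document now has an unbalanced close, and the "First Party Compliance" <h3> that follows no longer sits under any <h2>. Either keep an <h2>-level heading for compliance or promote the compliance headings to <h2>, and confirm the open/close count for the whole file. The note line that interleaves Heather's and Justin's comments with <br> reads as a conversation in the spec body; the unresolved disagreement about how publishers may use third parties for ad delivery would be better captured with the existing class="issue" style or in the tracker.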
@@ -656,12 +650,12 @@
 
 <section id="geolocation">
 <h4>Geolocation compliance by a third party</h4>
-<p class="note">This section does not reflect group consensus.</p>
+<p class="note">Unclear whether this section reflects group consensus.</p>
 <p class="issue"><a href="http://www.w3.org/2011/tracking-protection/track/issues/39">ISSUE-39</a>: Tracking of geographic data (however it's determined, or used)</p>
-<p>If the operator of a third-party domain receives a communication to which a [DNT-ON] header is attached:</p>
+<p>If the operator of a third-party domain receives a communication to which a DNT:1 header is attached:</p>
 <ol start="1"><li>Geo-location information that is more granular than postal code is too granular. Geolocation data must not be used at any level more granular than postal code. Note that while the number of people living in a postal code varies from country to country, postal codes are extant world-wide.</li><li>If specific consent has been granted for the use of more granular location data, than that consent prevails.</li></ol>
 <p><i>Non-normative text</i><br><p>It is acceptable to use data sent as part of this particular network
-interaction when composing a response to a [DNT-ON] request, but it is
+interaction when composing a response to a DNT:1 request, but it is
 not acceptable to store that data any longer than needed to reply. For
 instance, it would be appropriate to use an IP address to guess which
 country a user is in, to avoid showing them an advertisement for
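Review bot: The context line "<p><i>Non-normative text</i><br><p>It is acceptable ..." opens a <p> inside an unclosed <p>; since the adjacent line is already being edited for the DNT:1 rename, close the first paragraph ("<p><i>Non-normative text</i></p>") in the same change. In the unchanged list item, "than that consent prevails" should be "then that consent prevails". The new note "Unclear whether this section reflects group consensus" is weaker than the line it replaces without saying who raised the doubt; record the source of the question or keep the prior wording.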
@@ -697,7 +691,6 @@
 <h3>Permitted Operational Uses for Third Parties and Service Providers</h3>
 <p class="note">This section has been formatted, but I still need to rework all the language.<br><br> The scope of these exceptions and group consent for them is necessarily dependent upon the related question of how much information may be collected and retained for these uses (and whether they can be tied to unique identifiers).</p>
 
-<p class="c0 c11"></p>
 <p class="note">The term "Permitted Operational Uses" is used to indicate a restricted set of conditions under which tracking is allowed in spite of the user's DNT preference. The term user-granted exception is used when the user has permitted tracking, usually in the form of a site-specific exception, for a given third-party. In general: permitted uses are additional permissions granted by the standard; user-granted exceptions are additional permissions granted by the user. The words "exception" and "exemption" have occasionally been used interchangably and inconsitently by the editors; we are now trying to be consistent in using the terms <strong>"permitted (operational) use"</strong> and <strong>"user-granted exceptions"</strong>.</p>
 
 <p>If the operator of a third-party domain receives a communication to which a DNT:1 header is attached, that operator MAY nevertheless collect, use, and retain information related to that communication for the permitted uses enumerated below:</p>
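Review bot: Removing the empty <p class="c0 c11"></p> is fine; the unchanged note immediately below it still carries "interchangably" and "inconsitently" (interchangeably, inconsistently), and since that note is where the "permitted (operational) use" / "user-granted exceptions" terminology is fixed, it is worth cleaning up in the same commit.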
@@ -705,23 +698,33 @@
 <section id=enumerated-uses>
 <h4>Enumerated Uses</h4>
 
+<section id=short-term>
+<h5>Short Term Collection and Use</h5>
+
+<p class=option>For any purpose, so long as the information is retained for no longer than N weeks and the information is not transmitted to a third party and the information is not used to build a profile about a user or otherwise alter any individual's user experience (apart from changes that are made based on aggregate data).</p>
+
+<p class=note>We have discussed allowing a N-week (anywhere from 1 week to 3 months) grace period where third parties could collect and use data, partly due to concerns , partly as a compromise to the market research/aggregate reporting issue. We do not have consensus on this permitted use at this point. If we decide to allow this, we would need to add non-normative text explaining the rationale and providing examples.</p></section>
+
 <section id=contextual>
 <h5>Contextual Content or Ad Delivery</h5>
 
-<p>The display of contextual content or advertisements, including content or advertisements based on the first-party domain that the user visited.</p>
+<p>For the display of contextual content or advertisements, including content or advertisements based on the first-party domain that the user visited.</p>
 
 <p><i>Examples</i></p>
 
-<p class=informative><ol><li>A user visits ExampleSports.com with DNT:1 enabled to read a news article about a baseball game.  ExampleSports uses the third party ExampleAds to serve ads on ExampleSports.com.  ExampleAds is not an outsourcing partner of ExampleSports, and often uses third-party behavioral data to serve targeted ads to users who have not enabled DNT:1.  ExampleAds may collect and use inforation about the user in order to render an advertisement (including IP address and information about the user agent) and information about the url of the news article in order to render an advertisement related to the baseball game.</li><br><li>A user visits ExampleLocalNews.com with DNT:1 enabled to read a news article about a local fire.  ExampleLocalNews uses the third party ExampleWeather to display a weather widget on its site.  ExampleWeather is not an outsourcing partner of ExampleLocalNews.  ExampleWeather may collect and user information about the user in order to render the weather widget (includig IP address and information about the user agent) and information about the domain of the news site in order to render weather information related to the city which ExampleLocalNews reports on.</li><br></ol></p>
+<p class=informative><ol><li>A user visits ExampleSports.com with DNT:1 enabled to read a news article about a baseball game.  ExampleSports uses the third party ExampleAds to serve ads on ExampleSports.com.  ExampleAds is not an outsourcing partner of ExampleSports, and often uses third-party behavioral data to serve targeted ads to users who have not enabled DNT:1.  ExampleAds may collect and use inforation about the user in order to render an advertisement (including IP address and information about the user agent) and information about the url of the news article in order to render an advertisement related to the baseball game.</li><br><li>A user visits ExampleLocalNews.com with DNT:1 enabled to read a news article about a local fire.  ExampleLocalNews uses the third party ExampleWeather to display a weather widget on its site.  ExampleWeather is not an outsourcing partner of ExampleLocalNews.  ExampleWeather may collect and user information about the user in order to render the weather widget (includig IP address and information about the user agent) and information about the domain of the news site in order to render weather information related to the city which ExampleLocalNews reports on.</li><br></ol></p></section>
 
-<p class=option>The display of content or advertisements based in part of data that the third party previously collected from the user when acting as a first party.</p>
+<section id=first-party-data>
+<h5>Content or Ad Delivery Based on First Party Data</h5>
+
+<p class=option>For the display of content or advertisements based in part of data that the third party previously collected from the user when acting as a first party.</p>
 
 <p class=informative><i>Examples</i><br><ol><li>A user visits ExampleNews.com with DNT:1 enabled to read a story about a national election.  ExamplesNews uses the third party ExamplePortal to serve content and advertisements on its site.  ExamplePortal is not an outsourcing partner of ExampleNews.  The user had previously visited ExamplePortal.com with DNT:1 enabled and read several stories about golf.  ExamplePortal may serve an advertisement related to golf to that same user on ExampleNews.  However, ExamplePortal may not use the fact that user went to ExampleNews to add to the user's ExamplePortal profile, and may only retain and use information about that fact for a permitted operational use.</li><br><li>A user visits Example Music with DNT:1 enabled to listen to recently released albums streamed online.  Example Music uses the third party Example Social to provide a widget that shows users what their Example Social friends have done on ExampleMusic.  ExampleSocial is not an outsourcing partner of ExamleMusic.  The user is a member of ExampleSocial and has several friends who also share information about what they do on ExampleMusic on ExampleSocial. ExampleSocial may display information that the users' friends had shared on ExampleSocial related to ExampleMusic within its third-party widget on ExampleMusic.  However, ExampleSocial may not use the fact that user went to ExampleMusic to add to the user's ExampleSocial profile, and may only retain and use information about that fact for a permitted operational use.</li></ol></p></section>
 
 <section id="frequency-capping">
 <h5>Frequency Capping</h5>
 
-<p>Limiting the number of times that a user sees a particular advertisement.</p>
+<p>For limiting the number of times that a user sees a particular advertisement.</p>
 
 <p><i>Example</i></p>
 
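Review bot: The new short-term option ("For any purpose, so long as the information is retained for no longer than N weeks ...") leaves N as an open parameter, and the accompanying note is cut off at "partly due to concerns ," with the concern itself missing; either state the candidate range the note gives (1 week to 3 months) in the option or mark N as TBD, and finish the sentence. The contextual examples paragraph is reinserted byte-for-byte with its typos ("inforation", "collect and user information", "includig"); fix them while the line is being touched. In the first-party-data option, "based in part of data" should read "based in part on data".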
@@ -744,48 +747,73 @@
 <h5>Security and Fraud Prevention</h5>
 
 <p>For detecting security risks and fraudulent activity, defending from attacks and fraud, and maintaining integrity of the service.  This includes data reasonably necessary for enabling authentication/verification, detecting hostile transactions and attacks, providing fraud prevention, and maintaining system integrity.</p>
-<p class=note>While it is hard to determine in advance what data will be needed for security and fraud protection, it is worth careful consideration how to best collect only useful information for these purposes.</p>
 
-<p class="informative">Non-normative explanatory text: Restricting security and fraud detection and defense efforts could harm users.  We do not want to mistakenly turn Do Not Track into a signal for user vulnerability.</p>
+<p class="note">In Seattle, we discussed a compromise"graduated response" approach that allows third parties to retain data for a short period if no problems are apparent, and to use/retain longer only if there is reason to believe there is a problem.</p>
+
 <p><i>Examples</i></p>
 <p class=note>Add examples</p></section>
 
 <section id=debugging>
 <h5>Debugging</h5>
 
-<p class="note">{NOTE:Editor's note: This is non-consensus text from Seattle meeting.</p>
-<p>Data MAY be collected and used for the limited purpose of identifying and repairing site errors to intended functionality (&ldquo;Debugging&rdquo;).  </p>
-<p class="note">{NOTE: While it is hard to determine in advance what data will be needed for product debugging, it is worth careful consideration how to best collect only useful information for these purposes. One approach may be a &lsquo;graduated response' strategy to retain data for a short period if no problems are apparent.</p>
+<p>For identifying and repairing errors that impair existing intended functionality.</p>
+<p class="note">In Seattle, we discussed a compromise"graduated response" approach that allows third parties to retain data for a short period if no problems are apparent, and to use/retain longer only if there is reason to believe there is a problem.</p>
 
-<p class="informative">{NON-NORM:Non-normative explanatory text: Detailed information is often necessary to replicate a specific user's experience to understand why their particular set of variables is resulting in a failure of expected functionality or presentation.  These variables could include items such as cookie IDs, page URLs, device or UA details, content specifics, and activity/event specifics to narrow in on the cause of the discrepancy.</p></section>
+<p class="informative">Non-normative explanatory text: Detailed information is often necessary to replicate a specific user's experience to understand why their particular set of variables is resulting in a failure of expected functionality or presentation.  These variables could include items such as cookie IDs, page URLs, device or UA details, content specifics, and activity/event specifics to narrow in on the cause of the discrepancy.</p></section>
+
+<p class=note>Add examples</p>
 
 <section id=aggregate-reporting>
 <h5>Aggregate Reporting</h5>
 
-<p class="note">{NOTE:Editor's note: Text is based on breakout group discussion, and large group presentation, at the Seattle meeting.</p>
+<p class=note>Text is based on breakout group discussion, and large group presentation, at the Seattle meeting.  However, there is not group consensus that this should be a permitted operational use.</p>
 
-<p>Data MAY be collected and used for the express and limited purpose of aggregate reporting.  Aggregate reporting end-points should meet the objectives of &ldquo;unlinkability&rdquo; (see below) and therefore are outside of the scope of the DNT standard.  There is a time interval necessary to retain event level records to aggregate across the necessary time spans accurately (daily, weekly, monthly, quarterly, etc.).  </p>
+<p class=option>For aggregate reporting, such as market research and product improvement.  Data MAY be collected and retained on an individual level, but the use of the data must only be aggregate reporting, and the products of the reporting MUST be unlinkable as defined in this document.</p>
 
-<p class="note">{NOTE:Editor's note: It is unclear whether this paragraph needs to be here, especially given that there is debate over the period in which a party may use protocol information for any purpose.</p>
-<p>During the period in which a third party may use protocol information for any purpose, it may aggregate protocol information and un-linkable data into an un-linkable dataset. Such a dataset may be retained indefinitely and used for any purpose.</p>
-<p class="informative">{NON-NORM:Non-normative explanatory text: While detailed event level data is not present at the outcome of aggregated reporting it is a necessary ingredient to arrive there. Aggregate reporting may be used for many purposes, including but not limited to product improvement, analytics, visitor counts, market research.</p></section></section>
+<p class=option>For aggregate reporting, such as market research and product improvement, if that information is collected and retained for another enumerated permitted use. Data MAY be collected and retained on an individual level, but the use of the data must only be aggregate reporting, and the products of the reporting MUST be unlinkable as defined in this document. If the operator no longer has another enumerated permitted use for which to use and retain the data, the operator MAY NOT use and retain the data for aggregat reporting unless the data has been rendered unlinkable as defined in this document.</p>
+
+<p class=option>No permitted use for aggregate reporting outside of the grace period described earlier.</p>
+
+<p class=note>Add examples</p></section>
+
+<p class="note">While definitely a Permitted Use, compliance with local laws and public purposes, such as copyright protection and delivery of emergency services, is not listed separately. It is unclear whether this should be specified in the draft.</p></section>
 
 <section id=permitted-use-requirements>
 <h4>Additional Requirements for Permitted Uses</h4>
 
 <p>For each of the Permitted Uses outlined, the following requirements apply:</p>
-<ol start="1"><li>Each party engaging in Permitted Uses and claiming W3C DNT compliance, MUST provide public transparency of their data retention period</li></ol><ol start="1"><li class="c23 c0 c28">Party MAY enumerate each individually if they vary across Permitted Uses</li></ol><ol start="2"><li>Reasonable technical and organizational safeguards must be in place to prevent further processing. </li></ol><ol start="1"><li class="c23 c0 c28">[Note: While physical separation of data maintained for permitted uses is not  required, best practices should be in place to ensure technical controls ensure access limitations and information security.]</li></ol><ol start="3"><li>Outside of Security, data retained for Permitted Uses must not be used to alter a specific user's online experience based on multi-site activity. Customization outside of multi-site activity profiles is acceptable, but should be considered in light of DNT:1 signals.</li></ol><ol start="1"><li>Entities should ensure that data access and use isauditable. </li></ol><ol start="1"><li class="c23 c0 c28">[Editor's note: Whether or not the type of audit is mandated is still in discussion; an optional field exists in the TPE spec for auditors and self-regulatory commitments.]</li></ol><ol start="2"><li>Entities should publish their retention periods and specific permitted uses for which data is maintained. If necessary, the entity should explain why they retain data for permitted uses from DNT:1 transactions. Entities should maintain information for permitted uses only as long as necessary for that use; entities must make reasonable data minimization efforts to ensure that only the data necessary for the permitted use be retained.</li></ol><ol start="1"><li class="c23 c0 c28">[Editor's note: May be worthwhile to put some examples in around when it is or isn't a good idea to explain use, ie, Commonly Accepted Practices vs. 
security data to address unique businesses]</li></ol><ol start="3"><li>Entities must not use data retained for permitted uses in fornon-permitted uses. Once the period of time for which you have declared data retention for a given use, the data must not be used for that permitted use. After there are no remaining permitted uses for given data, the data must be rendered out of scope of this draft.</li></ol><ol start="1"><li class="c23 c0 c28">[Note: Examples of rendering data out of scope are making it unidentifiable, not linked to identifiers, or deleted. Creating an aggregate report from the data prior to rendering the data out of scope is acceptable.]</li></ol><ol start="4"><li>In most cases, the user experience should not be altered using data maintained for permitted uses. </li></ol><ol start="1"><li class="c23 c0 c28">[Note: Telling a user that you have detected behavior that has triggered a security process is acceptable, as is non-covered data like city level geolocation.]</li><li class="c23 c0 c28">[Editor's note: Frequency capping and other content delivery may alter user experience as well, but are largely not based on individalized delivery.]</li></ol><p class="note">{NOTE:  While definitely a Permitted Use, compliance with local laws and public purposes, such as copyright protection and delivery of emergency services, is not listed separately. It is unclear whether this should be specified in the draft.</p></section>
 
-<p class="issue">{ISSUE:<a href="http://www.w3.org/2011/tracking-protection/track/issues/24">ISSUE-24</a> : Possible permitted use for fraud detection and defense</p>
-<p class="issue">{ISSUE:<a href="http://www.w3.org/2011/tracking-protection/track/issues/25">ISSUE-25</a> : Possible permitted use for research purposes</p>
+<section id=no-secondary-uses>
+<h5>No Secondary Uses</h5>
+<p>Third Parties MUST NOT use data retained for permitted uses for non-permitted uses.</p></section>
+
+<section id=data-minimization-and-transparency>
+<h5>Data Minimization and Transparency</h5>
+<p>A third party MUST ONLY retain information for a Permitted Use for as long as is reasonably necessary for that use.  Third parties MUST make reasonable data minimization efforts to ensure that only the data necessary for the permittted use is retained.  A third party MUST provide public transparency of their data retention period. The third party MAY enumerate each individually if they vary across Permitted Uses.  Once the period of time for which you have declared data retention for a given use, the data MUST NOT be used for that permitted use. After there are no remaining Permitted Uses for given data, the data must be deleted or rendered unlinkable.</p>
+
+<p class=note>May be worthwhile to put some examples in around when it is or isn't a good idea to explain use, ie, Commonly Accepted Practices vs. security data to address unique businesses</p></section>
+
+<section id=reasonable-security>
+<h5>Reasonable Security</h5>
+
+<p>Third parties MUST use reasonable technical and organizational safeguards to prevent further processing of data retained for Permitted Uses. While physical separation of data maintained for permitted uses is not required, best practices should be in place to ensure technical controls ensure access limitations and information security. Third parties SHOULD ensure that the access and use of data retained for Permitted Uses is auditable.</p>
+
+<p class=note>Whether or not the type of audit is mandated is still in discussion; an optional field exists in the TPE spec for auditors and self-regulatory commitments.</p></section>
+
+<section id=no-personalization>
+<h5>No Personalization</h5>
+
+<p>Outside of Security and Frequency Capping, data retained for Permitted Uses MUST NOT be used to alter a specific user's online experience based on multi-site activity.</p></section>
+
+<p class="issue"><a href="http://www.w3.org/2011/tracking-protection/track/issues/24">ISSUE-24</a> : Possible permitted use for fraud detection and defense</p>
+<p class="issue"><a href="http://www.w3.org/2011/tracking-protection/track/issues/25">ISSUE-25</a> : Possible permitted use for research purposes</p>
 <p>[Adherence to laws, legal and judicial process, regulations and so forth take precedence over this standard when applicable, but contractual obligations do not.</p>
-<p class="issue">{ISSUE:<a href="http://www.w3.org/2011/tracking-protection/track/issues/75">ISSUE-75</a> : How do companies claim permitted uses and is that technical or not?</p>
-<p class="issue">{ISSUE:<a href="http://www.w3.org/2011/tracking-protection/track/issues/31">ISSUE-31</a> : Minimization -- to what extent will minimization be required for use of a particular permitted use? (conditional permitted uses)</p>
-<p class="issue">{ISSUE:<a href="http://www.w3.org/2011/tracking-protection/track/issues/92">ISSUE-92</a> : If data collection (even very specific with IP address, user agent, referrer) is time-limited, with very limited retention, is that still tracking?</p>
-<p class="issue">{ISSUE:<a href="http://www.w3.org/2011/tracking-protection/track/issues/89">ISSUE-89</a> : Does DNT mean at a high level: (a) no customization, users are seen for the first time, every time. (b) DNT is about data moving between sites.</p>
-<p class="issue">{ISSUE:<a href="http://www.w3.org/2011/tracking-protection/track/issues/97">ISSUE-97</a>: Re-direction, shortened URLs, click analytics &amp;emdash; what kind of tracking is this?</p>
+<p class="issue"><a href="http://www.w3.org/2011/tracking-protection/track/issues/75">ISSUE-75</a> : How do companies claim permitted uses and is that technical or not?</p>
+<p class="issue"><a href="http://www.w3.org/2011/tracking-protection/track/issues/31">ISSUE-31</a> : Minimization -- to what extent will minimization be required for use of a particular permitted use? (conditional permitted uses)</p>
+<p class="issue"><a href="http://www.w3.org/2011/tracking-protection/track/issues/92">ISSUE-92</a> : If data collection (even very specific with IP address, user agent, referrer) is time-limited, with very limited retention, is that still tracking?</p>
+<p class="issue"><a href="http://www.w3.org/2011/tracking-protection/track/issues/89">ISSUE-89</a> : Does DNT mean at a high level: (a) no customization, users are seen for the first time, every time. (b) DNT is about data moving between sites.</p>
+<p class="issue"><a href="http://www.w3.org/2011/tracking-protection/track/issues/97">ISSUE-97</a>: Re-direction, shortened URLs, click analytics &amp;emdash; what kind of tracking is this?</p></section></section>
 
-</section>
 <section id="user-granted-exceptions">
 <h2>User-Granted Exceptions</h2>
 <p class="note">Heather: Unclear to me whether this even belongs in the compliance doc at this point.</p>
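Review bot: `&amp;emdash;` in the ISSUE-97 line re-added at the end of this hunk renders literally as `&emdash;` in a browser; the HTML entity is `&mdash;`. In the Data Minimization paragraph `permittted` is misspelled, and the sentence `Once the period of time for which you have declared data retention for a given use, the data MUST NOT be used for that permitted use` is missing its verb (`has elapsed`) and switches to second person while the rest of the section speaks of `a third party`. In Reasonable Security, `best practices should be in place to ensure technical controls ensure access limitations and information security` says ensure twice and carries a lowercase `should` next to capitalized MUST/SHOULD; `technical controls SHOULD enforce access limitations and information security` reads once and is testable. `prevent further processing` is ambiguous: stating `processing for any purpose other than the Permitted Use for which the data was retained` ties the safeguard to the No Secondary Uses rule added just above it, and the auditability SHOULD would be stronger if it named what is to be auditable (access to and use of the retained data). Note also that the unchanged context at the top of the hunk still carries the old numbered items 3 and 4 (`must not use data retained for permitted uses in fornon-permitted uses`, `In most cases, the user experience should not be altered`), which now overlap with the new No Secondary Uses and No Personalization sections and differ in strength (`should` vs `MUST NOT`); either remove the old items or reconcile them so each rule has one normative statement. Minor: the new `id=` and `class=` values are unquoted while the rest of the file quotes them (`id="user-granted-exceptions"`).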
@@ -813,12 +841,18 @@
 
 </section></section>
 
+<section id=bad-UA>
+<h3>Disregarding Non-Compliant User Agents</h3>
+<p class=option>Third parties MUST NOT disregard DNT:1 headers whose syntax is correctly formed even if the third party does not believe that the DNT:1 header was set with the explicit and informed consent of the user.</p>
+<p class=option>If the operator of a third-party domain has a good faith belief that a user agent is sending a DNT:1 without the explicit and informed consent of the user, the operator MAY disregard the DNT:1 header and collect, use, and retain information about the user as if no DNT signal had been sent.  If the operator disregards the DNT signal, the operator MUST signal to the user agent that it is disregarding the header as described in the companion [[!!DNT-TRACKING]] document.</p>
+<p class=option>No provision on Disregarding Non-Compliant User Agents.</p></section>
+
 <section id="degrade">
 <h3>Degrading User Experience for DNT:1 users</h3>
 
-<p class="note">{Heather:I thought we had consensus that it's fine to degrade the experience for DNT:1 transactions, but need to find the text.</p>
+<p class="note">Heather:I thought we had consensus that it's fine to degrade the experience for DNT:1 transactions, but need to find the text.</p>
 
-<p class="issue">{ISSUE:<a href="http://www.w3.org/2011/tracking-protection/track/issues/93">ISSUE-93</a> : Should 1st parties be able to degrade a user experience or charge money for content based on DNT?</p>
+<p class="issue"><a href="http://www.w3.org/2011/tracking-protection/track/issues/93">ISSUE-93</a> : Should 1st parties be able to degrade a user experience or charge money for content based on DNT?</p>
 </section>
 
 <section id=enforcement>
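Review bot: the three `class=option` paragraphs in the new bad-UA section are mutually exclusive alternatives (MUST NOT disregard / MAY disregard with signalling / no provision), but nothing in the markup or text says so, so a reader takes the first two as contradictory normative requirements; prefix each with `Option 1:`, `Option 2:`, `Option 3:` or add a `class=note` stating that one will be selected. The reference `[[!!DNT-TRACKING]]` has a doubled `!`; the ReSpec form for a normative reference is `[[!DNT-TRACKING]]` and the doubled form will not resolve. In option 2 the operator's `good faith belief` cannot be checked by the user, so the `MUST signal to the user agent that it is disregarding the header` clause is the only mechanism by which the user agent can detect that its DNT:1 was ignored; consider stating explicitly that disregarding the header without sending that signal is non-compliant. Minor: `sending a DNT:1 without` is missing `header`, and `Heather:I` in the degrade note still lacks a space after the colon even though the stray `{` was removed.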

Received on Tuesday, 10 July 2012 17:03:31 UTC