- From: Erica Newland via cvs-syncmail <cvsmail@w3.org>
- Date: Mon, 26 Mar 2012 02:35:43 +0000
- To: public-tracking-commit@w3.org
Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory hutz:/tmp/cvs-serv24131
Modified Files:
tracking-compliance.html
Log Message:
Changed language around Issue 28 and removed issue 28, removed cookie syncing as it has been postponed, removed language around data processors and controllers, and changed exemptions to permitted uses and exceptions to user-granted exceptions. Also removed logged in-out text
Index: tracking-compliance.html
===================================================================
RCS file: /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance.html,v
retrieving revision 1.51
retrieving revision 1.52
diff -u -d -r1.51 -r1.52
--- tracking-compliance.html 24 Mar 2012 00:46:52 -0000 1.51
+++ tracking-compliance.html 26 Mar 2012 02:35:41 -0000 1.52
@@ -137,7 +137,7 @@
offer content without such targeted advertising or data collection
need a mechanism to indicate those requirements to the user and allow
them (or their user agent) to make an individual choice regarding
- exceptions.
+ user-granted exceptions.
</p>
<p>
This specification defines
@@ -158,7 +158,7 @@
header field <a>Tk</a> for resources to communicate their compliance
or non-compliance with the user's expressed preference, and
JavaScript APIs for determining DNT status and requesting a
- site-specific exception.
+ site-specific, user-granted exception.
</p>
<p class='issue'><a href="http://www.w3.org/2011/tracking-protection/trac\
@@ -421,14 +421,14 @@
considered definitive or final.</p>
<p class="note">
- The term <dfn>exemption</dfn> is used to indicate a restricted set of
+ The term <dfn>permitted use</dfn> is used to indicate a restricted set of
conditions under which tracking is allowed in spite of the user's DNT
preference.
- The term <dfn>exception</dfn> is used when the user has permitted tracking,
+ The term <dfn>user-granted exception</dfn> is used when the user has permitted tracking,
usually in the form of a site-specific exception, for a given third-party.
In general:
- exemptions are additional permissions granted by the standard;
- exceptions are additional permissions granted by the user.
+ permitted uses are additional permissions granted by the standard;
+ user-granted exceptions are additional permissions granted by the user.
These words are often confused when drafting new text.
</p>
@@ -782,7 +782,7 @@
</section>
</section>
</section>
-
+<!--
<section id="EUterms">
<h2>Data Controller and Processor</h2>
@@ -794,7 +794,7 @@
<p class="note">The text that follows may move elsewhere or may
ultimately be removed from the document. </p>
-<!-- <p>In essence there are three categories of entities, as discussed in
+ <p>In essence there are three categories of entities, as discussed in
European privacy parlance, that map onto the parties in the DNT
debate:</p><ol>
<li>The party who determines the purposes, conditions and means of the data
@@ -821,7 +821,7 @@
Data Controller</li>
<li>3rd Party (3rd Party)</li>
<p class="issue">Do we need a section on existing law/relationships
-etc?</p> -->
+etc?</p>
<p> For the EU, the outsourcing scenario is clearly regulated. In the
current EU Directive 95/46/EC, but also in the suggested regulation
reforming the data protection regime, an entity using or processing
@@ -840,13 +840,14 @@
legitimacy or authorization in processing personal data. If the
third party has own rights and privileges concerning the processing
of the data collected by the first party, it isn't a data processor
- anymore and thus not covered by exemptions. This third party is then
+ anymore and thus not covered by permitted uses. This third party is then
considered as a second data controller with all duties attached to
that status. As the pretensions of users are based on law, they
apply to first and third party alike unless the third party acts as
a mere data processor.</p>
</section>
+-->
<section id="networkInteraction">
<h1>Network Interaction</h1>
@@ -966,7 +967,7 @@
for performing tracking, any use of data retained from prior tracking,
and any retention or sharing of data from this request for the purpose
of future tracking, beyond what is necessary to enable:</p>
-<ol> <li> the limited exemptions defined in this specification; </li>
+<ol> <li> the limited permitted uses defined in this specification; </li>
<li> the first-party (and third-parties acting as the first-party)
to provide the service intentionally requested by the user; and </li>
<li> other services for which the user has provided prior,
@@ -986,7 +987,7 @@
<!-- Removing for now since we closed issue-20 - Aleecia
<section id="deidentified">
<h3>De-identified data</h3>
- <p class = "issue"> If we provide an exemption for de-identified
+ <p class = "issue"> If we provide an permitted use for de-identified
cross-site research/analytics, we will need to define de-identified data .</p>
<p class="issue"><a
href="http://www.w3.org/2011/tracking-protection/track/issues/20">ISSUE-20</a>
@@ -1100,7 +1101,7 @@
<li><b>Only share if (1):</b> If an operator of a first party domain stores a request to
which a [DNT-ON] header is attached, that operator MUST NOT share information
about that stored communication to a third party, outside of the
-exemptions as defined in this standard or specific exceptions
+permitted uses as defined in this standard or specific, user-granted exceptions
granted. </li>
<li><b>Only share if (2):</b> For those users who send the DNT signal and have not granted a
site-specific exception to the first party, first parties must NOT share
@@ -1162,15 +1163,15 @@
which a [DNT-ON] header is attached:</p>
<ol>
<li>that operator MUST NOT collect, share, or use information related to that
-communication outside of the exemptions as defined
+communication outside of the permitted uses as defined
within this standard and any explicitly-granted exceptions, provided in
accordance with the requirements of this standard;</li>
<li> that operator MUST NOT use information about previous communications
in which the operator was a third party, outside of the explicitly
-expressed exemptions as defined within this standard;</li>
+expressed permitted uses as defined within this standard;</li>
<li> that operator [MUST NOT or SHOULD NOT] retain information about
previous communications in which the operator was a third party, outside
-of the explicitly expressed exemptions as defined within this standard.</li>
+of the explicitly expressed permitted uses as defined within this standard.</li>
</ol>
</section>
<section id = "compl2"><h3>Option 2: More Detailed Formulation </h3>
@@ -1188,20 +1189,20 @@
<li>When a third party receives a DNT signal, it MUST NOT relate additional
data from that HTTP request to existing profiles associated with that
user-agent that are based on data that the third party has previously
- collected across sites over time; this is except as permitted by exemptions
+ collected across sites over time; this is except as allowed by permitted uses
stated elsewhere in this specification </li>
<li>Three alternatives:
<ol><li>Additionally, the entity MUST NOT use identifiers that it can
determine were collected from the same user agent before the DNT signal was
- received, except as permitted by exemptions, for as long as it continues to
+ received, except as allowed by permitted uses, for as long as it continues to
receive a DNT signal from that user-agent. </li>
<li> A third party MUST NOT associate collected data with either previous or
future user profiles. Any third party data collected under operational
- purpose exemptions MUST NEVER be profiled independently or associated with
+ purpose permitted uses MUST NEVER be profiled independently or associated with
previous or future user profiles. </li>
<li>When a third party receives a DNT signal, it MUST NOT retain data from
that HTTP request that could be associated with an existing profile,
- except as permitted by exemptions stated elsewhere in this
+ except as allowed by permitted uses stated elsewhere in this
specification.</li></ol>
<li>The entity MAY take additional steps with respect to previously collected
DNXT data such as deleting data before its usual expiration. However, as DNT
@@ -1220,7 +1221,7 @@
Site A session to any profile it maintains on User. Since it must
not collect and any data from this session and relate it to
previously collected data, Network B must regard and treat him
- like completely unknown user to them, absent any exemptions or
+ like completely unknown user to them, absent any permitted uses or
override from user.</li>
<li>Same as above scenario. Based on transactional information collected
about User’s visits to non-affiliated sites in the past, Ad Network B has
@@ -1306,7 +1307,7 @@
: different rules for impression of and interaction with 3rd-party
ads/content</p>
</section>
- <section id="cookieSync">
+<!-- <section id="cookieSync">
<h2>Cookie Syncing</h2>
<p class="note">The following consists of proposed text under
@@ -1345,7 +1346,7 @@
loaded from an unaffiliated entity acting as a third party MUST NOT
associate the ID of the cookie sent in the request to the user ID
transmitted in the URL and MUST NOT collect or use other information related
-to that communication and not covered by the 3rd party exemption.</p>
+to that communication and not covered by the 3rd party permitted use.</p>
<p class="note">Open issues:
<ol><li>This text does not cover Cross-Origin Resource Sharing (CORSE)
@@ -1355,15 +1356,14 @@
This section may be redundant.</li>
<li>Ad Exchanges use cookie synching for business purposes, including
third-party auditing to verify ad impressions. However, this might be
-resolved with a service provider exemption.</li></ol> </p>
-</section></section>
+resolved with a service provider permitted use.</li></ol> </p>
+</section></section> -->
- <section id="UseExemptions"><h2>Usage Exemptions</h2>
+ <section id="UsePermittedUses"><h2>Usage-based Permitted Uses</h2>
- <p>This section outlines potential exemptions to the standard
-based on necessary business use. For all of these exemptions, the complying
+ <p>This section outlines potential permitted uses based on necessary business use. For all of these permitted uses, the complying
entity must make reasonable data minimization efforts to ensure that only the
-data necessary for the exempted purpose be retained. </p>
+data necessary for the permitted use be retained. </p>
<p class="note">The following text consists of proposed text that
is meant to address <a
@@ -1381,9 +1381,9 @@
and is pending discussion and <strong>[PENDING REVIEW]</strong>.</p>
<p class="issue">Should we explicitly identify goals and use
-cases in order to evaluate these exemptions?</p>
+cases in order to evaluate these permitted uses?</p>
-<section id="TypesofTrackingOperational"> <h3>Exemptions for
+<section id="TypesofTrackingOperational"> <h3>Permitted uses for
operational use of data</h3>
<p class="note">This section consists of proposed text that is
@@ -1402,11 +1402,11 @@
<p>In order to preserve certain common and important data usages, while
still protecting consumer privacy concerns, it will be necessary to provide
-operational purpose exemptions for necessary business activities when the DNT
+operational purpose permitted uses for necessary business activities when the DNT
signal is on. There are several key categories of data collection and
use that must remain intact such that web site operators who are (in
the vast majority) offering their services free of charge in exchange
-for advertising on their properties. Proposed exemptions include:</p>
+for advertising on their properties. Proposed permitted uses include:</p>
<ol>
<li>Frequency Capping - A form of historical tracking to ensure the number
@@ -1440,14 +1440,14 @@
<li>Product Improvement, or, more narrowly, Debugging</li>
</ol>
-<p>Discussion is ongoing as to how to define these exemptions and whether or
-not all should be included in an exemptions list.</p>
+<p>Discussion is ongoing as to how to define these permitted uses and whether or
+not all should be included in an permitted uses list.</p>
</section>
</section>
- <section id="TypesofTrackingOutsourcing"> <h2>Exemption for
+ <section id="TypesofTrackingOutsourcing"> <h2>Permitted use for
Outsourcing</h2>
<p class="note">This section consists of proposed text that is meant to address <a
@@ -1525,7 +1525,7 @@
</section> </section>
- <section id="TypesofTrackingUnident"><h2>Exemption for unidentifiable
+ <section id="TypesofTrackingUnident"><h2>Permitted use for unidentifiable
data</h2>
<p class="note">This section consists of proposed text that is meant
@@ -1535,7 +1535,7 @@
REVIEW]</strong>.</p>
<p class="issue"><a
href="http://www.w3.org/2011/tracking-protection/track/issues/34">ISSUE-34</a>
-: Possible Exemption for aggregate analytics</p>
+: Possible permitted use for aggregate analytics</p>
<section id = "TypesofTrackingUnidentNorm"> <h2>Normative
Discussion</h2>
@@ -1554,13 +1554,13 @@
<section id="TypesofTrackingUnidentOverview"><h2>Overview</h2>
<p class="note"> Clarification is needed with regard to what is
meant by the following text</p>
-<p>This exemption (like all exemptions) may not be combined with other
-exemptions unless specifically allowed. A third party acting within the
-outsourcing exemption, for example, may not make independent use of the data
+<p>This permitted use (like all permitted uses) may not be combined with other
+permitted uses unless specifically allowed. A third party acting within the
+outsourcing permitted use, for example, may not make independent use of the data
it has collected even though the use involves unidentifiable data. </p>
<p>A rule to the contrary would provide a perverse incentive for third
-parties to press all exemptions to the limit and then use the collected data
-within this exemption.</p>
+parties to press all permitted uses to the limit and then use the collected data
+within this permitted use.</p>
<p>A potential 'safe harbor' under this clause could be to retain only
aggregate counts, not per-transaction records.</p></section>
@@ -1579,45 +1579,27 @@
- <section id="ExemptionIssues"><h2>Other issues raised around
-exemptions</h2>
+ <section id="PermittedUseIssues"><h2>Other issues raised around
+permitted uses</h2>
<p class="issue"><a
href="http://www.w3.org/2011/tracking-protection/track/issues/24">ISSUE-24</a>
-: Possible exemption for fraud detection and defense</p>
+: Possible permitted use for fraud detection and defense</p>
<p class="issue"><a
href="http://www.w3.org/2011/tracking-protection/track/issues/25">ISSUE-25</a>
-: Possible exemption for research purposes</p>
-
- <p class="note">The following consists of proposed text
-that is meant to address <a
-href="http://www.w3.org/2011/tracking-protection/track/issues/28">ISSUE-28</a>
-and is pending discussion and <strong>[PENDING REVIEW]</strong>.</p>
-
- <p class="issue"><a
-href="http://www.w3.org/2011/tracking-protection/track/issues/28">ISSUE-28</a>
-: Exemption for mandatory legal process</p>
+: Possible permitted use for research purposes</p>
- <p>This specification is not intended to override
-applicable laws and regulations.</p>
- <p>Indeed, a party MAY take action contrary to the requirements of
-this standard if compelled by applicable law. If compelled by applicable law
-to collect, retain, or transmit data despite receiving a DNT:1 signal for
-which there is no exemption, the party SHOULD notify affected
-users to the extent practical and allowed by law.</p>
-
- <p>It should be noted that this allowance does not extend to the
-fulfillment of a contractual obligation. </p>
+ <p>Adherence to laws, legal and judicial process, regulations and so forth take precedence over this standard when applicable, but contractual obligations do not.</p>
<p class="issue"><a
href="http://www.w3.org/2011/tracking-protection/track/issues/75">ISSUE-75</a>
-: How do companies claim exemptions and is that technical or not?</p>
+: How do companies claim permitted uses and is that technical or not?</p>
<p class="issue"><a
href="http://www.w3.org/2011/tracking-protection/track/issues/31">ISSUE-31</a>
: Minimization &emdash; to what extent will minimization be required for use of a
-particular exemption? (conditional exemptions)</p>
+particular permitted use? (conditional permitted uses)</p>
<p class="issue"><a
href="http://www.w3.org/2011/tracking-protection/track/issues/92">ISSUE-92</a>
@@ -1673,7 +1655,7 @@
-->
- <section id="Exceptions"> <h2>Exceptions</h2>
+ <section id="User-Granted Exceptions"> <h2>User-Granted Exceptions</h2>
<p class="issue"><a
href="http://www.w3.org/2011/tracking-protection/track/issues/66">ISSUE-66</a>
@@ -1686,34 +1668,34 @@
content based on DNT?</p>
<section id="IntroToExceptions">
- <h3>Introduction to exceptions</h3>
- <p>For the purposes of this document, an exception is a
+ <h3>Introduction to user-granted exceptions</h3>
+ <p>For the purposes of this document, a user-granted exception is a
user-granted override of their default DNT status for one or more third
parties within a given first party context.</p>
-<p>It is possible for first parties to request, and users to set,
+<p>It is possible for first parties to request, and users to set, user-granted
exceptions to their default DNT status on a per-first party basis
for the third parties that the first party works with. The goal of
this is to allow first parties to communicate with their users about
their options with respect to DNT within the context of that first
party's web pages. </p>
- <p class="note"> Should Market Research be deemed an
-exception rather than an exemption?</p>
+ <p class="note"> Should Market Research be deemed a user-granted
+exception rather than a permitted use?</p>
</section>
<section id="ExceptionsOptIn">
- <h3>Opt-In to site-specific exceptions</h3>
+ <h3>Opt-In to site-specific, user-granted exceptions</h3>
<p class="note">The following consists of proposed text and is
pending discussion and <strong>[PENDING REVIEW]</strong>.</p>
-<p> When a DNT enabled user agent grants a site-specific exception,
+<p> When a DNT enabled user agent grants a site-specific, "user-granted" exception,
the site places a site-specific opt-in mechanism on the user agent allowing
the site to respond as a First Party. The DNT header must remain enabled so
that if the user returns to the site, both the user's general preference for
-DNT and the site-specific exception will be clear. When seeking a
+DNT and the site-specific, user-granted exception will be clear. When seeking a
site-specific exception from the user, the site must describe to the user, via
-a direct link from the exception page, all purposes for which the tracking
+a direct link from the user-granted exception page, all purposes for which the tracking
will be used. </p> </section>
<section id="interactions">
@@ -1763,11 +1745,11 @@
<li> No DNT Signal / No Opt-Out: Treat as DNT unset</li>
<li>DNT Signal / No Opt-Out: Treat as DNT:1</li>
<li>Opt-Out / No DNT Signal: Treat as DNT:1</li>
-<li> Opt-Out / DNT Exception: Treat as DNT:0 for that site; DNT Exception is
+<li> Opt-Out / DNT User-Granted Exception: Treat as DNT:0 for that site; DNT User-Granted Exception is
honored</li></ul>
<p>NOTE: The above text will need to be modified to include the appropriate
-terminology as this is decided upon by the working group. For example, DNT
+terminology as this is decided upon by the working group. For example, DNT User-Granted
Exception would need to be replaced with "Site-Specific Exception"
depending on the outcome of that discussion.</p>
@@ -1792,7 +1774,7 @@
: Complexity of user choice (are exemptions exposed to users?)</p>
-->
</section>
-
+<!--
<section id="loggedIn">
<h3>Logged In</h3>
@@ -1844,7 +1826,7 @@
<p>No text on this topic at all, and let the existing rules work it
out.</p>
</section>
-</section>
+</section> -->
<!-- <section id="education">
<h3>User Education and Communication</h3>
Received on Monday, 26 March 2012 02:35:46 UTC