W3C home > Mailing lists > Public > public-tracking-commit@w3.org > September 2012

WWW/2011/tracking-protection/drafts tracking-compliance-20121002.html,1.1,1.2

From: Roy Fielding via cvs-syncmail <cvsmail@w3.org>
Date: Sat, 29 Sep 2012 08:53:15 +0000
To: public-tracking-commit@w3.org
Message-Id: <E1THsnT-0007vF-L6@lionel-hutz.w3.org>
Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory hutz:/tmp/cvs-serv24941

Modified Files:
	tracking-compliance-20121002.html 
Log Message:
Use perl to post-process respec output to fix the bug with RFC2119 terms
being lowercased for the sake of stupid small-caps look on screen.

perl -pi -e 's:<em title="must" class="rfc2119">must</em>:<em title="MUST" class="rfc2119">MUST</em>:g; s:<em title="must not" class="rfc2119">must not</em>:<em title="MUST NOT" class="rfc2119">MUST NOT</em>:g; s:<em title="required" class="rfc2119">required</em>:<em title="REQUIRED" class="rfc2119">REQUIRED</em>:g; s:<em title="should" class="rfc2119">should</em>:<em title="SHOULD" class="rfc2119">SHOULD</em>:g; s:<em title="should not" class="rfc2119">should not</em>:<em title="SHOULD NOT" class="rfc2119">SHOULD NOT</em>:g; s:<em title="recommended" class="rfc2119">recommended</em>:<em title="RECOMMENDED" class="rfc2119">RECOMMENDED</em>:g; s:<em title="may" class="rfc2119">may</em>:<em title="MAY" class="rfc2119">MAY</em>:g; s:<em title="optional" class="rfc2119">optional</em>:<em title="OPTIONAL" class="rfc2119">OPTIONAL</em>:g;' tracking-compliance-20121002.html



Index: tracking-compliance-20121002.html
===================================================================
RCS file: /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance-20121002.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- tracking-compliance-20121002.html	29 Sep 2012 08:46:13 -0000	1.1
+++ tracking-compliance-20121002.html	29 Sep 2012 08:53:13 -0000	1.2
@@ -434,7 +434,7 @@
 -->
 <!-- I have shuffled this language around for clarity and simplicity, but it should retain the same meaning. Previous language retained in comments. -->
 <section class="option" id="def-party-1"><h4><span class="secno">3.3.1 </span>Option 1</h4><p>A <dfn id="dfn-party">party</dfn> is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person which acts as a functional entity. A set of functional entities is considered affiliated when they are related by both common majority ownership and common control, and affiliation is made easily discoverable by a user.</p></section>
-<section class="option" id="def-party2"><h4><span class="secno">3.3.2 </span>Option 2</h4><p>A <dfn id="dfn-party-1">party</dfn> is any commercial, nonprofit, or governmental organization, a subsidiary or unit of&nbsp;such an organization, or a person. For unique corporate entities to qualify as a common party with respect to this document,&nbsp;those entities <em title="must" class="rfc2119">must</em> be commonly owned and commonly controlled (Affiliates) and&nbsp;<em title="must" class="rfc2119">must</em> provide “easy discoverability” of affiliate organizations. An “Affiliate List” <em title="must" class="rfc2119">must</em> be&nbsp;provided within one click from each page or the entity owner clearly identified within one&nbsp;click from each page.
+<section class="option" id="def-party2"><h4><span class="secno">3.3.2 </span>Option 2</h4><p>A <dfn id="dfn-party-1">party</dfn> is any commercial, nonprofit, or governmental organization, a subsidiary or unit of&nbsp;such an organization, or a person. For unique corporate entities to qualify as a common party with respect to this document,&nbsp;those entities <em title="MUST" class="rfc2119">MUST</em> be commonly owned and commonly controlled (Affiliates) and&nbsp;<em title="MUST" class="rfc2119">MUST</em> provide “easy discoverability” of affiliate organizations. An “Affiliate List” <em title="MUST" class="rfc2119">MUST</em> be&nbsp;provided within one click from each page or the entity owner clearly identified within one&nbsp;click from each page.
 </p><p class="example">A website with a clear labeled link to the Affiliate List within the privacy policy would
 meet this requirement or the ownership brand clearly labeled on the privacy policy
 itself and may choose to act as a single party.
@@ -485,7 +485,7 @@
 <p>This section applies to parties engaging in an outsourcing relationship, wherein one party "stands in the shoes" of another party to perform a specific task. Both parties have responsibilities, as detailed below.</p>
 
 <p>
-	A <a class="internalDFN" href="#dfn-first-party">first party</a> or a <a class="internalDFN" href="#dfn-third-party">third party</a> <em title="may" class="rfc2119">may</em> outsource functionality to another <a class="internalDFN" href="#dfn-party-1">party</a>, in which case the <a class="internalDFN" href="#dfn-third-party">third party</a> may act as the original <a class="internalDFN" href="#dfn-first-party">first party</a> or <a class="internalDFN" href="#dfn-third-party">third party</a> under this standard, with the following additional restrictions:
+	A <a class="internalDFN" href="#dfn-first-party">first party</a> or a <a class="internalDFN" href="#dfn-third-party">third party</a> <em title="MAY" class="rfc2119">MAY</em> outsource functionality to another <a class="internalDFN" href="#dfn-party-1">party</a>, in which case the <a class="internalDFN" href="#dfn-third-party">third party</a> may act as the original <a class="internalDFN" href="#dfn-first-party">first party</a> or <a class="internalDFN" href="#dfn-third-party">third party</a> under this standard, with the following additional restrictions:
 </p>
 <ul>
 	<li> Data collected by each outsourced company is separated for each party they collect data for by both technical means and organizational process, AND </li>
@@ -507,7 +507,7 @@
   <section id="technical-precautions">
 	<h5><span class="secno">3.4.1.2 </span>Technical Precautions</h5>
 <p>
-	Throughout all data <a>collection</a>, <a>retention</a>, and <a>use</a>, outsourced parties <em title="must" class="rfc2119">must</em> use all feasible technical precautions to both mitigate the identifiability of and prevent the identification of data from different first parties.
+	Throughout all data <a>collection</a>, <a>retention</a>, and <a>use</a>, outsourced parties <em title="MUST" class="rfc2119">MUST</em> use all feasible technical precautions to both mitigate the identifiability of and prevent the identification of data from different first parties.
 </p>
 	
 <p>
@@ -601,7 +601,7 @@
   <section id="internal-practices"> 	 
 	<h5><span class="secno">3.4.1.4 </span>Internal Practices</h5>
 <p>
-	Throughout all data collection, retention, and use, outsourced parties <em title="must" class="rfc2119">must</em> use sufficient internal practices to prevent the identification of data from different parties.
+	Throughout all data collection, retention, and use, outsourced parties <em title="MUST" class="rfc2119">MUST</em> use sufficient internal practices to prevent the identification of data from different parties.
 </p>
 
 		<section id="non-normative-discussion-1" class="informative"> <!-- Unclear whether this non-norm tagging works, may need to fix -->
@@ -644,8 +644,8 @@
 </p>
 
 <ol>
-	<li><em title="must" class="rfc2119">must</em> <a>use</a> data <a>retained</a> on behalf of a <a class="internalDFN" href="#dfn-party-1">party</a> ONLY on behalf of that <a class="internalDFN" href="#dfn-party-1">party</a>, and</li>
-	<li><em title="must not" class="rfc2119">must not</em> <a>use</a> data <a>retained</a> on behalf of a <a class="internalDFN" href="#dfn-party-1">party</a> for their own business purposes, or for any other reasons.</li>
+	<li><em title="MUST" class="rfc2119">MUST</em> <a>use</a> data <a>retained</a> on behalf of a <a class="internalDFN" href="#dfn-party-1">party</a> ONLY on behalf of that <a class="internalDFN" href="#dfn-party-1">party</a>, and</li>
+	<li><em title="MUST NOT" class="rfc2119">MUST NOT</em> <a>use</a> data <a>retained</a> on behalf of a <a class="internalDFN" href="#dfn-party-1">party</a> for their own business purposes, or for any other reasons.</li>
 </ol>
 
 	</section> <!-- closes use direction, h2 -->
@@ -662,7 +662,7 @@
   <section id="contract">
   		<h6><span class="secno">3.4.1.6.2 </span>Contract</h6>
 <p>
-	A <a class="internalDFN" href="#dfn-first-party">first party</a> <em title="must" class="rfc2119">must</em> enter into a contract with an outsourced party that requires that outsourced party to comply with these requirements.
+	A <a class="internalDFN" href="#dfn-first-party">first party</a> <em title="MUST" class="rfc2119">MUST</em> enter into a contract with an outsourced party that requires that outsourced party to comply with these requirements.
 </p>
   		</section> <!-- closes contract, h3 -->
 	</section> <!-- closes first or third party requirements, h2 -->
@@ -861,7 +861,7 @@
 		<div class="note"><div class="note-title"><span>Note</span></div><p class="">There is debate about whether to use the terms unlinkable, unlinked, or unidentified to describe this type of data.</p></div>
 		<!-- <p class="note">JMayer would like an option that limits use of unlinkable data, but that should be in the compliance sections.</p> -->
 		<section id="option-1-unlinkable-data" class="option"><h4><span class="secno">3.6.1 </span>Option 1: Unlinkable Data</h4>
-		<p>A party render a dataset <dfn id="dfn-unlinkable">unlinkable</dfn> when it<br>1. takes commercially reasonable steps have been taken to de-identify data such that there is confidence that it contains information which could not be linked to a specific user, user agent, or device in a production environment<br>2. publicly commits to retain and use the data in unlinkable fashion, and not to attempt to re-identify the data<br>3. contracually prohibits any third party that it transmits the unlinkable data to from attempting to re-identify the data. Parties <em title="should" class="rfc2119">should</em> provide transparency to their delinking process (to the extent that it will not provided confidential details into security practices) so external experts and auditors can assess if the steps are reasonably given the particular data set.</p>
+		<p>A party render a dataset <dfn id="dfn-unlinkable">unlinkable</dfn> when it<br>1. takes commercially reasonable steps have been taken to de-identify data such that there is confidence that it contains information which could not be linked to a specific user, user agent, or device in a production environment<br>2. publicly commits to retain and use the data in unlinkable fashion, and not to attempt to re-identify the data<br>3. contracually prohibits any third party that it transmits the unlinkable data to from attempting to re-identify the data. Parties <em title="SHOULD" class="rfc2119">SHOULD</em> provide transparency to their delinking process (to the extent that it will not provided confidential details into security practices) so external experts and auditors can assess if the steps are reasonably given the particular data set.</p>
 		</section>
 		<section id="option-2-unlinkable-data" class="option"><h4><span class="secno">3.6.2 </span>Option 2: Unlinkable Data</h4>
 		<p>A dataset is <dfn id="dfn-unlinkable-1">unlinkable</dfn> when there is a high probability that it contains only information that could not be linked to a particular user, user agents, or device by a skilled analyst. A party renders a dataset unlinkable when either:<br>1. it publicly publishes information that is sufficiently detailed for a skilled analyst to evaluate the implementation, or<br>2. ensure that the dataset is at least 1024-unlinkable.</p>
@@ -935,7 +935,7 @@
 		<section class="option" id="def-consent-prescribe">
 		<h4><span class="secno">3.10.1 </span>Option 1: Prescriptive</h4>
 		
-		<p>Explicit and informed choice must satisfy the following bright-line requirements:<br><b>1. Actual presentation:</b> The choice mechanism <em title="must" class="rfc2119">must</em> be actually presented to the user. It <em title="must not" class="rfc2119">must not</em> be on a linked page, such as a terms of service or privacy policy.<br><b>2. Clear Terms:</b>The choice mechanism <em title="must" class="rfc2119">must</em> use clear, non-confusing technology.<br><b>3. Independent choice:</b> The choice mechanism <em title="must" class="rfc2119">must</em> be presented independent of other choices. It <em title="must not" class="rfc2119">must not</em> be bundled with other user preferences.<br><b>4. No default permission:</b> The choice <em title="must not" class="rfc2119">must not</em> have the user permission selected by default.</p>
+		<p>Explicit and informed choice must satisfy the following bright-line requirements:<br><b>1. Actual presentation:</b> The choice mechanism <em title="MUST" class="rfc2119">MUST</em> be actually presented to the user. It <em title="MUST NOT" class="rfc2119">MUST NOT</em> be on a linked page, such as a terms of service or privacy policy.<br><b>2. Clear Terms:</b>The choice mechanism <em title="MUST" class="rfc2119">MUST</em> use clear, non-confusing technology.<br><b>3. Independent choice:</b> The choice mechanism <em title="MUST" class="rfc2119">MUST</em> be presented independent of other choices. It <em title="MUST NOT" class="rfc2119">MUST NOT</em> be bundled with other user preferences.<br><b>4. No default permission:</b> The choice <em title="MUST NOT" class="rfc2119">MUST NOT</em> have the user permission selected by default.</p>
 		</section>
 		
 		<section class="option" id="def-consent-silence">
@@ -963,7 +963,7 @@
 
 <section id="user-agent-compliance">
 <!--OddPage--><h2><span class="secno">5. </span>User Agent Compliance</h2>
-<p>A user agent <em title="must" class="rfc2119">must</em> offer a control to express a tracking preference to third parties.  The control <em title="must" class="rfc2119">must</em> communicate the user's preference in accordance with the [<cite><a href="#bib-TRACKING-DNT" class="bibref">TRACKING-DNT</a></cite>] recommendation and otherwise comply with that recommendation.  A user agent <em title="must not" class="rfc2119">must not</em> express a tracking preference for a user unless the user has given express and informed consent to indicate a tracking preference.</p>
+<p>A user agent <em title="MUST" class="rfc2119">MUST</em> offer a control to express a tracking preference to third parties.  The control <em title="MUST" class="rfc2119">MUST</em> communicate the user's preference in accordance with the [<cite><a href="#bib-TRACKING-DNT" class="bibref">TRACKING-DNT</a></cite>] recommendation and otherwise comply with that recommendation.  A user agent <em title="MUST NOT" class="rfc2119">MUST NOT</em> express a tracking preference for a user unless the user has given express and informed consent to indicate a tracking preference.</p>
 <p>We do not specify how tracking preference choices are offered to the user or how the preference is enabled: each implementation is responsible for determining the user experience by which a tracking preference is enabled. For example, a user might select a check-box in their user agent's configuration, install an extension or add-on that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., "Privacy settings: high"). Likewise, a user might install or configure a proxy to add the expression to their own outgoing requests.</p>
 <p class="option">Shane's proposal has suggested the additional compliance requirements of user agents:<br>1. The User Agent must also make available via a link in explanatory text where DNT is enabled to provide more detailed information about DNT functionality<br>2. Any User Agent claiming compliance must have a functional implementation of the browser exceptions in this specification</p>
 
@@ -979,11 +979,11 @@
 http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0141.html</p></div>
 
 <p>If a third party receives a communication to which a DNT:1 header is attached:</p>
-<ol start="1"><li>that third party <em title="must not" class="rfc2119">must not</em> collect, share, or use information related to that communication outside of the permitted uses
+<ol start="1"><li>that third party <em title="MUST NOT" class="rfc2119">MUST NOT</em> collect, share, or use information related to that communication outside of the permitted uses
 as defined within this standard and any explicitly-granted exceptions, provided in accordance with the requirements of this standard;</li>
-<li>that third party <em title="must not" class="rfc2119">must not</em> use information about previous communications in which it was a third party, outside of the permitted uses as
+<li>that third party <em title="MUST NOT" class="rfc2119">MUST NOT</em> use information about previous communications in which it was a third party, outside of the permitted uses as
 defined within this standard and any explicitly-granted exceptions, provided in accordance with the requirements of this standard;</li>
-<li>that third party <em title="may" class="rfc2119">may</em> delete information about previous communications in which it was a third party.</li></ol>
+<li>that third party <em title="MAY" class="rfc2119">MAY</em> delete information about previous communications in which it was a third party.</li></ol>
 
 <!-- All these issues are listed as closed, so commenting them out for now
 <p class="issue" data-number="71" title="Does DNT also affect past collection or use of past collection of info?"></p>
@@ -999,7 +999,7 @@
 <p class="note">The term "Permitted Operational Uses" is used to indicate a restricted set of conditions under which tracking is allowed in spite of the user's DNT preference. The term user-granted exception is used when the user has permitted tracking, usually in the form of a site-specific exception, for a given third-party. In general: permitted uses are additional permissions granted by the standard; user-granted exceptions are additional permissions granted by the user. The words "exception" and "exemption" have occasionally been used interchangably and inconsistently by the editors; we are now trying to be consistent in using the terms <strong>"permitted (operational) use"</strong> and <strong>"user-granted exceptions"</strong>.</p>
 -->
 
-<p>If a third-party  receives a communication to which a DNT:1 header is attached, that third party <em title="may" class="rfc2119">may</em> nevertheless collect, use, and retain information related to that communication for these permitted uses:
+<p>If a third-party  receives a communication to which a DNT:1 header is attached, that third party <em title="MAY" class="rfc2119">MAY</em> nevertheless collect, use, and retain information related to that communication for these permitted uses:
 </p><ul>
 <li>Short term collection and use, where information is not transmitted to a third party or used to profile or personalize a user's experience;</li>
 <li>Contextual content or ad delivery;</li>
@@ -1100,9 +1100,9 @@
 <p class="note">Text is based on breakout group discussion, and large group presentation, at the Seattle meeting.  However, there is not group consensus that this should be a permitted operational use.</p>
 -->
 
-<section class="option" id="pu-aggregate-opt-1"><h6><span class="secno">6.1.1.8.1 </span>Option 1: Aggregate Reporting</h6><p>Regardless of DNT signal, information may be collected, retained and used for aggregate reporting, such as market research and product improvement.  Data <em title="may" class="rfc2119">may</em> be collected and retained on an individual level, but the use of the data must only be aggregate reporting, and the products of the reporting <em title="must" class="rfc2119">must</em> be unlinkable as defined in this document.</p></section>
+<section class="option" id="pu-aggregate-opt-1"><h6><span class="secno">6.1.1.8.1 </span>Option 1: Aggregate Reporting</h6><p>Regardless of DNT signal, information may be collected, retained and used for aggregate reporting, such as market research and product improvement.  Data <em title="MAY" class="rfc2119">MAY</em> be collected and retained on an individual level, but the use of the data must only be aggregate reporting, and the products of the reporting <em title="MUST" class="rfc2119">MUST</em> be unlinkable as defined in this document.</p></section>
 
-<section class="option" id="pu-aggregate-opt-2"><h6><span class="secno">6.1.1.8.2 </span>Option 2: Aggregate Reporting</h6><p>Regardless of DNT signal, information may be collected, retained and used for aggregate reporting, such as market research and product improvement, if that information is collected and retained for another enumerated permitted use. Data <em title="may" class="rfc2119">may</em> be collected and retained on an individual level, but the use of the data must only be aggregate reporting, and the products of the reporting <em title="must" class="rfc2119">must</em> be unlinkable as defined in this document. If the operator no longer has another enumerated permitted use for which to use and retain the data, the operator <em title="may" class="rfc2119">may</em> NOT use and retain the data for aggregate reporting unless the data has been rendered unlinkable as defined in this document.</p></section>
+<section class="option" id="pu-aggregate-opt-2"><h6><span class="secno">6.1.1.8.2 </span>Option 2: Aggregate Reporting</h6><p>Regardless of DNT signal, information may be collected, retained and used for aggregate reporting, such as market research and product improvement, if that information is collected and retained for another enumerated permitted use. Data <em title="MAY" class="rfc2119">MAY</em> be collected and retained on an individual level, but the use of the data must only be aggregate reporting, and the products of the reporting <em title="MUST" class="rfc2119">MUST</em> be unlinkable as defined in this document. If the operator no longer has another enumerated permitted use for which to use and retain the data, the operator <em title="MAY" class="rfc2119">MAY</em> NOT use and retain the data for aggregate reporting unless the data has been rendered unlinkable as defined in this document.</p></section>
 
 <section class="option" id="pu-aggregate-opt-3"><h6><span class="secno">6.1.1.8.3 </span>Option 3: No Aggregate Reporting</h6><p>There is no permitted use for aggregate reporting outside of the grace period described earlier.</p></section></section>
 
@@ -1124,25 +1124,25 @@
 
 <section id="no-secondary-uses">
 <h5><span class="secno">6.1.2.1 </span>No Secondary Uses</h5>
-<p>Third Parties <em title="must not" class="rfc2119">must not</em> use data retained for permitted uses for non-permitted uses.</p></section>
+<p>Third Parties <em title="MUST NOT" class="rfc2119">MUST NOT</em> use data retained for permitted uses for non-permitted uses.</p></section>
 
 <section id="data-minimization-and-transparency">
 <h5><span class="secno">6.1.2.2 </span>Data Minimization and Transparency</h5>
-<p>A third party <em title="must" class="rfc2119">must</em> ONLY retain information for a Permitted Use for as long as is reasonably necessary for that use.  Third parties <em title="must" class="rfc2119">must</em> make reasonable data minimization efforts to ensure that only the data necessary for the permitted use is retained.  A third party <em title="must" class="rfc2119">must</em> provide public transparency of their data retention period. The third party <em title="may" class="rfc2119">may</em> enumerate each individually if they vary across Permitted Uses.  Once the period of time for which you have declared data retention for a given use, the data <em title="must not" class="rfc2119">must not</em> be used for that permitted use. After there are no remaining Permitted Uses for given data, the data must be deleted or rendered unlinkable.</p>
+<p>A third party <em title="MUST" class="rfc2119">MUST</em> ONLY retain information for a Permitted Use for as long as is reasonably necessary for that use.  Third parties <em title="MUST" class="rfc2119">MUST</em> make reasonable data minimization efforts to ensure that only the data necessary for the permitted use is retained.  A third party <em title="MUST" class="rfc2119">MUST</em> provide public transparency of their data retention period. The third party <em title="MAY" class="rfc2119">MAY</em> enumerate each individually if they vary across Permitted Uses.  Once the period of time for which you have declared data retention for a given use, the data <em title="MUST NOT" class="rfc2119">MUST NOT</em> be used for that permitted use. After there are no remaining Permitted Uses for given data, the data must be deleted or rendered unlinkable.</p>
 
 <div class="note"><div class="note-title"><span>Note</span></div><p class="">May be worthwhile to put some examples in around when it is or isn't a good idea to explain use, ie, Commonly Accepted Practices vs. security data to address unique businesses</p></div></section>
 
 <section id="reasonable-security">
 <h5><span class="secno">6.1.2.3 </span>Reasonable Security</h5>
 
-<p>Third parties <em title="must" class="rfc2119">must</em> use reasonable technical and organizational safeguards to prevent further processing of data retained for Permitted Uses. While physical separation of data maintained for permitted uses is not required, best practices should be in place to ensure technical controls ensure access limitations and information security. Third parties <em title="should" class="rfc2119">should</em> ensure that the access and use of data retained for Permitted Uses is auditable.</p>
+<p>Third parties <em title="MUST" class="rfc2119">MUST</em> use reasonable technical and organizational safeguards to prevent further processing of data retained for Permitted Uses. While physical separation of data maintained for permitted uses is not required, best practices should be in place to ensure technical controls ensure access limitations and information security. Third parties <em title="SHOULD" class="rfc2119">SHOULD</em> ensure that the access and use of data retained for Permitted Uses is auditable.</p>
 
 <div class="note"><div class="note-title"><span>Note</span></div><p class="">Whether or not an audit, or the type of audit, is mandated is still in discussion; an optional field exists in the TPE spec for auditors and self-regulatory commitments. The audit section of the TPE should be cross-referenced here.</p></div></section>
 
 <section id="no-personalization">
 <h5><span class="secno">6.1.2.4 </span>No Personalization</h5>
 
-<p>Outside of Security and Frequency Capping, data retained for Permitted Uses <em title="must not" class="rfc2119">must not</em> be used to alter a specific user's online experience based on multi-site activity.</p>
+<p>Outside of Security and Frequency Capping, data retained for Permitted Uses <em title="MUST NOT" class="rfc2119">MUST NOT</em> be used to alter a specific user's online experience based on multi-site activity.</p>
 </section>
 
 <section id="no-persistent-identifiers">
@@ -1261,8 +1261,8 @@
 <h3><span class="secno">6.4 </span>Disregarding Non-Compliant User Agents</h3>
 <div class="note"><div class="note-title"><span>Note</span></div><p class="">this section is the topic of active debate.</p></div>
 
-<p class="option">Third parties <em title="must not" class="rfc2119">must not</em> disregard DNT:1 headers whose syntax is correctly formed even if the third party does not believe that the DNT:1 header was set with the explicit and informed consent of the user.</p>
-<p class="option">If the operator of a third-party domain has a good faith belief that a user agent is sending a DNT:1 without the explicit and informed consent of the user, the operator <em title="may" class="rfc2119">may</em> disregard the DNT:1 header and collect, use, and retain information about the user as if no DNT signal had been sent.  If the operator disregards the DNT signal, the operator <em title="must" class="rfc2119">must</em> signal to the user agent that it is disregarding the header as described in the companion [<cite><a href="#bib-TRACKING-DNT" class="bibref">TRACKING-DNT</a></cite>] document.</p>
+<p class="option">Third parties <em title="MUST NOT" class="rfc2119">MUST NOT</em> disregard DNT:1 headers whose syntax is correctly formed even if the third party does not believe that the DNT:1 header was set with the explicit and informed consent of the user.</p>
+<p class="option">If the operator of a third-party domain has a good faith belief that a user agent is sending a DNT:1 without the explicit and informed consent of the user, the operator <em title="MAY" class="rfc2119">MAY</em> disregard the DNT:1 header and collect, use, and retain information about the user as if no DNT signal had been sent.  If the operator disregards the DNT signal, the operator <em title="MUST" class="rfc2119">MUST</em> signal to the user agent that it is disregarding the header as described in the companion [<cite><a href="#bib-TRACKING-DNT" class="bibref">TRACKING-DNT</a></cite>] document.</p>
 <p class="option">No provision on Disregarding Non-Compliant User Agents.</p></section>
 
 <section id="degrade">
Received on Saturday, 29 September 2012 08:53:17 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 29 September 2012 08:53:17 GMT