W3C home > Mailing lists > Public > public-tracking-commit@w3.org > March 2013

CVS WWW/2011/tracking-protection/drafts

From: CVS User npdoty <cvsmail@w3.org>
Date: Wed, 06 Mar 2013 23:02:27 +0000
Message-Id: <E1UDNLv-0003wC-Ms@gil.w3.org>
To: public-tracking-commit@w3.org
Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory gil:/tmp/cvs-serv15136

Added Files:
Log Message:
snapshot of the October draft

--- /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance-20121030.html	2013/03/06 23:02:27	NONE
+++ /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance-20121030.html	2013/03/06 23:02:27	1.1
<!DOCTYPE html>
<html lang="en" dir="ltr">
  <title>Tracking Compliance and Scope</title>
  <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
  <script src='http://www.w3.org/Tools/respec/respec-w3c-common' class='remove' async></script>
  <script class="remove">
    var respecConfig = {
      specStatus:          "ED",
      shortName:           "tracking-compliance",
      previousPublishDate: "2012-05-23",
      publishDate: "2012-10-30",
      previousMaturity:    "ED",
      previousURI: "http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance-20120523.html",
      edDraftURI:  "http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html", 
      editors:  [
        { name: "Justin Brookman", url: "http://cdt.org/",
          company: "CDT", companyURL: "http://cdt.org/" }, 
        { name: "Sean Harvey", url: "http://google.com/",
          company: "Google", companyURL: "http://google.com/" }, 
        { name: "Erica Newland", url: "http://cdt.org/",
          company: "CDT", companyURL: "http://cdt.org/" }, 
        { name: "Heather West", url: "http://Google.com/",
          company: "Google", companyURL: "http://google.com/" }, 
      wg:      "Tracking Protection Working Group",
      wgURI:   "http://www.w3.org/2011/tracking-protection/",
      wgPublicList: "public-tracking",
      wgPatentURI: "http://www.w3.org/2004/01/pp-impl/49311/status",
      issueBase:   "http://www.w3.org/2011/tracking-protection/track/issues/",
  <link rel="stylesheet" href="additional.css" type="text/css" media="screen"
        title="custom formatting for TPWG editors">
  <section id="abstract">
      This specification defines the meaning of a Do Not Track (DNT)
      preference and sets out practices for websites to comply with this

  <section id="sotd">
      This document is an editors' strawman reflecting a snapshot of live
      discussions within the
      <a href="http://www.w3.org/2011/tracking-protection/">Tracking Protection
      Working Group</a>. It does not yet capture all of our work. For
      example, we have issues that are [PENDING REVIEW] with complete text
      proposals that have not yet made it into this draft. Text in blue boxes
      presents multiple options the group is considering. Options included in
      this draft should not be read as limitations on the potential outcome,
      but rather simply as possible options that are currently under
      consideration by the working group. An
      <a href="http://www.w3.org/2011/tracking-protection/track/issues/">issue
      tracking system</a> is available for recording
      <a href="http://www.w3.org/2011/tracking-protection/track/issues/raised">raised</a>,
      <a href="http://www.w3.org/2011/tracking-protection/track/issues/open">open</a>,
      <a href="http://www.w3.org/2011/tracking-protection/track/issues/pendingreview">pending review</a>,
      <a href="http://www.w3.org/2011/tracking-protection/track/issues/closed">closed</a>,
      and <a href="http://www.w3.org/2011/tracking-protection/track/issues/postponed">postponed</a>
      issues regarding this document.

  <section id="introduction">

    <p class="note">
      This introduction will be re-worked after details of substantive text
      is closer to being finalized.
      The World Wide Web (WWW, or Web) consists of millions of sites
      interconnected through the use of hypertext. Hypertext provides a
      simple, page-oriented view of a wide variety of information that can be
      traversed by selecting links, manipulating controls, and supplying data
      via forms and search dialogs. A Web page is usually composed of many
      different information sources beyond the initial resource request,
      including embedded references to stylesheets, inline images,
      javascript, and other elements that might be automatically requested as
      part of the rendering or behavioral processing defined for that page.
      Each of the hypertext actions and each of the embedded resource
      references might refer to any site on the Web, leading to a seamless
      interaction with the user even though the pages might be composed of
      information requested from many different and possibly independent Web
      sites. From the user's perspective, they are simply visiting and
      interacting with a single brand -- the first-party Web property -- and
      all of the technical details and protocol mechanisms that are used to
      compose a page representing that brand are hidden behind the scenes.
      It has become common for Web site owners to collect data regarding the
      usage of their sites for a variety of purposes, including what led the
      user to visit their site (referrals), how effective the user experience
      is within the site (web analytics), and the nature of who is using
      their site (audience segmentation). In some cases, the data collected
      is used to dynamically adapt the content (personalization) or the
      advertising presented to the user (targeted advertising). Data
      collection can occur both at the first-party site and via third-party
      providers through the insertion of tracking elements on each page. A
      survey of these techniques and their privacy implications can be found
      in [[KnowPrivacy]].
      People have the right to know how data about them will be collected and
      how it will be used. Empowered with that knowledge, individuals can
      decide whether to allow their online activities to be tracked and data
      about them to be collected. Many Internet companies use data gathered
      about people's online activities to personalize content and target
      advertising based on their perceived interests. While some people
      appreciate this personalization of content and ads in certain contexts,
      others are troubled by what they perceive as an invasion of their
      privacy. For them, the benefit of personalization is not worth their
      concerns about allowing entities with whom they have no direct
      relationship to amass detailed profiles about their activities.
      Therefore, users need a mechanism to express their own preference
      regarding tracking that is both simple to configure and efficient when
      implemented. In turn, Web sites that are unwilling or unable to offer
      content without such targeted advertising or data collection need a
      mechanism to indicate those requirements to the user and allow them (or
      their user agent) to make an individual choice regarding user-granted
      This specification defines the terminology of tracking preferences, the
      scope of its applicability, and the requirements on compliant
      first-party and third-party participants when an indication of tracking
      preference is received. This specification defines the meaning of a Do
      Not Track preference and sets out practices for websites and other
      online companies to comply with this preference.
      A companion document, [[!TRACKING-DNT]], defines the HTTP request
      header field DNT for expressing a tracking preference on the Web, a
      well-known location (URI) for providing a machine-readable tracking
      status resource that describes a service's DNT compliance, the HTTP
      response header field Tk for resources to communicate their compliance
      or non-compliance with the user's expressed preference, and JavaScript
      APIs for determining DNT status and requesting a site-specific,
      user-granted exception.

  <section id="scope-and-goals">
    <h2>Scope and Goals</h2>

    <p class="issue" data-number="6" title="What are the underlying concerns? Why are we doing this?">
      This section consists of proposed text that is meant to address ISSUE-6
      and is in active discussion. Currently, it satisfies no one. Like the
      introduction, we will revisit and finalize once the document is more
      While there are a variety of business models to monetize content on the
      web, many rely on advertising. Advertisements can be targeted to a
      particular user's interests based on information gathered about one's
      online activity. While the Internet industry believes many users
      appreciate such targeted advertising, as well as other personalized
      content, there is also an understanding that some people find the
      practice intrusive. If this opinion becomes widespread, it could
      undermine the trust necessary to conduct business on the Internet. This
      Compliance specification and a companion [[!TRACKING-DNT]]
      specification are intended to give users a means to indicate their
      tracking preference and to spell out the obligations of compliant
      websites that receive the Do Not Track message. The goal is to provide
      the user with choice, while allowing practices necessary for a smoothly
      functioning Internet. This should be a win-win for business and
      consumers alike. The Internet brings millions of users and web sites
      together in a vibrant and rich ecosystem. As the sophistication of the
      Internet has grown, so too has its complexity which leaves all but the
      most technically savvy unable to deeply understand how web sites
      collect and use data about their online interactions. While on the
      surface many web sites may appear to be served by a single entity, in
      fact, many web sites are an assembly of multiple parties coming
      together to power a user's online experience. As an additional privacy
      tool, this specification provides both the technical and compliance
      guidelines to enable the online ecosystem to further empower users with
      the ability to communicate a tracking preferences to a web site and its
      The accompanying
      <a href="http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#bib-TRACKING-DNT">TRACKING-DNT</a>
      recommendation explains how a user, through a user agent, can clearly
      express a desire not to be tracked. This Tracking Compliance and Scope
      recommendation sets the standard for the obligations of a website that
      receives such a DNT message.
      Taken together these two standards should have four substantial
    <ol start="1">
      <li>Empower users to manage their preference around the collection and
      correlation of data about Internet activities that occur on different
      sites and spell out the obligations of sites in honoring those
      preferences when DNT is enabled.</li>

      <li>Provide an exceedingly straightforward way for users to gain
      transparency and control over data usage and the personalization of
      content and advertising on the web.</li>

      <li>Enable a vibrant Internet to continue to flourish economically by
      supporting innovative business models while protecting users'

      <li>Establish compliance metrics for operators of online services</li>
      This standard has limited applicability to any practices by first
      parties, their service providers, subsidiaries, or affiliated
      companies. Under the standard, first parties may and will continue to
      collect and use data for tracking and other purposes. This standard is
      primarily directed at third parties.
      This solution is intended to be persistent, technology neutral, and
      reversible by the user. It aims to preserve a vibrant online ecosystem,
      privacy-preserving secondary data uses necessary to ecommerce, and
      adequate security measures. We seek a solution that is persistent,
      technology neutral, and [something that speaks with the ability to opt
      back in], but that preserves a vibrant online ecosystem,
      privacy-preserving secondary data uses, and adequate security measures.

  <section id="definitions">
<p class="note">The definitions section is a strawman proposal from editors
based on discussion in Seattle. Many sections are not yet consensus text.</p>

    <section id="def-user">
<p class="note">This definition is consensus or near-consensus text from the
pre-Seattle draft.</p>

        A user is an individual human. When user-agent software accesses
        online resources, whether or not the user understands or has specific
        knowledge of a particular request, that request is made "by" the

    <section id="def-user-agent">
      <h3>User Agent</h3>
<p class="note">This definition is consensus or near-consensus text from the
pre-Seattle draft, but there may be some debate on the definition.</p>

        This specification uses the term user agent to refer to any of the
        various client programs capable of initiating HTTP requests,
        including but not limited to browsers, spiders (web-based robots),
        command-line tools, native applications, and mobile apps [[!HTTP11]].
      <p class="note">
        There has been recent discussion about whether the specification
        should differentiate among different types of users agents (such as
        general purpose browsers, add-ons, and stand-alone software
        programs), and possibly specify different compliance obligations
        depending on the type of user agent, or priority among different
        categories of user agents in the event of conflicting settings. There
        is currently no open ISSUE associated with this discussion.

    <section id="def-party">
<p class="note">Dsinger has asked to add something about the responsibility
following the data</p>
      <!-- I have shuffled this language around for clarity and simplicity,
      but it should retain the same meaning. Previous language retained in
      comments. -->

      <section class="option" id="def-party-1">
        <h4>Option 1</h4>

          A <dfn>party</dfn> is any commercial, nonprofit, or governmental
          organization, a subsidiary or unit of such an organization, or a
          person which acts as a functional entity. A set of functional
          entities is considered affiliated when they are related by both
          common majority ownership and common control, and affiliation is
          made easily discoverable by a user.

      <section class="option" id="def-party2">
        <h4>Option 2</h4>

          A <dfn>party</dfn> is any commercial, nonprofit, or governmental
          organization, a subsidiary or unit of&nbsp;such an organization, or
          a person. For unique corporate entities to qualify as a common
          party with respect to this document,&nbsp;those entities MUST be
          commonly owned and commonly controlled (Affiliates) and&nbsp;MUST
          provide “easy discoverability” of affiliate organizations. An
          “Affiliate List” MUST be&nbsp;provided within one click from each
          page or the entity owner clearly identified within one&nbsp;click
          from each page.
        <p class="example">
          A website with a clear labeled link to the Affiliate List within
          the privacy policy would meet this requirement or the ownership
          brand clearly labeled on the privacy policy itself and may choose
          to act as a single party.
A <dfn>functional entity</dfn> is any commercial, nonprofit, or governmental
organization, a subsidiary or unit of such an organization, or a person.
Functional entities are <dfn>affiliated</dfn> when they are related by both
common majority ownership and common control.
A <dfn>party</dfn> is a set of functional entities that are affiliated.

<p class="note">This section is at best out of place, and should be in the
compliance section, not definitions.</p>
A <a>functional entity</a> must make its <a>affiliated</a> functional entities
easily discoverable by a user.
<h2>Non-Normative Discussion</h2>
<p class="informative">Affiliation may be made easily discoverable by
prominent and common branding by a functional entity of affiliation on its
webpages, within a privacy policy linked from its webpages, or a
machine-readable format in a well-known location.</p>

<h2>Affiliated Parties</h2>
<p class="note">I changed this text to reflect that it's a definition of
affiliated parties, but should retain the requirement that an affiliated party
must be discoverable in order to be considered affiliated under this
A <a>functional entity</a> must make its <a>affiliated</a> functional entities
easily discoverable by a user.
<h2>Non-Normative Discussion</h2>
<p class="informative">Affiliation may be made easily discoverable by
prominent and common branding by a functional entity of affiliation on its
webpages, within a privacy policy linked from its webpages, or a
machine-readable format in a well-known location.</p>

    <section id="def-service-providers">
      <h4>Service Providers/Outsourcers</h4>

      <p class="note">
        We seem to have general consensus in theory but not in language for
        the definition of a service provider. However, the three options
        below different significantly in how prescriptive and demanding the
        test to qualify as a service provider should be.
<!--  <p class="note">Ensure that third party can act as a third party,
      or as a first party within section</p>
      <p class="note">hwest to propose an alternative definition of first
      party (based on ownership? alternative to inference?) [recorded in

      <section class="option" id="def-service-providers-opt-1">
        <h3>Option 1: Service Provider/Outsourcer Definition</h3>

        <p class="note">
          This option contains both definitions and normative compliance
          This section applies to parties engaging in an outsourcing
          relationship, wherein one party "stands in the shoes" of another
          party to perform a specific task. Both parties have
          responsibilities, as detailed below.
          A <a>first party</a> or a <a>third party</a> MAY outsource

[1643 lines skipped]
Received on Wednesday, 6 March 2013 23:02:29 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:48:56 UTC