CVS WWW/2011/tracking-protection/drafts

Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory gil:/tmp/cvs-serv28512

Added Files:
	tracking-compliance-i203.html 
Log Message:
tracking-ISSUE-204: Add a complete proposal for incorporating all of the decisions of TPE into a new TCS


--- /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance-i203.html	2014/08/02 03:47:39	NONE
+++ /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance-i203.html	2014/08/02 03:47:39	1.1
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <title>Tracking Compliance Alternative</title>
  <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
  <script src='http://www.w3.org/Tools/respec/respec-w3c-common' class='remove' async></script>
  <script class="remove">
    var respecConfig = {
      specStatus:          "ED",
      shortName:           "tracking-compliance",
      //previousPublishDate: "2012-04-30",
      //previousMaturity:    "WD",
      //previousURI: "http://www.w3.org/TR/2013/WD-tracking-compliance-20130430/",
      edDraftURI:  "http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance-i203.html", 
      editors:  [
          { name: "Roy T. Fielding", url: "http://roy.gbiv.com/",
            company: "Adobe", companyURL: "http://www.adobe.com/" }
      ],
      wg:      "Tracking Protection Working Group",
      wgURI:   "http://www.w3.org/2011/tracking-protection/",
      wgPublicList: "public-tracking",
      wgPatentURI: "http://www.w3.org/2004/01/pp-impl/49311/status",
      issueBase:   "http://www.w3.org/2011/tracking-protection/track/issues/",
      localBiblio: {
        "TRACKING-DNT": {
          "authors": ["Roy T. Fielding","David Singer"],
          "status" : "LCWD",
          "href"   : "http://www.w3.org/TR/tracking-dnt/",
       // "status" : "ED",
       // "href"   : "http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html",
          "title"  : "Tracking Preference Expression (DNT)",
          "date"   : "24 April 2014",
          "publisher" : "W3C"
        }
      }
    }
  </script>
</head>
<body>
  <section id="abstract">
    <p>
      Tracking Compliance and Scope defines a set of requirements and best
      practices regarding tracking to which an origin server can claim
      adherence by reference within the tracking status representation of the
      Tracking Preference Expression (TPE) protocol. These requirements
      and best practices are intended to meet a user's expectations regarding
      a Do Not Track (DNT) preference by limiting tracking to specific
      permitted uses and retention policies when DNT:1 is received.
    </p>
  </section>

  <section id="sotd">
    <p class="issue" data-number="203" title="Use of 'tracking' in third-party compliance">
      This <strong>temporary editor's draft</strong> is provided as a proposal
      to address ISSUE-203. It does not constitute consensus and will change
      frequently, with the goal of eventually replacing or merging with
      <a href="http://www.w3.org/TR/tracking-compliance/">TCS</a>.
    </p>
    <p>
      Reviewers are advised to consult the
      <a href="https://www.w3.org/2011/tracking-protection/track/products/5">list
      of issues tracked in the Compliance Current product</a> and the
      <a href="http://www.w3.org/wiki/Privacy/TPWG#Change_proposals">wiki list
      of change proposals</a> developed by participants in the Working Group.
      The Working Group has published a Last Call Working Draft of the
      companion <a href="http://www.w3.org/TR/tracking-dnt/">Tracking
      Preference Expression</a> document.
    </p>
  </section>

  <section id="scope-and-goals">
    <h2>Scope</h2>
    <p>
      This specification defines a set of compliance requirements and best
      practices for tracking protection. It applies to any tracking data
      that has been collected via a resource for which the origin server
      provided a corresponding tracking status representation, as defined in
      [[!TRACKING-DNT]], with a compliance property that contained at least
      one reference to this specification
      (see <a href="#indicating-compliance" class="sectionRef"></a>).
    </p>
    <p>
      In other words, this specification applies whenever a party that
      controls a given resource claims to be adhering to this specification.
      Such a claim implies that the origin server, resource owner, and all
      recipients of the data collected as a result of accessing that resource
      (during the period in which the tracking status representation is fresh)
      intend to conform to this specification with regard to that data for as
      long as that data has not been de-identified.
    </p>
    <p>
      The remainder of this specification assumes that the origin server has
      indicated compliance on behalf of the party (or joint parties) that
      control any data collected via the designated resource. Requirements
      that are placed on either a party or an origin server are meant to
      constrain both the behavior of the origin server software and the
      behavior of any party that receives data collected via the designated
      resource.
    </p>
	  <p>
			Data collection, retention, use, or sharing that does not amount to
			tracking is outside the scope of this specification.  For example,
			collecting data about a particular user's activity within a single
			context is not considered tracking, but retaining, using, or sharing
			data derived from that activity (such as a user profile) outside the
			context in which that activity occurred is considered tracking.
			Likewise, data that has been de-identified is outside the scope of this
			specification.
    </p>
	  <p>
			Short-term, transient collection and use of data is also outside
      the scope of this specification so long as the data is not used to build
      a profile about the user. For example, customization of ads based only
      on the current context in which the ad is placed, such as the content of
      the surrounding page or nature of the site being visited, is not
      restricted by a tracking preference.
		</p>
		<p class="issue" data-number="209" title="Description of scope of specification"></p>
		<p class="issue" data-number="134" title="Would we additionally permit logs that are retained for a short enough period?"></p>
		<p class="issue" data-number="204" title="Definitions of collection / retention and transience / network interaction"></p>
		<p class="issue" data-number="227" title="User Agent requirements in UA Compliance vs. Scope section"></p>
  </section>

  <section id="terminology">
    <h2>Terminology</h2>
    <p>
      This specification uses the following terms as they have been defined by
      [[!TRACKING-DNT]]:
      <dfn><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#dfn-tracking">tracking</a></dfn>,
      <dfn><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#dfn-context">context</a></dfn>,
      <dfn><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#dfn-designated-resource">designated resource</a></dfn>,
      <dfn><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#dfn-user">user</a></dfn>,
      <dfn><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#dfn-user-agent">user agent</a></dfn>,
      <dfn><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#dfn-network-interaction">network interaction</a></dfn>,
      <dfn><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#dfn-user-activity">user activity</a></dfn>,
      <dfn><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#dfn-party">party</a></dfn>,
      <dfn><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#dfn-collects">collects</a></dfn>,
      <dfn><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#dfn-uses">uses</a></dfn>, and
      <dfn><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#dfn-shares">shares</a></dfn>.
    </p>
      
    <section id="service-provider">
      <h3>Service Provider</h3>
      <p>
        Access to Web resources often involves multiple parties that might
        process the data received in a network interaction. For example,
        domain name services, network access points, content distribution
        networks, load balancing services, security filters, cloud platforms,
        and software-as-a-service providers might be a party to a given
        network interaction because they are contracted by either the user or
        the resource owner to provide the mechanisms for communication.
        Likewise, additional parties might be engaged after a network
        interaction, such as when services or contractors are used to perform
        specialized data analysis or records retention.
      </p>
      <p>
        For the data received in a given network interaction, a
        <dfn>service provider</dfn> is considered to be the same party as its
        <dfn>contractee</dfn> if the service provider:
      </p>
      <ol>
        <li>processes the data on behalf of the contractee;</li>
        <li>ensures that the data is only retained, accessed, and used as
            directed by the contractee;</li>
        <li>has no independent right to use the data other than in a
            <a>de-identified</a> form (e.g., for monitoring service integrity,
            load balancing, capacity planning, or billing); and,</li>
        <li>has a contract in place with the contractee which is consistent
            with the above limitations.</li>
      </ol>
    </section>
      
		<section id="de-identified">
			<h3>De-identified</h3>
			<p>
				Data is <dfn>de-identified</dfn> when a party:
			</p>
			<ol>
				<li>has achieved a reasonable level of justified confidence that the
          data cannot be used to infer information about, or otherwise be
          linked to, a particular consumer, computer, or other device;</li>
				<li>commits to make no attempt to re-identify the data; and</li>
				<li>contractually prohibits downstream recipients from attempting to
          re-identify the data.</li>
			</ol>
			<p class="issue" data-number="188" title="Definition of de-identified (or previously, unlinkable) data">
			 <strong>OPEN</strong> This definition is being actively discussed and
			 may soon be replaced by a term with less baggage.
			</p>
			<p class="note">
			  Note that geolocation data (of a certain precision or over a period of
        time) may itself identify otherwise de-identified data.
			</p>
			<p class="issue" data-number="202" title="Limitations on geolocation by third parties"></p>
		</section>
	</section> <!-- end Terminology -->

	<section id="compliance">
	  <h3>Compliance</h3>

    <section id="indicating-compliance">
      <h3>Indicating Compliance</h3>
      <p>
        To indicate compliance with this specification for a given
        <a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#dfn-designated-resource">designated resource</a>,
        an origin server MUST do all of the following:
        <ol>
          <li>conform to the origin server requirements of [[!TRACKING-DNT]];</li>
          <li>send a value other than "!" (under construction) for any
              <a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#tracking-status-value">tracking status value (TSV)</a>
              applicable to that designated resource; and</li>
          <li>send, in any
              <a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#status-representation">tracking status representation</a>
              applicable to that designated resource, a
              <code>compliance</code> property that contains at least one
              reference to the following URI:<br />
              <code>http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html</code></li>
        </ol>
      </p>
      <p class="note">
        The editor's draft URI points to content that will change and is only
        suitable for testing purposes. Versions of this document that are
        published as Working Drafts or later maturity levels will use permanent
        URIs in this section, pointing to content that does not change.
      </p>
    </section>

  <section id="communicating-tracking-status">
    <h3>Communicating Tracking Status</h3>
    <p>
      When a tracking status representation is used to communicate the
      tracking status for a designated resource, the origin server MUST send
      within the representation's tracking property a TSV that is consistent
      with the current or anticipated tracking that might occur if a similar
      request is sent to that designated resource.
    </p>
    <p>
      When a Tk response header field [[!TRACKING-DNT]] is used to
      communicate a tracking status for the current request, the origin
      server MUST send a TSV that either refers to a request-specific tracking
      status resource or reflects the target resource's current tracking
      behavior for this request.
    </p>
    </section>

  <section id="adhering-to-tracking-status">
    <h3>Adhering to Tracking Status</h3>
    <p>
      An origin server that sends a TSV of
      <code><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#TSV-N">N</a></code> (not tracking)
      MUST NOT engage tracking if a similar request is made to the designated
      resource while that tracking status remains fresh. In other words, the
      party MUST NOT knowingly collect, retain, use, or share data from a
      <a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#dfn-network-interaction">network interaction</a>
      with the designated resource that would allow that party to associate
      the same user with tracking data it has previously obtained from user
      activity in other contexts, MUST NOT retain, use, or share data derived
      from this user activity outside the context in which this activity
      occurred, and MUST NOT tailor or personalize the response from the
      designated resource based on data derived from this user's activity in
      other contexts (aside from contextual data provided by the user in the
      current request).
    </p>
    <p>
      An origin server that sends a TSV of
      <code><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#TSV-T">T</a></code> (tracking)
      MAY engage tracking if a similar request is made to the designated
      resource. Further limitations on that tracking depend on the received
      tracking preference expression, if any:
      <dl>
      <dt><code>DNT:0</code></dt>
      <dd>
          The user is expressing a preference for a personalized experience
          and this signal indicates explicit consent for data collection,
          retention, use, and sharing by the recipient of this signal to
          provide a personalized experience for the user.
          This specification does not limit tracking in the presence of
          <code>DNT:0</code>. Note, however, a party might be limited by its
          own statements to the user, if any, regarding the <code>DNT:0</code>
          setting.</dd>
      <dt><code>DNT:1</code></dt>
      <dd>The party MUST limit its tracking to the permitted uses
          defined in <a href="#limited-tracking-permitted" class="sectionRef"></a>.
          The party MAY provide additional information in the
          <code><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#rep.qualifiers">qualifiers</a></code>
          property of a tracking status representation to indicate what
          permitted uses of tracking are engaged while under <code>DNT:1</code>,
          as described in <a href="#sending-qualifiers" class="sectionRef"></a>.
          The party MUST NOT share data about this network interaction with
          any party other than the controller(s) of the context in which this
          activity occurred, <a title="service provider">service providers</a>
          to said controller(s), or service providers to the party.
      <dt><em>not enabled</em></dt>
      <dd>In the absence of regulatory, legal, or other requirements, a party
          MAY interpret the lack of an expressed tracking preference as they
          find most appropriate for the given user, particularly when
          considered in light of the user's privacy expectations and cultural
          circumstances. Likewise, origin servers might make use of other
          preference information outside the scope of this specification, such
          as site-specific user preferences or third-party registration
          services, to inform or adjust their behavior when no explicit
          preference is expressed in a request.<dd>
      </dl>
    </p>
    <p>
      An origin server that sends a TSV of
      <code><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#TSV-C">C</a></code> (consent)
      MUST have received prior consent for tracking this user, user agent, or
      device, perhaps via some mechanism not defined by this specification,
      that overrides a tracking preference expressed by this protocol.
    </p>
    <aside class="example">
      <p>
        A site might provide a settings page to its logged-in users with an
        explanation of a feature that involves collecting data on that user's
        activity on other sites in order to provide more relevant content on
        the home site. To implement the feature and record that consent, the
        site places a cookie on the user's machine. In subsequent requests
        where the consent cookie is recognized and a <code>DNT: 1</code>
        header is present, the site responds with a TSV of <code>C</code> to
        indicate that consent.
      </p>
    </aside>
    <p>
      An origin server that sends a TSV of <code><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#TSV-P">P</a></code> (potential consent)
      MAY engage tracking for requests made to the designated resource, but
      MUST NOT use or share any data to which DNT:1 applies until it can be
      determined that it has received prior consent to do so. If not, the
      origin server MUST delete or de-identify the collected data within
      forty-eight hours.
    </p>
    <p>
      An origin server MAY send a tracking status value of
      <code><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#TSV-?">?</a></code> (dynamic),
      <code><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#TSV-D">D</a></code> (disregarding), or
      <code><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#TSV-U">U</a></code> (updated)
      when such a response is consistent with its associated requirements in
      [[!TRACKING-DNT]].
    </p>
		<p class="issue" data-number="170" title="Definition of and what/whether limitations around data append and first parties"></p>
    <p class="issue" data-number="210" title="Interaction with existing privacy controls"></p>
    <p class="issue" data-number="207" title="Conditions for dis-regarding (or not) DNT signals"></p>
  </section>

  <section id="limited-tracking-permitted">
    <h3>Limited Tracking Permitted under DNT:1</h3>

    <p>
      When an origin server sends a TSV of
      <code><a class="externalDFN" href="http://www.w3.org/TR/tracking-dnt/#TSV-T">T</a></code> (tracking)
      for a designated resource and a request is received targeting that
      resource with a tracking preference expression of <code>DNT:1</code>,
      some limited tracking is still permitted if it conforms to the
      requirements of this section.
    </p>

  	<section id="general-permitted-use-requirements">
      <h4>General Requirements for Permitted Uses</h4>

      <section id="data-minimization-and-transparency">
        <h5>Data Minimization, Retention, and Transparency</h5>
        <p>
          When <code>DNT:1</code> is received, a party MUST minimize the
          tracking data it collects under one or more permitted uses to what
          is reasonably necessary for each such permitted use.
          A party MUST NOT retain such data any longer than is proportionate
          to, and reasonably necessary for, those permitted uses.
				</p>
				<p>
					A party MUST provide public transparency of the time periods
          for which tracking data collected for permitted uses are retained.
          A party MAY enumerate different retention periods for
          different permitted uses. A party MUST NOT use data collected for
          a permitted use once the data retention period for that permitted
          use has expired. When all such data retention periods have expired
          for the permitted uses for which a given data set has been
          retained, the party MUST delete or
          <a title="de-identified">de-identify</a> that data.
				</p>
        <p class="issue" data-number="211" title="Should we specify retention periods (extended with transparency) for permitted uses?"></p>
				<p class="issue" data-number="199" title="Limitations on the use of unique identifiers"></p>
      </section>

      <section id="no-secondary-uses">
        <h5>No Secondary Uses</h5>
        <p>
          When <code>DNT:1</code> is received, a party MUST NOT use tracking
          data collected in that request for purposes other than the
          permitted use(s) for which that data was collected.
        </p>
        <p>
          A party that collects tracking data under a permitted use MUST
          implement reasonable technical and organizational safeguards to
          prevent further processing of that data for non-permitted uses.
          While physical separation of data retained for permitted uses is not
          required, a party SHOULD implement best practices and technical
          controls that ensure access limitations and information security. A
          party SHOULD ensure that access and use of data retained under one
          or more permitted uses is auditable.
        </p>
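Review bot: the "not enabled" entry at the end of the <dl> in the "Adhering to Tracking Status" section opens a second <dd> instead of closing the first: `preference is expressed in a request.<dd>` should read `preference is expressed in a request.</dd>`, and the DNT:1 entry above it should get its own `</dd>` before `<dt><em>not enabled</em></dt>` rather than relying on the parser to close it. In the same region, that <dl> and the <ol> in "Indicating Compliance" are both nested inside a <p>; a browser auto-closes the paragraph when the list starts and the trailing `</p>` becomes a stray tag, so close the paragraph before the list (or drop the <p> wrapper) to keep the markup well-formed for ReSpec's processing. Two smaller points: the ReSpec script is fetched with `src='http://www.w3.org/Tools/respec/respec-w3c-common'`, and because that script rewrites the entire document at load time, loading it over plain HTTP means anyone on the network path can change what reviewers see rendered, so the reference should use an https:// URL; and the `<h3>Compliance</h3>` heading on the top-level compliance section should be an <h2> to match its sibling sections, with the example's `<code>DNT: 1</code>` written as `DNT:1` like the rest of the document.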

[175 lines skipped]

Received on Saturday, 2 August 2014 03:47:41 UTC