Re: Fwd: Action 9 - Proposal for a DNT definition for 1st Parties

Proposal is at:
https://people.mozilla.com/~tlowenthal/dnt/tpwg_action-9_proposal.md

---

Interpretation of the DNT signal by 1st Parties
===============================================

Proposal to the W3C Tracking Protection Working Group
Authored by Thomas Lowenthal, Mozilla
Associated with [Action 9](http://www.w3.org/2011/tracking-protection/track/actions/9)


When a first party receives a request where

- they know that they are a first party, and
- the DNT signal is on,

that party **should**:

- store as little information about that request as possible,
- store as little information about the user who made the request as possible,
- take all reasonable steps to protect the privacy and anonymity of the user who made the request; and

that party **may**:

- provide an affirmative notice to that user regarding the steps that the site takes as a result of the user's expressed preference,
- provide the user with additional options to choose how the site should further protect that user's privacy; and

that party **should not**:

- send information about that request or the user who made the request to any other entity, unless
    - the entity to which the information is sent is performing a service as the agent of that party, and
        - that entity is bound by contractual or technical means
            - to keep information associated with requests and users related to this party completely separate from information associated with any other information they keep, and
            - not to further share such information except under similar restrictions, or
    - it is the user's deliberate intent to share information
        - (for instance, when a user sends an email through a webmail provider, that provider should send that email to the destination server); and

that party **must only**:

- store information about that request where
    - each piece of information is stored for a particular purpose, and
    - the party posts a readily-accessible policy which describes
        - what information is collected, and
        - the purpose for which each piece of information is stored.

Received on Wednesday, 5 October 2011 17:08:05 UTC