W3C home > Mailing lists > Public > public-tracking@w3.org > February 2012

[Issue-5][Action-78] Remember to forget me

From: Vincent Toubiana <v.toubiana@free.fr>
Date: Thu, 02 Feb 2012 18:28:00 +0100
Message-ID: <4F2AC7A0.3090000@free.fr>
To: "public-tracking@w3.org" <public-tracking@w3.org>
CC: karld@opera.com
Description:

Write-up of the "Remember to forget me" definition. This first draft 
focuses on a definition addressing the collection of data by third 
parties. The main idea is to keep the log entries with DNT:1 and to flag 
them to quickly de-identify them when they are not longer covered  by an 
exemption.

Server Logs

- A 3rd party MAY log request received with DNT:1. If such request is 
logged, the third party MUST keep the header DNT:1 in the logs.
- A 3rd party operator SHOULD not infer information from/about a user 
who send DNT=1.
- After the retention period corresponding to each of the exemption has 
been reached, the 3rd party operator MUST erase the referrer header of 
entries flagged with DNT:1 and either erase or de-identify the rest of 
the entry.  -   To de-identify the data, the 3rd party operator MUST 
replace semi-identifiers by fix values  (i.e IP=0.0.0.0, UA=ZZZ).
- When a 3rd party aggregates logs, it MUST either not process the 
entries flagged with DNT:1 or de-identify them beforehand.
- A 3rd party receiving DNT:1 MUST not personalize the response based in 
user ID.

User Agent

- A User-Agent sending DNT:1 MAY prevent the transmission of cookies and 
other identifiers that are sent with the request.
-- A User-Agent receiving a "non tracking" response from a 3rd party 
operator SHOULD not modify its state regarding this 3srd party (local 
storage, cookie, cache,...).
Received on Thursday, 2 February 2012 17:28:33 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:44 UTC