RE: Retention with grace period (ACTION-266)

Ian,

Thank you for this text. I actually see a difference with what you proposed for issue-142: here it seems that companies just keep the data for 6 weeks and then discard them. So they do not keep “unlinkable data” or claim any permitted use.
Bigger companies keeping “unlinkable data” or claiming permitted uses would not be covered by the grace period, right?
If that’s the case, I think we should make it clear and add a statement like “third parties claiming the 6-week grace period MUST not keep any data after 6 weeks even for permitted uses”.

But I think that we should distinguish this “grace period” and the X-weeks “pre-processing” step because that’s confusing. With that in mind, I think it is possible to find a compromise and only list “unpermitted uses” for the grace period.

Also, your text mentions “small websites”, do you mean first parties?

Thank you,

Vincent



________________________________
From: Ian Fette (イアンフェッティ) [mailto:ifette@google.com]
Sent: Wednesday, 24 October 2012 18:54
To: public-tracking@w3.org Group WG
Subject: Retention with grace period (ACTION-266)

In the Amsterdam f2f I was given ACTION-266 to suggest retention related to a timed grace period. I'm trying to figure out how this is fundamentally different from ISSUE-142 (https://www.w3.org/2011/tracking-protection/track/issues/142) which we have fundamentally failed to make progress on.

I'll briefly repeat my general stance, but I really don't want to sound like a broken record which I feel is something that's becoming an increasing risk for the working group in general.

I'd like to see an approach where, within the first six weeks of "collecting" or "being exposed to data", the burden on implementers (servers) is extremely low. I'd like to see that so that for the majority of small companies / websites, it's very easy to claim compliance (and thus broaden adoption of DNT by servers). In my ideal world, you would be able to "retain" or "collect" data for up to six weeks without any compliance burden. As long as you discard data from DNT users within 6 weeks (e.g. you only keep the last 6 weeks of logs at any point), you're done. It essentially creates a fast path "If this applies to you you can stop reading, you're done."

Sadly, it can't be quite that simple, because if it's a total free-for-all within the six week period one could simply transfer data to a third party and say "I'm still in compliance." So, we need some limitations on what can be done within the first six weeks, but to be very explicit, this DOES NOT line up precisely with uses of long-term (>6wk) data. If we make it line up exactly, then the compliance burden becomes the same and we've not achieved anything.

My concrete proposal is contained in http://lists.w3.org/Archives/Public/public-tracking/2012May/0030.html


Additionally, I think we need to discuss what an audit for DNT would look like. My proposal here would be that audits should look at practices as relate to long-term data retention only. (If you're keeping data >6 weeks, you must show that your use matches what is stated in whatever policy you have, and that you have appropriate technical controls in place to ensure that access to the data is controlled for these uses only.) Within the 6 week period, there's flexibility to get your data from its original logging sources/formats into the system of controls you have in place for long-term data, and the "audit" is a noop unless someone has provided evidence that you're doing something prohibited by http://lists.w3.org/Archives/Public/public-tracking/2012May/0030.html in the six week period (e.g. transferring data to a third party).

If someone believes this action was somehow materially different from ISSUE-142 / ACTION-190 I'm all ears.

Received on Thursday, 25 October 2012 13:27:29 UTC