- From: Ian Jacobs <ij@w3.org>
- Date: Thu, 6 Oct 2016 10:22:03 -0500
- To: public-privacy@w3.org
- Cc: Adam Roach <abr@mozilla.com>, "Telford-Reed, Nick" <Nick.Telford-Reed@worldpay.com>, Adrian Hope-Bailie <adrian@ripple.com>
- Message-Id: <5DCE81B0-952D-4B49-96B7-4613E4D04FC6@w3.org>
Dear Privacy IG, The Web Payments WG’s draft “Payment Request API” [1] involves user actions to share some information with a merchant (e.g., credit card details, shipping address). We would like to make it clear in the specification that that information should not be shared without user consent. Opinions vary on how much (if any) guidance to provide about securing user content. I would like to ask for your review of the proposal below, which would appear in our “Privacy Considerations” (section 18). Please let me know whether you find the text below useful and sufficient. For comparison, an analogous section in the Media Capture and Streams specification goes into greater detail: https://w3c.github.io/mediacapture-main/getusermedia.html#privacy-and-security-considerations Thank you, Ian [1] https://w3c.github.io/browser-payment-api/ ================= Proposal for 18.1 Exposing user information Capturing user information (payment credentials, shipping address, etc.) exposes personally-identifiable information to applications. The user agent should never share user information to the web page without user consent. For a number of reasons, this specification does not recommend particular practices for establishing user consent: • What constitutes user consent from a regulatory perspective may vary by jurisdiction. • Users provide consent through a variety of mechanisms, both case-by-case (e.g., one-time click-through agreement) and persistent (e.g., contractual agreements that involve a single user interaction, user agent settings, and operating system settings). • There are numerous good practices for establishing consent, such as clear notice to the user about implications of an action, usability of configuration interfaces to view and change user decisions, and avoiding unnecessary prompts. Developers should therefore consult up-to-date good practice documentation, which may vary by region, browser, operating system, and payment system. -- Ian Jacobs <ij@w3.org> http://www.w3.org/People/Jacobs Tel: +1 718 260 9447
Received on Thursday, 6 October 2016 15:22:15 UTC