Re: LCWD: Tracking Compliance and Scope

Tracking Compliance [1]

> That confidence may result from ensuring or demonstrating that it is no longer possible to:
>    isolate some or all records which correspond to a device or user;
>    link two or more records (either from the same database or different databases), concerning the same device or user;
and/or ?
>    deduce, with significant probability, information about a device or user.

> The restrictions might include, for example:
>    technical safeguards that prohibit re-identification of de-identified data;
>    business processes that specifically prohibit re-identification of de-identified data;
>    business processes that prevent inadvertent release of de-identified data;
and/or ?
>    administrative controls that limit access to de-identified data.

> A party collects data received in a network interaction if that data remains within the party’s control after the network interaction is complete.
> In order to indicate a party's compliance with a user's expressed tracking preference as described in this specification for a given resource, an origin server:

you aren't consistently using plain/fancy quotes

> When a third party to a given user action receives a DNT:1 signal in a related network interaction, that party MAY collect and use data about those network interactions when:

> 1. a user has explicitly granted consent, as described below (Section 4. Consent);
> 2. data is collected for the set of permitted uses described below (Section 3.3.2 Permitted Uses);

usually the conjunction is at the end of the preceding line, not at
the beginning of the next item:
> 3. or, the data is permanently de-identified as defined in this specification.

> Other than under those enumerated conditions, that party:

> 1. MUST NOT collect data from this network interaction that would result in data regarding this particular user being associated across multiple contexts;
see here:
> 2. MUST NOT retain, use, or share data from this particular user's activity outside the context in which that activity occurred; and
> 3. MUST NOT use data from network interactions with this particular user in a different context.

I don't see any reason for either of these lists to be numbered
instead of bulleted.

> Examples of using a graduated response for data minimization in security and fraud prevention include:

capitalize:
> recording all use from a given IP address range, regardless of DNT signal, when the party believes it is seeing a coordinated click fraud attack on its service from that IP address range.
capitalize + add period:
> collecting all data matching an identifiable fingerprint (a combination of User Agent and other protocol information, say) and retaining logs until it can be determined that they are not associated with such an attack or such retention is no longer necessary to support prosecution

", say"??

[1] http://www.w3.org/TR/2015/WD-tracking-compliance-20150714/

Received on Wednesday, 26 August 2015 02:32:07 UTC