- From: Heather West via cvs-syncmail <cvsmail@w3.org>
- Date: Tue, 28 Aug 2012 20:10:46 +0000
- To: public-tracking-commit@w3.org
Update of /w3ccvs/WWW/2011/tracking-protection/drafts In directory hutz:/tmp/cvs-serv19927 Modified Files: tracking-compliance.html Log Message: Delete emdash, add pointer to audit qualifier in TPE, add additional party/service provider language Index: tracking-compliance.html =================================================================== RCS file: /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance.html,v retrieving revision 1.68 retrieving revision 1.69 diff -u -d -r1.68 -r1.69 --- tracking-compliance.html 28 Aug 2012 18:12:00 -0000 1.68 +++ tracking-compliance.html 28 Aug 2012 20:10:44 -0000 1.69 @@ -48,7 +48,7 @@ <h2>Introduction</h2> <p class="note">This introduction will be re-worked after details of substantive text is closer to being finalized.</p> <p>The World Wide Web (WWW, or Web) consists of millions of sites interconnected through the use of hypertext. Hypertext provides a simple, page-oriented view of a wide variety of information that can be traversed by selecting links, manipulating controls, and supplying data via forms and search dialogs. A Web page is usually composed of many different information sources beyond the initial resource request, including embedded references to stylesheets, inline images, javascript, and other elements that might be automatically requested as part of the rendering or behavioral processing defined for that page.</p> - <p>Each of the hypertext actions and each of the embedded resource references might refer to any site on the Web, leading to a seamless interaction with the user even though the pages might be composed of information requested from many different and possibly independent Web sites. From the user's perspective, they are simply visiting and interacting with a single brand &emdash; the first-party Web property &emdash; and all of the technical details and protocol mechanisms that are used to compose a page representing that brand are hidden behind the scenes.</p> + <p>Each of the hypertext actions and each of the embedded resource references might refer to any site on the Web, leading to a seamless interaction with the user even though the pages might be composed of information requested from many different and possibly independent Web sites. From the user's perspective, they are simply visiting and interacting with a single brand -- the first-party Web property -- and all of the technical details and protocol mechanisms that are used to compose a page representing that brand are hidden behind the scenes.</p> <p>It has become common for Web site owners to collect data regarding the usage of their sites for a variety of purposes, including what led the user to visit their site (referrals), how effective the user experience is within the site (web analytics), and the nature of who is using their site (audience segmentation). In some cases, the data collected is used to dynamically adapt the content (personalization) or the advertising presented to the user (targeted advertising). Data collection can occur both at the first-party site and via third-party providers through the insertion of tracking elements on each page. A survey of these techniques and their privacy implications can be found in [[KnowPrivacy]].</p> <p>People have the right to know how data about them will be collected and how it will be used. Empowered with that knowledge, individuals can decide whether to allow their online activities to be tracked and data about them to be collected. Many Internet companies use data gathered about people's online activities to personalize content and target advertising based on their perceived interests. While some people appreciate this personalization of content and ads in certain contexts, others are troubled by what they perceive as an invasion of their privacy. For them, the benefit of personalization is not worth their concerns about allowing entities with whom they have no direct relationship to amass detailed profiles about their activities.</p> <p>Therefore, users need a mechanism to express their own preference regarding tracking that is both simple to configure and efficient when implemented. In turn, Web sites that are unwilling or unable to offer content without such targeted advertising or data collection need a mechanism to indicate those requirements to the user and allow them (or their user agent) to make an individual choice regarding user-granted exceptions.</p> @@ -93,14 +93,19 @@ <p>This specification uses the term user agent to refer to any of the various client programs capable of initiating HTTP requests, including but not limited to browsers, spiders (web-based robots), command-line tools, native applications, and mobile apps [[!HTTP11]].</p> </section> - <section id="def-parties"> - <h3>Parties</h3> + <section id="def-party"> + <h3>Party</h3> <!-- <p class="note">Dsinger has asked to add something about the responsibility following the data</p> --> <!-- I have shuffled this language around for clarity and simplicity, but it should retain the same meaning. Previous language retained in comments. --> -A <dfn>party</dfn> is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person which acts as a functional entity. A set of functional entities is considered affiliated when they are related by both common majority ownership and common control, and affiliation is made easily discoverable by a user. +<section class="option" id="def-party-1"><h4>Option 1</h4><p>A <dfn>party</dfn> is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person which acts as a functional entity. A set of functional entities is considered affiliated when they are related by both common majority ownership and common control, and affiliation is made easily discoverable by a user.</p></section> +<section class="option" id="def-party2"><h4>Option 2</h4><p>A <dfn>party</dfn> is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person. For unique corporate entities to qualify as a common party with respect to this document, those entities MUST be commonly owned and commonly controlled (Affiliates) and MUST provide “easy discoverability” of affiliate organizations. An “Affiliate List” MUST be provided within one click from each page or the entity owner clearly identified within one click from each page. +</p><p class="example">A website with a clear labeled link to the Affiliate List within the privacy policy would +meet this requirement or the ownership brand clearly labeled on the privacy policy +itself and may choose to act as a single party. +</p></section> <!-- A <dfn>functional entity</dfn> is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person. <br/><br/> @@ -137,7 +142,7 @@ <section id="def-service-providers"> <h4>Service Providers/Outsourcers</h4> -<p class="note">We seem to have general consensus in theory but not in language for the definition of a service provider. However, the two options below different significantly in how prescriptive and demanding the test to qualify as a service provider should be.</p> +<p class="note">We seem to have general consensus in theory but not in language for the definition of a service provider. However, the three options below different significantly in how prescriptive and demanding the test to qualify as a service provider should be.</p> <!-- <p class="note">Ensure that third party can act as a third party, or as a first party within section</p> <p class="note">hwest to propose an alternative definition of first party (based on ownership? alternative to inference?) [recorded in http://www.w3.org/2012/07/11-dnt-minutes.html#action01]</p> --> @@ -341,13 +346,18 @@ silo the data so that it cannot be accessed by other parties, and have no control over the use or sharing of that data except as directed by that party. </section> + <section class="option" id="def-service-providers-opt-3"><h3>Option 3: Service Provider/Outsourcer Definition</h3> +<p class="note">Service Providers acting on the behalf of a First Party and with no independent rights to +use the First Party’s data outside of the context of that First Party and Permitted Uses are also +considered to be acting as the First Party. +.</p></section> </section> <section id="first-third-parties"> <h3>First and Third Parties</h3> - - <section><h4>Definitions</h4> + <section class="option" id="def-first-third-parties-opt-1"><h4>Option 1: First and Third Parties</h5> + <section><h4>Definitions</h4> <p>A <dfn>first party</dfn> is any <a>party</a>, in a specific <a>network interaction</a>, that can infer with high probability that the user knowingly and intentionally communicated with it. Otherwise, a party is a third @@ -502,13 +512,23 @@ button, and a user clicks it. Example Social is a first party once the user clicks its embedded social sharing button. The average user would understand that by clicking the button she is communicating with Example Social.</li></ol> + </section></section></section> + <section class="option" id="def-first-third-parties-opt-2"><h5>Option 2: First and Third Parties</h5> + <p>First Party is the party that owns the Web site or has control over the Web site the consumer visits. A First Party also includes the owner of a widget, search box or similar +service with which a consumer interacts.</p> +<pclass="note">If a user merely mouses over, closes, or mutes third-party content, that is not +sufficient interaction to constitute a First Party widget interaction.</p><p> +A Third Party is any party other than a First Party, Service Provider, or the user. +It is possible to have multiple first parties on a single page but each party must provide +clear branding and a link to their respective privacy policy (co-branded experience). +</p> +</section> + <p class="issue" data-number="26" title="Providing data to 3rd-party widgets -- does that imply consent?"></p> - <p class="issue" data-number="26" title="Providing data to 3rd-party widgets &emdash; does that imply consent?"></p> - - </section> - </section> </section> + + <section id="def-unlinkable"> <h3>Unlinkable Data</h3> <p class="note">There is debate about whether to use the terms unlinkable, unlinked, or unidentified to describe this type of data.</p> @@ -786,34 +806,14 @@ <p>Outside of Security and Frequency Capping, data retained for Permitted Uses MUST NOT be used to alter a specific user's online experience based on multi-site activity.</p> </section> -<section id="no-persistent-identifiers"> -<h5>No Persistent Identifiers</h5> - -<p class=option>A third party may only collect, use, and retain for permitted uses information that a user agent necessarily shares with a web server when it -communicates with the web server (e.g. IP address and User-Agent), and -the URL of the top-level page, communicated via a Referer header or other -means, unless the URL contains information that is not unlinkable (e.g. a -username or user ID).</br></br>A third party may not collect, use, or retain information -that a web server could cause to not be sent but still be able to -communicate with the user agent (e.g. a cookie or a Request-URI parameter -generated by the user agent), except the URL of the top-level page, or -any data added by a network intermediary that the operator of a web server has -actual knowledge of (e.g. a unique device identifier HTTP header).</p> - -<p class=note>The EFF/Mozilla/Stanford proposal is heavily dependent upon a requirement that -permitted use data is not correlated to a unique cookie or other persistent identifier. This issue -remains one of the biggest areas of dispute in the working group, as the industry proposal allows for the -use of cookies and other unique identifiers by third parties despite a DNT:1 instruction.</p> -</section> - <!-- <p class="issue" data-number="24" title="Possible permitted use for fraud detection and defense"></p> <p class="issue" data-number="25" title="Possible permitted use for research purposes"></p> <p class="issue" data-number="75" title="How do companies claim permitted uses and is that technical or not?"></p> -<p class="issue" data-number="31" title="Minimization &emdash; to what extent will minimization be required for use of a particular permitted use? (conditional permitted uses)"></p> +<p class="issue" data-number="31" title="Minimization -- to what extent will minimization be required for use of a particular permitted use? (conditional permitted uses)"></p> <p class="issue" data-number="92" title="If data collection (even very specific with IP address, user agent, referrer) is time-limited, with very limited retention, is that still tracking?"></p> <p class="issue" data-number="89" title="Does DNT mean at a high level: (a) no customization, users are seen for the first time, every time. (b) DNT is about data moving between sites."></p> -<p class="issue" data-number="97" title="Re-direction, shortened URLs, click analytics &emdash; what kind of tracking is this?"></p> +<p class="issue" data-number="97" title="Re-direction, shortened URLs, click analytics -- what kind of tracking is this?"></p> --> </section></section> <section id="geolocation"> @@ -920,11 +920,13 @@ <section id="3p-audit"> <h4>Third Party Auditing</h4> -<p class="note">Add reference to TPE, or potentially move to TPE; add reference to audit array from Action 219</p> + <p class="issue" data-number="21" title="Enable external audit of DNT compliance"></p> <!-- <p class="note">We have reviewed one audit proposal that we declined to adopt as mandatory, but there is significant support to include a flexible option to enable auditing. We may include a smaller-scoped proposal in the future, or may drop auditing all together.</p> --> +<p><cite><a class="ref" href="http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#status-representation">Tracking Status Qualifiers</a></cite> may include a value to indicate auditing.</p> + </section> </section></section> <section id="acknowledgements" class='appendix'>
Received on Tuesday, 28 August 2012 20:10:53 UTC