- From: CVS User jbrookma <cvsmail@w3.org>
- Date: Fri, 12 Apr 2013 21:05:22 +0000
- To: public-tracking-commit@w3.org
Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory gil:/tmp/cvs-serv28442/WWW/2011/tracking-protection/drafts
Modified Files:
tracking-compliance.html
Log Message:
data append, service provider, user agent compliance, permission to track
--- /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance.html 2013/04/09 18:08:17 1.89
+++ /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance.html 2013/04/12 21:05:21 1.90
@@ -266,7 +266,7 @@
command-line tools, native applications, and mobile apps [[!HTTP11]].
</p>
<p class="note">
- There has been recent discussion about whether the specification
+ There has been discussion about whether the specification
should differentiate among different types of users agents (such as
general purpose browsers, add-ons, and stand-alone software
programs), and possibly specify different compliance obligations
@@ -351,18 +351,30 @@
<section id="def-service-providers">
<h4>Service Providers</h4>
- <p>
- Outsourced service providers are considered to be the same party as their
+ <p class=option>
+ Outsourced <dfn>service providers</dfn> are considered to be the same party as their
clients if the outsourced service providers only act as data processors on
behalf of that party in relation to that party, silo the data so that it
cannot be accessed by other parties, and have no control over the use or
sharing of that data except as directed by that party.
</p>
+ <p class=option>Outsourced <dfn>service providers</dfn> are considered to be the same
+ party as their clients if the service provider<br><br>
+ 1. acts only as a data processor on behalf of the client;<br><br>
+ 2. ensures that the data can only be accessed and used as directed by that client;<br><br>
+ 3. has not independent right to use or share the data except as necessary to ensure the
+ integrity, security, and correct operation of the service being provided; and<br><br>
+ 4. has a contract in place that outlines and mandates these requirements.</p>
+
<p class="note">
The working group is continuing to fine tune the defintion of service
- provider. The above language is not consensus.
+ provider. Neither option above is at consensus.
</p>
+
+ <p class=issue data-number=49 title="Third party as first party -- is a
+ third party that collects data on behalf of a first party treated the
+ same way as the first party"></p>
<!--- Justin, 2.1.13: I could not just comment out three options, so I
deleted them entirely. However, we can find them in previous drafts if
@@ -397,16 +409,19 @@
be jointly operated by two or more parties, and a user would reasonably expect
to communicate with all of them by accessing that resource. User understanding
that multiple parties operate a particular resource could be accomplished
- through inclusion of multiple parties' brands in a URI, or prominent branding
+ through inclusion of multiple parties' brands in a domain name, or prominent branding
on the resource indicating that multiple parties are responsible for content or
functionality on the resource with which a user reasonably would expect to
- interact by accessing the resource. Simple branding of a party that merely
- serves as a service provider to the single entity providing a resource will not
- be sufficient to make that party a first party in any particular network
- interaction.</p>
+ interact by accessing the resource. Simple branding of a party, without more,
+ will not be sufficient to make that party a first party in any particular
+ network interaction.</p>
<p class="note">The language on multiple first parties is not yet at consensus.</p>
</section>
+
+ <p class=issue data-number=10 title="What is a first party?"></p>
+
+
</section>
<section id="third-party">
@@ -941,15 +956,38 @@
themselves under this standard.
</p>
+ <p class=option>When DNT:1 is received,<br><br>
+ 1. A first party MUST NOT combine or otherwise use identifiable data received
+ from another party with data it collected while a first party;<br><br>
+ 2. A first party MUST NOT share identifiable data with another party unless the
+ data was provided voluntarily by the user and is necessary to complete a
+ business transaction with the user; and<br><br>
+ 3. A party MUST NOT use data gathered while a first party when operating as a
+ third party.<br><br>
+ <b>Non-Normative</b><br><br>
+ When DNT:1 is received, a 1st Party retains the ability to customize content,
+ services, and advertising only within thecontext of the first party experience.
+ A 1st party takes the user interaction outside of the 1st party experience if it
+ receives identifiabledata from another party and uses that data for customization of
+ content, services, or advertising.<br><br>
+ When DNT:1 is received the 1st Party may continue to utilize user provided data in
+ order to complete or fulfill a user initiated business transaction such as fulfilling
+ an order for goods or a subscription.<br><br>
+ When DNT:1 is received and a Party has become a 3rd Party it is interacting with the
+ user outside of the 1st Party experience. Using data gathered while a 1st party is
+ incompatible with interaction as a third party.</p>
+
<p class="note">
This language is not consensus. The parties are
- generally agreed that this language should only prohibit first parties
+ generally agreed that this language should prohibit first parties
from enabling third parties to circumvent "Do Not Track" by providing
them with correlatable cross-site data in a different context. There is
an open debate about the extent to which this should prohibit "data
append" practices, where first parties query data brokers about their
users (and thus trasmit information to the brokers) order to augment
- their own records on users. One proposed compromise would be to allow
+ their own records on users, or whether third parties may use data they
+ previously collected in a first party context. One proposed compromise
+ to the first issue would be to allow
data append only when the data broker would qualify as a service provider,
having no independent right to use the data associated with the append
inquiry.<!-- (Justin to suggest edits) -->
@@ -961,7 +999,7 @@
<section id="user-agent-compliance">
<h3>User Agent Compliance</h3>
- <p>
+ <!-- <p>
A user agent MUST offer a control to express a tracking preference to
third parties. The control MUST communicate the user's preference in
accordance with the [[!TRACKING-DNT]] recommendation and otherwise
@@ -980,16 +1018,63 @@
preference (e.g., "Privacy settings: high"). Likewise, a user might
install or configure a proxy to add the expression to their own
outgoing requests.
- </p>
- <p class="option">
- Shane's proposal has suggested the additional compliance requirements
- of user agents:<br>
- 1. The User Agent must also make available via a link in explanatory
- text where DNT is enabled to provide more detailed information about
- DNT functionality<br>
- 2. Any User Agent claiming compliance must have a functional
- implementation of the browser exceptions in this specification
- </p>
+ </p>-->
+
+ <p class=option>A user agent MUST offer a control to express a tracking preference to third
+ parties. The control MUST communicate the user's preference in accordance with the [TRACKING-DNT
+ <http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#bib-TRACKING-DNT>]
+ recommendation and otherwise comply with that recommendation. A user agent MUST NOT express
+ a tracking preference for a user unless the user has given express and informed consent to
+ indicate a tracking preference.<br><br>
+ While we do not specify how tracking preference choices are offered to the user or how the
+ preference is enabled, each implementation MUST follow the following user interface guidelines:<br><br>
+ 1. The User Agent is responsible for determining the user experience by which a tracking preference is
+ enabled. For example, a user might select a check-box in their user agent's configuration, or install
+ an extension or add-on that is specifically designed to add a tracking preference expression so long as
+ the checkbox, extension or add-on otherwise follows these user interface guidelines;<br><br>
+ 2. The User Agent MUST ensure that the tracking preference choices are communicated to users clearly
+ and conspicuously, and shown at the time and place the tracking preference choice is made available to
+ a user;<br><br>
+ 3. The User Agent MUST ensure that the tracking preference choices accurately describe DNT, including
+ the parties to whom DNT applies, and MUST make available via a link in explanatory text where DNT is
+ enabled to provide more detailed information about DNT functionality.<br><br>
+
+<b>Non-Normative:</b><br><br>
+
+ The User Agent plays a key role in enacting the DNT functionality. As a result, it is appropriate for
+ the User Agent to play an equally key role in describing DNT functionality and educating users about
+ DNT in order for this standard to be meaningful.<br><br>
+ While the user interface guidelines do not specify the exact presentation to the user, they are
+ intended to help ensure that users understand their choices with respect to DNT. For example,
+ outlining the parties (e.g., First Parties, Service Providers, Third Parties) to whom DNT applies
+ and using language that a reasonable user is likely to understand is critical for ensuring that users
+ are in position to provide their informed consent to a tracking preference.<br><br>
+ Moreover, as DNT functionality is complex, it is important that User Agents educate users about DNT,
+ including but not limited to offering a clearly described link that takes the user to additional
+ information about DNT functionality. For example, given that some parties may chose not to comply with
+ DNT, it would be helpful for browsers to educate users about how to check the response header and/or
+ tokens to see if a server is responding with a “public commitment” of compliance.<br><br>
+ Finally, recognizing that DNT settings may be set by non-browser User Agents acting in violation of
+ the user interface guidelines, the browsers should take reasonable steps to ensure that DNT settings
+ are valid.</p>
+
+ <p class=option>User agents and web sites MUST obtain express and informed consent
+ when setting controls that affect the tracking preference expression. The controls
+ MUST communicate the user's preference in accordance with the [TRACKING-DNT
+ <http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#bib-TRACKING-DNT>]
+ recommendation.<br><br>
+ User agents and web sites offering tracking preference choices to users MUST follow the
+ following user interface guidelines:<br><br>
+ 1. User agents and web sites are responsible for determining the user experience by which a
+ tracking preference is controlled;<br><br>
+ 2. User agents and web sites MUST ensure that tracking preference choices are communicated
+ to users clearly and accurately, and shown at the time and place the tracking preference
+ choice is made available to a user; <br><br>
+ 3. User agents and web sites SHOULD ensure that the tracking preference choices describe the
+ parties to whom DNT applies and SHOULD make available explanatory text to provide more
+ detailed information about DNT functionality.</p>
+
+
<p class="issue" data-number="150" title="DNT conflicts from multiple user agents"></p>
<p class="issue" data-number="153" title="What are the implications on software that changes requests but does not necessarily initiate them?"></p>
</section>
@@ -1380,7 +1465,11 @@
user when acting as a first party.
</p>
- <p class="note">This text may be revised to offer two alternatives:
+ <p class="note">This permitted use does not reflect consensus.
+ Some members of the group do not think first party data should be
+ used in a third-party context (this option is reflected in the
+ optional text for First Party Compliance above.<br><br>
+ This text may be revised to offer two alternatives:
first parties can use any data to offer content in the third party
context, or first parties can only use declared data to offer
content in the third party context. Shane Wiley has proposed
@@ -1563,9 +1652,6 @@
panels. The <a href="http://lists.w3.org/Archives/Public/public-tracking/2013Mar/0335.html">most recent proposal by ESOMAR is available</a>,
but the language is not consensus, and the working group has not
decided whether such a permitted use is even appropriate.</p>
- <p class="note">There had previously been an open debate about whether Aggregate Reporting
- (including market research and product improvement) should be a dedicated Permitted Use.
- The group has since decided to address this issue through the exception for Unlinkable Data.</p>
</section>
<section id="compliance">
@@ -1625,6 +1711,22 @@
<p class="issue" data-number="67" title="Should opt-back-in be stored on the client side? - pretty sure this belongs in the technical spec"></p>
-->
+<p class=option>User agents and web sites MUST obtain express and informed consent
+ when setting controls that affect the tracking preference expression. The controls
+ MUST communicate the user's preference in accordance with the [TRACKING-DNT
+ <http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#bib-TRACKING-DNT>]
+ recommendation.<br><br>
+ User agents and web sites offering tracking preference choices to users MUST follow the
+ following user interface guidelines:<br><br>
+ 1. User agents and web sites are responsible for determining the user experience by which a
+ tracking preference is controlled;<br><br>
+ 2. User agents and web sites MUST ensure that tracking preference choices are communicated
+ to users clearly and accurately, and shown at the time and place the tracking preference
+ choice is made available to a user; <br><br>
+ 3. User agents and web sites SHOULD ensure that the tracking preference choices describe the
+ parties to whom DNT applies and SHOULD make available explanatory text to provide more
+ detailed information about DNT functionality.</p>
+
<section id="interactions">
<h3>Interaction with existing user privacy controls</h3>
<p>
Received on Friday, 12 April 2013 21:05:27 UTC