CVS WWW/2011/tracking-protection/drafts

Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory gil:/tmp/cvs-serv18424

Modified Files:
	tracking-dnt.html 
Log Message:
edits for actions 422, 423, 424, and their linked actions (231, 396) and
issues.



--- /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-dnt.html	2013/06/05 22:16:00	1.214
+++ /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-dnt.html	2013/06/25 01:26:48	1.215
@@ -249,6 +249,15 @@
         add-on is an explicit choice by the user for that tracking preference.
       </p>
       <p>
+        A user agent extension or add-on MUST NOT alter the user's tracking
+        preference setting unless it complies with the requirements in this document,
+        including but not limited to this section (Determining a User Preference).
+        Software outside of the user agent that causes a DNT header to be sent (or
+        causes existing headers to be modified) MUST NOT do so without ensuring that
+        the requirements of this section are met; such software also MUST ensure the
+        transmitted preference reflects the individual user's preference.
+      </p>
+      <p>
         We do not specify how tracking preference choices are offered to the
         user or how the preference is enabled: each implementation is
         responsible for determining the user experience by which a tracking
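Review bot: The two MUST NOT sentences in the added paragraph are scoped differently: the first binds extensions and add-ons to "the requirements in this document, including but not limited to this section", while the second binds software outside the user agent only to "the requirements of this section". If both classes of software are meant to carry the same obligation, use the same scope in both sentences; if the difference is intended, say why. The parenthetical "(Determining a User Preference)" would also be more robust as a section reference link than as a copied section title.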
@@ -658,9 +667,12 @@
             defined by this specification, and that prior consent overrides
             the tracking preference expressed by this protocol.
           </p>
-          <p class="issue" data-number="195" title="Flows and signals for handling out of band consent">
-            <b>[OPEN]</b> The <code><a>C</a></code> tracking status
-            value indicates out of band consent.
+          <p>
+            If the consent was signaled to the origin server 'out of band', that is,
+            by some other mechanism than the receipt of a DNT:0 header, then the
+            'edit' member of the well-known-resource MUST provide both documentation
+            of how the consent was established and documentation of the means, 
+            or the means, to revoke that consent.
           </p>
           <p class="issue" data-number="152" title="User Agent Compliance: feedback for out-of-band consent">
             <b>[PENDING REVIEW]</b> Proposal is to not add UA requirements.
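Review bot: The replacement paragraph drops the removed statement that the C tracking status value indicates out-of-band consent, so the new MUST on the 'edit' member is no longer tied to any status value within these lines. Suggest keeping that sentence ahead of the new requirement. The phrase "documentation of the means, or the means, to revoke that consent" is hard to parse and could read "either the means to revoke that consent or documentation of those means". Style: 'edit' and DNT:0 should use code markup as the removed line did for C, and the line ending "documentation of the means," carries a trailing space.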
@@ -1066,7 +1078,12 @@
                   information and the data collected is minimized
                   accordingly.</td>
             </tr>
-          </table>
+             <tr><td>t</td>
+                <td>Transferred consent: The origin server is
+                satisfying the request on behalf of another server which had
+                consent, and that consent has been transferred.</td>
+            </tr>
+         </table>
           <p>
             Multiple qualifiers mean that multiple permitted uses of tracking
             might be present and that each such use conforms to the associated
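Review bot: The new row and the closing table tag are indented differently from the surrounding rows (the added tr sits one column deeper than the preceding closing tr, and the table close tag was moved one column left), which produces a whitespace-only change on the table close line. Suggest matching the existing indentation so the diff shows only the added row. The description also says the consent "has been transferred" without saying by what mechanism; a reference to the section that defines the transfer would help a reader of the table.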
@@ -1082,6 +1099,7 @@
               / %x66  ; "f" - fraud
               / %x6C  ; "l" - local
               / %x72  ; "r" - referral
+              / %x72  ; "t" - transferred consent
           </pre>
           <p class="issue" data-number="136" title="Resolve dependencies of the TPE on the compliance specification">
             [OPEN] The list of qualifiers is intended to match one to one to the 
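Review bot: The added ABNF alternative uses the wrong octet: "/ %x72  ; "t" - transferred consent" repeats %x72, which is "r" and is already used on the line above for referral. As written the grammar never admits "t" and lists "r" twice. The value for lowercase "t" is %x74, so the line should read "/ %x74  ; "t" - transferred consent".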
@@ -1542,6 +1560,13 @@
              user agents MAY choose to provide no user interface regarding 
              user-granted exceptions.
            </p>
+           <p>
+             If the user revokes the consent by deleting the exception, the site
+             MUST respect that revocation (though it may ask again for the
+             exception). The exception mechanism MUST NOT be used when the site
+             will deem consent to exist even after the exception has been
+             revoked.
+           </p>
 		   <p class="note">
 		     The requirement for the site to determine the user's intention is new;
 		     previously the site was required to inform, but the final 
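Review bot: In the added paragraph, "(though it may ask again for the exception)" uses a lowercase "may" between two MUST-level requirements, which leaves it unclear whether this is a normative permission or plain English. Suggest "MAY" if the permission is intended to be normative, or rewording (for example "though it can ask again") if it is not.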
@@ -2078,9 +2103,9 @@
 		<p>A named third party 
 			acquiring an exception with this mechanism MUST make sure that sub-services 
 			it uses acknowledge this constraint by requiring the use of the appropriate 
-			tracking status <a href="#tracking-status-value">value</a> 
-			and <a href="#dfn-qualifiers">qualifier</a>, which is "XX"
-			(such as "tl"), from its sub-sub-services.</p>
+			tracking status <a href="#tracking-status-value">value</a> of 'C' (consent),
+			and the <a href="#dfn-qualifiers">qualifier</a> "t", from its 
+			sub-sub-services.</p>
 		
 		<p>The permission acquired by the DNT mechanism does not override retention 
 			limitations found in the legal system the content provider or the named 
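Review bot: The replacement lines quote the two tokens inconsistently: the status value is written 'C' in single quotes and the qualifier "t" in double quotes, and neither uses the code markup that the removed issue text elsewhere in this patch used for C. Suggest marking both up the same way. The comma after "(consent)" also splits "value of 'C' and the qualifier "t"" awkwardly and can be dropped.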
@@ -2089,13 +2114,8 @@
 		<p class="issue" data-number="168" title="What is the correct way for 
 		sub-services to signal that they are taking advantage of a 
 		transferred exception?">
-		[OPEN] When the status values and qualifiers are fixed, the 
-			penultimate paragraph will probably need adjusting to match.  The use of "tl" 
-			(which meant "tracking but only in accordance with local laws" when this text 
-			was written) doesn't seem right, as the text talks, essentially, of 
-			the sub-sub-service acting on behalf of the site that received the 
-			DNT:0 header, which might suggest something more like "CS" 
-			(service provision to a third-party that received consent).</p>
+		[PENDING REVIEW] When the status values and qualifiers are fixed, the 
+			penultimate paragraph may need adjusting to match.</p>
 	  </section>
 	  
       <section id="exceptions-ui" class="informative">
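Review bot: The retained sentence "When the status values and qualifiers are fixed, the penultimate paragraph may need adjusting to match" reads as stale now that the preceding hunk fixes that paragraph to the value 'C' and qualifier "t". Suggest stating what specifically is still pending review for issue 168, or removing the note once the review closes. The "[PENDING REVIEW]" marker is also not wrapped in b tags, unlike the marker on issue 152 earlier in this patch.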

Received on Tuesday, 25 June 2013 01:26:49 UTC