- From: CVS User npdoty <cvsmail@w3.org>
- Date: Wed, 06 Mar 2013 23:02:27 +0000
- To: public-tracking-commit@w3.org
Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory gil:/tmp/cvs-serv15136
Added Files:
tracking-compliance-20121030.html
Log Message:
snapshot of the October draft
--- /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance-20121030.html 2013/03/06 23:02:27 NONE
+++ /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance-20121030.html 2013/03/06 23:02:27 1.1
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<title>Tracking Compliance and Scope</title>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<script src='http://www.w3.org/Tools/respec/respec-w3c-common' class='remove' async></script>
<script class="remove">
var respecConfig = {
specStatus: "ED",
shortName: "tracking-compliance",
previousPublishDate: "2012-05-23",
publishDate: "2012-10-30",
previousMaturity: "ED",
previousURI: "http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance-20120523.html",
edDraftURI: "http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html",
editors: [
{ name: "Justin Brookman", url: "http://cdt.org/",
company: "CDT", companyURL: "http://cdt.org/" },
{ name: "Sean Harvey", url: "http://google.com/",
company: "Google", companyURL: "http://google.com/" },
{ name: "Erica Newland", url: "http://cdt.org/",
company: "CDT", companyURL: "http://cdt.org/" },
{ name: "Heather West", url: "http://Google.com/",
company: "Google", companyURL: "http://google.com/" },
],
wg: "Tracking Protection Working Group",
wgURI: "http://www.w3.org/2011/tracking-protection/",
wgPublicList: "public-tracking",
wgPatentURI: "http://www.w3.org/2004/01/pp-impl/49311/status",
issueBase: "http://www.w3.org/2011/tracking-protection/track/issues/",
}
</script>
<link rel="stylesheet" href="additional.css" type="text/css" media="screen"
title="custom formatting for TPWG editors">
</head>
<body>
<section id="abstract">
<p>
This specification defines the meaning of a Do Not Track (DNT)
preference and sets out practices for websites to comply with this
preference.
</p>
</section>
<section id="sotd">
<p>
This document is an editors' strawman reflecting a snapshot of live
discussions within the
<a href="http://www.w3.org/2011/tracking-protection/">Tracking Protection
Working Group</a>. It does not yet capture all of our work. For
example, we have issues that are [PENDING REVIEW] with complete text
proposals that have not yet made it into this draft. Text in blue boxes
presents multiple options the group is considering. Options included in
this draft should not be read as limitations on the potential outcome,
but rather simply as possible options that are currently under
consideration by the working group. An
<a href="http://www.w3.org/2011/tracking-protection/track/issues/">issue
tracking system</a> is available for recording
<a href="http://www.w3.org/2011/tracking-protection/track/issues/raised">raised</a>,
<a href="http://www.w3.org/2011/tracking-protection/track/issues/open">open</a>,
<a href="http://www.w3.org/2011/tracking-protection/track/issues/pendingreview">pending review</a>,
<a href="http://www.w3.org/2011/tracking-protection/track/issues/closed">closed</a>,
and <a href="http://www.w3.org/2011/tracking-protection/track/issues/postponed">postponed</a>
issues regarding this document.
</p>
</section>
<section id="introduction">
<h2>Introduction</h2>
<p class="note">
This introduction will be re-worked after details of substantive text
is closer to being finalized.
</p>
<p>
The World Wide Web (WWW, or Web) consists of millions of sites
interconnected through the use of hypertext. Hypertext provides a
simple, page-oriented view of a wide variety of information that can be
traversed by selecting links, manipulating controls, and supplying data
via forms and search dialogs. A Web page is usually composed of many
different information sources beyond the initial resource request,
including embedded references to stylesheets, inline images,
javascript, and other elements that might be automatically requested as
part of the rendering or behavioral processing defined for that page.
</p>
<p>
Each of the hypertext actions and each of the embedded resource
references might refer to any site on the Web, leading to a seamless
interaction with the user even though the pages might be composed of
information requested from many different and possibly independent Web
sites. From the user's perspective, they are simply visiting and
interacting with a single brand -- the first-party Web property -- and
all of the technical details and protocol mechanisms that are used to
compose a page representing that brand are hidden behind the scenes.
</p>
<p>
It has become common for Web site owners to collect data regarding the
usage of their sites for a variety of purposes, including what led the
user to visit their site (referrals), how effective the user experience
is within the site (web analytics), and the nature of who is using
their site (audience segmentation). In some cases, the data collected
is used to dynamically adapt the content (personalization) or the
advertising presented to the user (targeted advertising). Data
collection can occur both at the first-party site and via third-party
providers through the insertion of tracking elements on each page. A
survey of these techniques and their privacy implications can be found
in [[KnowPrivacy]].
</p>
<p>
People have the right to know how data about them will be collected and
how it will be used. Empowered with that knowledge, individuals can
decide whether to allow their online activities to be tracked and data
about them to be collected. Many Internet companies use data gathered
about people's online activities to personalize content and target
advertising based on their perceived interests. While some people
appreciate this personalization of content and ads in certain contexts,
others are troubled by what they perceive as an invasion of their
privacy. For them, the benefit of personalization is not worth their
concerns about allowing entities with whom they have no direct
relationship to amass detailed profiles about their activities.
</p>
<p>
Therefore, users need a mechanism to express their own preference
regarding tracking that is both simple to configure and efficient when
implemented. In turn, Web sites that are unwilling or unable to offer
content without such targeted advertising or data collection need a
mechanism to indicate those requirements to the user and allow them (or
their user agent) to make an individual choice regarding user-granted
exceptions.
</p>
<p>
This specification defines the terminology of tracking preferences, the
scope of its applicability, and the requirements on compliant
first-party and third-party participants when an indication of tracking
preference is received. This specification defines the meaning of a Do
Not Track preference and sets out practices for websites and other
online companies to comply with this preference.
</p>
<p>
A companion document, [[!TRACKING-DNT]], defines the HTTP request
header field DNT for expressing a tracking preference on the Web, a
well-known location (URI) for providing a machine-readable tracking
status resource that describes a service's DNT compliance, the HTTP
response header field Tk for resources to communicate their compliance
or non-compliance with the user's expressed preference, and JavaScript
APIs for determining DNT status and requesting a site-specific,
user-granted exception.
</p>
</section>
<section id="scope-and-goals">
<h2>Scope and Goals</h2>
<p class="issue" data-number="6" title="What are the underlying concerns? Why are we doing this?">
This section consists of proposed text that is meant to address ISSUE-6
and is in active discussion. Currently, it satisfies no one. Like the
introduction, we will revisit and finalize once the document is more
complete.
</p>
<p>
While there are a variety of business models to monetize content on the
web, many rely on advertising. Advertisements can be targeted to a
particular user's interests based on information gathered about one's
online activity. While the Internet industry believes many users
appreciate such targeted advertising, as well as other personalized
content, there is also an understanding that some people find the
practice intrusive. If this opinion becomes widespread, it could
undermine the trust necessary to conduct business on the Internet. This
Compliance specification and a companion [[!TRACKING-DNT]]
specification are intended to give users a means to indicate their
tracking preference and to spell out the obligations of compliant
websites that receive the Do Not Track message. The goal is to provide
the user with choice, while allowing practices necessary for a smoothly
functioning Internet. This should be a win-win for business and
consumers alike. The Internet brings millions of users and web sites
together in a vibrant and rich ecosystem. As the sophistication of the
Internet has grown, so too has its complexity which leaves all but the
most technically savvy unable to deeply understand how web sites
collect and use data about their online interactions. While on the
surface many web sites may appear to be served by a single entity, in
fact, many web sites are an assembly of multiple parties coming
together to power a user's online experience. As an additional privacy
tool, this specification provides both the technical and compliance
guidelines to enable the online ecosystem to further empower users with
the ability to communicate a tracking preferences to a web site and its
partners.
</p>
<p>
The accompanying
<a href="http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#bib-TRACKING-DNT">TRACKING-DNT</a>
recommendation explains how a user, through a user agent, can clearly
express a desire not to be tracked. This Tracking Compliance and Scope
recommendation sets the standard for the obligations of a website that
receives such a DNT message.
</p>
<p>
Taken together these two standards should have four substantial
outcomes:
</p>
<ol start="1">
<li>Empower users to manage their preference around the collection and
correlation of data about Internet activities that occur on different
sites and spell out the obligations of sites in honoring those
preferences when DNT is enabled.</li>
<li>Provide an exceedingly straightforward way for users to gain
transparency and control over data usage and the personalization of
content and advertising on the web.</li>
<li>Enable a vibrant Internet to continue to flourish economically by
supporting innovative business models while protecting users'
privacy.</li>
<li>Establish compliance metrics for operators of online services</li>
</ol>
<p>
This standard has limited applicability to any practices by first
parties, their service providers, subsidiaries, or affiliated
companies. Under the standard, first parties may and will continue to
collect and use data for tracking and other purposes. This standard is
primarily directed at third parties.
</p>
<p>
This solution is intended to be persistent, technology neutral, and
reversible by the user. It aims to preserve a vibrant online ecosystem,
privacy-preserving secondary data uses necessary to ecommerce, and
adequate security measures. We seek a solution that is persistent,
technology neutral, and [something that speaks with the ability to opt
back in], but that preserves a vibrant online ecosystem,
privacy-preserving secondary data uses, and adequate security measures.
</p>
</section>
<section id="definitions">
<h2>Definitions</h2>
<!--
<p class="note">The definitions section is a strawman proposal from editors
based on discussion in Seattle. Many sections are not yet consensus text.</p>
-->
<section id="def-user">
<h3>User</h3>
<!--
<p class="note">This definition is consensus or near-consensus text from the
pre-Seattle draft.</p>
-->
<p>
A user is an individual human. When user-agent software accesses
online resources, whether or not the user understands or has specific
knowledge of a particular request, that request is made "by" the
user.
</p>
</section>
<section id="def-user-agent">
<h3>User Agent</h3>
<!--
<p class="note">This definition is consensus or near-consensus text from the
pre-Seattle draft, but there may be some debate on the definition.</p>
-->
<p>
This specification uses the term user agent to refer to any of the
various client programs capable of initiating HTTP requests,
including but not limited to browsers, spiders (web-based robots),
command-line tools, native applications, and mobile apps [[!HTTP11]].
</p>
<p class="note">
There has been recent discussion about whether the specification
should differentiate among different types of users agents (such as
general purpose browsers, add-ons, and stand-alone software
programs), and possibly specify different compliance obligations
depending on the type of user agent, or priority among different
categories of user agents in the event of conflicting settings. There
is currently no open ISSUE associated with this discussion.
</p>
</section>
<section id="def-party">
<h3>Party</h3>
<!--
<p class="note">Dsinger has asked to add something about the responsibility
following the data</p>
-->
<!-- I have shuffled this language around for clarity and simplicity,
but it should retain the same meaning. Previous language retained in
comments. -->
<section class="option" id="def-party-1">
<h4>Option 1</h4>
<p>
A <dfn>party</dfn> is any commercial, nonprofit, or governmental
organization, a subsidiary or unit of such an organization, or a
person which acts as a functional entity. A set of functional
entities is considered affiliated when they are related by both
common majority ownership and common control, and affiliation is
made easily discoverable by a user.
</p>
</section>
<section class="option" id="def-party2">
<h4>Option 2</h4>
<p>
A <dfn>party</dfn> is any commercial, nonprofit, or governmental
organization, a subsidiary or unit of such an organization, or
a person. For unique corporate entities to qualify as a common
party with respect to this document, those entities MUST be
commonly owned and commonly controlled (Affiliates) and MUST
provide “easy discoverability” of affiliate organizations. An
“Affiliate List” MUST be provided within one click from each
page or the entity owner clearly identified within one click
from each page.
</p>
<p class="example">
A website with a clear labeled link to the Affiliate List within
the privacy policy would meet this requirement or the ownership
brand clearly labeled on the privacy policy itself and may choose
to act as a single party.
</p>
</section>
<!--
A <dfn>functional entity</dfn> is any commercial, nonprofit, or governmental
organization, a subsidiary or unit of such an organization, or a person.
<br/><br/>
Functional entities are <dfn>affiliated</dfn> when they are related by both
common majority ownership and common control.
<br/><br/>
A <dfn>party</dfn> is a set of functional entities that are affiliated.
<section>
<h2>Transparency</h2>
<p class="note">This section is at best out of place, and should be in the
compliance section, not definitions.</p>
<section>
<h2>Requirement</h2>
A <a>functional entity</a> must make its <a>affiliated</a> functional entities
easily discoverable by a user.
</section>
<section>
<h2>Non-Normative Discussion</h2>
<p class="informative">Affiliation may be made easily discoverable by
prominent and common branding by a functional entity of affiliation on its
webpages, within a privacy policy linked from its webpages, or a
machine-readable format in a well-known location.</p>
<h2>Affiliated Parties</h2>
<p class="note">I changed this text to reflect that it's a definition of
affiliated parties, but should retain the requirement that an affiliated party
must be discoverable in order to be considered affiliated under this
draft.</p>
<section>
<h2>Requirement</h2>
A <a>functional entity</a> must make its <a>affiliated</a> functional entities
easily discoverable by a user.
</section>
<section>
<h2>Non-Normative Discussion</h2>
<p class="informative">Affiliation may be made easily discoverable by
prominent and common branding by a functional entity of affiliation on its
webpages, within a privacy policy linked from its webpages, or a
machine-readable format in a well-known location.</p>
</section>
</section>
-->
</section>
<section id="def-service-providers">
<h4>Service Providers/Outsourcers</h4>
<p class="note">
We seem to have general consensus in theory but not in language for
the definition of a service provider. However, the three options
below different significantly in how prescriptive and demanding the
test to qualify as a service provider should be.
</p>
<!-- <p class="note">Ensure that third party can act as a third party,
or as a first party within section</p>
<p class="note">hwest to propose an alternative definition of first
party (based on ownership? alternative to inference?) [recorded in
http://www.w3.org/2012/07/11-dnt-minutes.html#action01]</p>
-->
<section class="option" id="def-service-providers-opt-1">
<h3>Option 1: Service Provider/Outsourcer Definition</h3>
<p class="note">
This option contains both definitions and normative compliance
requirements.
</p>
<p>
This section applies to parties engaging in an outsourcing
relationship, wherein one party "stands in the shoes" of another
party to perform a specific task. Both parties have
responsibilities, as detailed below.
</p>
<p>
A <a>first party</a> or a <a>third party</a> MAY outsource
[1643 lines skipped]
Received on Wednesday, 6 March 2013 23:02:29 UTC