RE: [ACTION-20] First parties signaling exceptions to third parties

For requests like a tracking pixel, the 1st party does not have any control over the headers sent to the 3rd party. That request is made by the browser. It's possible that the 1st party could somehow signal to the browser that the existing user has opted back in, then the browser could automatically add the override header, but that seems pretty complicated. However, my guess is that opt-in will often be cookie-based, and the communication will happen at opt-in time by the 1st party making a call to the 3rd party allowing the 3rd party to set their own cookies and therefore not need any special communication at subsequent requests.

From: Peter Eckersley [mailto:peter.eckersley@gmail.com]
Sent: Wednesday, November 09, 2011 11:20 AM
To: Tracking Protection Working Group WG
Subject: [ACTION-20] First parties signaling exceptions to third parties

Some possible language to consider:

First parties sometimes have active exceptions to DNT.  For instance, a user
on the New York Times site may have logged in and knowingly opted back in to
being tracked by third parties while reading the New York Times site.  In such a
case, the first party needs a way to signal to the third parties that, for these
particular requests, an exception is overriding the DNT: 1 header that the
user's browser is sending.

If a first party wishes to signal to a third party that there is an active
exception to DNT, the first party MUST indicate this with a request parameter
"dnt-override=" with a non-null value (e.g., "dnt-override=1",
"dnt-override=user logged in", "dnt-override=retain for 1 week", etc.). This
parameter may be set as a URI query parameter, a URI fragment parameter, or an
HTTP POST parameter.

A web server receiving a request with the "dnt-override=" parameter with a
value of "1" MAY disregard a DNT: 1 header that it simultaneously
receives from the client. However, if it does so, it MUST send the Tracking: 1
response header to the client.

First parties and third parties MAY agree to additional semantics for values of
the dnt-override parameter other than 1 or null.  If a third party receives a
value for "dnt-override" where such an agreement and implementation is not in
place, it MUST send Tracking: 0 to the client, and ignore the dnt-override
parameter.

--
Peter

Received on Friday, 11 November 2011 01:07:23 UTC
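The proposed rules above describe a small server-side decision procedure: locate the "dnt-override" parameter in the query string, fragment, or POST body; treat a null/empty value as absent; honor "1" (or a value the two parties have agreed on) by answering Tracking: 1; and answer Tracking: 0 while ignoring the parameter when the value is not understood. The following Python is an added illustration written for this page, not code from the working group or from either correspondent, and it models a third party that chooses to exercise the MAY and disregard DNT: 1 whenever a recognised override is present. The URLs, the `agreed_values` set and the sample requests are constructed for the example. Note that browsers do not normally transmit the URI fragment to the server, so the fragment branch is included only because the draft text lists it; the draft also says nothing about what to send when DNT: 1 arrives with no override at all, and the code returns no Tracking header in that case rather than inventing one.

```python
"""Third-party handling of the proposed "dnt-override" request parameter (illustrative)."""
from urllib.parse import urlsplit, parse_qs

PARAM = "dnt-override"
TRACKING_ALLOWED = "1"   # value of the Tracking response header when DNT: 1 is disregarded
TRACKING_DENIED = "0"    # value sent when the override value is not understood


def _first_param(encoded, name):
    """Return the first non-empty value of `name` in a form-encoded string, else None.

    parse_qs drops blank values by default, so "dnt-override=" (a null value) yields None,
    matching the draft's requirement of a non-null value.
    """
    if not encoded:
        return None
    values = parse_qs(encoded).get(name)
    return values[0] if values else None


def extract_dnt_override(url, post_body=None):
    """Look for dnt-override in the three places the draft names: query, fragment, POST body."""
    parts = urlsplit(url)
    for encoded in (parts.query, parts.fragment, post_body):
        value = _first_param(encoded, PARAM)
        if value is not None:
            return value
    return None


def decide_tracking(dnt_header, url, post_body=None, agreed_values=frozenset()):
    """Apply the draft's rules for a server that honours recognised overrides.

    Returns (may_disregard_dnt, tracking_header_value):
      may_disregard_dnt     True when no DNT: 1 signal blocks tracking for this request
      tracking_header_value "1", "0", or None when the draft prescribes no header
    `agreed_values` holds non-"1" override values the first and third party have agreed on
    (hypothetical; the draft leaves these to bilateral agreement).
    """
    if dnt_header != "1":
        # Draft rules only speak to requests that carry DNT: 1; nothing to override.
        return (True, None)
    override = extract_dnt_override(url, post_body)
    if override is None:
        # DNT: 1 with no override: draft does not specify a Tracking header here.
        return (False, None)
    if override == TRACKING_ALLOWED or override in agreed_values:
        # Server disregards DNT: 1 and therefore MUST send Tracking: 1.
        return (True, TRACKING_ALLOWED)
    # Value without an agreement in place: MUST send Tracking: 0 and ignore the parameter.
    return (False, TRACKING_DENIED)


def response_headers(request_headers, url, post_body=None, agreed_values=frozenset()):
    """Build the response headers a third-party endpoint would add for one request."""
    _, tracking = decide_tracking(request_headers.get("DNT"), url, post_body, agreed_values)
    return {"Tracking": tracking} if tracking is not None else {}


if __name__ == "__main__":
    # Constructed sample requests to a hypothetical third-party pixel endpoint.
    agreed = frozenset({"user logged in"})
    samples = [
        ({"DNT": "1"}, "https://ad.example/pixel.gif?dnt-override=1", None),
        ({"DNT": "1"}, "https://ad.example/pixel.gif?dnt-override=user%20logged%20in", None),
        ({"DNT": "1"}, "https://ad.example/pixel.gif?dnt-override=retain%20for%201%20week", None),
        ({"DNT": "1"}, "https://ad.example/pixel.gif?dnt-override=", None),
        ({"DNT": "1"}, "https://ad.example/pixel.gif", "site=nyt&dnt-override=1"),
        ({}, "https://ad.example/pixel.gif", None),
    ]
    for headers, url, body in samples:
        print(headers.get("DNT"), url, body, "->", response_headers(headers, url, body, agreed))
```

The `agreed_values` set is where the bilateral "additional semantics" from the last paragraph of the draft would live; anything not in it falls through to the Tracking: 0 branch, which is the safe default when a first party sends a value the third party has never agreed to.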