- From: Tom Lowenthal <tom@mozilla.com>
- Date: Wed, 05 Oct 2011 10:06:26 -0700
- To: "public-tracking@w3.org" <public-tracking@w3.org>
- Message-ID: <4E8C8E92.1080007@mozilla.com>

Proposal is at:
https://people.mozilla.com/~tlowenthal/dnt/tpwg_action-8_proposal.md

---

Interpretation of the DNT signal by 3rd Parties
===============================================

Proposal to the W3C Tracking Protection Working Group

Authored by Thomas Lowenthal, Mozilla

Associated with [Action 8](http://www.w3.org/2011/tracking-protection/track/actions/8)

When a third party receives a request where

- they know that they are a third party, and
- the DNT signal is on,

that party **must not**:

- **store** any information about that request, or
- **use** any information previously stored,
    - which can be associated with the user or device making the request,
    - in order to produce or send the response, or
- **send** any information about that request, or
    - any information previously stored about the user or device making the request
    - to any other party,

but:

- such information **may** be **stored** ephemerally, only in order to produce and send the response to this specific request, and no longer,
- such information **may** be **stored** or **sent** if it is truly anonymous:
    - so that it is not possible to associate such information with either an individual or a device,
    - either directly, or in conjunction with other information or logs,
- such information **may** be **stored**, **used**, or **sent** in connection with a specific, permitted exemption, only if
    - only as much data is stored as is needed for that exemption,
    - data is stored only as long as is needed for that exemption, and
    - data so stored is only used for the purpose of that exemption,
- these restrictions do not apply if
    - the party has affirmative knowledge that the user making the request has opted back in to collection of data
        - by that party
        - on services operated by the first party from whom the request is referred;

that party **may**:

- **use** information plainly sent as part of that request, including for instance:
    - the IP address of the request,
    - the referrer header of the request,
    - the time of the request,
- when producing a response to request,

but that party **should not**:

- **use** such information plainly sent
    - to identify features of that user
    - which are not closely connected with such information plainly sent,
    - even if they can be deduced from the conjunction of such information plainly sent and other information sources,

and that party **must not**:

- **use** any information about the user wheresoever gained
    - to serve that user a targeted advertisement,
    - except that that party **may** use information about the page from which the request was sent
        - to serve an advertisement contextually related to the content of that page.

(for instance:

- that party **should not** use an IP address to estimate a ZIP code, look up a ZIP code, or to look up the user with that IP, in order to estimate the user's income and education level, then use that information to select a targeted advertisement,
- but that party **may** use an IP address to estimate a country, and use that information to estimate which language in which to display the page,
- or, knowing that the request is coming from a New York Times article regarding beaches in the Bahamas, serve an advertisement related to holidays in the Bahamas).

Received on Wednesday, 5 October 2011 17:07:12 UTC