[Issue-5][Action-78] Remember to forget me


Write-up of the "Remember to forget me" definition. This first draft 
focuses on a definition addressing the collection of data by third 
parties. The main idea is to keep the log entries with DNT:1 and to flag 
them to quickly de-identify them when they are not longer covered  by an 

Server Logs

- A 3rd party MAY log request received with DNT:1. If such request is 
logged, the third party MUST keep the header DNT:1 in the logs.
- A 3rd party operator SHOULD not infer information from/about a user 
who send DNT=1.
- After the retention period corresponding to each of the exemption has 
been reached, the 3rd party operator MUST erase the referrer header of 
entries flagged with DNT:1 and either erase or de-identify the rest of 
the entry.  -   To de-identify the data, the 3rd party operator MUST 
replace semi-identifiers by fix values  (i.e IP=, UA=ZZZ).
- When a 3rd party aggregates logs, it MUST either not process the 
entries flagged with DNT:1 or de-identify them beforehand.
- A 3rd party receiving DNT:1 MUST not personalize the response based in 
user ID.

User Agent

- A User-Agent sending DNT:1 MAY prevent the transmission of cookies and 
other identifiers that are sent with the request.
-- A User-Agent receiving a "non tracking" response from a 3rd party 
operator SHOULD not modify its state regarding this 3srd party (local 
storage, cookie, cache,...).

Received on Thursday, 2 February 2012 17:28:33 UTC