- From: Jonathan Mayer <jmayer@stanford.edu>
- Date: Fri, 3 Feb 2012 15:52:56 -0800
- To: Tom Lowenthal <tom@mozilla.com>
- Cc: Lauren Gelman <gelman@blurryedge.com>, Justin Brookman <justin@cdt.org>, public-tracking@w3.org
Substantively, I'm in general agreement. In the interest of analytical consistency and not conflating issues, I'd avoid siting this content in the high-level compliance section. I'd instead locate the discussion of personalization by IP geolocation, user-agent, and referrer in a contextual personalization exception. Jonathan On Feb 3, 2012, at 3:34 PM, Tom Lowenthal wrote: > ACTION-65 ISSUE-39 > > Proposed text. Compare with text currently in > [S-4.1.2](http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#third-party-compliance) > > ~~~~ > ### Compliance by a third party {#third-party-compliance} > > If the operator of a third-party domain receives a communication to > which a [DNT-ON] header is attached: > > 1. that operator MUST NOT collect or use information related to that > communication outside of the explicitly expressed exceptions as defined > within this standard; > 2. that operator MUST NOT use information about previous communications > in which the operator was a third party, outside of the explicitly > expressed exceptions as defined within this standard; > 3. that operator [MUST NOT or SHOULD NOT] retain information about > previous communications in which the operator was a third party, outside > of the explicitly expressed exceptions as defined within this standard. > > #### Non-Normative Discussion > > It is acceptable to use data sent as part of this particular network > interaction when composing a response to a [DNT-ON] request, but it is > not acceptable to store that data any longer than needed to reply. For > instance, it would be appropriate to use an IP address to guess which > country a user is in, to avoid showing them an advertisement for > products or services unavailable where they live. > > When using request-specific information to compose a reply, some levels > of detail may feel invasive to users, and may violate their expectations > about Do Not Track. These sorts of detailed assessments should be avoided. > > *Reasonable behavior*: A user visits you from an IP address which a > general geo-IP database suggests is in the NYC area, where it is 6pm on > a Friday. You choose to show an advertisement for theaters and > restaurants in the area. > > *Invasive behavior*: A user visits you from an IP address which suggests > that they are in a particular ZIP+4, which has a distinctive demographic > profile. Their user-agent indicates that they are a Mac user, further > narrowing their expected profile. You serve them an ad for business > within a few blocks of them which specializes in items which their > expected profile indicates they may enjoy. > > In this example, even though the decision about which ad to serve was > based exclusively on request specific information, but was still > tailored to a highly-specific user profile. In particular, the > estimation of a user's location to within a single ZIP+4 may make a user > feel that they are being followed closely, even if the decision was made > on the fly, and the information was only held ephemerally. > > ~~~ >
Received on Friday, 3 February 2012 23:53:31 UTC