- From: Matthias Schunter <mts@zurich.ibm.com>
- Date: Mon, 16 Jan 2012 18:00:40 +0100
- To: John Simpson <john@consumerwatchdog.org>
- CC: public-tracking@w3.org
Hi All,

I gave this another thought and I now have the impression that SHOULD may be sufficient. A wording like:

If a site receives a DNT:1 request header, then it SHOULD send a DNT response header. (header details defined elsewhere)

Reasoning:

1. In order to be compliant, a site needs to satisfy the compliance and DNT specs.
2. A site that is compliant with the above wording honors a DNT=1 request but may not send a corresponding acknowledgement (for whatever reason).

The result would be that a site sufficiently protects privacy (according to the compliance spec) while not advertising the fact. This will make users assume the worst (i.e., that DNT=1 was not honored). While this is not optimal, it at least ensures that the site provides more privacy than promised, which I believe to be OK from a privacy perspective.

A benefit of SHOULD is that sites could improve their data collection/retention/usage first to satisfy the compliance spec and then later do further upgrades to provide transparency/notice. An example would be a site that never stores anything while ignoring DNT. Similar to today's practice that privacy policies usually over-state the potential uses of the collected data.

What do you think?

Regards,
matthias

On 12/20/2011 9:58 PM, John Simpson wrote:
> Agree that if request header is DNT=1, then a site MUST send a
> response header to be compliant.
>
Received on Monday, 16 January 2012 17:01:14 UTC
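The two behaviours the message contrasts (honouring DNT=1, and acknowledging it in a response header) can be separated in code. The following is an added illustration, not code from the mailing-list thread or from the W3C specifications: a minimal request handler that always honours a DNT: 1 request but only optionally acknowledges it, beside the user-agent-side reading that "assumes the worst" when no acknowledgement arrives. The acknowledgement header name is an assumption: the email leaves header details to another document, so the example uses the `Tk` header (`N` = not tracking, `T` = tracking) that the Tracking Preference Expression specification later defined.

```python
"""Added example: honouring DNT: 1 (MUST) versus acknowledging it (SHOULD).

Not code from the mailing-list post.  The acknowledgement is assumed to be
carried in the "Tk" response header (values "N" and "T") as later defined
by the Tracking Preference Expression spec; the email itself leaves the
header details to another document.
"""
from typing import Dict, Tuple

ACK_HEADER = "Tk"  # assumption: response header used to acknowledge DNT


def handle_request(headers: Dict[str, str],
                   acknowledge: bool = True) -> Tuple[Dict[str, str], bool]:
    """Return (response_headers, tracking_enabled) for one request.

    A compliant site must honour DNT: 1, so no tracking identifier is set
    whenever the header is present.  Sending the acknowledgement header is
    the SHOULD from the email: a site may honour DNT without advertising it
    (acknowledge=False), which is the case the message argues is acceptable.
    """
    # HTTP header names are case-insensitive; normalise before the lookup so
    # "dnt: 1" from a proxy is not silently treated as "no preference".
    normalised = {name.lower(): value.strip() for name, value in headers.items()}
    dnt = normalised.get("dnt", "")

    response: Dict[str, str] = {"Content-Type": "text/html"}
    if dnt == "1":
        tracking = False  # honour the request: no tracking cookie, no profile
        if acknowledge:
            response[ACK_HEADER] = "N"
    else:
        tracking = True
        # constructed sample identifier, standing in for a real tracking cookie
        response["Set-Cookie"] = "uid=constructed-example-id; HttpOnly"
        if acknowledge:
            response[ACK_HEADER] = "T"
    return response, tracking


def user_agent_view(response: Dict[str, str], sent_dnt: bool) -> str:
    """How a user agent can read the response it gets back.

    Without an explicit "N" the client cannot distinguish a site that honoured
    DNT quietly from one that ignored it, so it assumes the worst.
    """
    if not sent_dnt:
        return "not-requested"
    value = response.get(ACK_HEADER)
    if value == "N":
        return "honored"
    if value == "T":
        return "ignored"
    return "unknown-assume-tracked"


if __name__ == "__main__":
    for hdrs, ack in ({"DNT": "1"}, True), ({"dnt": "1"}, False), ({}, True):
        resp, tracking = handle_request(hdrs, acknowledge=ack)
        print(hdrs, ack, "->", resp, tracking, user_agent_view(resp, "dnt" in {k.lower() for k in hdrs}))
```

The second case in the usage loop is the situation the email describes: the site sets no tracking identifier, yet the user agent reports `unknown-assume-tracked` because nothing in the response says so. Whether that gap is acceptable is exactly the SHOULD-versus-MUST question under discussion; the code only makes the two obligations visible as separate decisions.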