- From: Rigo Wenning <rigo@w3.org>
- Date: Tue, 17 Jan 2012 11:33:43 +0100
- To: public-tracking@w3.org
- Cc: Matthias Schunter <mts@zurich.ibm.com>

Matthias,

the feedback mechanism is needed to record the consent. So in case you want to record consent, there MUST be a response on DNT=1.

Next is that if a browser sends DNT=1 and gets no response, it may want to turn on Tor.

I mean this as caveats that we may want to note down somewhere, not as an opposition to a "SHOULD". People should be aware that a browser may react if DNT=1 or DNT=0 is not acked...

Best,

Rigo

On Monday 16 January 2012 18:00:40 Matthias Schunter wrote:
> Hi All,
>
>
> I gave this another thought and I now had the impression that SHOULD
> may be sufficient. A wording like:
> If a site receives a DNT;1 request header,
> then it SHOULD send a DNT response header.
> (header details defined elsewhere)
>
> Reasoning:
> 1. In order to be compliant, a site needs to satisfy the compliance
> and DNT specs
> 2. A site that is compliant with above wording honors a DNT=1 request
> but may not send a corresponding acknowledgement (for whatever reason)
>
> The result would be that a site sufficiently protects privacy
> (according to the compliance spec) while not advertising the fact.
> This will make users assume the worst (i.e., that DNT=1 was not honored).
>
> While this is not optimal, it at least ensures that the site provides
> more privacy than promised which I believe to be OK from a privacy
> perspective.
>
> A benefit of SHOULD is that sites could improve their data
> collection/retention/usage first to satisfy the compliance spec and
> then later do further upgrades to provide transparency/notice. An
> example would be a site that never stores anything while ignoring DNT.
> Similar to today's practice that privacy policies usually over-state
> the potential uses of the collected data.
>
> What do you think?
>
>
> Regards,
> matthias
>
> On 12/20/2011 9:58 PM, John Simpson wrote:
> > Agree that if request header is DNT=1, then a site MUST send a
> > response header to be compliant.

Received on Tuesday, 17 January 2012 10:34:11 UTC