Re: action-307, issue-119, absolutely not tracking

Just as a point of clarification here I am noticing some language I
believe to be technically incorrect entering into the discussion.  To be
clear - "short term collection" is NOT an exception; it is a permitted use.

This actually highlights another issue.  For consistency we may need to
change the language around user granted "exceptions" because they aren't
really exceptions.  An exception would be a special dispensation to
process a DNT: 1 signal differently than would otherwise be allowed.
Alternatively a UGE will change the UA's rendering of the DNT signal to
DNT: 0 for some set of user granted domains.  When those sites receive
DNT: 0 they aren't operating under an exception to a DNT: 1 condition,
they are operating under DNT: 0.  Again, compliance is defined around what
you do when you get a DNT: 1.  Actually getting DNT: 0 is not an exception
to DNT: 1, as DNT: 1 is per the spec not a default.  UGE sites never get
DNT: 1 which means they aren't looking for an exception for DNT: 1.  They
only need to follow any specific rules for DNT: 0.

Out of Band Consent might be an "exception", because the site actually
receives DNT:1, but UGEs aren't an exception for DNT:1; they are the
"rule" for DNT: 0.



Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the
Wunderman Network
(Tel) 678 580 2683 | (Mob) 678 492 1662 |

This email ­ including attachments ­ may contain confidential information.
If you are not the intended recipient,
 do not copy, distribute or act on it. Instead, notify the sender
immediately and delete the message.

On 11/8/12 9:24 AM, "David Singer" <> wrote:

>Hi David
>On Nov 8, 2012, at 15:11 , David Wainberg <>
>> Hi David,
>> I realize you've proposed non-normative. Consider this largely directed
>>at the issue in general.
>That was the action, yes, after discussion in Amsterdam.
>> <broken record>
>> We have not defined tracking.
>well, much to my puzzlement I have offered a definition (ages ago), that
>sought to 'limit the playing field'.  That is, I tried to say "if you are
>outside this, you are not tracking and hence not our concern" rather than
>saying "if you are inside this definition, you are tracking".  There was
>some pushback before I clarified this.  I think it helps both us and the
>community to have such a 'gateway' at the front the spec.
>It is linked from this thread
>> So how then are we to identify sites that perform no tracking? At best
>>we might allow sites to say that they believe they are not subject to
>>any requirements of the standard. But why wouldn't they be unless they
>>are collecting and using no data at all?
>That's certainly one, easy, case.  The most likely, I think, is that they
>keep short-term logs, so the 'third-party with the short-term raw data
>retention exception' is the most likely case by far.
>> Is that what this is for? But surely these sites collect server logs
>>and such that contain information about users' activity across
>>unaffiliated websites, and is therefore subject to the same risks or
>>harms group members have ascribed to the same data in the hands of third
>>party advertising companies.
>Yes, if they keep raw data indefinitely, or cooked data in which users
>can be identified, they are not 'simple non-tracking sites', alas.
>I know many sites don't engage in 'deliberate' tracking, i.e. the reason
>that they keep data is not a priori to keep records about people.  But a
>loophole that says "it's OK to have all the ingredients to make X, as
>long as you don't actually make X or allow the ingredients to be accessed
>by someone else" is not a great one to leave open (in any area).  Ideas
>are welcome.
>Lacking a better idea, the best I can see is '3' for non-logging sites,
>'3 + short-term raw-data' for logging sites.
>> </broken record>
>> -David
>> On 11/7/12 12:35 PM, David Singer wrote:
>>> (The issue asks for normative text, the action for non-normative, this
>>>is non-normative).  We need to tell sites that basically are not in the
>>>tracking business what they need to doŠ
>>> There are circumstances in which sites will appear in as third parties
>>>in a transaction, but those sites perform little or no tracking. Such
>>>sites might include those providing libraries of resources, such as
>>>scripts, style-sheets, or images, or sites providing content intended
>>>to be 'mashed up' into other sites. Unfortunately, it is not possible
>>>to distinguish, among the sites that do not implement Do Not Track,
>>>those that track but do not (yet) implement DNT, and sites that do not
>>> For this reason, it is recommended that these non-tracking sites
>>>implement a static well-known resource and/or a static DNT response
>>>header, indicating their status. The recommended status is '3' (fully
>>>third-party compliant, with no qualifiers and no permissions claimed)
>>>or '3s' (third party, claiming only the short-term logging permission).
>>> If logging is performed, then complying with the requirements for
>>>short-term logging may be necessary, to be compliant under these
>>> David Singer
>>> Multimedia and Software Standards, Apple Inc.
>David Singer
>Multimedia and Software Standards, Apple Inc.

Received on Thursday, 8 November 2012 15:31:23 UTC