ACTION-277 - suggested clean-up of the intro to compliance 6.1

[number the intro section 6.1, so it can be referred to!]

If a third party receives a communication to which a DNT:1 header is attached, that third party may nevertheless collect, use, and retain information related to that communication for these permitted uses:

[list the permissions from the following sub-sections]

These permitted uses and requirements are further discussed below.

[then replace this:]

As long as there is:

	• No Secondary Use
	• Data Minimization and Transparency
	• Reasonable Security
	• No Personalization

[with:]

For all permitted uses, the following restrictions apply:
1. Data collected for a permitted use must not be used for any other use; the organization collecting the data must take reasonable measures (including using reasonable data protection measures) to protect the data from other uses;
2. The data collected must be reasonably necessary for the permitted use;
3. The data must be retained only as long as reasonably needed for the permitted use.

The privacy policy, or similar document, must provide transparency on the permitted use, documenting both the nature of the data retained and the period used.

Note that a contract, other specification, or industry practice might be a reference of reasonable need for the data or period, but may not suffice if its requirements are not reasonable.


David Singer
Multimedia and Software Standards, Apple Inc.

Received on Wednesday, 3 October 2012 12:09:03 UTC