- From: Matthias Schunter (Intel Corporation) <mts-std@schunter.org>
- Date: Thu, 13 Jun 2013 10:22:42 +0200
- To: Ronan Heffernan <ronansan@gmail.com>
- CC: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
- Message-ID: <51B98152.30704@schunter.org>
Hi Ronan, Quick question: Do you only need a change in collection/retention time to 48h or would you also require to set a ID cookie? (i.e., loosely speaking "acting like DNT;0" for 48h and then cleaning up)? In the latter case (also 48h permission to set cookies), I would need to change the proposed text for this permitted use. Matthias -------- Original Message -------- Subject: Re: ACTION-415 Provide text proposal regarding limitations on using a Potential Consent signal Date: Wed, 12 Jun 2013 16:32:55 -0700 From: Jonathan Mayer <jmayer@stanford.edu> To: Matthias Schunter (Intel Corporation) <mts-std@schunter.org> CC: public-tracking@w3.org Just to remain clear from today's call, I'm not sold on the "P" flag. The technical need appears limited (especially if ID cookies aren't allowed for DNT: 1 and no consent), and the risk of abuse seems not insignificant. Jonathan On Wednesday, June 12, 2013 at 1:54 PM, Matthias Schunter (Intel Corporation) wrote: > Hi Team, > > > as expressed in the call, I would like to ensure that > (a) The "P" flag only relaxes the requirements on > transparency/notification. > (b) The "P" flag does not give you any extra leeway/permisson to > collect or track > > As a consequence, I suggest to split this text into two orthogonal pieces: > (A) A "P" flag that allows delayed notification (without any > additional permitted use) > (B) A permitted use for keeping data for "48h" (or some other > short-term retention). > > Text proposals for (A): > > Normative: "A tracking status value of P indicates that a site is > following third party rules ("3"), except for users who have given > prior consent. Unlike /*C*/, the origin server does not know, in > real-time, whether it has received prior consent for tracking this > user, user agent, or device. Since this status value does not itself > indicate whether consent has been received for a specific user, an > origin server that sends a |P| tracking status value /must/ provide an > |edit > <http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#dfn-edit>| member > in the corresponding tracking status representation that links to a > resource for obtaining consent status." > > Non-Normative: The |P| tracking status value is specifically meant to > address audience survey systems for which determining consent at the > time of a request is either impractical, due to legacy systems not > being able to keep up with Web traffic, or potentially "gamed" by > first party sites if they can determine which of their users have > consented. The data cannot be used for the sake of personalization. If > consent can be determined at the time of a request, the |C > <http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#dfn-c>|tracking > status should be used. *If an origin server subsequently determines > that it does not have prior consent to track a user, the origin server > may not then disregard the user's DNT:1 signal; rejections of DNT:1 > signals must be made in real-time, using the tracking status value of > D defined in 5.2.8.* > > > Text proposal for (B): > (SOME FLAG) This permitted use allows third parties to temporarily > keep data for 48h. After this time (unless consent has been obtained), > the third party compliance rules > must be satisfied. > > > Opinions/Feedback? > > Matthias > > > On 12/06/2013 17:02, Justin Brookman wrote: >> >> >> I propose to add the bolded sentence to 5.2.7 of the TPE on >> Potential Consent. >> >> >> 5.2.7 Potential Consent (P) >> >> A tracking status value of P means that the origin server does not >> know, in real-time, whether it has received prior consent for >> tracking this user, user agent, or device, but promises not to use or >> share any |DNT:1| data until such consent has been determined, and >> further promises to delete or de-identify within forty-eight hours >> any |DNT:1| data received for which such consent has not been received. >> >> Since this status value does not itself indicate whether a specific >> request is tracked, an origin server that sends a |P| tracking status >> value /must/ provide an |edit >> <http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#dfn-edit>| member >> in the corresponding tracking status representation that links to a >> resource for obtaining consent status. >> >> The |P| tracking status value is specifically meant to address >> audience survey systems for which determining consent at the time of >> a request is either impractical, due to legacy systems not being able >> to keep up with Web traffic, or potentially "gamed" by first party >> sites if they can determine which of their users have consented. The >> data cannot be used for the sake of personalization. If consent can >> be determined at the time of a request, the |C >> <http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#dfn-c>|tracking >> status is preferred. *If an origin server subsequently determines >> that it does not have prior consent to track a user, the origin >> server may not then disregard the user's DNT:1 signal; rejections of >> DNT:1 signals must be made in real-time, using the tracking status >> value of D defined in 5.2.8.* >> >
Received on Thursday, 13 June 2013 08:23:07 UTC