Re: ACTION-415 Provide text proposal regarding limitations on using a Potential Consent signal

I don't understand the reference to the 'D' status;  the last sentence should read, in my opinion

 If an origin server subsequently determines that it does not have prior consent to track a user, the origin server MUST then respect the user's DNT:1 signal (and signal so).


In addition, and missing here

When the 'P' status value is signaled, the 'edit' member of the well-known resource must give a URL in which the user can (possibly with some latency) find their actual status.

(in discussion on the call, that page might say 'please wait while we retrieve your information';  I think we set an outer limit of how log, but I cannot recall what it was)


On Wednesday, June 12, 2013 at 1:54 PM, Matthias Schunter (Intel Corporation) wrote:

> Hi Team,
> 
> 
> as expressed in the call, I would like to ensure that 
>  (a) The "P" flag only relaxes the requirements on transparency/notification.
>  (b) The "P" flag does not give you any extra leeway/permisson to collect or track
> 
> As a consequence, I suggest to split this text into two orthogonal pieces:
>  (A) A "P" flag that allows delayed notification (without any additional permitted use)
>  (B) A permitted use for keeping data for "48h" (or some other short-term retention).
> 
> Text proposals for (A):
> Normative: "A tracking status value of P indicates that a site is following third party rules ("3"), except for users who have given prior consent. Unlike C, the origin server does not know, in real-time, whether it has received prior consent for tracking this user, user agent, or device. Since this status value does not itself indicate whether consent has been received for a specific user, an origin server that sends a P tracking status value must provide an edit member in the corresponding tracking status representation that links to a resource for obtaining consent status."
> Non-Normative: The P tracking status value is specifically meant to address audience survey systems for which determining consent at the time of a request is either impractical, due to legacy systems not being able to keep up with Web traffic, or potentially "gamed" by first party sites if they can determine which of their users have consented. The data cannot be used for the sake of personalization. If consent can be determined at the time of a request, the C tracking status should be used. If an origin server subsequently determines that it does not have prior consent to track a user, the origin server may not then disregard the user's DNT:1 signal; rejections of DNT:1 signals must be made in real-time, using the tracking status value of D defined in 5.2.8.
> 
> 
> Text proposal for (B):
> (SOME FLAG) This permitted use allows third parties to temporarily keep data for 48h. After this time (unless consent has been obtained), the third party compliance rules 
>     must be satisfied.
> 
> 
> Opinions/Feedback?
> 
> Matthias
> 

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Friday, 14 June 2013 23:00:59 UTC