- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Sat, 29 Jun 2013 17:47:45 +0100
- To: <public-tracking@w3.org>
- Cc: <rob@blaeu.com>
- Message-ID: <002101ce74e8$62894100$279bc300$@baycloud.com>
Of course, for the cookie to be used as a signal to embedded third-parties, browsers would need to support the functionality of detecting the W3CTP name and inserting a clone of it in distributary third-party requests. I have amended the text accordingly.

Mike

6.12 Out-of-Band Consent

This section is non-normative.

An origin server may provide other mechanisms for establishing, modifying or revoking out-of-band consent for tracking. It would be helpful for transparency, and therefore trust in the web, if these mechanisms used similar definitions and elements.

One such method could be based on the use of an HTTP cookie (as described in RFC 6265) to register and signal user agreement. The origin server would cause a particular named cookie to be stored in the user agent indicating the user had given consent for tracking. In addition, if user agents implement enhancements whereby a cloned copy of the cookie is inserted into distributary third-party requests, it could also signal that they had not given consent in situations where absence of DNT must be assumed to signify DNT:1 (as in the EU).

It is recommended that this cookie should have the name W3CTP and have a value that starts with the characters "C=0" or "C=1" to make the fact of a user consent state transparent to regulators, user agents and users. The rest of the cookie value could be anything the implementer decides.

The standard "Expires" attribute can be used so that the user agent removes the cookie after a period, causing the user's registered consent signal to lapse. A copy of this attribute could also be encoded in the cookie's value so the server can determine when the consent signal is about to be removed.

The server would use the presence of such a cookie in the cookies header of subsequent HTTP requests to indicate that the user had given consent. If the cookie is absent or its value does not start with "C=1" this indicates to the server that the user has not given consent.

If the value starts with "C=0" this also indicates that consent has not been given, but it could be a signal to third-parties that the data controller of the containing first-party page had reason to assume the transaction was subject to EU law so consent was required, but had not been obtained.
Received on Saturday, 29 June 2013 16:48:18 UTC
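
The server-side reading of the W3CTP cookie described in the message above, as an added example that is not part of the original post. The `&exp=` field inside the value, the state names and the fail-closed handling of duplicate cookies are assumptions; the proposal leaves the rest of the value to the implementer.

```python
from datetime import datetime, timezone
from email.utils import format_datetime

COOKIE_NAME = "W3CTP"  # name recommended in the proposal (case-sensitive)


def build_set_cookie(consented, expires):
    """Build a Set-Cookie value; the '&exp=<epoch>' suffix is an assumed layout."""
    flag = "C=1" if consented else "C=0"
    value = f"{flag}&exp={int(expires.timestamp())}"
    http_date = format_datetime(expires, usegmt=True)  # expires must be UTC
    return f"{COOKIE_NAME}={value}; Expires={http_date}; Path=/"


def w3ctp_values(cookie_header):
    """Return every W3CTP value found in a Cookie request header."""
    values = []
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")  # split on first '=' only
        if sep and name == COOKIE_NAME:
            values.append(value)
    return values


def consent_state(cookie_header):
    """Map a Cookie header to 'consent', 'explicit-no-consent' or 'no-consent'."""
    values = w3ctp_values(cookie_header or "")
    # Assumption: duplicates fail closed, so every copy must start with "C=1".
    if values and all(v.startswith("C=1") for v in values):
        return "consent"
    if any(v.startswith("C=0") for v in values):
        return "explicit-no-consent"  # consent was required but not obtained
    return "no-consent"  # cookie absent, or value has no recognised prefix


def seconds_to_lapse(value, now):
    """Seconds until the embedded expiry copy, or None if the value has none."""
    for field in value.split("&"):
        key, _, raw = field.partition("=")
        if key == "exp" and raw.isdigit():
            return int(raw) - int(now.timestamp())
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from the mailing-list post.
    expiry = datetime(2014, 1, 1, tzinfo=timezone.utc)
    print(build_set_cookie(True, expiry))
    print(consent_state("sid=abc; W3CTP=C=1&exp=1388534400"))
```
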