Of course, for the cookie to be used as a signal to embedded third-parties,
browsers would need to support the functionality of detecting the W3CTP name
and inserting a clone of it in distributary third-party requests. I have
amended the text accordingly.







6.12 Out-of-Band Consent


This section is non-normative.


An origin server may provide other mechanisms for establishing, modifying or
revoking out-of-band consent for tracking. It would be helpful for
transparency, and therefore trust in the web, if these mechanisms used
similar definitions and elements.


One such method could be based on the use of an HTTP cookie (as described in
RFC 6265) to register and signal user agreement. The origin server would
cause a particular named cookie to be stored in the user agent indicating
the user had given consent for tracking. In addition, if user agents
implement enhancements whereby a cloned copy of the cookie is inserted into
distributary third-party requests, it could also signal that they had not
given consent in situations where absence of DNT must be assumed to signify
DNT:1 (as in the EU). 


It is recommended that this cookie should have the name W3CTP and have a
value that starts with the characters "C=0" or "C=1" to make the fact of a
user consent state transparent to regulators, user agents and users. The
rest of the cookie value could be anything the implementer decides. The
standard "Expires" attribute can be used so that the user agent removes the
cookie after a period, causing the user's registered consent signal to lapse.
A copy of this attribute could also be encoded in the cookie's value so the
server can determine when the consent signal is about to be removed. 


The server would use the presence of such a cookie in the cookies header of
subsequent HTTP requests to indicate that the user had given consent. If the
cookie is absent or its value does not start with "C=1" this indicates to
the server that the user has not given consent. If the value starts with
"C=0" this also indicates that consent has not been given, but it could be a
signal to third-parties that the data controller of the containing
first-party page had reason to assume the transaction was subject to EU law
so consent was required, but had not been obtained.










Received on Saturday, 29 June 2013 16:48:18 UTC
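
The server-side reading of the W3CTP cookie proposed in the message above, as an added example that is not part of the original e-mail or of any specification text. The `&E=<unix seconds>` layout for the embedded copy of Expires, the state names, and the choice to refuse consent when duplicate W3CTP cookies disagree are assumptions made for illustration.

```python
import time

COOKIE_NAME = "W3CTP"  # cookie name recommended in the proposed text

def w3ctp_values(cookie_header):
    """Return every W3CTP value found in a Cookie request header."""
    values = []
    for pair in (cookie_header or "").split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name == COOKIE_NAME:   # exact, case-sensitive name match
            values.append(value.strip('"'))
    return values

def embedded_expiry(value):
    """Assumed layout 'C=1&E=<unix seconds>'; None when no E field exists."""
    for field in value.split("&")[1:]:
        key, _, raw = field.partition("=")
        if key == "E" and raw.isdigit():
            return int(raw)
    return None

def consent_state(cookie_header, now=None):
    """Classify a request: 'consent', 'no-consent' or 'no-consent-signalled'."""
    now = time.time() if now is None else now
    values = w3ctp_values(cookie_header)
    if not values:
        return "no-consent"               # cookie absent
    # Several same-named cookies can arrive (different Path or Domain scope);
    # any C=0 copy wins so that a stray C=1 cannot override it.
    if any(v.startswith("C=0") for v in values):
        return "no-consent-signalled"     # explicit C=0 signal
    for v in values:
        if not v.startswith("C=1"):
            return "no-consent"           # value is neither C=0 nor C=1
        expiry = embedded_expiry(v)
        if expiry is not None and expiry <= now:
            return "no-consent"           # embedded expiry has already passed
    return "consent"

if __name__ == "__main__":
    # Constructed sample Cookie headers, not captured traffic.
    for header in (None, "sid=abc; W3CTP=C=1", "W3CTP=C=0", "W3CTP=C=1; W3CTP=C=0"):
        print(repr(header), "->", consent_state(header))
```
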