RE: change proposals

Thanks Nick (& Thomas) , 


That covers it very well (for my TPC changes).


I have added my answers to your questions in-line.




From: Nicholas Doty [] 
Sent: 29 June 2013 19:53
To: Mike O'Neill
Subject: Re: change proposals


Hi Mike,


There are a lot of changes here; I've done my best to categorize them


On Jun 20, 2013, at 2:21 PM, Mike O'Neill <>

1. Scope


Replace the term user-granted exception with user-granted tracking consent
throughout the document.




The word exception has a particular meaning in the context of software
program flow and will be confusing here particularly when JavaScript issues
are discussed. It is also not always an exception to a DNT general
preference because it can be specified when the general preference is unset.


We might consider this simply editorial, but since it would be a significant
change across both documents, and out of caution, I've opened an issue
(ISSUE-212) and created a change proposal on the wiki.


For what it's worth, I've heard similar requests from potential
implementers, with the same pair of reasons.

2. Definitions


In paragraph 5 a new item 3.


3. has no independent right to use or share the data.




The current wording is too broad especially when applied to data sharing. It
could be read as saying that data could be shared in order for "correct
operation" which could be construed to be for almost any purpose. The
ability to use a third party for security and integrity etc. is already
covered by item 2 "and used as directed by that client".

This is important because the use of persistent identifiers in first-party
contexts will take over the tracking role from third-party cookies and there
will be pressure for them to be shared to support cross-domain tracking.


This may be purely editorial if, as I believe the group has discussed
before, "used as directed" could encompass these debugging and security
uses. I've added this edit to:


A new set of definitions for persistent identifiers and duration. The term
unique user identifiershould be replaced by persistent identifier throughout
the document.


A persistent identifier is an arbitrary value held in the User-Agent whose
purpose is to identify the User-Agent in subsequent transactions to a
particular web domain. It may be encoded for example as the name or value
attribute of an HTTP cookie, as an item in localStorage or recorded in some
way in the cache.


The duration of a persistent  identifier is the maximum period of time it
will be retained in the User-Agent. This could be implemented for example
using the Expires or Max-Age attributes of an HTTP cookie so that it is
automatically deleted by the User-Agent after the specified time period is


Added to:




The original name in the TPC was persistent identifier which is a better
term, though it still needs defining. An identifier may not need to be
unique in order for it to be used for tracking, but it would have to be
persistent. We should qualify permitted uses so the duration of any
persistent identifiers is purpose limited.


This also connects to the duration requirement suggested on identifiers in
the permitted uses section (which you describe below), collected at:

A new paragraph 3.


A user agent MUST have a default tracking preference of unset (not enabled)
unless a specific tracking preference is implied by the decision to use that
agent, or another default preference is needed in order to comply with
applicable laws, regulations and judicial processes.




The original wording in the TPE, allowing the choice of a privacy oriented
user-agent, was better so why lose it, and it is possible that rights-based
jurisdictions like the EU with an assumed right to privacy may require
user-agents be supplied with DNT set by default.


It sounds like you're supportive of Justin's proposal that the group reply
on the full wording in the TPE; so I've added a link to your message to that
proposal on the wiki. If you have a distinct proposal, feel free to


Yes, that's fine. I already added it to Justin's text in the wiki.

In paragraph 4. Remove MUST ensure that the tracking preference choices
describe the parties to whom DNT applies




This is unclear. If it is about the difference between first and third
parties then it is irrelevant in Europe.


Perhaps the confusion is over the wording; that DNT applies to all parties
but has different requirements for different parties or within different
contexts. Is that right? Or are you proposing that UAs not be required to
describe anything about parties/contexts in describing DNT?


We should make it clearer. If it is about first-party/third-party
distinctions then we should ensure that UA text contains a reference that it
is subject to local law.

4. First Party Compliance


Replace sentence 1 to paragraph 1 with:

If a first party receives a DNT:1 signal it may react to it as if it were a
third-party as described in section 5 below, for example in order to comply
with applicable laws, regulations and judicial processes. Otherwise it MAY
engage in its normal collection and use of information.


Remove paragraph 3.




First-parties may be required to follow third-party procedures, or may elect
to off their own bat.


Apologies, I don't understand this change. You want to change the ordering
so that the "MAY follow third-party practices" is first and the "MAY engage
in its normal" is last? Or is there a substantive change here?


It was mainly editorial, I was just attempting to clarify that in the EU
first-parties may need to follow the same restrictions as third-parties, so
it may be a requirement as well as something they elect to.

Third Party Compliance: Remove  paragraphs 5 and 7.




No data should be collected when DNT is set unless it is for a permitted
use. If "and otherwise be linked to" ends up being removed from the
definition of de-identified data then this could create a gaping hole in the


Per Thomas's question, is this just a question about the definition of
de-identified? Or a change such that de-identified data cannot be collected?


Yes, this will get discussed when we debate the definition of


 5.1.2 Data Minimisation, Retention and Transparency


New paragraph 4.


If persistent identifiers are used then their duration should be limited to
the maximum necessary for such permitted use.




If a permitted use requires a persistent identifier then it does not need to
exist beyond the purpose of the permitted use. For example if it is
necessary to detect unique visitors for frequency capping the duration could
be no more than some number of minutes.


Added to

5.2 Permitted Uses


Add a new paragraph 5.


If a persistent identifier is required for any permitted use, for example in
order to identify a unique visitor for billing or frequency capping
purposes,  the duration of the persistent identifier should be limited to
the maximum necessary  for such permitted use.




Same as above.


I believe the general requirement for permitted uses is the correct place
for this change; if adopted, we wouldn't need to repeat it in the Permitted
Uses section as well.

I'm forwarding the other change proposals (which I believe Thomas had
identified as editorial) to the editors in case they can resolve them simply
by cleaning up language.




Received on Saturday, 29 June 2013 19:44:23 UTC