- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Fri, 15 Mar 2013 21:07:19 -0000
- To: <public-tracking@w3.org>, <rob@blaeu.com>, "Adrian Bateman" <adrianba@microsoft.com>, "David Singer" <singer@apple.com>, <ifette@google.com>, <haakonfb@opera.com>, <nmarnau@datenschutzzentrum.de>
- Message-ID: <03bd01ce21c1$1518e1c0$3f4aa540$@baycloud.com>
Another use-case for site specific DNT:1 came up at the Berlin Global Considerations meeting, which will also be a common occurrence outside of the EU.

The current API for site-specific exceptions only allows for the setting of DNT:0, or the registration of Tracking Consent, after a first-party site has established it. A user may be able to remove this exception, or revoke the consent for tracking, by using a user-agent specific UI but this may not be present in their particular browser and the form of the UI cannot be under the control or part of the user experience of the first-party site.

As there is no way with the current API to specify an expires or max-age qualifier and no way for a first-party site to programmatically revoke the signal we should extend the API so that, from script in the first-party domain origin, an existing DNT:0 signal can be reset to the general preference, allowing the site to register in the user-agent that consent has been revoked. This would be a minor increment to the work needed to implement a site-specific exception and should be done for consistency, and to meet the requirements of regulators at least in Europe.

The other use-case I previously pointed out was the ability for a first-party site in the EU to signal its embedded third-parties, in the case that the general preference is unset, that consent was required, for example because the first-party site or the user was in an EU jurisdiction, but had not been obtained. This would require the site-specific API to register DNT:1 so that the third-parties could take the correct course of action even if the DNT general preference was unset.

The site specific API should have the ability, for the document origin and a list of embedded third-parties (targets), to set the following:

- Set DNT to 0
- Set DNT to 1
- Set DNT to the General Preference i.e. 0, 1, or unset

This could be done, for example, by supplying another DOMString member to the StoreSiteSpecificExceptionPropertyBag dictionary, specifying either "set-dnt-0", "set-dnt-1" or "revoke". In the future we could add qualifiers to this such as ";Expires=Fri, 15-Mar-2013 21:47:38 GMT".

It would then be possible for script in the top-level origin to concatenate calls to the API, for instance to set DNT:1 for a set of domains and DNT:0 for a subset of them.

At the moment we do not have the ability to specify wild-cards or regex expressions for the targets but we do have a rudimentary way to do it by not supplying an arrayOfDomainStrings, equivalent to *.*. At some point we should add regex or wild-card functionality to the definition of arrayOfDomainStrings. This would also give sites the ability to identify embedded resources differentiated by more than just the domain origin.

-Mike
Received on Friday, 15 March 2013 21:07:59 UTC
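
As an added illustration (not part of the original message or of any W3C draft), the following JavaScript models how a user agent could resolve the three proposed settings when calls are concatenated. The member name `action`, the class `DntStore`, and the rule that a call without arrayOfDomainStrings replaces the site's earlier per-target entries are assumptions made for this example.

```javascript
// Toy model of a user agent's store for the proposed settings (illustrative only).
// `action` is a hypothetical name for the extra DOMString member the message proposes.
const ACTIONS = new Map([["set-dnt-0", "0"], ["set-dnt-1", "1"], ["revoke", null]]);

class DntStore {
  // generalPreference: "0", "1", or null when the user has not set DNT at all.
  constructor(generalPreference = null) {
    this.general = generalPreference;
    this.sites = new Map(); // first-party origin -> Map(target -> "0" | "1" | null)
  }

  // Models a call made by script running in the first-party origin `callerOrigin`.
  // Entries are keyed by that origin, so one site cannot alter another site's entries.
  store(callerOrigin, bag) {
    if (!ACTIONS.has(bag.action)) throw new TypeError(`unknown action: ${bag.action}`);
    const value = ACTIONS.get(bag.action);
    if (!this.sites.has(callerOrigin)) this.sites.set(callerOrigin, new Map());
    const rules = this.sites.get(callerOrigin);
    if (bag.arrayOfDomainStrings === undefined) {
      // No target list: applies to every target (the message's "*.*").
      // Assumption: this replaces any per-target entries stored earlier.
      rules.clear();
      rules.set("*", value);
    } else {
      for (const target of bag.arrayOfDomainStrings) rules.set(target, value);
    }
  }

  // DNT value for `target` when it is embedded on `site`; null means unset.
  effective(site, target) {
    const rules = this.sites.get(site);
    if (!rules) return this.general;
    const rule = rules.has(target) ? rules.get(target) : rules.get("*");
    return rule ?? this.general; // revoked or missing entry: use the general preference
  }
}

// Constructed scenario: general preference unset, consent required but not yet
// obtained (DNT:1 for all targets), then granted for one target and later revoked.
function demo() {
  const ua = new DntStore(null);
  const site = "https://news.example";
  ua.store(site, { action: "set-dnt-1" });
  ua.store(site, { action: "set-dnt-0", arrayOfDomainStrings: ["analytics.example"] });
  const before = [ua.effective(site, "ads.example"), ua.effective(site, "analytics.example")];
  ua.store(site, { action: "revoke", arrayOfDomainStrings: ["analytics.example"] });
  return { before, afterRevoke: ua.effective(site, "analytics.example") };
}
```
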