- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Tue, 20 Dec 2016 11:31:56 -0000
- To: "'Walter van Holst'" <walter@vanholst.com>, <public-tracking@w3.org>
I also think it is a good exercise to think through these requirements in an algorithmic way, i.e. to describe the "automated means" by which they would be implemented. Once that is done it will be a lot easier to describe them clearly in a "legalistic" compliance spec.

Also take a look at Recital 25 in ePrivacy, it mentions cookies "set for a short period of time" as being a possible exception to requiring consent.

-----Original Message-----
From: Walter van Holst [mailto:walter@vanholst.com]
Sent: 20 December 2016 10:44
To: public-tracking@w3.org
Subject: RE: ePrivacy & DNT

On 2016-12-20 10:39, Mike O'Neill wrote:

> One thing to consider is who a compliance spec is directed at. Of
> course there should be requirements on server (i.e. web application)
> implementations but the "elephant in the room" is how user agents
> should react to DNT. It is not only a signal to applications, browsers
> can react to it also, as they must do for a host of other signals,
> e.g. cache headers.

It may be a bit unusual for us to disagree, but I don't see any place for a compliance spec that puts specific requirements on user agents.

A compliance spec that would demand User Agents to shorten cookie lifespans makes no sense at all. Any server that would choose such a compliance spec can already shorten the cookie lifespan to a privacy-friendly period without asking the UA to do so. Conversely, a User Agent can already do so, regardless of how the server feels about DNT.

Regards,

Walter

Received on Tuesday, 20 December 2016 11:33:03 UTC