Re: Issue 35 (was Re: Issues for Monday Call)

On the call today we agreed to three changes to make it into the spec without going through a consensus process (and thus could make it into the current release rather than waiting for another draft).
 1. SHOULD -> MAY as per Shane
 2. Fix my drafting error from UA’s to parties, thank you David for that correction
 3. Add non-normative examples

Now that I look again this actually translates to leaving the base text alone more, and drops out 2 by making no changes with 1 in the first place. David, this should resolve things though is not what we agreed to, but I think you will find it even better.

Please consider this an open call to anyone who would like to include an example. I expect EFF, Rob, and Shane might have useful examples to contribute. Timeframe is short; David suggested one day or so for initial texts to start discussion. 

 ***

6.5.8 lives here: https://www.w3.org/TR/tracking-dnt/#rep.policy

My only addition is: “This URI may inform users of what changes for them between sending DNT:0 and DNT:1.” 

 ***

Proposed new version of 6.5.8 in full:

An origin server may send a property named policy with a string value containing a URI reference to a human-readable document that describes the relevant privacy policy for the designated resource. This URI may inform users of what changes for them between sending DNT:0 and DNT:1. The content of such a policy document is beyond the scope of this protocol and only supplemental to what is described in the machine-readable tracking status representation. If no policy property is provided, this information might be obtained via the links provided in controller <https://www.w3.org/TR/tracking-dnt/#dfn-controller>.

 ***

Proposal: let’s put this in an appendix with a pointer to it directly after 6.5.8 (“for examples, see Appendix.”) To do well, it is too long to plunk into the middle of the nice, clean spec. I expect it will need subheadings and leave that to editors’ discretion. I offer this as a starting point with edits / additions expected from others. Let’s give people a chance of implementing the easy things, at least, and suggestions on how to think about harder things.

This section is non-normative.
The policy property may contain a URI for an in-house description of Do Not Track practices, for example, http://www.example1.com/dnt.html which might contain something like this:

 Example1 does not collect or share personal information and does not have any third party content on our website. Consequently, nothing changes on our website if you turn on Do Not Track. This description is in accordance with California AB 370, a law that provides Do Not Track transparency. For more information, please see our <a href="http://www.example1.com/privacypolicy.html">privacy policy</a>.

Example1 would also send a Tk response header field of N to indicate they are not tracking, as described in section 6.2.5.


As another possibility, the policy property may simply contain a URI for a Do Not Track practice defined by a trade association or other group, for example, https://www.eff.org/dnt-policy.

Often, though, such policies are more comprehensive than lend themselves to easy reading by a user trying to make a Do Not Track decision. Another option is to provide your own short description plus a link to the longer policy. Rather than setting the policy property to the group’s policy, you might create your own http://www.example2.com/dnt.html containing something like this:

 Example2 collects and shares information in accordance with our <a href="http://www.example2.com/privacypolicy.html">privacy policy</a>, and we ordinarily compile a profile of your interests based on the articles you read on our site. If you have Do Not Track enabled, we follow the <a href="https://www.eff.org/dnt-policy">Electronic Frontier Foundation’s Do Not Track policy</a>, and we will delete your interest profile.
 We show ads to our visitors. Our advertisers follow the <a href="http://digitaladvertisingalliance.org/principles">DAA Self-Regulatory Principles</a>. We ask our Do Not Track users to consent to tracking by these advertisers to best support our website. If Do Not Track users will not grant permission for third-party tracking, we show ads from advertisers also following the EFF Do Not Track Policy.

Example2 could have a variety of Tk header responses. Here are a few possibilities:
 (a) a user in the US has a DNT:1 setting and the user did not consent to being tracked by third parties. Example2 would then follow the EFF policy and send a Tk header of N (see 6.2.5) to indicate no tracking.
 (b) a user in the US has either a DNT:0 setting, or is not sending any information about DNT. Example2 would follow their standard privacy policy, show ads from their normal DAA-member advertisers, and send a Tk header of T to confirm tracking.
 (c) a user in the US or EU has explicitly consented to being tracked. Example2 would show ads from their normal DAA-member advertisers, and send a Tk header of C (see 6.2.7) to indicate consent.
 (d) a user in the EU has a DNT:1 setting, or is not sending any information about DNT and the user did not consent to being tracked by third parties. Example2 would then follow the EFF policy and send a Tk header of N (see 6.2.5) to indicate no tracking.
 (e) a user in the EU has a DNT:0 setting. Example2 would follow their standard privacy policy, show ads from their normal DAA-member advertisers, and send a Tk header of C to indicate consent.

I think that needs to be a table but I have timed out right now. Perhaps someone else could do better, or I shall take this up again later today. Also to do: an example of how this might be presented to users.

 Aleecia

Received on Monday, 19 June 2017 17:46:45 UTC
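
The Tk choices in cases (a) to (e) of the message above, written out as a server-side decision function together with the matching tracking status representation. This is an added example, not part of the original message or of the specification; `parse_dnt`, `tk_value`, `respond` and the region labels are hypothetical names, the `tracking` property name is taken from the Tracking Preference Expression spec rather than from this message, and treating an unrecognised DNT value as "no signal" is an assumption.

```python
import json

POLICY_URI = "http://www.example2.com/dnt.html"  # Example2's page from the message


def parse_dnt(headers):
    """Return "0", "1", or None when the DNT field is absent or unrecognised."""
    value = headers.get("DNT", "").strip()
    # Assumption: anything that does not start with 0 or 1 counts as no signal.
    return value[:1] if value[:1] in ("0", "1") else None


def tk_value(region, dnt, consented):
    """Tk value Example2 would send, following cases (a)-(e)."""
    if region not in ("US", "EU"):
        raise ValueError("the message only covers US and EU users")
    if consented:
        return "C"  # (c) explicit consent, US or EU
    if dnt == "1":
        return "N"  # (a) US and (d) EU: DNT:1 without consent
    if region == "EU":
        # (e) DNT:0 is answered with C; (d) no DNT signal is answered with N.
        return "C" if dnt == "0" else "N"
    return "T"      # (b) US with DNT:0 or no DNT signal


def respond(region, headers, consented=False):
    """Return (response headers, tracking status representation as JSON)."""
    tk = tk_value(region, parse_dnt(headers), consented)
    status = {"tracking": tk, "policy": POLICY_URI}
    return {"Tk": tk}, json.dumps(status)


# Constructed sample requests: (case, region, request headers, consented)
SAMPLES = [
    ("a", "US", {"DNT": "1"}, False),
    ("b", "US", {}, False),
    ("c", "EU", {"DNT": "1"}, True),
    ("d", "EU", {}, False),
    ("e", "EU", {"DNT": "0"}, False),
]


def run_samples():
    """Map each case letter to the Tk value chosen for its sample request."""
    return {c: respond(r, h, ok)[0]["Tk"] for c, r, h, ok in SAMPLES}


if __name__ == "__main__":
    for case, tk in run_samples().items():
        print(case, tk)
```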