Copyright © 2011 W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark and document use rules apply.
This specification defines the meaning of a Do Not Track preference and sets out practices for websites to comply with this preference.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.
This is the First Public Working Draft, consisting of an outline of the issues raised so far by the working group with a few points raised during discussion.
This document was published by the Tracking Protection Working Group as a First Public Working Draft. This document is intended to become a W3C Recommendation. If you wish to make comments regarding this document, please send them to public-tracking@w3.org. All feedback is welcome.
Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
What are underlying user concerns, and goals, that we hope a tracking preference recommendation will address?
ISSUE-6: What are the underlying concerns? Why are we doing this / what are people afraid of?
ISSUE-8: How do we enhance transparency and user awareness?
Explain the scope of this tracking document in the context of Do Not Track.
Explain the success criteria. What do we want this specification to achieve?
ISSUE-10: What is a first party?
ISSUE-49: Third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party?
ISSUE-26: Providing data to 3rd-party widgets -- does that imply consent?
Options for discussion:
In addition, a domain that hosts a third-party visible widget or window that is clearly identified and branded as being controlled and operated by a party separate and distinct from the first party becomes a first party itself when a user engages in "meaningful interaction" with the window or widget.
There has also been a discussion whether we should distinguish between first and third party. Is this a useful road to go down?
A third party is any entity other than a first party as defined above. A user is neither a first party nor a third party.
Open questions:
Transactional data is information about the user's interactions with various websites, services, or widgets which could be used to create a record of a user’s system information, online communications, transactions and other activities, including websites visited, pages and ads viewed, purchases made, etc.
Our definition should be technology-independent (cookies, Flash cookies, etc.).
ISSUE-16: What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.)
ISSUE-5: What is the definition of tracking?
Note: This section will obviously be the topic of conversation and will need significant work; the current text merely represents a straw man and a starting point. It may be useful to decide, first, whether we are working to prevent XYZ or allow only ABC.
For now, we are using "behavioral tracking" as the term of interest in the scope of this document, though we may want to refer in all cases to "tracking" instead.
Behavioral tracking is the collection and retention of transactional data about the web-based activities of a particular user, computer, or device across non-commonly branded entities in a form that allows activities across non-commonly branded entities to be attributed to a particular user, computer, or device, over time, for any purpose other than the explicitly-excepted purposes specified below.
Depending on the conclusion of first vs. third parties issues, this definition of tracking may not include references to common branding.
We expect to discuss several activities as potential exemptions including the following:
Should we explicitly identify goals and use cases in order to evaluate these exemptions?
We may want to talk about including a data minimization piece in these exceptions.
For the purposes of this specification, here are some examples of activities associated with tracking:
ISSUE-7: What types of tracking exist, and what are the use cases for these types of tracking?
Should we address the association of first party data with third party data? What does this standard say about a first party associating offline data from a third party with their own data and then using that in targeting? How about the first party associating it with third party data and/or selling it to a third party?
ISSUE-34: Possible exemption for aggregate analytics
ISSUE-22: Still have "operational use" of data (auditing of where ads are shown, impression tracking, etc.)
ISSUE-23: Possible exemption for analytics
ISSUE-73: In order for analytics or other contracting to count as first-party: by contract, by technical silo, both silo and contract
ISSUE-24: Possible exemption for fraud detection and defense
ISSUE-25: Possible exemption for research purposes
ISSUE-28: Exception for mandatory legal process
ISSUE-75: How do companies claim exemptions and is that technical or not?
ISSUE-31: Minimization -- to what extent will minimization be required for use of a particular exemption? (conditional exemptions)
ISSUE-36: Should DNT opt-outs distinguish between behavioral targeting and other personalization?
ISSUE-74: Are surveys out of scope?
ISSUE-92: If data collection (even very specific with IP address, user agent, referrer) is time-limited, with very limited retention, is that still tracking?
ISSUE-72: Basic principle: independent use as an agent of a first party
ISSUE-89: Does DNT mean at a high level: (a) no customization, users are seen for the first time, every time. (b) DNT is about data moving between sites.
ISSUE-97: Re-direction, shortened URLs, click analytics -- what kind of tracking is this?
If we provide an exception for de-identified cross-site research/analytics, we will need to define de-identified data.
ISSUE-20: Different types of data, what counts as PII, and what definition of PII
Note: this may be irrelevant - the rest of the spec does not mention PII.
ISSUE-69: Should the spec say anything about minimal notice? (i.e., don't bury in a privacy policy)
One option for the definition of meaningful interaction is:
Options:
ISSUE-55: What is relationship between behavioral advertising and tracking, subset, different items?
ISSUE-17: Data use by 1st Party
ISSUE-30: Will Do Not Track apply to offline aggregating or selling of data?
ISSUE-54: Can first party provide targeting based on registration information even while sending DNT
ISSUE-59: Should the first party be informed about whether the user has sent a DNT header to third parties on their site?
ISSUE-9: Understand all the different first- and third-party cases.
ISSUE-91: Might want prohibitions on first parties re-selling data to get around the intent of DNT
This issue is being addressed in the Tracking Preference Expression specification.
ISSUE-95: May an institution or network provider set a tracking preference for a user?
If the operator of a third-party domain receives a request to which a DNT header is attached, that operator must not engage in behavioral tracking of that user UNLESS that operator has received the affirmative, informed consent of that user to be tracked and such consent has not been subsequently rescinded. If data is collected for an excepted purpose, the operator must not use that data for any other purpose.
If the operator of a third-party domain receives a request to which a DNT header is attached, that operator must not use previously collected behavioral tracking data to inform the third party's decision as to what content to render for the user in response to the request, or otherwise alter the user's experience based on the previously collected behavioral tracking data UNLESS that operator has received the affirmative, informed consent of that user to be tracked and such consent has not been subsequently rescinded.
If the operator of a third-party domain receives a request to which a DNT header is attached, that operator must/should/may delete previously collected behavioral tracking data about that user, EXCEPT that operator may retain previously generated reports based on data about aggregated behavioral tracking data from multiple users' data even if those reports were based in part on previously collected behavioral tracking data about that user.
ISSUE-19: Data collection / Data use (3rd party)
ISSUE-88: different rules for impression of and interaction with 3rd-party ads/content
ISSUE-32: Sharing of data between entities via cookie syncing / identity brokering
ISSUE-71: Does DNT also affect past collection or use of past collection of info?
This specification does not provide for heightened levels of protection for sensitive categories of data, including children's data.
ISSUE-15: What special treatment should there be for children's data?
How should tracking and the availability of choices regarding tracking be conveyed to users?
Is this in scope for the document?
ISSUE-41: Consistent way to discuss tracking with users (terminology matters!)
ISSUE-37: Granularity based on business types and uses
ISSUE-38: Granularity for different people who share a device or browser
ISSUE-66: Can user be allowed to consent to both third party and first party to override general DNT?
ISSUE-67: Should opt-back-in be stored on the client side? [Not sure this doesn't belong in the technical spec]
ISSUE-83: How do you opt out if already opted in?
ISSUE-93: Should 1st parties be able to degrade a user experience or charge money for content based on DNT?
If the operator of a third-party domain receives a request to which there is no DNT header attached but detects that it has set an "opt-out" cookie for that particular device, the operator may comply with the behavioral tracking prohibitions on third-party domains that receive the DNT header as specified in x.x (currently 4.3) of this specification, and must comply with the assurances that the operator previously made to the user in association with the user "opting out" from the third party and the setting of the opt-out cookie.
ISSUE-35: How will DNT interact with existing opt-out programs (industry self-reg, other)?
ISSUE-52: What if conflict between opt-out cookie and DNT?
ISSUE-53: How should opt-out cookie and DNT signal interact?
ISSUE-58: What if DNT is explicitly set to 0 and an opt-out cookie is present?
ISSUE-56: What if DNT is unspecified and an opt-out cookie is present?
ISSUE-57: What if an opt-out cookie exists but an "opt back in" out-of-band is present?
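The third-party rules above (no new behavioral tracking and no use of previously collected data when a DNT header arrives without consent, plus the opt-out cookie case) can be read as a request gate. The following is an added example, not part of the draft: the cookie names `optout` and `uid`, the in-memory profile store and the conservative handling of the open cases are assumptions, and the header value `1` comes from the companion Tracking Preference Expression specification.

```python
from http.cookies import SimpleCookie

OPT_OUT_COOKIE = "optout"  # hypothetical name; the draft names no cookie
UID_COOKIE = "uid"         # hypothetical identifier cookie

def parse_request(headers):
    """Return (dnt, uid, opted_out, referer) from a header dict of any case."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    jar = SimpleCookie()
    jar.load(h.get("cookie", ""))
    uid = jar[UID_COOKIE].value if UID_COOKIE in jar else None
    return h.get("dnt"), uid, OPT_OUT_COOKIE in jar, h.get("referer")

def tracking_allowed(headers, consented_uids):
    """Decide whether behavioral tracking may be applied to this request.

    consented_uids: identifiers whose users gave affirmative, informed
    consent that has not been rescinded (kept by the operator).
    """
    dnt, uid, opted_out, _ = parse_request(headers)
    if dnt != "1" and not opted_out:
        return True, "no preference expressed"
    if dnt == "1" and not opted_out and uid in consented_uids:
        return True, "DNT overridden by recorded consent"
    if dnt == "1":
        return False, "DNT honoured"
    # No DNT: 1 but an opt-out cookie is set. The draft makes DNT-style
    # handling optional here and leaves DNT: 0 open (ISSUE-58); this
    # sketch takes the conservative reading in both cases.
    return False, "opt-out cookie honoured"

def serve(headers, profiles, consented_uids):
    """Choose content; read and write the profile store only when allowed."""
    allowed, reason = tracking_allowed(headers, consented_uids)
    _, uid, _, referer = parse_request(headers)
    if not (allowed and uid):
        return "generic", reason          # no lookup, no new record
    history = profiles.setdefault(uid, [])
    content = "targeted:" + history[-1] if history else "generic"
    if referer:
        history.append(referer)
    return content, reason
```

The gate sits in front of both the read path and the write path, so a refused request neither consults the stored profile nor extends it.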
ISSUE-33: Complexity of user choice (are exemptions exposed to users?)
ISSUE-65: How does logged in and logged out state work
How do we educate and communicate with users? Is that out of scope?
If there is a response header, this is likely unnecessary.
Options:
ISSUE-21: Enable external audit of DNT compliance
ISSUE-45: Companies making public commitments with a "regulatory hook" for US legal purposes
This specification does not place limitations on the use of geolocation technologies by the operators of third-party domains.
ISSUE-39: Tracking of geographic data (however it's determined, or used)
ISSUE-12: How does tracking require relation to unique identities, pseudonyms, etc.?
ISSUE-14: How does what we talk about with 1st/3rd party relate to European law about data collector vs data processor?
Do we need a section on existing law/relationships etc?
ISSUE-94: Is "Do Not Track" the right name to use?
No normative references.
No informative references.