Additional TSR properties supporting European Privacy & Data Protection Law

Introduction

EU Privacy law requires that access to user agent storage is only allowed if the user has given consent, or that the storage is used for a limited set of exempted purposes. In addition EU Data Protection law says that personal data cannot be processed unless the purpose for the processing is claimed from the outset to be covered by at least one of 6 legal bases, the first of which being consent. In either case consent must be "freely given, specific, informed and unambiguous and based on a user's actions", and (under the draft ePrivacy Regulation (ePR) proposal), "may be expressed by using the appropriate technical settings of a software application enabling access to the internet", and that "users shall be given the possibility to withdraw their consent at any time".

The information given to the user must therefore:

be given before the data is collected or processed;
clearly identify the responsible Data Controller or Controllers, any Data Processors contracted to process personal data on their behalf, and other recipients or categories of recipients of the personal data (GDPR A.13);
explain the modalities of collection, and purpose and legal basis of the processing, in a clear and intelligible way; and
explain any measure the end-user of the terminal equipment can take to stop or minimize the collection.

In addition Data Controllers have a responsibility to ensure that personal data is "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing" (GDPR A.1(f)) and "in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing" (GDPR Recital 39). This is directly applicable to the risk of delivery of malware onto user agents, especially when this results from deliberate insertion of subresource elements within website content.

Information about the potential tracking behaviour of resources can be delivered to the user within website content or by intrinsic user agent functionality. Websites can obtain the required information to do this relatively easily, whereas user agents can only present information gleaned from the automated examination of responses e.g. limited technical details about cookies and subresources. There is no standardised way for user agents alone to impart information that can only be known by an application's developers, such as the identity of the data controller(s) or of any data processors, their purposes for data collection and contracted relationships with other parties that may be present.

The TPE enables information to be available at arbitrary times by specifying it in the Tracking Status Resource, or presented at the time consent is registered within parameters to the API.

The need for changes to the existing TPE

The properties currently defined in the TSR need improvement in the following areas:

Purposes for Storage Use
It is a requirement that the use of user agent storage, such as cookies or local Storage, is explained. Some purposes, such as that "strictly necessary to fulfil a service requested by the user", do not need consent, so it makes sense that the information is presented at all times, not just when consent is registered.
User agents may wish to offer users privacy settings that would result in some storage being protected, e.g. "third-party cookies blocks", or allow the user to delete certain categories of non-exempted storage at any time.
Data Controller Identity
The existing "controller" property is a Url pointing to a human readable page that identifies the Data Controller, such as an About page. Any user agent UI presenting this information in a tabular or list form will need to acquire a simple string denoting the Data Controller's name, which is hard when all that is available is an unstructured HTML page. Furthermore, the GDPR requires that more detailed information about the Data Controller is provided, for example the contact details of the relevant Data Protection Officer. For these reasons it would be better to provide an object property in the TSR that can, at a minimum, supply a company's legal name, but that can also be extended with further fields, and these supplementary fields should be offered as non-normative examples. The TSR is again the most appropriate place to define these because, in situations where the GDPR applies, other legal bases than consent may be available.
User Security
User agents should be given the means to block sub-resources that could contain dangerous content, e.g. malware. Also sub-resources may allow third-party entities to collect and process a users personal data, or otherwise access user agent storage without the user's consent. Data Controllers can determine if the subresources they embed do not present dangers, or do not enable the collection of personal data. Similarly they know what third-party entities they have contracted with as Data Processors (service providers), which are not allowed to process data on their own behalf. The TSR would be the appropriate place for where these declarations should be made, because the information is equally valid when consent is not relied upon or registered.
Support for Out-Of-Band Consent The existing config property can be any arbitrary web page, which will diminish the possibilities to support User Control in situations where the Consent API is not supported. Some companies now support the self-regulatory Opt-out program by implementing a resource that signals when a user opts-out or revokes their implied opt-in, causing the deletion of any unique user identifier. There is no standardised way for a user agent or user to determine the Url of this resource, so defining a suitable property in the TSR would improve functionality and possibilities for future innovation. There would of course be no way to supply this information if the Consent API is not supported.

Tracking Status Representation - Additional Properties

Status Object

The tracking status representation can have the following additional properties, as illustrated by the following Orderly schema [Orderly]:

object {
    string tracking;                 // as per the Orderly schema in the TPE
    array { string; } compliance?;   //                 ''                   
    string qualifiers?;              //                 '' 
    array { string; } controller?;   //                 ''
    array { string; } same-party?;   //                 '' 
    array { string; } audit?;        //                 '' 
    string policy?;                  //                 '' 
    string config?;                  //                 '' 
    array { object { string name;                // Legal name of the data controller
                     string address?;            // postal address of head office of controller
                     string email?;              // email address for main contact
                     string tel?;                // main telephone number for controller
                     string about?;              // URI of a web page describing the Data Controller
                     object {
                                name?;           // name of person primarily responsible for data protection or privacy issues
                                address?;        // postal address of this person
                                email;           // contact email address of this person
                                tel?:            // contact telephone number of this person;
                            } DPO?;              // details of primary Data Protection or Privacy Officer
                   } 
          } controllerDescription;   // object identifying the data controller(s) (perhaps jointly) responsible for this website;
    array { object { string domain;  // domain name for a known embedded resource i.e. managed by the first-party sites, its data processors or any other entity
                     string category? ["P", "N", "S"] 
                   } 
          } otherParties?; // an object declaring the domains of all the resources (other than the first-party top-level domain) embedded by the site
    object { long overall_retention?; // A positive number of seconds indicating the overall maximum lifetime of all client storage used by this origin.
             array object { string name; // the user readable name for this storage item, e.g. for a cookie this could be the "name" component.
                            string type ["C","L","I","E","O"]; // storage type C = a cookie, L = localStorage item, I = indexdedDB table, "E" = cache item e.g. ETag, "O" = other storage. 
                            string match; // a regular expression used to match an item of storage when applied to the item name or cookie name and value pair
                            array { object { string ["S","F","A","T","Pf","Pl","Ps"]* code; // codified purpose for this storage item- see below
                                             string description? } // optional further text for further describing the purpose of this storage item
                                    purpose; }; // object for defining purpose for using this client data item
                            array { string sharedWith; }; // the main domains names managed by the entities the data may be shared with.
                            long retention?; // A positive number of seconds indicating the maximum lifetime of the storage item.
                            string deleteDataUri; // URI of resource that if sent a POST causes this data item on this origin to be deleted
                          } 
           } declaredData; // matches any client data item e.g. a cookie, item in localStorage etc., used by the origin server
    string deleteAllDataUri?; // URI of resource that if sent a POST causes all tracking data on this origin to be deleted
}*;

controllerDescription

An origin server MAY send a property named controllerDescription containing an array of objects representing one or more Data Controllers jointly responsible for an origin. If a controllerDescription exists it MUST contain a string property name indicating the legal name of the Data Controller entity. Additional optional properties are:

address Address of main or head office of controller.
email The main contact email address of the controller.
tel Main contact telephone number for controller.
about A URI for a human readable page describing the Data Controller. Equivalent to the existing "controller" property.
DPO An object containing fields that identify the Data Protection Officer, the person who deals with Data Protection or Privacy issues for the controller
- name Name of Data Protection Officer.
- address Address of Data Protection Officer.
- email The Data Protection Officer's email address.
- tel The Data Protection Officer's telephone number.

otherParties

An origin server MAY send a property named otherParties containing an array of objects representing the domains of all resources that the controller has determined may be embedded by any resource with this origin. Each object contains a string domain indicating the URI authority name of an embedded party target, along with an optional category value of either "P", "N" or "S".

A category of "P" indicates that the party owning the domain can receive personal data and has contracted with the origin server as a Data Processor. If the party owning the domain is known not to receive personal data from the interaction the code is "N". "S" indicates that the domain is managed by the site owner (i.e. one of the entities indicated by the controllerDescription array). Each embedded domain should contain a TSR with an otherParties property declaring its own expected embedded resources. This information can be used by browsers, browser extensions or script libraries to help protect user privacy by blocking, inhibiting or managing the actions of resources that are not so declared by the embedding site.

declaredData

This is an object representing user agent storage employed by the origin server for tracking or other purposes. This gives the origin server the ability to transparently describe in a standardised way the overall retention time for client storage and the purpose and retention period for each storage item.

User agents MAY present this information to the user, and privacy regulators, audit services etc. will be able use website scanning tools to verify it. In addition Privacy Enhancing Technology components, such as TrackingBlocker or AdBlocker extensions, can make intelligent decisions regarding content blocking or storage removal when enforcing a user's privacy preferences.

The object contains a long integer overall_retention a positive number of seconds indicating the maximum lifetime of all the declared data, and an array of objects describing individual storage items controlled by the origin server. Each of these contains a selector string used to match the name or name-value pair of a particular item , a string type representing the class of storage used where "C" is an HTTP cookie, "L" is local HTML5 storage, "I" is indexedDB, "E" is information stored in the browser cache such as "If-Then-Else/Etag" values, and "O" is any other form of storage. The selector string MAY contains a = character to demarcate between Regex match strings for the name and value of a name-value pair. The purposes for each item is encoded in the purpose array of objects. Each purpose object contains a short purpose identifier code and an option string description further describing the purpose. The code property MUST contain one or more of the following purpose identifiers.

N.B. Maybe the Qualifiers property should have the same coding.

Code	Purpose	Definition
S	Necessary	Strictly necessary to fulfil a service requested by the user.
F	Functional	Retains information in the user agent solely used to retain state between HTTP transactions without a unique user identifier. Any data retained is generic in nature and will not be used to profile the user.
A	Analytics	Used to collect anonymous statistical information about visitors to a web site. No attempt will be made to single-out the user for profiling purposes. Any unique identifier used will not be shared with any other party.
T	Tracking	Used to single-out or track a user, i.e. a unique user identifier. If this is shared with another party their domain MUST be indicated in the `sharedWith` attribute below.
O	Opt-out	This identifies an HTTP cookie used by some non-standard systems to indicate that a user has opted-out from tracking. If the same cookie name is also used as a UID tracking identifier then the `selector` must uniquely identify the opt-out case e.g. `UID=opted-out`. A properly identified opt-out cookie MUST not be deleted by a user agent when other storage is deleted, for example when the `overall_retention` period expires.
Pf	Permitted frequency capping	Used for frequency capping, i.e. to limit the number of times that a user sees a particular advertisement, as long as the data retained do not reveal the user’s browsing history.
Pl	Permitted financial logging	Used for financial logging, i.e. for billing and auditing related to the current network interaction and concurrent transactions. This may include counting ad impressions to unique visitors, verifying positioning and quality of ad impressions and auditing compliance with this specification and other standards.
Ps	Permitted security	Used for security, i.e. to the extent reasonably necessary to detect security incidents, protect the service against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible for such activity, provided that such data is not used for operational behaviour beyond what is reasonably necessary to protect the service or institute a graduated response.

The long integer retention contains a positive number of seconds indicating the maximum lifetime of the storage item. The optional array of strings sharedWith represents the main domains of any entities that this data item is shared with.

deleteDataUri

An origin server MAY send a property named deleteDataUri indicating the URI (relative to the origin domain) of a resource that will, in response to a PUSH, PUT or DELETE request, delete all data held for this origin in the user agent. In many cases this would be the resource advertiser exchanges use for the self-regulatory Opt-out iframe.

Scope