The Do-Not-Track protocol enables both user control over tracking and the delivery of "machine-readable claims" regarding the tracking behaviour of servers or web applications. This document addresses the latter, transparency, aspect in light of European legal requirements.
EU privacy law allows access to user agent storage only if the user has given consent, or if the storage is used for a limited set of exempted purposes. In addition, EU data protection law says that personal data cannot be processed unless the purpose of the processing is, from the outset, covered by at least one of six legal bases, the first of which is consent. In either case consent must be "freely given, specific, informed and unambiguous and based on a user's actions"; under the draft ePrivacy Regulation (ePR) proposal it "may be expressed by using the appropriate technical settings of a software application enabling access to the internet", and "users shall be given the possibility to withdraw their consent at any time".
The information given to the user must therefore:
Information about the potential tracking behaviour of resources can be delivered to the user within website content or by intrinsic user agent functionality. Websites can obtain the required information to do this relatively easily, whereas user agents can only present information gleaned from the automated examination of responses e.g. limited technical details about cookies and subresources. There is no standardised way for user agents alone to impart information that can only be known by an application's developers, such as the identity of the data controller(s) or of any data processors, their purposes for data collection and contracted relationships with other parties that may be present.
The TPE allows this information to be made available at arbitrary times, by specifying it in the Tracking Status Resource, or to be presented at the time consent is registered, within the parameters passed to the consent API.
The properties currently defined in the TSR need improvement in the following areas:

- The config property can be any arbitrary web page, which diminishes the possibilities for supporting User Control in situations where the Consent API is not supported.
- Some companies now support the self-regulatory Opt-out program by implementing a resource that signals when a user opts out, or revokes their implied opt-in, causing the deletion of any unique user identifier. There is no standardised way for a user agent or user to determine the URL of this resource, so defining a suitable property in the TSR would improve functionality and leave room for future innovation; without such a property there would be no way to supply this information where the Consent API is not supported.
A site-wide tracking status resource provides information about the potential tracking behaviour of resources located at that origin server. For example, in the current TPE, a user agent might choose to exclude, or perform additional pre-flight verification of, requests to other domains that have not been claimed as same-party by the referring site.
The proposed ePrivacy Regulation will apply to user agent providers ("software providers permitting electronic communications"), where Article 10 requires them to help protect the data stored in the user agent. In order to recognise this data accurately, and to minimise the need for arbitrary domain blocking or other withdrawal of functionality, the TSR can be a useful conduit for web application declarations about data use.
The tracking status representation can have the following additional properties, as illustrated by the following Orderly schema [Orderly]:
```
object {
  string tracking;                  // as defined in the TPE
  array { string; } compliance?;    // as defined in the TPE
  string qualifiers?;               // as defined in the TPE
  array { string; } controller?;    // as defined in the TPE
  array { string; } same-party?;    // as defined in the TPE
  array { string; } audit?;         // as defined in the TPE
  string policy?;                   // as defined in the TPE
  string config?;                   // as defined in the TPE
  array {
    object {
      string name;        // legal name of the data controller
      string address?;    // postal address of the controller's head office
      string email?;      // email address for the main contact
      string tel?;        // main telephone number for the controller
      string about?;      // URI of a web page describing the data controller
      object {
        string name?;     // person primarily responsible for data protection or privacy issues
        string address?;  // postal address of this person
        string email;     // contact email address of this person
        string tel?;      // contact telephone number of this person
      } DPO?;             // details of the primary Data Protection or Privacy Officer
    };
  } controllerDescription?;  // the data controller(s), possibly joint, responsible for this website
  array {
    object {
      string domain;      // domain of a known embedded resource, whether managed by the first-party site, its data processors or any other entity
      string category? ["P", "N", "S"];
    };
  } otherParties?;        // domains of all resources, other than the first-party top-level domain, embedded by the site
  object {
    integer overall_retention?;  // positive number of seconds: maximum lifetime of all client storage used by this origin
    array {
      object {
        string name;      // user-readable name for this storage item, e.g. the "name" component of a cookie
        string type ["C", "L", "I", "E", "O"];  // C = cookie, L = localStorage item, I = IndexedDB table, E = cache item (e.g. ETag), O = other storage
        string selector;  // regular expression matched against the item name, or against the cookie name=value pair
        array {
          object {
            string code ["S", "F", "A", "T", "O", "Pf", "Pl", "Ps"];  // codified purpose for this storage item, see below
            string description?;  // optional text further describing the purpose
          };
        } purpose;        // purposes for using this client data item
        array { string; } sharedWith?;  // main domains of the entities this data may be shared with
        integer retention?;     // positive number of seconds: maximum lifetime of this storage item
        string deleteDataUri?;  // URI of a resource that deletes this item from this origin when sent a POST
      };
    } items;              // one entry per client data item (cookie, localStorage item, etc.) used by the origin server; the draft leaves this array unnamed and "items" is used here
  } declaredData?;
  string deleteAllDataUri?;  // URI of a resource that deletes all tracking data for this origin when sent a POST
}*;
```
An origin server MAY send a property named controllerDescription containing an array of objects representing one or more Data Controllers jointly responsible for an origin. If a controllerDescription exists, each object in it MUST contain a string property name indicating the legal name of the Data Controller entity.
Additional optional properties are:

- address: Address of the main or head office of the controller.
- email: The main contact email address of the controller.
- tel: Main contact telephone number for the controller.
- about: A URI for a human-readable page describing the Data Controller. Equivalent to the existing "controller" property.
- DPO: An object containing fields that identify the Data Protection Officer, the person who deals with Data Protection or Privacy issues for the controller:
  - name: Name of the Data Protection Officer.
  - address: Address of the Data Protection Officer.
  - email: The Data Protection Officer's email address.
  - tel: The Data Protection Officer's telephone number.
An origin server MAY send a property named otherParties containing an array of objects representing the domains of all resources that the controller has determined may be embedded by any resource with this origin. Each object contains a string domain indicating the URI authority name of an embedded party target, along with an optional category value of "P", "N" or "S". A category of "P" indicates that the party owning the domain can receive personal data and has contracted with the controller(s) as a Data Processor. If the party owning the domain is known not to receive personal data from the interaction the code is "N". "S" indicates that the domain is managed by the site owner (i.e. one of the entities listed in the controllerDescription array).

Each embedded domain SHOULD itself serve a TSR with an otherParties property declaring its own expected embedded resources. This information can be used by browsers, browser extensions or script libraries to help protect user privacy by blocking, inhibiting or managing the actions of resources that are not so declared by the embedding site.
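As an added example, not part of the TPE or of this proposal, the following JavaScript shows how a user agent or privacy extension could check the hosts a page actually contacted against the embedding site's otherParties declaration, applying the "exclude, or perform additional pre-flight verification" treatment to undeclared hosts. The TSR, the host names, the subdomain-matching rule, the consent gating of "P" domains and the cross-check that every sharedWith domain is declared in otherParties are all assumptions made for illustration, and the per-item array under declaredData is assumed to be named items.

```javascript
// Added example, not part of the TPE or of this proposal: a user agent or
// privacy extension checking the hosts a page actually contacted against the
// otherParties declaration in the embedding site's tracking status resource.
// The TSR, the host names and the policy choices are constructed assumptions.

const siteTsr = {
  tracking: "T",
  controllerDescription: [{ name: "Example Publishing Ltd", email: "privacy@example.com" }],
  otherParties: [
    { domain: "cdn.example-static.net", category: "S" },        // managed by the site owner
    { domain: "analytics.example-metrics.com", category: "P" }, // contracted data processor
    { domain: "fonts.example-cdn.org", category: "N" }          // receives no personal data
  ],
  declaredData: {
    items: [ // "items" is an assumed name for the per-item array
      { name: "Visitor ID", type: "C", selector: "^UID$", purpose: [{ code: "T" }],
        sharedWith: ["analytics.example-metrics.com", "dmp.example-exchange.net"] }
    ]
  }
};

// Hosts observed in the page's subresource requests (constructed sample).
const observedHosts = [
  "cdn.example-static.net",
  "img.cdn.example-static.net",
  "analytics.example-metrics.com",
  "fonts.example-cdn.org",
  "adserver.example-tracker.biz"
];

// Assumption: a declared domain also covers its subdomains.
function declarationFor(tsr, host) {
  const parties = tsr.otherParties || [];
  return parties.find(p => host === p.domain || host.endsWith("." + p.domain)) || null;
}

// Policy for one host: "S" and "N" resources pass; a "P" processor may receive
// personal data, so it is gated on the user's consent state; an undeclared host
// gets the "exclude or pre-flight verify" treatment the TPE allows.
function decideHost(tsr, host, consentGiven) {
  const decl = declarationFor(tsr, host);
  if (decl === null) return { host, category: null, action: "verify-or-block" };
  if (decl.category === "P" && !consentGiven) return { host, category: "P", action: "block" };
  return { host, category: decl.category || "unspecified", action: "allow" };
}

function classifyHosts(tsr, hosts, consentGiven) {
  return hosts.map(h => decideHost(tsr, h, consentGiven));
}

// Assumed consistency rule on the TSR itself: every domain a data item is
// sharedWith should be declared in otherParties as a processor ("P") or an
// own-site domain ("S"). Returns the domains that are not.
function undeclaredSharing(tsr) {
  const declared = new Set((tsr.otherParties || [])
    .filter(p => p.category === "P" || p.category === "S")
    .map(p => p.domain));
  const missing = [];
  const items = (tsr.declaredData && tsr.declaredData.items) || [];
  for (const item of items) {
    for (const domain of item.sharedWith || []) {
      if (!declared.has(domain)) missing.push(domain);
    }
  }
  return missing;
}

// Example run; a real extension would feed in the hosts seen by its request observer.
console.log(classifyHosts(siteTsr, observedHosts, false));
console.log(undeclaredSharing(siteTsr));
```

With consent withheld the processor domain is blocked and the undeclared ad server is flagged for verification; with consent given the processor passes. The cross-check reports dmp.example-exchange.net, which the sample TSR names in sharedWith but never declares as a party.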
The declaredData property is an object representing the user agent storage employed by the origin server for tracking or other purposes. It gives the origin server the ability to describe transparently, in a standardised way, the overall retention time for client storage and the purpose and retention period of each storage item.

User agents MAY present this information to the user, and privacy regulators, audit services etc. will be able to use website scanning tools to verify it. In addition, Privacy Enhancing Technology components such as tracking-blocker or ad-blocker extensions can make informed decisions about content blocking or storage removal when enforcing a user's privacy preferences.

The object contains an integer overall_retention, a positive number of seconds indicating the maximum lifetime of all the declared data, and an array of objects describing the individual storage items controlled by the origin server.
Each of these contains a selector string used to match the name, or name-value pair, of a particular item, and a string type representing the class of storage used, where "C" is an HTTP cookie, "L" is HTML5 localStorage, "I" is IndexedDB, "E" is information stored in the browser cache such as ETag / If-None-Match values, and "O" is any other form of storage. The selector string MAY contain a = character separating a regular expression for the name from a regular expression for the value of a name-value pair.
The purposes for each item are encoded in the purpose array of objects. Each purpose object contains a short purpose identifier code and an optional string description further describing the purpose. The code property MUST contain one or more of the following purpose identifiers.
Code | Purpose | Definition |
---|---|---|
S | Necessary | Strictly necessary to fulfil a service requested by the user. |
F | Functional | Retains information in the user agent solely to retain state between HTTP transactions, without a unique user identifier. Any data retained is generic in nature and will not be used to profile the user. |
A | Analytics | Used to collect anonymous statistical information about visitors to a web site. No attempt will be made to single out the user for profiling purposes. Any unique identifier used will not be shared with any other party. |
T | Tracking | Used to single out or track a user, i.e. a unique user identifier. If this is shared with another party their domain MUST be indicated in the sharedWith property below. |
O | Opt-out | Identifies an HTTP cookie used by some non-standard systems to indicate that a user has opted out from tracking. If the same cookie name is also used as a UID tracking identifier then the selector must uniquely identify the opt-out case, e.g. UID=opted-out. A properly identified opt-out cookie MUST NOT be deleted by a user agent when other storage is deleted, for example when the overall_retention period expires. |
Pf | Permitted frequency capping | Used for frequency capping, i.e. to limit the number of times that a user sees a particular advertisement, as long as the data retained do not reveal the user's browsing history. |
Pl | Permitted financial logging | Used for financial logging, i.e. for billing and auditing related to the current network interaction and concurrent transactions. This may include counting ad impressions to unique visitors, verifying positioning and quality of ad impressions and auditing compliance with this specification and other standards. |
Ps | Permitted security | Used for security, i.e. to the extent reasonably necessary to detect security incidents, protect the service against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible for such activity, provided that such data is not used for operational behaviour beyond what is reasonably necessary to protect the service or institute a graduated response. |
The optional integer retention contains a positive number of seconds indicating the maximum lifetime of the storage item. The optional array of strings sharedWith lists the main domains of any entities that this data item is shared with.
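As an added example, not part of the TPE or of this proposal, the following JavaScript shows how a user agent or extension could apply a declaredData object to the storage it holds for an origin: parsing selectors of the name and name=value forms, matching stored items against the declarations by type and selector, expiring items whose age exceeds the applicable retention or overall_retention, and never deleting an item that matches an opt-out ("O") declaration. The declaredData instance and the stored items are constructed for illustration, and the per-item array is assumed to be named items, which the draft schema leaves unnamed.

```javascript
// Added example, not part of the TPE or of this proposal: applying a site's
// declaredData to the storage a user agent holds for that origin. The
// declaredData, the stored items and the array name "items" are assumptions.

const DAY = 86400;

const declaredData = {
  overall_retention: 730 * DAY,
  items: [
    { name: "Session", type: "C", selector: "^sessionid$",
      purpose: [{ code: "S" }], retention: 1 * DAY },
    { name: "Preferences", type: "L", selector: "^prefs$",
      purpose: [{ code: "F" }], retention: 90 * DAY },
    // Tracking identifier, shared with a processor and kept for one year.
    { name: "Visitor ID", type: "C", selector: "^UID$",
      purpose: [{ code: "T" }], retention: 365 * DAY,
      sharedWith: ["analytics.example-metrics.com"] },
    // The same cookie name signals opt-out when its value is "opted-out",
    // so this selector uses the name=value form to single out that case.
    { name: "Opt-out marker", type: "C", selector: "^UID$=^opted-out$",
      purpose: [{ code: "O" }] }
  ]
};

// A selector is a regular expression for the name, optionally followed by "="
// and a regular expression for the value. Only the first "=" splits the two,
// so the value pattern may itself contain "=".
function parseSelector(selector) {
  const i = selector.indexOf("=");
  if (i < 0) return { nameRe: new RegExp(selector), valueRe: null };
  return { nameRe: new RegExp(selector.slice(0, i)), valueRe: new RegExp(selector.slice(i + 1)) };
}

function matchesDeclaration(decl, item) {
  if (decl.type !== item.type) return false;
  const { nameRe, valueRe } = parseSelector(decl.selector);
  if (!nameRe.test(item.name)) return false;
  return valueRe === null || valueRe.test(String(item.value));
}

// Sort every stored item into keep / remove / undeclared, given the current
// time in seconds. Each stored item carries the time it was first set.
function planCleanup(data, stored, nowSeconds) {
  const plan = { keep: [], remove: [], undeclared: [] };
  for (const item of stored) {
    const matched = data.items.filter(d => matchesDeclaration(d, item));
    if (matched.length === 0) { plan.undeclared.push(item.name); continue; }
    // An identified opt-out cookie (purpose "O") survives every expiry.
    if (matched.some(d => d.purpose.some(p => p.code === "O"))) { plan.keep.push(item.name); continue; }
    // The shortest applicable limit wins: item retention and overall_retention.
    const limits = matched.map(d => d.retention).filter(r => Number.isInteger(r));
    if (Number.isInteger(data.overall_retention)) limits.push(data.overall_retention);
    const expired = limits.length > 0 && nowSeconds - item.created > Math.min(...limits);
    (expired ? plan.remove : plan.keep).push(item.name);
  }
  return plan;
}

// Constructed storage state. The two UID cookies cannot coexist in one cookie
// jar; they stand for a tracked user and an opted-out user respectively.
const NOW = 1700000000;
const storedItems = [
  { type: "C", name: "sessionid", value: "8c1f2a", created: NOW - 3600 },
  { type: "L", name: "prefs", value: "{\"lang\":\"en\"}", created: NOW - 100 * DAY },
  { type: "C", name: "UID", value: "9f8e7d6c", created: NOW - 400 * DAY },
  { type: "C", name: "UID", value: "opted-out", created: NOW - 400 * DAY },
  { type: "C", name: "_3p_id", value: "x1", created: NOW - DAY }
];

console.log(planCleanup(declaredData, storedItems, NOW));
```

On the sample state the session cookie is kept, the preferences item and the tracking UID are removed as expired, the opt-out UID is kept because it matches the "O" declaration even though it also matches the tracking declaration, and the undeclared cookie is reported separately so the user's preferences can decide its fate. Deleting undeclared storage outright is a policy choice the proposal leaves to the user agent.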
An origin server MAY send a property named deleteAllDataUri indicating the URI (relative to the origin) of a resource that will, in response to a POST, PUT or DELETE request, delete all data held for this origin in the user agent; the per-item deleteDataUri property plays the same role for a single declared storage item. In many cases the origin-wide resource would be the one that advertising exchanges use for the self-regulatory opt-out iframe.