Commit | Line | Data |
---|---|---|
aad0ec24 RK |
1 | Do Not Track Compliance Policy |
2 | ||
3 | Version 1.0 | |
4 | ||
5 | This domain complies with user opt-outs from tracking via the "Do Not Track" | |
6 | or "DNT" header [http://www.w3.org/TR/tracking-dnt/]. This file will always | |
7 | be posted via HTTPS at https://example-domain.com/.well-known/dnt-policy.txt | |
8 | to indicate this fact. | |
9 | ||
10 | SCOPE | |
11 | ||
12 | This policy document allows an operator of a Fully Qualified Domain Name | |
13 | ("domain") to declare that it respects Do Not Track as a meaningful privacy | |
14 | opt-out of tracking, so that privacy-protecting software can better determine | |
15 | whether to block or anonymize communications with this domain. This policy is | |
16 | intended first and foremost to be posted on domains that publish ads, widgets, | |
17 | images, scripts and other third-party embedded hypertext (for instance on | |
18 | widgets.example.com), but it can be posted on any domain, including those users | |
19 | visit directly (such as www.example.com). The policy may be applied to some | |
20 | domains used by a company, site, or service, and not to others. Do Not Track | |
21 | may be sent by any client that uses the HTTP protocol, including websites, | |
22 | mobile apps, and smart devices like TVs. Do Not Track also works with all | |
23 | protocols able to read HTTP headers, including SPDY. | |
24 | ||
25 | NOTE: This policy contains both Requirements and Exceptions. Where possible | |
26 | terms are defined in the text, but a few additional definitions are included | |
27 | at the end. | |
28 | ||
29 | REQUIREMENTS | |
30 | ||
31 | When this domain receives Web requests from a user who enables DNT by actively | |
32 | choosing an opt-out setting in their browser or by installing software that is | |
33 | primarily designed to protect privacy ("DNT User"), we will take the following | |
34 | measures with respect to those users' data, subject to the Exceptions, also | |
35 | listed below: | |
36 | ||
37 | 1. END USER IDENTIFIERS: | |
38 | ||
39 | a. If a DNT User has logged in to our service, all user identifiers, such as | |
40 | unique or nearly unique cookies, "supercookies" and fingerprints are | |
41 | discarded as soon as the HTTP(S) response is issued. | |
42 | ||
43 | Data structures which associate user identifiers with accounts may be | |
44 | employed to recognize logged in users per Exception 4 below, but may not | |
45 | be associated with records of the user's activities unless otherwise | |
46 | excepted. | |
47 | ||
48 | b. If a DNT User is not logged in to our service, we will take steps to ensure | |
49 | that no user identifiers are transmitted to us at all. | |
50 | ||
51 | 2. LOG RETENTION: | |
52 | ||
53 | a. Logs with DNT Users' identifiers removed (but including IP addresses and | |
54 | User Agent strings) may be retained for a period of 10 days or less, | |
55 | unless an Exception (below) applies. This period of time balances privacy | |
56 | concerns with the need to ensure that log processing systems have time to | |
57 | operate; that operations engineers have time to monitor and fix technical | |
58 | and performance problems; and that security and data aggregation systems | |
59 | have time to operate. | |
60 | ||
61 | b. These logs will not be used for any other purposes. | |
62 | ||
63 | 3. OTHER DOMAINS: | |
64 | ||
65 | a. If this domain transfers identifiable user data about DNT Users to | |
66 | contractors, affiliates or other parties, or embeds from or posts data to | |
67 | other domains, we will either: | |
68 | ||
69 | b. ensure that the operators of those domains abide by this policy overall | |
70 | by posting it at /.well-known/dnt-policy.txt via HTTPS on the domains in | |
71 | question, | |
72 | ||
73 | OR | |
74 | ||
75 | ensure that the recipient's policies and practices require the recipient | |
76 | to respect the policy for our DNT Users' data. | |
77 | ||
78 | OR | |
79 | ||
80 | obtain a contractual commitment from the recipient to respect this policy | |
81 | for our DNT Users' data. | |
82 | ||
83 | NOTE: if an “Other Domain” does not receive identifiable user information | |
84 | from the domain because such information has been removed, because the | |
85 | Other Domain does not log that information, or for some other reason, these | |
86 | requirements do not apply. | |
87 | ||
88 | c. "Identifiable" means any records which are not Anonymized or otherwise | |
89 | covered by the Exceptions below. | |
90 | ||
91 | 4. PERIODIC REASSERTION OF COMPLIANCE: | |
92 | ||
93 | At least once every 12 months, we will take reasonable steps commensurate | |
94 | with the size of our organization and the nature of our service to confirm | |
95 | our ongoing compliance with this document, and we will publicly reassert our | |
96 | compliance. | |
97 | ||
98 | 5. USER NOTIFICATION: | |
99 | ||
100 | a. If we are required by law to retain or disclose user identifiers, we will | |
101 | attempt to provide the users with notice (unless we are prohibited or it | |
102 | would be futile) that a request for their information has been made in | |
103 | order to give the users an opportunity to object to the retention or | |
104 | disclosure. | |
105 | ||
106 | b. We will attempt to provide this notice by email, if the users have given | |
107 | us an email address, and by postal mail if the users have provided a | |
108 | postal address. | |
109 | ||
110 | c. If the users do not challenge the disclosure request, we may be legally | |
111 | required to turn over their information. | |
112 | ||
113 | d. We may delay notice if we, in good faith, believe that an emergency | |
114 | involving danger of death or serious physical injury to any person | |
115 | requires disclosure without delay of information relating to the | |
116 | emergency. | |
117 | ||
118 | EXCEPTIONS | |
119 | ||
120 | Data from DNT Users collected by this domain may be logged or retained only in | |
121 | the following specific situations: | |
122 | ||
123 | 1. CONSENT / "OPT BACK IN" | |
124 | ||
125 | a. DNT Users are opting out from tracking across the Web. It is possible | |
126 | that for some feature or functionality, we will need to ask a DNT User to | |
127 | "opt back in" to be tracked by us across the entire Web. | |
128 | ||
129 | b. If we do that, we will take reasonable steps to verify that the users who | |
130 | select this option have genuinely intended to opt back in to tracking. | |
131 | One way to do this is by performing scientifically reasonable user | |
132 | studies with a representative sample of our users, but smaller | |
133 | organizations can satisfy this requirement by other means. | |
134 | ||
135 | c. Where we believe that we have opt back in consent, our server will | |
136 | send a tracking value status header "Tk: C" as described in section 6.2 | |
137 | of the W3C Tracking Preference Expression draft: | |
138 | ||
139 | http://www.w3.org/TR/tracking-dnt/#tracking-status-value | |
140 | ||
141 | 2. TRANSACTIONS | |
142 | ||
143 | If a DNT User actively and knowingly enters a transaction with our | |
144 | services (for instance, clicking on a clearly-labeled advertisement, | |
145 | posting content to a widget, or purchasing an item), we will retain | |
146 | necessary data for as long as required to perform the transaction. This | |
147 | may for example include keeping auditing information for clicks on | |
148 | advertising links; keeping a copy of posted content and the name of the | |
149 | posting user; keeping server-side session IDs to recognize logged in | |
150 | users; or keeping a copy of the physical address to which a purchased | |
151 | item will be shipped. By their nature, some transactions will require data | |
152 | to be retained indefinitely. | |
153 | ||
154 | 3. TECHNICAL AND SECURITY LOGGING: | |
155 | ||
156 | a. If, during the processing of the initial request (for unique identifiers) | |
157 | or during the subsequent 10 days (for IP addresses and User Agent strings), | |
158 | we obtain specific information that causes our employees or systems to | |
159 | believe that a request is, or is likely to be, part of a security attack, | |
160 | spam submission, or fraudulent transaction, then logs of those requests | |
161 | are not subject to this policy. | |
162 | ||
163 | b. If we encounter technical problems with our site, then, in rare | |
164 | circumstances, we may retain logs for longer than 10 days, if that is | |
165 | necessary to diagnose and fix those problems, but this practice will not be | |
166 | routinized and we will strive to delete such logs as soon as possible. | |
167 | ||
168 | 4. AGGREGATION: | |
169 | ||
170 | a. We may retain and share anonymized datasets, such as aggregate records of | |
171 | readership patterns; statistical models of user behavior; graphs of system | |
172 | variables; data structures to count active users on monthly or yearly | |
173 | bases; database tables mapping authentication cookies to logged in | |
174 | accounts; non-unique data structures constructed within browsers for tasks | |
175 | such as ad frequency capping or conversion tracking; or logs with truncated | |
176 | and/or encrypted IP addresses and simplified User Agent strings. | |
177 | ||
178 | b. "Anonymized" means we have conducted risk mitigation to ensure | |
179 | that the dataset, plus any additional information that is in our | |
180 | possession or likely to be available to us, does not allow the | |
181 | reconstruction of reading habits, online or offline activity of groups of | |
182 | fewer than 5000 individuals or devices. | |
183 | ||
184 | c. If we generate anonymized datasets under this exception we will publicly | |
185 | document our anonymization methods in sufficient detail to allow outside | |
186 | experts to evaluate the effectiveness of those methods. | |
187 | ||
188 | 5. ERRORS: | |
189 | ||
190 | From time to time, there may be errors by which user data is temporarily | |
191 | logged or retained in violation of this policy. If such errors are | |
192 | inadvertent, rare, and made in good faith, they do not constitute a breach | |
193 | of this policy. We will delete such data as soon as practicable after we | |
194 | become aware of any error and take steps to ensure that it is deleted by any | |
195 | third-party who may have had access to the data. | |
196 | ||
197 | ADDITIONAL DEFINITIONS | |
198 | ||
199 | "Fully Qualified Domain Name" means a domain name that addresses a computer | |
200 | connected to the Internet. For instance, example1.com; www.example1.com; | |
201 | ads.example1.com; and widgets.example2.com are all distinct FQDNs. | |
202 | ||
203 | "Supercookie" means any technology other than an HTTP Cookie which can be used | |
204 | by a server to associate identifiers with the clients that visit it. Examples | |
205 | of supercookies include Flash LSO cookies, DOM storage, HTML5 storage, or | |
206 | tricks to store information in caches or etags. | |
207 | ||
208 | "Risk mitigation" means an engineering process that evaluates the possibility | |
209 | and likelihood of various adverse outcomes, considers the available methods of | |
210 | making those adverse outcomes less likely, and deploys sufficient mitigations | |
211 | to bring the probability and harm from adverse outcomes below an acceptable | |
212 | threshold. | |
213 | ||
214 | "Reading habits" includes amongst other things lists of visited DNS names, if | |
215 | those domains pertain to specific topics or activities, but records of visited | |
216 | DNS names are not reading habits if those domain names serve content of a very | |
217 | diverse and general nature, thereby revealing minimal information about the | |
218 | opinions, interests or activities of the user. |