Introduction
...
Some of the terms used in this document are based on the “Personal Information Protection and Electronic Documents Act” (PIPEDA). They are defined here.
...
An organization or service shares information it has collected with external third parties.
Information Model
privacyPreferences
The container for all of the user's privacy preferences. In JSON:
...
implies using the default settings for all of the user's privacy preferences. Default settings are indicated using bold text.
privacyPreferences.thirdPartyTracking
Defines a set of Boolean preferences with respect to third parties' tracking of a user's behaviour, and whether to alert the user of any tracking. If the user preference is to block all tracking, and that preference is actually enforced, then the alert preference is superfluous. The default preference is to prohibit all tracking by third parties.
...
Example:
"privacyPreferences": {
  "thirdPartyTracking": {
    "doNotTrack": "onLeaveSite",
    "alerts": true
  }
}
privacyPreferences.thirdPartyScripts
Provides preferences for restriction of
...
on a web page or site. There is no default setting in this case, since the preference is specified in the context of the page or site. Since there can be numerous sites and pages that these settings apply to, the thirdPartyScripts preference is an array of restrictions on a per site or per page basis. Each site or page is defined by a URI.
- site or page:
  - Value: URI of the site or the page to which to apply the user's preferred restrictions
- allow:
  - Value: one of true, false, or temporarily
    - true: allow all scripts
    - false: block all scripts
    - temporarily: allow all scripts to run for the current session. That is, when the user leaves the site or page, the preference switches to false.
Example:
"privacyPreferences": {
...
"site": "www.nefarious.org",
"allow": false
}]
}
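The per-site lookup and the "temporarily" rule above, as an added example that is not code from the original model. It assumes a restriction matches when its "site" string equals the URI of the page being visited (the model defines no partial matching), and it returns null when a site has no entry, since the model states there is no default for this preference.

```javascript
// Added example, not code from the original information model.
// Resolves thirdPartyScripts for the site being visited and applies the
// "temporarily" rule: scripts run for the current session, and when the
// user leaves the site the stored preference is rewritten to false.
// Assumption: a restriction matches only on exact equality of its "site".

function findRestriction(prefs, uri) {
  const list = (prefs && prefs.thirdPartyScripts) || [];
  return list.find((r) => r.site === uri) || null;
}

// Returns true/false, or null when the site has no restriction (no default
// exists for this preference, so the caller must ask the user or fail closed).
function scriptsAllowed(prefs, uri) {
  const r = findRestriction(prefs, uri);
  if (!r) return null;
  if (r.allow === true || r.allow === "temporarily") return true;
  if (r.allow === false) return false;
  throw new Error("invalid allow value for " + uri + ": " + String(r.allow));
}

// Called when the user navigates away from uri; mutates prefs in place and
// returns true if a temporary grant was revoked.
function onLeaveSite(prefs, uri) {
  const r = findRestriction(prefs, uri);
  if (r && r.allow === "temporarily") {
    r.allow = false;
    return true;
  }
  return false;
}

// Constructed sample preferences (a fresh copy each call, since onLeaveSite mutates).
function samplePrefs() {
  return {
    thirdPartyScripts: [
      { site: "www.nefarious.org", allow: false },
      { site: "www.trusted.example", allow: "temporarily" },
    ],
  };
}
```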
privacyPreferences.locationTracking
Provides a set of values and a whitelist of services that track the location of the user. The default is to not allow any service to track the user’s location. A service is specified using a URI, designated as a serviceURI.
Users can allow all services to track them, allow no services to track them, or allow only a set of trusted services to track them; in the latter case the preference carries the list of trusted services.
- locationTracking:
  - Value: none (default), all, or a whitelist of trusted services
    - none: indicates no location tracking is permitted by any service
    - all: indicates that all services are allowed to track the user’s location
    - array of serviceURIs: a list of trusted services that are allowed to track the user’s location.
Examples:
The first two examples show all that is necessary to specify no tracking or, in contrast, tracking by any service. The third example shows how to state preferences for only trusted services.
Example 1 -- no service can track:
"privacyPreferences": {
"locationTracking": "none"
}
Example 2 -- all services can track:
"privacyPreferences": {
"locationTracking": "all"
}
Example 3 -- trusted services can track:
"privacyPreferences": {
...
"serviceURI",
"serviceURI",
…
]
}
privacyPreferences.sharingContacts
A set of values and a whitelist of services with respect to sharing the user’s contacts (e.g., address book). The default is to disallow any contact sharing.
...
- sharingContacts:
  - Value: off (default), on, or a structure holding an optional askMeFirst and a whitelist of trusted services.
    - off: indicates that the user does not want to share their contacts with any service
    - on: indicates that the user is willing to share their contacts with all services
    - A structure that contains a Boolean askMeFirst followed by a whitelist:
      - askMeFirst:
        - Value: true or false
          - true: indicates the system needs to alert the user that they are about to share their contacts with services in their whitelist, and confirm that the user wants to share.
          - false: indicates that the system does not alert the user about sharing their contacts with the services in their whitelist.
      - whiteList:
        - Value: a list of trusted services. If a service is not listed, then contacts are not shared with that service. Each service is specified using a string.
Examples:
The first two examples show all that is necessary to specify no sharing or, in contrast, sharing with any service. The third and fourth examples show how to state preferences for only trusted services, with and without confirmation.
Example 1 -- do not share contacts with any service:
"privacyPreferences": {
"sharingContacts": "off"
}
Example 2 -- share contacts with all services:
"privacyPreferences": {
"sharingContacts": "on"
}
Example 3 -- share contacts only with trusted services, but only with user’s confirmation:
"privacyPreferences": {
...
"..."
]
}
}
Example 4 -- share contacts only with trusted services, but without user’s confirmation:
"privacyPreferences": {
...
"..."
]
}
}
privacyPreferences.clearHistory
Defines which of a user’s browser history features are to be forgotten, and when. The browser features are history, downloads, passwords, autofill form data, and the cache. A special case is where users do not want these features recorded in the first place. This is represented as the special time period “neverRemember”, meaning do not record or store historical information.
- clearHistory:
  - Value: a set of browser features with an associated frequency for periodically clearing that feature. All browser features MUST be listed. The features to clear are:
    - history
    - downloads
    - passwords
    - autofillFormData
    - cache
  - The associated time periods are:
    - neverRemember
    - hourly
    - daily (default)
    - weekly
    - monthly
    - neverDelete
    - onQuit
Example:
This example shows a list of all the different browser features and how frequently they should be cleared.
...
"cache": "daily"
}
}
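A validator for the clearHistory rules above (every feature listed, every period one of the allowed values) together with the "neverRemember" check, as an added example that is not code from the original model. The sample preference object is constructed for the demonstration.

```javascript
// Added example, not code from the original information model.
const FEATURES = ["history", "downloads", "passwords", "autofillFormData", "cache"];
const PERIODS = new Set([
  "neverRemember", "hourly", "daily", "weekly", "monthly", "neverDelete", "onQuit",
]);

// Returns an array of error strings; an empty array means the preference is valid.
function validateClearHistory(clearHistory) {
  if (!clearHistory || typeof clearHistory !== "object" || Array.isArray(clearHistory)) {
    return ["clearHistory must be an object keyed by browser feature"];
  }
  const errors = [];
  for (const f of FEATURES) {
    if (!(f in clearHistory)) {
      errors.push("missing feature: " + f); // the model says all features MUST be listed
    } else if (!PERIODS.has(clearHistory[f])) {
      errors.push("invalid period for " + f + ": " + String(clearHistory[f]));
    }
  }
  for (const k of Object.keys(clearHistory)) {
    if (!FEATURES.includes(k)) errors.push("unknown feature: " + k);
  }
  return errors;
}

// neverRemember means the feature must not be recorded in the first place,
// so a browser should consult this before storing anything for that feature.
function mayRecord(clearHistory, feature) {
  if (!FEATURES.includes(feature)) throw new Error("unknown feature: " + feature);
  return clearHistory[feature] !== "neverRemember";
}

// Constructed sample: passwords are never stored, everything else is cleared daily.
const sampleClearHistory = {
  history: "daily",
  downloads: "daily",
  passwords: "neverRemember",
  autofillFormData: "daily",
  cache: "daily",
};
```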
privacyPreferences.eraseAfterUsing
Defines whether specific personal information, which has been provided, needs to be erased and forgotten immediately after its use. An example is providing one’s credit card information for making a purchase. When the purchase is complete, and the information is no longer needed, this preference indicates that the user expects their credit card information will be erased.
eraseAfterUsing:
Value: true (default) or false.
true: indicates that personal information is erased immediately after use.
false: indicates that personal information is retained.
Example:
This example indicates that personal information should be erased immediately after it is no longer needed.
...
"eraseAfterUsing": true
}
privacyPreferences.allowAdvertising
Defines a set of values and a whitelist of advertisements. The default is to not allow any advertisements.
...
- allowAdvertising:
  - Value: off (default), on, or a whitelist of targeted advertisements.
    - off: indicates no advertising is allowed
    - on: indicates that all advertising is allowed
    - array: a list of allowed advertisements. Each advertisement is identified as a serviceURI
Examples:
The first two examples show all that is necessary to prohibit any advertisements or, in contrast, allow all advertisements by any service. The third example shows how to state preferences for only targeted advertisements.
Example 1 -- no advertisements:
"privacyPreferences": {
"allowAdvertising": "off"
}
Example 2 -- all advertisements:
"privacyPreferences": {
"allowAdvertising": "on"
}
Example 3 -- only targeted advertisements from trusted services:
"privacyPreferences": {
...
"serviceURI",
"serviceURI",
…
]
}
privacyPreferences.cookies
The “cookies” preference is a container for a number of privacy settings with respect to the creation of cookies, the sharing of cookie data, and when to force the expiration of a cookie.
- allowCreation:
  - Value: never, always, fromOriginalService (default), askFirst, or a whitelist of trusted services.
    - never: indicates that cookie creation of any kind is not allowed. Note that this may mean that a given page or site might not work as expected, especially if cookies are required for normal functionality
    - always: indicates that there are no restrictions on cookie creation
    - fromOriginalService: indicates that cookie creation is allowed if the site currently visited is creating the cookie. Third-party cookie creation from the same page is not allowed.
    - askFirst: requires the system to present a confirmation dialog to the user to confirm whether a cookie or cookies can be created when a service attempts to do so.
    - A whitelist of trusted services: an array of serviceURIs representing trusted services that are allowed to create cookies
- allowSharing:
  - Value: never (default), always, askFirst, or a whitelist of trusted services.
    - never: indicates that cookie sharing of any kind is not allowed.
    - always: indicates that there are no restrictions on cookie sharing
    - askFirst: requires the system to present a confirmation dialog to the user asking whether a cookie or cookies can be shared.
    - A whitelist of trusted services: an array of serviceURIs representing trusted services with which cookies may be shared
- expiration:
  - Value: endOfSession, whenLeavingSite (default), daily, weekly
    - endOfSession: indicates that cookie data is to be erased at the end of the session
    - onLeaveSite: indicates that cookies are erased when the user leaves the site.
    - daily: indicates that cookies are deleted at the end of the day
    - weekly: indicates that cookies are deleted at the end of the week
Examples:
"privacyPreferences": {
...
"expiration": "endOfSession"
}
}
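The locationTracking, sharingContacts, allowAdvertising and cookies preferences above all follow one pattern (a deny word, an allow word, optionally an ask word, or a whitelist of serviceURIs), so a single decision routine can serve them. The following is an added example, not code from the original model: it normalises those values into "allow", "deny" or "ask", applies the model's stated defaults when a preference is absent, and assumes services match by exact serviceURI string and that fromOriginalService compares the requesting service against the site currently visited.

```javascript
// Added example, not code from the original information model.
// Collapses the whitelist-style preferences (locationTracking, sharingContacts,
// allowAdvertising, cookies.allowCreation, cookies.allowSharing) into one of
// "allow", "deny" or "ask". Assumption: exact serviceURI string matching.
const DENY_WORDS = new Set(["none", "off", "never"]);
const ALLOW_WORDS = new Set(["all", "on", "always"]);

// Defaults stated by the model, applied when a preference is absent (fail closed).
const DEFAULTS = {
  locationTracking: "none",
  sharingContacts: "off",
  allowAdvertising: "off",
  "cookies.allowCreation": "fromOriginalService",
  "cookies.allowSharing": "never",
};

function inWhitelist(list, serviceURI) {
  return Array.isArray(list) && list.includes(serviceURI);
}

// pref: stored value of one preference; serviceURI: the service requesting access;
// currentSite: site being visited (only consulted for cookies.fromOriginalService).
function decide(pref, serviceURI, currentSite) {
  if (typeof pref === "string") {
    if (DENY_WORDS.has(pref)) return "deny";
    if (ALLOW_WORDS.has(pref)) return "allow";
    if (pref === "askFirst") return "ask";
    if (pref === "fromOriginalService") return serviceURI === currentSite ? "allow" : "deny";
  } else if (Array.isArray(pref)) {
    return inWhitelist(pref, serviceURI) ? "allow" : "deny";
  } else if (pref && typeof pref === "object" && Array.isArray(pref.whiteList)) {
    // sharingContacts structure: { "askMeFirst": true|false, "whiteList": [...] }
    if (!inWhitelist(pref.whiteList, serviceURI)) return "deny";
    return pref.askMeFirst === true ? "ask" : "allow";
  }
  // Anything else is malformed; refuse rather than guess.
  throw new Error("malformed preference value: " + JSON.stringify(pref));
}

// name is a dotted path into the "privacyPreferences" object, e.g. "cookies.allowSharing".
function decideFor(prefs, name, serviceURI, currentSite) {
  const value = name.split(".").reduce((o, k) => (o == null ? undefined : o[k]), prefs);
  return decide(value === undefined ? DEFAULTS[name] : value, serviceURI, currentSite);
}

// Constructed sample preferences for demonstration.
const samplePrefs = {
  locationTracking: ["https://maps.example"],
  sharingContacts: { askMeFirst: true, whiteList: ["https://mail.example"] },
  cookies: { allowSharing: "askFirst" },
};
```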
privacyPreferences.dataControl
This group of preferences allows users to view, update, delete, set expiration dates for, and ask for details about how their information is being used or disclosed. The preferences represent user requests about their personal information as managed by some organization. The preferences, or requests, are on a per-organization basis. Organizations are specified by a serviceURI. Since a user can supply information to multiple organizations, the dataControl preferences are a list of requests, one per organization.
...
viewAll: user wants to view all data held by the organization
editUpdateAll: user wants to update the accuracy of their data, and submit changes back to the organization
howUsed: user requests an explanation as to how their data is being used by the organization
howDisclosed: user requests which third parties the organization has disclosed their personal information to, and for what purposes.
deleteAll: user wants to delete all the personal information held by the organization
expiration: user specifies when their personal information is to be deleted
Value: ISO-8601 specification of date/time
Example:
"privacyPreferences": {
...
"expiration": "2017-04-05T14:30Z"
}]
}
Full Preference Set Example
"privacyPreferences": {
...