Skip to content

Commit

Permalink
notes on what is not covered
Browse files Browse the repository at this point in the history 
- clarify decision to not add api actions from previous author meeting
- split entity per suggestion #2
- add motivation notes for entity
  • Loading branch information
@xcolwell
xcolwell committed May 6, 2024
1 parent cb81527 commit 76083ad
Showing 1 changed file with 9 additions and 2 deletions.
11 changes: 9 additions & 2 deletions draft-colwell-privacy-txt.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -79,9 +79,12 @@ It is currently difficult to associate a complete privacy policy text with a ser

This file format proposes two fields for the privacy policy. One or both can be used, depending on the policy format.

`Entity: NAME,COUNTRY_CODE`
`Entity: NAME`
`Entity-country: COUNTRY_CODE`

The entity issuing the privacy policy. A name that contains a comma should escape the comma as `\,`. The country code should follow 2-letter ISO 3166-1.
The legal name of the entity issuing the privacy policy. The country code should follow 2-letter ISO 3166-1.

The current and historical mapping of hostname to entity can be used as a canonical key to associate privacy reputation or enforcement actions similar to a certificate authority. This proposal does not outline what a privacy authority would look like.

`Privacy-policy-text: URL`

Expand All @@ -98,6 +101,10 @@ This file format proposed fields to structure the consumer actions described in

Below a one-click URL refers to a URL that can process a request without requiring a customer password or login. The URL should take customer identification such as email and verify as necessary to complete the request.

It is allowed to have multiple conforming Action-* values for the same action.

An API standard to make privacy actions more toolable is not covered in this proposal. This proposal could be extended in the future to allow some well-defined API actions given there is at least one other non-assisted option available.

`Contact: mailto:EMAIL`

An email contact for the privacy office must be given. This email must be able to handle consumer requests via email where there is not an applicable `Action-*` field for the request. Responses can ask for additional verification but should not require customer password or login. If `Action-*` fields are defined for all applicable consumer requests, this email does not need to handle any requests. This proposal imagines companies would build self-service one-click URLs for all consumer actions as the most scalable outcome.
Expand Down

0 comments on commit 76083ad

Please sign in to comment.