-
Notifications
You must be signed in to change notification settings - Fork 60
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[VK Company Feedback] Privacy policy on FPS domains #72
Comments
Thanks for the feedback! As we think about how to operationalize the policy, we’ll take this into consideration. For now, I'm tagging this issue with the ua_policy label and leaving it open. |
(Updated to simplify) The privacy policy that is shared with users (which sites typically do by adding a regular link to at least the home page, possibly other pages) needs to be the same as the privacy policy that is checked by the IEE. If the IEE looked for a privacy policy under Sites might have technical differences (template packages, JS bundling, and so on) that might make privacy policy pages not an exact match even if the privacy policy text is the same. In that case the site should be able to indicate the privacy policy text to be checked by adding an HTML From an ease of implementation point of view: some sites are already required to disclose privacy policy URLs to government organizations, customers, or industry self-regulatory groups, so it would be better to not make sites move their privacy policy. The IEE's privacy policy checker could then:
(That way, if two FPS member sites already have identical privacy policies linked to from their homepages, they wouldn't have to change anything, otherwise the extra work to indicate the policy to be checked would be minimal) |
What if the page isn't in English? Also, some company's privacy policies may change frequently with minor corrections or adjustments, but that shouldn't require a new certificate from the IEE unless the changed text is related to privacy guarantees that are relevant to FPS. Perhaps the IEE could identify key paragraphs and as long as those paragraphs remain unchanged, a review is not required until renewal time as long as all FPS sites use the same, updated policy? As another option, we could have the IEE hash the policy(s) it has checked. On a first visit to an FPS, the browser could locate the privacy policy, hash it and verify the hash with the IEE. If it differs, it would send a copy of the policy to the IEE (in case the site is presenting a different version to the IEE than it is to regular users). The IEE would then add the hash of that policy to its list of hashes for the site so that other browsers would not need to also forward a copy. The IEE could asynchronously perform an automated comparison of the new policy to the original policy and flag a review if too much or critical sections have changed. |
@RussStringham Good point. If the privacy policy is available in multiple languages
One way to handle this would be to put all languages on the same page. Or the The question about what privacy policy changes are and aren't relevant to FPS would be a matter for the IEE to make a judgment call on, and there is already a lot of responsibility on the IEE. If the FPS members are truly under common controllership, it should be feasible for the set controller to bring all privacy policy pages up to date in a short time. Having browsers report the hash of the privacy policy to the IEE could be useful. (The IEE would probably crawl from confidential, residential IP addresses to avoid "cloaking" by invalid sets) |
I'm having hard time imagining how this could be automated without creating special html markup or enforcing special usage of existing markup, given that websites could be on different languages, with different links, etc. Also it isn't clear who exactly is going to parse all the websites, browsers or third-party entities. But in any case, it sounds like such a thing would require its own specification.
It might be better if common privacy policy would be provided in .well-known endpoints and browsers would display it consistently in their UI for FPS websites.
The text was updated successfully, but these errors were encountered: