When using a different TPS, the URI for the policy document is not mandatory in the response

[wvholst]

This is an inconsistency in the TPE.

[npdoty]

Can you add more detail? What is a "TPS"? What possible changes are you suggesting?

[wvholst]

Tracking Policy Specification. Basically the compliance specification.

[npdoty]

Currently the spec includes an optional compliance property in the tracking status resource: https://www.w3.org/TR/tracking-dnt/#rep.compliance

Can you tell us what change you're asking for with this issue? Do you think the compliance property should be mandatory rather than optional? Can you give an explanation of why the Working Group should reverse its decision on that point?

[wvholst]

I am asking for making this property mandatory since leaving it empty will leave the UA with uncertainty regarding the actual policy implications of an affirmative response to DNT:1

[royfielding]

But that's exactly what an empty compliance property is supposed to mean. Effectively, it means the user will have to read the site's privacy policies because the site does not comply with a named standard. A user agent is free to do with that information as it wishes.

Making the compliance property mandatory would mean the communication ends if no standard is met, which would be a hopeless situation given the absence of current compliance standards.

[mschunte2]

Hi Roy,
IMHO having a pointer to the privacy policy is better than an empty field. This would allow the user agent to keep information like "this link explains what you consented to".

I see your point that this will initially create to an unlimited number of links that are neither machine readable nor standardized. However, if useful standards evolve (which I hope) then it gets more likely that the URL point to a well-known URL. In this scenario, say 20% of sites point to the W3C policy, 15% to EFF, another 10% to a new EU policy, and the other 55% are pointers to other standards, policies, URLs that are just recorded or may also just be deemed untrusted.

Why would such a scenario not work from your perspective?

[royfielding]

We already have a policy property, which defaults to controller if not present, which in turn defaults to the site's domain if not present.

I don't think it is useful to make additional TSR properties required in TPE because they just supply information beyond what is required by the protocol itself. If the site wants to provide that information, it will supply the appropriate property.

[royfielding]

policy is now mandatory in some cases