New “Privacy.txt” File Format Proposed to Enhance Web Privacy

A groundbreaking draft presented by a collaboration of researchers and industry experts, introduces a new file format dubbed “privacy.txt” aimed at improving consumer privacy protections on the web.

This proposal, drafted by notable figures including Nick Sullivan, Louise Van der Peet, Georgios Smaragdakis from TU Delft, and Brien Colwell from BringYour, Inc. is currently under discussion within the IETF's Network Working Group.

Proposal overview

The privacy.txt initiative follows the structural footsteps of familiar web server files like robots.txt, security.txt, and ads.txt, residing within the root or /.well-known directory of a web server. The draft specifies that this new format will house structured data in three crucial areas:

• Complete Privacy Policy: The proposal calls for a machine-parsable complete privacy policy that is both accessible and straightforward, aiming to standardize how privacy policies are associated with web services. It suggests fields for the entity issuing the privacy policy, along with a static URL where the entire policy text can be downloaded, enhancing the transparency and accessibility of privacy terms.
• Consumer Rights Actions: To simplify and facilitate the exercise of privacy rights by consumers, the draft introduces specific fields for actions such as data deletion and opting out of data sharing. These are structured to allow easy, one-click solutions that don't require user login, thereby promoting a more user-friendly approach to privacy management akin to the simplicity seen in one-click unsubscribe features in emails.
• Cookie Disclosures: The format also aims to provide clear, auditable declarations of cookie use by a website. This includes detailed descriptions of each cookie, such as duration, whether it's a first or third-party cookie, and its security attributes, making it easier for users and tools to monitor and enforce cookie policy compliance.

Security considerations

The draft acknowledges potential risks, such as the ease of making irreversible privacy decisions due to the proposed one-click mechanisms. It suggests the possible inclusion of a grace period to allow users to undo actions in case of mistakes or security incidents.

As the document is set to expire on October 17, 2024, its authors are actively seeking feedback and contributions through their working group's mailing list and GitHub project. This period of discussion and refinement is crucial for addressing the community's security concerns and operational challenges.

For web operators and privacy officers, the introduction of privacy.txt offers a promising tool for aligning with global privacy regulations like GDPR and CPRA more effectively. By adopting this format, services can not only enhance their transparency and accountability but also potentially streamline their compliance processes.

Web operators are encouraged to participate in the ongoing discussions, review the draft, and consider how integrating a privacy.txt file could benefit their compliance strategies and consumer interactions.