Make tokens spec GDPR(-like) aware #9

Open
Noxitu opened this issue Nov 12, 2018 · 1 comment

Noxitu commented Nov 12, 2018

Hi,

I think it is impossible to design a replacement system without GDPR-like laws in mind. After all - a simple request to store a cookie is now regulated by law.

I think that GDPR use cases should be part of the design: maybe the token is optional, maybe the token is required and its usage is GDPR-compliant, or maybe the token is required and not compliant with your region. Maybe each generated token should also store some metadata about its purpose?

@michael-oneill

Whether the local law requires an opt-in or an opt-out, the user's informed choice has to be recorded. The information presented to them needs to be recorded somewhere, and the purpose metadata accessible so the user can review it, change their mind perhaps.

The Origin-Policy JSON resource could be used to store this metadata. The origin server could use the token (or cookie state) to dynamically return a URL of a page showing what purposes were shown to the user to gain their agreement, or a default purpose if in an opt-out regime. It would also list what storage was being used, session token use, cookie name, localStorage items etc., and the identity (e.g. company name) of the controller. An "opt-out" URL resource should be in the metadata so the UA at the user's behest can withdraw their consent. A POST (or DELETE?) to it would indicate a withdrawal of consent or an exercise of a right-to-object.

The opt-out resource could return a Clear-Site-Data header, so all storage is immediately deleted.
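
A sketch of the server side of the opt-out flow described in the comment above, added as an illustration and not part of the thread or of any spec. The record field names, the in-memory store and the sample token are assumptions; only the `Clear-Site-Data` header and its directive values are real.

```javascript
// Added illustration: field names, store and token value are hypothetical.
const consentRecords = new Map(); // token -> record (constructed sample data)
consentRecords.set("tok-123", {
  controller: "Example Ltd",
  purposes: ["session login"],
  storage: ["cookie:sid", "localStorage:prefs"],
  noticeUrl: "/consent/shown/tok-123", // page showing what the user was told
  optOutUrl: "/consent/opt-out",
  withdrawnAt: null,
});

// Metadata the user can review: purposes, storage in use, controller identity.
function consentMetadata(token) {
  const r = consentRecords.get(token);
  if (!r || r.withdrawnAt) return null; // a withdrawn token is no longer valid
  const { withdrawnAt, ...publicView } = r;
  return publicView;
}

// Handle a POST or DELETE to the opt-out resource.
function handleOptOut(method, token, now = new Date()) {
  if (method !== "POST" && method !== "DELETE") {
    return { status: 405, headers: { Allow: "POST, DELETE" } };
  }
  const r = consentRecords.get(token);
  // Record the withdrawal server-side so the token stops working even if the
  // browser ignores the header; the record itself is kept as evidence of the
  // user's choice.
  if (r && !r.withdrawnAt) r.withdrawnAt = now.toISOString();
  // Same response for known, unknown and already-withdrawn tokens: the call
  // is idempotent and does not reveal whether a token exists.
  return {
    status: 204,
    headers: {
      "Clear-Site-Data": '"cookies", "storage"', // directive values are quoted
      "Cache-Control": "no-store",
    },
  };
}
```

Browsers only act on `Clear-Site-Data` in responses delivered over a secure connection, which is why the withdrawal is also recorded on the server.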
