Discussion of the issue is available in Issue 14. To file comments on this proposal, please raise new issues for each discrete comment in GitHub.

Where data can be lost due to user inactivity, users are warned at the start of a process about the length of inactivity that generates the timeout, unless the data is preserved for a minimum of 24 hours of user inactivity.

Privacy regulations may require explicit user consent before user identification has been authenticated and before user data is preserved. In cases where the user is a minor, explicit consent may not be solicited in most jurisdictions. Consultation with privacy professionals and legal counsel is advised when considering data preservation as an approach to satisfy this success criterion.