2.2.6: Timeouts [AAA]
Description
Users are warned of the duration of any user inactivity that could cause data loss, unless the data is preserved for more than 20 hours when the user does not take any actions.
Note
Privacy regulations may require explicit user consent before user identification has been authenticated and before user data is preserved. In cases where the user is a minor, explicit consent may not be solicited in most jurisdictions, countries or regions. Consultation with privacy professionals and legal counsel is advised when considering data preservation as an approach to satisfy this success criterion.
Sufficient Techniques
Sufficient Techniques for Success Criterion 2.2.6
Note: Other techniques may also be sufficient if they meet the success criterion. See Understanding Techniques.
- Set the session timeout to occur only after at least 20 hours of inactivity.
- Store user data for more than 20 hours.
- Provide a warning of the duration of user inactivity at the start of a process.
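The following is an added example, not W3C or WCAG technique code, showing how the second and third techniques and the 20-hour exception in the description translate into client-side logic: a warning string built from the configured inactivity timeout, an idle-state tracker that tells the page when to show the warning, and a draft store that preserves form input for longer than 20 hours independently of the authenticated session. Keeping the draft separate from the session matters in practice: the first technique (a session that survives 20 hours of inactivity) conflicts with the short idle timeouts normally applied to authenticated sessions, whereas preserving the data lets the session keep its security timeout while still satisfying the criterion. All class, function and field names below (`InactivityTracker`, `DraftStore`, `MemoryStorage`, the allow-listed field names) are this example's own assumptions, and the storage abstraction stands in for `localStorage` so the code runs outside a browser.

```javascript
// Added example (not W3C code): inactivity warning, idle-state tracking and
// draft preservation for a web form, as one way to meet SC 2.2.6 Timeouts.
// Names and the storage interface are this example's own assumptions.

const HOUR_MS = 60 * 60 * 1000;
// Threshold from the criterion: if data survives more than 20 hours of
// inactivity, no inactivity warning is required.
const PRESERVE_THRESHOLD_MS = 20 * HOUR_MS;

// Render a duration in units a user will understand ("20 hours", "15 minutes").
function formatDuration(ms) {
  if (ms >= HOUR_MS) {
    const h = ms / HOUR_MS;
    return `${Number.isInteger(h) ? h : h.toFixed(1)} hour${h === 1 ? "" : "s"}`;
  }
  const m = Math.max(1, Math.round(ms / 60000));
  return `${m} minute${m === 1 ? "" : "s"}`;
}

// Text shown at the start of a process. Returns null when the exception applies
// (data preserved for strictly more than 20 hours), i.e. no warning is required.
function inactivityWarning(idleTimeoutMs, preservedForMs) {
  if (preservedForMs > PRESERVE_THRESHOLD_MS) return null;
  return `If you are inactive for ${formatDuration(idleTimeoutMs)}, ` +
         `your session will end and unsaved entries will be lost.`;
}

// Tracks idle time against the session's inactivity timeout. `now` is injected
// for testability; in a browser, call touch() from input/keydown/pointer handlers.
class InactivityTracker {
  constructor({ idleTimeoutMs, warnBeforeMs, now = Date.now }) {
    this.idleTimeoutMs = idleTimeoutMs;
    this.warnBeforeMs = warnBeforeMs;
    this.now = now;
    this.lastActivity = now();
  }
  touch() { this.lastActivity = this.now(); }
  remainingMs() {
    return Math.max(0, this.idleTimeoutMs - (this.now() - this.lastActivity));
  }
  // "active" | "warn" (warning dialog should be visible) | "expired"
  state() {
    const remaining = this.remainingMs();
    if (remaining === 0) return "expired";
    if (remaining <= this.warnBeforeMs) return "warn";
    return "active";
  }
}

// Preserves form input independently of the authenticated session, so the
// session can keep a short security timeout while the user's work survives
// for more than 20 hours. `storage` is anything with getItem/setItem/removeItem
// (localStorage in a browser). Only allow-listed fields are saved: client-side
// storage is readable by any script on the origin, so secrets such as
// passwords or card numbers must never be drafted there.
class DraftStore {
  constructor(storage, { ttlMs = PRESERVE_THRESHOLD_MS + HOUR_MS, now = Date.now, allowedFields } = {}) {
    if (ttlMs <= PRESERVE_THRESHOLD_MS) {
      throw new RangeError("ttl must exceed 20 hours to rely on the SC 2.2.6 exception");
    }
    this.storage = storage;
    this.ttlMs = ttlMs;
    this.now = now;
    this.allowedFields = new Set(allowedFields || []);
  }
  save(key, fields) {
    const data = {};
    for (const [name, value] of Object.entries(fields)) {
      if (this.allowedFields.has(name)) data[name] = value;
    }
    const savedAt = this.now();
    this.storage.setItem(key, JSON.stringify({ savedAt, expiresAt: savedAt + this.ttlMs, data }));
    return data;
  }
  load(key) {
    const raw = this.storage.getItem(key);
    if (raw === null) return null;
    let record;
    try { record = JSON.parse(raw); } catch (e) { this.storage.removeItem(key); return null; }
    if (typeof record.expiresAt !== "number" || record.expiresAt <= this.now()) {
      this.storage.removeItem(key); // stale or malformed draft: discard, never trust
      return null;
    }
    return record.data;
  }
}

// Minimal in-memory stand-in for localStorage so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}
```

In a page, `inactivityWarning` would be rendered before the first field of a multi-step form, `touch()` would be wired to user input events, and `state()` polled on a timer to open the warning dialog; `DraftStore.save` would run on each change and `load` on page entry. Note that a draft preserved client-side is only as durable as the browser profile, so a server-side draft keyed to the authenticated user is the more robust way to rely on the 20-hour exception when the form handles data the user cannot easily re-enter.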