Re: Mapping DNT to GDPR

Dear Aleecia,

Let’s stay focused on Robin’s questions. You only have to read Shane’s posts today on the Do Not Track forum to see the problem(s) that Robin is raising. This one in particular, which you were cc’d on: <https://lists.w3.org/Archives/Public/public-tracking/2017Oct/0040.html>. BTW I’m 100% in agreement with Shane.

DNT is irrelevant because ‘Meaningful Consent’ MUST be obtained prior to loading a web page. (Although many will use the legitimate interest loophole but that will be cancelled out by ePR dir.) You can send DNT:1 or 0 or leave it unset as part of the request header and in the EU it’s completely irrelevant because of the way the LAW is written. But be careful because now there are regional differences that can cause problems. Accurate location is a MUST or take the business risk and do a reverse IP lookup. On Mobile and VPN’s YMMV.

Now here’s where it gets really interesting, consent is contextual - there is NO MORE ‘Accept and Continue’, you have to pick (or maybe there will be an ‘all’ button like Shane says, which is permissible). Now let’s say you check boxes A and B, but leave C and D empty.

I access the same web page and click C and D and leave A and B empty - what happens next? According to the DNT protocol you cannot modify the DNT setting (change a 0 to a 1 or an unset to a 1), and you cannot use the extensions feature because that would be a global setting and there are no approved extensions yet.

So you have to write the answers somewhere where either the ad servers or the enterprise can read it… there are only three places:

1. On the client - remember here that people now use multiple devices so you have to track them all
2. On a consent server - they’re springing up all over the place
3. On the content origin server

You now have another decision to make - use a cookie or the (doesn’t exist yet) UGE exception database to store the record. You have to write it somewhere - your own protocol states the following: Section 6.1 of Tracking Preference Expression (DNT) - W3C Candidate Recommendation 07 September 2017 (<https://w3c.github.io/dnt/drafts/CRc-tracking-dnt.html#exception-overview>). This is being updated but there are NO changes to the section below:

A client-side database can be used for persistent storage of user-granted exceptions, such that permission to send DNT:0 is obtained by a site and stored via a JavaScript API. However, we only define the API (below); the choice of storage mechanism is left to each implementation. In comparison to the use of cookies to manage consent, an exception database and APIs provide more transparency and better user control, while also providing better persistence of those exceptions for sites.

Next please read this link: https://gdpr-info.eu/art-7-gdpr/ specifically this part…

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

And now you face your next problem based on how you solved the storage of the consent problem. Which will in all likelihood require a UI somewhere along the line so the consumer can access the record and delete it if he/she wants to. Which leads us into the next of Robin’s questions…

Is the intent of the TPE that `DNT:1` would convey a user's objection to processing in the sense of GDPR Article 21, specifically paragraph 5 concerning the "right to object by automated means using technical specifications".

How can it possibly do that? DNT=1 means Do Not Track, it doesn’t mean I object to this web site and the ads so remove me from the system and by the way find the record you stored on my device and delete it please.

And as I said above you’re now in a circular argument - you can’t do anything until the data controller/processor has obtained my consent. Based on that contextual consent different things are going to happen for different people. And then if 2 hours later I decide to object then I have the right as per GDPR Article 21 - para 5 to object by technical means. So how does the DNT protocol support the right to object? Where does it store that right? And how can the vendor appeal that right?

DNT was never designed with the GDPR/ePR Dir. in mind.

The huge difference is consent - in the US (there are no compliance fines) the Advertiser MAY ask for an exception based on what they see in the header (or not - in the case of 0 or unset). In the EU you MUST obtain consent. It’s all about MAY and MUST.

So based on MY location (even if I’m a US Citizen in Zurich using a US regional browser) you MUST ask for CONSENT regardless of what my DNT setting is - See Article 3 Clause 2. https://gdpr-info.eu/art-3-gdpr/

Which all points to one single fact - DNT settings are irrelevant in the EU because they cannot transmit contextual consent as part of the request.

But by all means prove me wrong. Build an EU use case that answers Robin’s questions and we can compare notes. Based on what Shane is writing about I feel confident in my responses.


Cheers,


Peter

Peter Cranstone
CEO, 3PHealth

COMS:
Mobile/Signal: +1 303-246-9954 / 303-809-7342 (UTC -6hrs)
Skype: cranstone
Website: www.3phealth.com (Healthcare Patient Engagement and Data Interoperability)
Website: www.3pmobile.com (Privacy by Design Platform for GDPR and ePrivacy reg.)

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain information that is confidential or legally privileged. Any unauthorized review, use, disclosure or distribution of such information is prohibited. If you are not the intended recipient, please notify the sender by telephone or return e-mail and delete the original transmission and its attachments and destroy any copies thereof. Thank you.

On Oct 13, 2017, at 2:35 PM, Aleecia M. McDonald <aleecia@aleecia.com> wrote:

No. Peter, claiming I agree with you when I have posted exactly the opposite conclusion is really over-the-top.

We’ve been over this many times before, as Peter well knows. Recall we’re talking EU region or not, and we do not need granularity like a street address. To recap just a few ways this can be accomplished:
- web browsers are typically released regionally; they know their users’ general location based on which browser version the user elected to download
- browser meta data typically contains language / region information; publishers get this data. For example, Firefox currently defaults to “English/United States [en-us]” for me.
- app stores often sell apps regionally and, as with browsers, therefore know well enough where their customers are
- IoT devices are often regional based on which bits of spectrum are available

And, of course, geoIP databases.

DNT and Right to be Forgotten are sufficiently orthogonal that I will save everyone’s time and not even respond to the rest. Yeesh.

Aleecia

On Oct 12, 2017, at 5:00 PM, Peter Cranstone <peter.cranstone@3phealth.com> wrote:

Hello Robin,

I would argue that DNT may NOT be used to fulfill GDPR consent requirements.

My argument is based on a single word - location, and in an ironic twist Aleecia agrees with me on this from her email below where she states…

unset - in the US, the user has not made a choice for privacy so it's ok to still track them.
      - in the EU, the user has not consented to tracking, so it's not ok to track them.

DNT does NOT convey location information so until you determine location the DNT signal has NO value. If you determine that the person is in the EU then you have to ask for meaningful consent. You may choose to make a best guess as to location but that is RISKY from a compliance standpoint - but that’s a business choice. At no time can you, could you or should you rely on any of the three DNT conditions because there is INSUFFICIENT data to make a decision. Location drives your decision.

Now let’s move on to the storage of consent. At the moment - the only practical choice you have is cookies.

Section 6.1 of Tracking Preference Expression (DNT) - W3C Candidate Recommendation 07 September 2017 (<https://w3c.github.io/dnt/drafts/CRc-tracking-dnt.html#exception-overview>). This is being updated but there are NO changes to the section below:

A client-side database can be used for persistent storage of user-granted exceptions, such that permission to send DNT:0 is obtained by a site and stored via a JavaScript API. However, we only define the API (below); the choice of storage mechanism is left to each implementation. In comparison to the use of cookies to manage consent, an exception database and APIs provide more transparency and better user control, while also providing better persistence of those exceptions for sites.

I completely agree with the spec in this regard.

The only appropriate way to store your consent is in an exception database because it provides ‘transparency and better user control’ - why is this important? The right to be forgotten. The consumer needs the ability to change their mind - wading through thousands of cookies in search of the right consent cookie does not meet the GDPR guidelines. As no current browser supports an exception database you will be forced to use cookies with a lot of explanation.

In closing I’m going to bring up one other section of the GDPR - Article 3 Clause 2… Territorial scope (<https://gdpr-info.eu/art-3-gdpr/>) which states…

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

Again we come back to location. If I land in Zurich and connect to a US web site then technically I’m under GDPR irrespective of whatever my DNT signal says (it’s irrelevant). Which means that all US web sites etc. will need to determine real time location. Real time location cannot be added to the DNT:1 signal because that would be a violation of my privacy (and because there are as of yet no agreed upon extensions - see this link: https://w3c.github.io/dnt/drafts/CRc-tracking-dnt.html#dnt-extensions).

So in another ironic twist you will have to determine exactly where I am, then based on that, ask for consent and then if I opt out - forget about me until I come back to the site and you can run a script to read the cookie to see what my consent settings were for your site. Of course if there is nothing there the process starts all over again.

In summary:

- DNT has NO value in the US as there is no enforceable compliance document (Equifax is a great example - zero fines).
- DNT has NO value in the EU as it cannot transmit location so it is essentially the equivalent of unset which means that no header was ever transmitted in the first place.

Privacy is contextual (my desire to share data), privacy depends on context (my location), privacy depends on identity.

My best,


Peter

On Oct 12, 2017, at 4:18 PM, Aleecia M. McDonald <aleecia@aleecia.com> wrote:

Hello Robin,

A co-author and I argue that DNT may be used to fulfill GDPR depending on how browsers work [1].

The W3C working group has designed DNT from the start to be a tri-part state.
DNT:1 - request not to be tracked
DNT:0 - agreement to be tracked
unset - in the US, the user has not made a choice for privacy so it’s ok to still track them.
      - in the EU, the user has not consented to tracking, so it’s not ok to track them.

This is related to the point Roy raised, but a little different. Basically tracking as opt-in v. opt-out flips based on where the user is located.

Roy’s point covers things like: it’s not ok for a general purpose browser to choose a setting for their users (i.e. IE). At a purist level it does not even matter if the browser spams DNT:1 or DNT:0 for users who did not elect it themselves; it will break *somewhere*, and it is merely the details of how things break that change based on where the user is.

The phrase “general purpose browser” above exempts things like privacy mode, or a plug-in for privacy, or a plug-in for more personalized ads and shopping suggestions. Those might reasonably send a specific DNT setting as part of how they serve their audience. But for all other general purpose browsers, if the user has not made a choice, don’t send a DNT signal.

Of course there are more details beyond this. I think Mike did a good job at the big picture so I’ll let that stand. Please feel free to contact me on or off list if I can be of assistance.

Aleecia
[1] Zuiderveen Borgesius, F. J., and McDonald, A. M. (2015). Do Not Track for Europe. 43rd Research Conference on Communication, Information and Internet Policy (Telecommunications Policy Research Conference), September 26, 2015. <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2588086>
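The two technical points the thread circles around are Aleecia's tri-state reading of the DNT header (1 / 0 / unset, with unset meaning different things inside and outside the EU) and Peter's point that a per-purpose, withdrawable consent record is something the header cannot carry and so has to live in a store of its own. The following is an added example, not code from either poster or from the TPE specification: a small server-side model of both. It assumes the EU/non-EU determination (`inEu`) is made elsewhere and passed in, and the purposes "A" to "D" are constructed placeholders standing in for the checkboxes in Peter's scenario. Whether DNT:1 should additionally be read as an Article 21(5) objection is the open question in the thread and is deliberately left out.

```javascript
// Added example (not from the thread or the TPE spec). Models:
//  - the DNT tri-state from the request header, and
//  - a per-subject, per-purpose consent record with withdrawal (Art. 7(3)).
// "inEu" is an input; how it is determined is out of scope here.

// Tri-state DNT parsing. The TPE field value is "1" or "0"; a missing
// header is "unset". Any other value is treated as not expressed.
function parseDnt(headerValue) {
  if (headerValue === "1" || headerValue === "0") return headerValue;
  return "unset";
}

// Constructed placeholder purposes standing in for the checkboxes A-D.
const PURPOSES = ["A", "B", "C", "D"];

class ConsentStore {
  constructor() {
    this.records = new Map(); // subjectId -> Map(purpose -> {granted, at})
  }

  // Record a contextual choice: listed purposes are granted, every other
  // purpose is explicitly recorded as refused at the same timestamp.
  record(subjectId, grantedPurposes, at) {
    const entry = new Map();
    for (const p of PURPOSES) {
      entry.set(p, { granted: grantedPurposes.includes(p), at });
    }
    this.records.set(subjectId, entry);
  }

  // Withdrawal must be as easy as giving consent and does not undo earlier
  // processing, so the change is recorded with its own timestamp.
  withdraw(subjectId, purpose, at) {
    const entry = this.records.get(subjectId);
    if (!entry || !PURPOSES.includes(purpose)) return false;
    entry.set(purpose, { granted: false, at });
    return true;
  }

  // Remove the whole record (the "find the record and delete it" case).
  erase(subjectId) {
    return this.records.delete(subjectId);
  }

  granted(subjectId, purpose) {
    const entry = this.records.get(subjectId);
    const v = entry && entry.get(purpose);
    return !!v && v.granted === true;
  }
}

// Decision for one request and one purpose. Outside the EU the header is
// honoured as an opt-out (DNT:1) and 0/unset permit processing. Inside the
// EU only a recorded grant for this purpose permits processing; the header
// value is never a substitute for it (DNT:0 without a record is refused).
function mayProcess({ dntHeader, inEu, store, subjectId, purpose }) {
  const dnt = parseDnt(dntHeader);
  if (inEu) return store.granted(subjectId, purpose);
  return dnt !== "1";
}

// Worked scenario from the thread: two subjects pick opposite purposes,
// then one of them withdraws a purpose two hours later.
function demo() {
  const store = new ConsentStore();
  store.record("alice", ["A", "B"], "2017-10-13T10:00:00Z"); // constructed
  store.record("bob", ["C", "D"], "2017-10-13T10:05:00Z");   // constructed
  const eu = (subjectId, purpose, dntHeader) =>
    mayProcess({ dntHeader, inEu: true, store, subjectId, purpose });
  const us = (subjectId, purpose, dntHeader) =>
    mayProcess({ dntHeader, inEu: false, store, subjectId, purpose });
  const before = {
    aliceA: eu("alice", "A", "0"),
    aliceC: eu("alice", "C", "0"),
    bobA: eu("bob", "A", "0"),       // DNT:0 does not stand in for consent
    bobC: eu("bob", "C", "0"),
    usUnset: us("carol", "A", undefined), // no record, header unset
    usDnt1: us("carol", "A", "1"),        // opt-out honoured
  };
  store.withdraw("alice", "B", "2017-10-13T12:00:00Z");
  return { ...before, afterB: eu("alice", "B", "0"), afterA: eu("alice", "A", "0") };
}
```

The store is keyed per subject and per purpose because a single consent bit cannot represent "A and B but not C and D", which is the shape the thread says a contextual choice takes; `withdraw` and `erase` are the two operations the Article 7 text quoted above requires to be as easy as granting.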

Received on Friday, 13 October 2017 21:25:29 UTC