RE: Mapping DNT to GDPR

Hi Robin,

Let me say a few words speaking for myself, as an engineer, not claiming to ba a lawyer. Also, I am not joining the discussion with Peter on the same thread. I am not trying to do a legal assessment of DNT. I am just trying to put your question into context, based on my view of the articles.

ad 1. The intent, yes, but more specifically we should refer to consent under the ePR, which (most likely) is the same as consent under the GDPR. I say most likely, because the ePR must be read in conjunction with the GDPR when it comes to online tracking and  the ePR text is not final yet.

ad 2. The intent, yes, but the answer needs some clarification. Article 21 is about direct marketing, Article 21 should be read in conjunction with, e.g., recitals 69 and 70. Moreover, we should distinguish offline and online. Direct marketing is a concept that includes offline and online activities. Examples of offline direct marketing are, e.g., an advertising brochure, or a telemarketing call. Examples of online direct marketing are, e.g. direct marketing by email.In short, if a company presents a value proposition off-line, it may rely on the legal ground of legitimate interest and it has to offer an opt-out. For example, they can include an special telephone number, or e-mail address. Many countries have codes of conduct for, e.g., direct response advertising, direct marketing by email, telemarketing.See, e.g. FEDMA's code of conduct. 
However, if a company presents a value proposition via a digital channel, e.g., email, fax or text message, it requires prior consent and it has to offer the possibility to revoke consent. In short, for online direct marketing the 'right to object object' is not the right term. It is about revoking consent. In any case, companies must inform people how they can exercise their rights (opt-out or revoke consent). Note that in (most) online cases we are talking about an existing client relationship.Otherwise it may be just spam..In closing, publishers and third parties performing, e.g., behavioral online (re)targeting based on tracking techniques would require prior consent and they would have to offer its audience a way to easily revoke consent. DNT may contain the right building blocks to do parts of the consent job. It is clear however, that it cannot contain all that is needed for valid consent. Eg., the UI is left out of scope, and other forms of valid consent exist (e.g. out of bound consent in a customer loyalty program).

I hope this is helpful and answers your questions,.
Happy to take clarifying questions offline,
Kind regards,
Rob

-----Original message-----
From: Robin Berjon
Sent: Tuesday, October 10 2017, 5:07 pm
To: public-tracking-comments w3.org
Subject: Mapping DNT to GDPR

Dear TPWG,

I have walked through your documents and mailing list archives in search for an answer to my question but I cannot seem to find it. It is essentially two-fold and concerns the relationship between DNT and the GDPR from the point of view of a website. While I understand that legal questions may be tricky my understanding, which may be wrong, is that your current charter is designed to allow for better alignment with European privacy laws. I will therefore formulate my question in terms of use cases.

1) Is the intent of the Tracking Preference Expression that `DNT:0` would convey consent in the sense of GDPR Article 4, definition 11, and Article 7?

2) Is the intent of the TPE that `DNT:1` would convey a user's objection to processing in the sense of GDPR Article 21, specifically paragraph 5 concerning the "right to object by automated means using technical specifications".

Thank you very much for any information!

PS: Please do not read this message as indicating that the NYT will necessarily deploy DNT (or do so by the GDPR deadline); at this stage it is simply one aspect (amongst numerous others) that we are looking at.

-- 
Robin Berjon
The New York Times Company
Executive Director, Data Governance
robin.berjon@nytimes.com