Re: Mapping DNT to GDPR

Hi All,

I’m following along with the current comments on public tracking DNT-WG, and I see that focus has now shifted to supporting GDPR AND the ePrivacy Reg with the latest request to add:

  *   “an optional DNT-extension string after EACH host name in the array when a site-specific grant is requested” - https://lists.w3.org/Archives/Public/public-tracking/2017Oct/0061.html

I have also reviewed Rob van Eijk’s presentation: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3003152 to ensure my comments below align - my focus from the presentation was slides 29, 30 and 31, although there is a wealth of other information in the deck. Especially slide 20, which shows you what an optional MUST have DNT-Extension will need to be capable of.

Summary:

  *   Based on the need to acquire meaningful consent PRIOR to using a data subject’s private data the optional DNT-extension string is NO longer an option, it is now a MUST for every party (based on the LIBE report)
  *   In the use case of the NYT there are 86 parties that will need to be added to the ‘array’, with consent agreed upon for each one by the user (in the EU there is no delineation between first and third parties, there is only consent)
  *   Each party MUST explain to the data subject exactly what data of theirs is being used and for what purpose
     *   Any other parties that the 86 parties share this data with, MUST be included in the discussion
  *   Once the user has indicated their consent status for all 86 parties (and any other parties) this data needs to be transmitted to the origin server and then communicated with all 86 parties in an agreed upon format (which is mentioned on the forum, but upon which there is no formal standardized agreement)
  *   All of this data MUST be stored on the data subject’s device so it can be read by a script the next time the user visits the site - which means that the UGE database is now back ‘in scope’ because the ability to revoke consent is required under ePrivacy Reg and GDPR.
  *   RE: Attaching the entire contents of the array/database to every DNT header.
     *   Attaching it to EVERY header is not recommended due to increased server loads and it will probably break caching as well - the protocol will have gone from a simple 8 bytes - DNT:1 to a very large number of bytes which is constantly changing based on each users consent, see the use case below.

Using the Bouncer Extension as a use case example for the DNT-Extension process:

Summary:

  *   Bouncer is the ONLY extension that implements DNT as per the current CR spec
     *   Current issues:
        *   It only supports one browser
        *   There is no mobile support
        *   As per Rob’s slide deck slide 29, the browser extension MUST allow for:
           *   Consent: Initiated by publisher/embedded resource NOT by the initial DNT signal
           *   Revocation: Initiated by user
  *   Use case:
     *   The user types into their browser www.nytimes.com
     *   Bouncer loads a page with all 86 parties listed and their explanation as to the use of your data (see LIBE report note above)
     *   The user indicates consent or no consent - nothing can be communicated to or from the device during this process - the transaction is essentially paused
     *   Bouncer then can write this to the UGE database and then communicate all of the information back to the nytimes.com site - this is legally binding
     *   The nytimes.com site shares those consent settings with all parties who modify their responses accordingly
     *   The nytimes.com site sends a refreshed page to the consumer
  *   Two days later the user opens up Bouncer and goes to their nytimes.com consent settings
     *   They proceed to modify their settings and click submit to store their changes
     *   Bouncer writes the information to the database and then the next time the nytimes.com site is requested they use a script to read the contents of the database and then start the process of communicating the changes to the ‘parties’ prior to loading a refreshed page based on these new settings
  *   Seven days later the user opens up Bouncer and goes to their nytimes.com settings
     *   They have decided they want the right to be forgotten
     *   They click on the option to be forgotten and then click submit
     *   Bouncer writes the information to the database (optionally sends this data to the nytimes.com site AND ALL of the parties acknowledge it (GDPR requirement)) or:
        *   The user visits the nytimes.com web site - which reads the database and sees that this user wants to be forgotten
        *   The nytimes.com site acknowledges this request, writes to the Bouncer database that it is acknowledged, and then sends a refreshed generic page to the user

Conclusion:

  *   Severe user fatigue
  *   Severe user experience issues
  *   Major user interface issues as OEMs figure out how to simplify the UGE database
  *   Major extension format issues as all parties MUST agree upon a format that covers ALL types of data
  *   An incredible amount of server traffic and ad network code updates ALL of which have legal risk associated with them
  *   As frustration mounts, data subjects simply opt out of everything - equivalent to DNT:1 for everything - ad rates plummet

GDPR AND ePrivacy regulation enforcement starts on May 25, 2018

  *   218 days from now
  *   150 work days from now


Peter

Peter Cranstone
CEO, 3PHealth

COMS:
Mobile/Signal: +1 303-809-7342 UTC -6hrs
Skype: cranstone
Website | www.3phealth.com  (Healthcare Patient Engagement and Data Interoperability)
Website | www.3pmobile.com (Privacy by Design Platform for GDPR and ePrivacy reg.)

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain information that is confidential or legally privileged. Any unauthorized review, use, disclosure or distribution of such information is prohibited. If you are not the intended recipient, please notify the sender by telephone or return e-mail and delete the original transmission and its attachments and destroy any copies thereof. Thank you.
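
To make the consent flow in the use case above concrete, here is an added example written for this thread; it is my code, not code from any message, from the Bouncer extension or from the TPE spec. It models a per-site user-granted-exception (UGE) store with the three states the use case walks through (granted, revoked, forgotten plus acknowledgement) and derives the DNT request header for each site/party pair the way the Tracking Preference Expression defines the field: a single "0" or "1", optionally followed by extension characters. It also builds the header the message argues against, with the whole grant array of a site serialised into every request, so the two sizes can be compared. All host names and the 86-party list are constructed placeholders, and the extension-character check is my reading of the TPE field grammar (printable ASCII without space, double quote, comma or backslash); treat that regex as an assumption rather than the spec text.

```javascript
// Added example (not code from the thread, from Bouncer, or from the TPE spec).
// Models a per-site UGE store and the DNT header derived from it. Host names
// and the party list are constructed placeholders.

// Assumed reading of the TPE DNT-extension grammar: printable ASCII except
// space, double quote, comma and backslash.
const EXTENSION_RE = /^[\x21\x23-\x2B\x2D-\x5B\x5D-\x7D]*$/;

// Consent states the use case walks through.
const STATE = Object.freeze({
  GRANTED: "granted",     // user consented to this party on this site
  REVOKED: "revoked",     // consent withdrawn, initiated by the user
  FORGOTTEN: "forgotten", // erasure requested; the party must acknowledge it
});

class ConsentStore {
  constructor() {
    // site -> Map(party -> { state, extension, acknowledged })
    this.sites = new Map();
  }

  // Record the user's decision for one party on one site.
  record(site, party, state, extension = "") {
    if (!Object.values(STATE).includes(state)) throw new Error(`unknown state: ${state}`);
    if (!EXTENSION_RE.test(extension)) throw new Error(`invalid DNT extension: ${extension}`);
    if (!this.sites.has(site)) this.sites.set(site, new Map());
    this.sites.get(site).set(party, { state, extension, acknowledged: false });
  }

  // Last step of the use case: the site/party confirms the erasure request.
  acknowledgeErasure(site, party) {
    const entry = this.sites.get(site)?.get(party);
    if (!entry || entry.state !== STATE.FORGOTTEN) return false;
    entry.acknowledged = true;
    return true;
  }

  // Header value for one request that a page on `site` makes to `party`.
  // Only a granted entry turns the signal to 0; revoked, forgotten and
  // unknown parties fall back to the user's global preference.
  dntHeaderFor(site, party, globalPreference = "1") {
    const entry = this.sites.get(site)?.get(party);
    if (entry && entry.state === STATE.GRANTED) return `DNT: 0${entry.extension}`;
    return `DNT: ${globalPreference}`;
  }

  // The alternative the message argues against: the site's whole grant
  // array serialised into every request header (format is constructed).
  bulkHeaderFor(site) {
    const entries = this.sites.get(site) ?? new Map();
    const grants = [...entries].map(
      ([party, e]) => `${party}=${e.state === STATE.GRANTED ? "0" : "1"}${e.extension}`
    );
    return `DNT: 1;grants=${grants.join(",")}`;
  }

  // Erasure requests the site has not yet acknowledged.
  pendingErasures(site) {
    const entries = this.sites.get(site) ?? new Map();
    return [...entries]
      .filter(([, e]) => e.state === STATE.FORGOTTEN && !e.acknowledged)
      .map(([party]) => party);
  }
}

// Bytes on the wire for one header line, CRLF included.
function headerBytes(value) {
  return new TextEncoder().encode(`${value}\r\n`).length;
}

// Walk the use case with 86 constructed parties and return both header sizes.
function demo() {
  const site = "news.example";
  const parties = Array.from({ length: 86 }, (_, i) => `party-${i + 1}.example`);
  const store = new ConsentStore();
  parties.forEach((p) => store.record(site, p, STATE.GRANTED));
  store.record(site, parties[0], STATE.REVOKED);    // day two: consent revoked
  store.record(site, parties[1], STATE.FORGOTTEN);  // day seven: right to be forgotten
  store.acknowledgeErasure(site, parties[1]);        // site acknowledges the erasure
  return {
    store,
    site,
    parties,
    perRequestBytes: headerBytes(store.dntHeaderFor(site, parties[2])),
    bulkBytes: headerBytes(store.bulkHeaderFor(site)),
  };
}
```

Resolving the grant on the client, per request, keeps every header at the size the message cites (a "DNT: 0" or "DNT: 1" line with CRLF is 8 bytes) whatever the length of the party list, while the bulk form grows with every party and changes whenever a single consent flips, which is what defeats caching. The `pendingErasures` list is the piece a revocation or erasure flow has to track: a request is not settled until the other side has acknowledged it.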





On Oct 19, 2017, at 9:13 AM, Rob van Eijk <rob@blaeu.com> wrote:

See also my presentation 'on browser settings, cookies, and (not) being tracked by digital advertisements' to the Working Party on Telecommunications and Information Society of the Council of the European Union. The slides are on SSRN.



https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3003152




Rob
-----Original message-----
From: Rob van Eijk
Sent: Thursday, October 19 2017, 4:51 pm
To: Rob van Eijk; Robin Berjon; public-tracking-comments w3.org
Subject: RE: Mapping DNT to GDPR

FYI:



Today's vote on the LIBE report of the ePrivacy Regulation is important for DNT. Article 8 (d) contains an opt-out for audience measurement. It is an angle DNT may play an important role. Two points that relate to Robin's question.



"If it is technically necessary for measuring the reach of an information society service requested by the user; provided that such measurement is carried out by the provider or on behalf of the provider, or by a web analytics agency acting in the public interest including for scientific purpose; that the data is aggregated and the user is given the possibility to object; and further provided that no personal data is made accessible to any third party and that such measurement does not adversely affect the fundamental rights of the user; Where audience measuring takes place on behalf of an information society service provider, the data collected shall be kept separate from the data collected in the course of audience measuring on behalf of other providers;"



Another interesting element I picked up is that DNT is still a key element.



Article 10 "For the purpose of (...) giving or withdrawing consent pursuant to Article 9(2) of this (ePrivacy) Regulation, and objecting to the processing of personal data pursuant to Article 21(5) of the GDPR, the settings shall lead to a signal based on technical specifications which is sent to the other parties to inform them about the user's intentions with regards to consent or objection. The signal shall be legally valid and be binding on, and enforceable against, any other party."



The ePR text is not final yet, but this is an important milestone in the legislative process.



Rob



-----Original message-----
From: Rob van Eijk
Sent: Monday, October 16 2017, 10:37 pm
To: Robin Berjon; public-tracking-comments w3.org
Subject: RE: Mapping DNT to GDPR

Hi Robin,

Let me say a few words speaking for myself, as an engineer, not claiming to be a lawyer. Also, I am not joining the discussion with Peter on the same thread. I am not trying to do a legal assessment of DNT. I am just trying to put your question into context, based on my view of the articles.

ad 1. The intent, yes, but more specifically we should refer to consent under the ePR, which (most likely) is the same as consent under the GDPR. I say most likely, because the ePR must be read in conjunction with the GDPR when it comes to online tracking and the ePR text is not final yet.

ad 2. The intent, yes, but the answer needs some clarification. Article 21 is about direct marketing; Article 21 should be read in conjunction with, e.g., recitals 69 and 70. Moreover, we should distinguish offline and online. Direct marketing is a concept that includes offline and online activities. Examples of offline direct marketing are, e.g., an advertising brochure, or a telemarketing call. Examples of online direct marketing are, e.g., direct marketing by email. In short, if a company presents a value proposition off-line, it may rely on the legal ground of legitimate interest and it has to offer an opt-out. For example, they can include a special telephone number, or e-mail address. Many countries have codes of conduct for, e.g., direct response advertising, direct marketing by email, telemarketing. See, e.g., FEDMA's code of conduct.
However, if a company presents a value proposition via a digital channel, e.g., email, fax or text message, it requires prior consent and it has to offer the possibility to revoke consent. In short, for online direct marketing the 'right to object' is not the right term. It is about revoking consent. In any case, companies must inform people how they can exercise their rights (opt-out or revoke consent). Note that in (most) online cases we are talking about an existing client relationship. Otherwise it may be just spam. In closing, publishers and third parties performing, e.g., behavioral online (re)targeting based on tracking techniques would require prior consent and they would have to offer their audience a way to easily revoke consent. DNT may contain the right building blocks to do parts of the consent job. It is clear however, that it cannot contain all that is needed for valid consent. E.g., the UI is left out of scope, and other forms of valid consent exist (e.g. out of band consent in a customer loyalty program).

I hope this is helpful and answers your questions.
Happy to take clarifying questions offline,
Kind regards,
Rob

-----Original message-----
From: Robin Berjon
Sent: Tuesday, October 10 2017, 5:07 pm
To: public-tracking-comments w3.org
Subject: Mapping DNT to GDPR

Dear TPWG,

I have walked through your documents and mailing list archives in search of an answer to my question but I cannot seem to find it. It is essentially two-fold and concerns the relationship between DNT and the GDPR from the point of view of a website. While I understand that legal questions may be tricky, my understanding, which may be wrong, is that your current charter is designed to allow for better alignment with European privacy laws. I will therefore formulate my question in terms of use cases.

1) Is the intent of the Tracking Preference Expression that `DNT:0` would convey consent in the sense of GDPR Article 4, definition 11, and Article 7?

2) Is the intent of the TPE that `DNT:1` would convey a user's objection to processing in the sense of GDPR Article 21, specifically paragraph 5 concerning the "right to object by automated means using technical specifications"?

Thank you very much for any information!

PS: Please do not read this message as indicating that the NYT will necessarily deploy DNT (or do so by the GDPR deadline); at this stage it is simply one aspect (amongst numerous others) that we are looking at.

--
Robin Berjon
The New York Times Company
Executive Director, Data Governance
robin.berjon@nytimes.com

Received on Thursday, 19 October 2017 16:11:41 UTC