Re: Agenda: Global considerations F2F meeting 11-12 Berlin

And I want to emphasise that there is disagreement among the regulators on the interpretation of the cookies not requesting consent. The French, as an example, do not require consent for web analytics. Others do. I refer to this, because even Art. 29 WP states that web analytics (first party analytics) does not pose a privacy risk.

Very messy and we need to drill down to details, as the Directive is transposed differently across the EU/EEA.

Kind regards,
Kimon

----- Reply message -----
From: "Vinay Goel" <vigoel@adobe.com>
To: "Rigo Wenning" <rigo@w3.org>
Cc: "David Wainberg" <david@networkadvertising.org>, "Haakon Bratsberg" <haakonfb@opera.com>, "public-tracking-international@w3.org" <public-tracking-international@w3.org>
Subject: Agenda: Global considerations F2F meeting 11-12 Berlin
Date: Wed, Mar 6, 2013 6:10 pm



Hi Rigo

I agree with you that the EU law has not made distinctions between first and third parties, although some DPAs within the member states have given guidance on e-privacy that does create different rules when using data in a first vs third party setting. For example, the ICO has said that an implied consent model may be sufficient for website analytics, whereas an implied consent model likely isn't sufficient when using the data for cross-site advertising.

Adobe is not saying we're exempt from EU law. What I'm saying is that I expect many global companies will not be able to equate honoring DNT with ePrivacy compliance (because the law doesn't make the party distinctions that DNT does).  Because there's that disconnect, Adobe (and I expect other global companies) will not be able to completely switch how it processes DNT in the EU to make it equal to ePrivacy compliance. I expect global companies to honor the DNT signal the same way globally, and then take other steps to fill the gap between DNT and local law. In the EU example, that means honoring DNT as it relates to interest based cross-site advertising and then using a window shade/some other consent mechanism for use cases covered by law but not by DNT.

I don't think DNT will get rid of those ugly window shades for global companies unless the laws change. And understanding that changing the laws is highly unlikely, I think the window shades are going to stay (for global companies).

I think the worst outcome for consumers is when different companies treat DNT differently because consumers would not understand what their choice means.  I think your goal is admirable. But, I question the practicality when thinking about deployments. That's why I suggest we focus on what deployments look like, in particular how both global and local-only companies can implement DNT.

I look forward to your first session on Monday. I just want to make sure the group remembers: a) there is not consistency across the DPAs on what is currently required by ePrivacy; and b) how both global and local companies can implement DNT. I know there's a pending regulation that will hopefully reduce the inconsistencies across the member states; but as we know that regulation is a moving target as to what the consent requirements will be.

Vinay

Sent from my phone

On Mar 6, 2013, at 9:34 AM, "Rigo Wenning" <rigo@w3.org> wrote:

> Vinay,
>
> On Wednesday 06 March 2013 06:57:36 Vinay Goel wrote:
>> I don't think your statement "So everybody has to behave like a 3rd
>> party in DNT" is how it will play out.
>
> If you find a legal way of having first/third party distinction in the
> EU, I'd be interested in your argumentation. If we specify knowingly in
> contradictions to legal imperatives, IMHO we will not achieve what my
> goal here is.
>>
>> I don't expect most global companies to modify its web servers,
>> analytics practices, and onsite optimization services so that it will
>> treat itself as a first party on www.company.com, www.company.ch,
>> etc., but treat itself as a third party on www.company.uk.  It will
>> not be easy for a company to programmatically treat itself as a 3rd
>> party for its EU websites; especially when the site is
>> www.company.com/uk.  For global companies that set global policies
>> and need consistent systems/approaches/privacy policies across the
>> globe, I expect them to treat the DNT signal the same regardless of
>> market; and those global companies will do whatever they need to do
>> outside of DNT for legal compliance.
>
> This is interesting. I did not think a company would treat parts of
> itself as a third party. If the company is claiming "safe harbor" we are
> back to the question whether first/third party distinction is legally
> possible in Europe and as "safe harbour".
>>
>> I can't speak for other global companies, but I can speak for how
>> Adobe is considering its global compliance obligations.
>
> If Adobe is thinking that it isn't bound by EU compliance or safe
> harbor, Adobe will not benefit from global considerations, as this is
> trying to make EU compliance very easy for the Web - part of data
> processing.
>>
>> I still think a fair discussion at the Global Considerations workshop
>> is how companies actually plan to implement this globally.
>
> This is my goal. I want to find a viable easy solution. My benchmark is
> to achieve endorsement by the authorities with something that good faith
> companies consider (rather easily) implementable.
>
> Of course we will first have to discuss if other people share that goal
> or what the goal should be. I imagined the first session to do this. My
> plan was to present something and have people reflect on it and make
> their own suggestions. (mainly 13:30 - 15:00 on Monday)
>
> What do you think?
>
> --Rigo

Received on Wednesday, 6 March 2013 17:20:47 UTC