Re: Compliance issues

Aleecia and colleagues,

Unfortunately, I am unlikely to be on call today, but am glad to tackle the writing assignment, Issue-6.

Best regards,
John

----------------
John M. Simpson
Consumer Advocate
Consumer Watchdog
Tel: 310-392-7041
 

On Dec 7, 2011, at 2:54 AM, "Aleecia M. McDonald" <aleecia@aleecia.com> wrote:

> As we have discussed for a few weeks on calls, we are moving forward by each taking on some small bits of text to draft. Below are issues assigned to some people I think would do a great job with a first pass at writing a quick draft, plus another set of eyes to take a look before final text goes to the mailing list. I have also included a little bit of context to think about, though of course you are free to head in a different direction.
> 
> There are a few people active in the TPWG discussions who are not listed as members (seehttp://www.w3.org/2000/09/dbwg/details?group=49311&public=1). I went with the official list, and grit my teeth over a few issues I wanted to assign to people in particular who are not yet members. I hear there are a few who are very close, and I look forward to fast resolution. 
> 
> 	First drafts: 14 December
> 	Editing: 21 December
> 
> When the first draft is complete, please email it to the editor by 14 December. When edits are complete, please send the text to the mailing list by 21 December with the "issue-<number>" in the subject line. If the person drafting text and the person editing do not agree, that's fine, just present some alternatives for the group to consider. This will allow us to get through this phase before the winter holidays. Ideally I will be thinking about DNT while you all get a break.
> 
> The idea here is to generate starting points for discussion. Do not worry about getting everything perfect, just put a quick draft together. Please use the enclosed template to help editors in their task of turning this into one document for group review. Note that the template text is then followed by a small example so you can see the basic idea. I highly encourage you to re-read the FPWD section where your issue fits in, plus any discussion captured in the issue itself.
> 
> <template.txt>
> 
> 
> Thank you all for your help as we make some progress on issues we have not spent as much time on. Please let me know if you have any questions or concerns, either by email or on the call tomorrow. 
> 
> 	Aleecia
> 
> -------
> 
> Issue-6, What are the underlying concerns? 
> 	Draft: John Simpson
> 	Edit: Kevin Trilli
> In particular, we had feedback that we do not mention users are concerned about tracking. Take a look at the FPWD to see where issue-6 fits in, and please add to the existing text already there. You might add a couple of paragraphs with a little bit of history on DNT and pointers to places where it is documented that users are concerned. If I were doing this, I would not attempt to wade into what those concerns are, per se, since that could be a novella, and I doubt we will reach internal consensus.
> 
> Issue-14, How does what we talk about with 1st/3rd party relate to European law about data controller vs data processor?
> 	Draft: Frank Wagner
> 	Edit: Rob van Eijk
> It is possible this issue is too early to take up while the 1st party discussion is still on-going. But is basic current approach where agents of third parties that are bound to use data on behalf of the first party only close enough to a European approach? Are there implications for how we phrase things, and particularly the definitions section?
> 
> Issue-15, What special treatment should there be for children's data?
> 	Draft: Ted Leung
> 	Edit: Paddy Underwood
> US Congress seems more interested in regulating/legislating for children To summarize prior discussions: one possible answer to this is "nothing at all". We could try to identify children, which seems unproductive if not dangerous. Or we could follow the general path of COPPA in that DNT might be somehow different for sites that typically interact with children under a certain age. Or something entirely different. We have not taken this up as a group very much. 
> 
> Issue-30, Will Do Not Track apply to offline aggregating or selling of data?
> 	Draft: Peter Eckersley
> 	Edit: MeMe Rasmussen
> Given we appear to be moving to a view that any company claiming first party status must not sell user data, that sounds like at least some limitation with selling data to offline parties. Should the same restriction apply to third parties? From the other direction, any restrictions on "enhanced data" with purchasing offline data and combining with online data? We have not taken this up as a group.
> 	
> Issue-31, Minimization -- to what extent will minimization be required for use of a particular exemption? (conditional exemptions)
> 	Draft: Kevin Smith
> 	Edit: Sue Glueck
> As with other issues, the answer issue-31 could be "not at all". Or it could be that exemptions only apply if data is held no longer than a certain amount of time. Or some exemptions could have minimization requirements, while others do not, or have different requirements. And if there are minimization requirements, what does that entail: what steps must companies take?
> 
> Issue-32, Sharing of data between entities via cookie syncing / identity brokering
> 	Draft: Brett Error
> 	Edit: Vincent Toubiana
> This came up on the first day in Santa Clara and we have not discussed it since. See http://www.w3.org/2011/09/21-dnt-minutes.html for the discussion we had at the time. 
> 
> Issue-35, Issue-52, Issue-53, Issue-56, Issue-57, Issue-58
> 		How will DNT interact with existing opt-out programs (industry self-reg, other)?
> 		What if conflict between opt-out cookie and DNT?
> 		How should opt-out cookie and DNT signal interact?
> 		What if DNT is unspecified and an opt-out cookie is present?
> 		What if an opt-out cookie exists but an "opt back in" out-of-band is present?
> 		What if DNT is explicitly set to 0 and an opt-out cookie is present?
> 	Draft: Kimon Zorbas
> 	Edit: Sid Stamm
> These issues are sufficiently interrelated that I think it makes sense to take them on as one block. The basic idea here is what happens with a company that is part of an industry self-regulatory opt-out program? If DNT status and opt-out cookie status conflict, which one should prevail? 
> 
> Issue-22, Still have "operational use" of data (auditing of where ads are shown, impression tracking, etc.)
> 	Draft: Sid Stamm
> 	Edit: Shane Wiley
> This issue is a request for additional exemptions for advertising billing and operations. The risk in one direction is we wind up with advertisers collecting exactly the same data they do today, which will almost certainly result in scathing press coverage and privacy advocates coming out against DNT, perhaps also not be strong enough to avoid regulation. In the other direction we risk creating substantial barriers to adoption by requiring companies re-architect their systems, and perhaps change business models. Is there a middle ground? 
> 
> Issue-23 and Issue-34,
> 		Possible exemption for analytics
> 		Possible exemption for aggregate analytics
> 	Draft: David Singer
> 	Edit: Jonathan Mayer
> Here we have something invisible and unknown to users, but have strong business interests in the resulting data. Google analytics offers an opt-out. Can carefully designed aggregate data be sufficient for both business use cases and user privacy?
> 	
> Issue-24, Possible exemption for fraud detection and defense
> 	Draft: Elise Berkower
> 	Edit: Peter Eckersley
> This is non-trivial. At the Princeton workshop we heard all data must be collected and kept indefinitely, just in case some day it might be used for anti-fraud measures. We also heard that fraud has historically been used as an excuse to justify data collection that then winds up out of the collector's control, by lawsuit or law enforcement, and must be narrowly scoped. We have not taken up this issue as a group. What seems like a reasonable balance? Do we know of any use cases where DNT would change any current practices?
> 
> Issue-25 and Issue-74, 
> 		Possible exemption for research purposes
> 		Are surveys out of scope?
> 	Draft: Kathy Joe
> 	Edit: Alexandros Deliyannis
> Is this something that can be handled on a site-specific exemption ("opting back in") basis? If not, what use case illustrates why not, and, what proposal will address that use case in a way that will not violate user expectations?
> 
> Issue-28, Exception for mandatory legal process
> 	Draft: Elise Berkower
> 	Edit: Bryan Sullivan
> Presumably DNT does not ask entities to break laws, and we might want some text along those lines. Are there ways in which sites should communicate with users about any places where laws conflict with DNT compliance? If so, how? Any implications for when new laws come into force?
> 
> Issue-36, Should DNT opt-outs distinguish between behavioral targeting and other personalization?
> 	Draft: JC Cannon
> 	Edit: Joanne Furtsch
> Another question where the answer might just be "no". If yes, how, where, and why?
> 
> Issue-39, Tracking of geographic data (however it's determined, or used)
> 	Draft: Shane Wiley
> 	Edit: David Singer
> We have talked about this as a group a few times, and it seems as though consensus is likely to fall somewhere between it's ok to identify country of origin and it's not ok to go to zip-plus-four level. The final details, and how we express that in an international context, has not been put into text.
> 
> Issue-54, Can first party provide targeting based on registration information even while sending DNT
> 	Draft: Adrian Bateman
> 	Edit: Vikram Malaiya
> See also issues 71 and 65, and note that this applies to first parties. If a user registers with a site, but is not currently logged in, is that registration information still something companies can use even with DNT?  
> 
> Issue-65, How does logged in and logged out state work
> 	Draft: Andy Zeigler
> 	Edit: Thomas Lowenthal
> Much of the discussion around DNT assumes a lower concern for users who understand they are interacting with a given party. Does logging in change their DNT status? What if that log in is in a different tab or buried window? How long may that login status reasonably persist? If logging in does not change their DNT status, how do use cases work there (site-specific exemption, something else?)
> 
> Issue-71, Does DNT also affect past collection or use of past collection of info?
> 	Draft: Amy Colando
> 	Edit: Ninja Marnau
> This is particularly of interest in Europe, where consent may only apply to information that will be collected in the future, not retrospectively. If DNT does affect prior data collection, how does that work in practice? What are companies responsible for? We have not discussed this in detail as a group.
> 
> Issue-88, different rules for impression of and interaction with 3rd-party ads/content
> 	Draft: Kevin Smith 
> 	Edit: Ileana Leuca
> This may be handled the same way as Issue-26 (Providing data to 3rd-party widgets -- does that imply consent?) unless there is a use case that suggests not to. Are these still two different issues, or will one unified approach suffice?
> 
> Issue-92, If data collection (even very specific with IP address, user agent, referrer) is time-limited, with very limited retention, is that still tracking?
> 	Draft: Haakon Bratsberg
> 	Edit: Jonathan Mayer
> Contrast to issue-31, which is about how data retention may or may not interact with specific exemptions. This asks if ephemeral data collection still counts as tracking. Note that the FTC staff report calls for DNT to cover collection, but the details are vague. For example, does DNT apply to Apache log files in any way?