Re: Propose to drop from the strawman: requirement for privacy policy disclosure from David Wainberg on 2011-10-26 (public-tracking@w3.org from October 2011)

From: David Wainberg <dwainberg@appnexus.com>
Date: Wed, 26 Oct 2011 11:23:40 -0400
To: Justin Brookman <justin@cdt.org>
CC: "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <4EA825FC.1020307@appnexus.com>

I totally support verifiability and accountability. However, I do not 
think this standard has to accomplish both, but rather can provide the 
tools to do so.
The standard will be released into a larger context. It is not this 
group's or the W3C's role, in my opinion, to create a regulatory regime 
for online advertising. It is out of scope to create legal requirements 
as part of the standard. A flag in the header, or a machine readable 
file in a well-known location are logical technical additions to the 
spec, that would provide useful feedback to users/clients, and would 
support the efforts of relevant authorities to do enforcement.

One other thing I want to clarify. You said, "the spec needs to lay out 
how to communicate to consumers that the header is being respected." I 
disagree. The spec can lay out a technical means to communicate that an 
entity intends to respect the header. There is no way to communicate 
whether it is actually respected. (This is an important distinction, in 
my view, because it goes to evaluating proposals for responses.)

On 10/25/11 5:50 PM, Justin Brookman wrote:
> A lot of this effort is dedicated to verifiability --- isn't that why 
> we've spent so much time discussing the sending of compliance 
> headers?  Having an accountable statement of compliance is another 
> effort at that. 
> I suppose you could make an argument that it should be in the 
> technical spec instead of the compliance spec (though I would 
> disagree), but especially if third-party header responses are deemed 
> optional or a Bad Idea, the spec needs to lay out how to communicate 
> to consumers that the header is being respected.
>   If the header just flies into the blue with no standardized way to 
> disclose compliance, this process seems destined to fail; if nothing 
> else, privacy policy disclosure should be considered as an alternative 
> to automated header responses.
> Justin Brookman
> Director, Consumer Privacy Project
> Center for Democracy&  Technology
> 1634 I Street NW, Suite 1100
> Washington, DC 20006
> tel 202.407.8812
> fax 202.637.0969
> justin@cdt.org
> http://www.cdt.org
> @CenDemTech
> @JustinBrookman
>
> On 10/25/2011 5:16 PM, David Wainberg wrote:
>> Section 6.4 of the Compliance and Scope document states, "In order to 
>> be compliant with this specification, an operator of a third-party 
>> domain must clearly and unambiguously assert in the privacy policy 
>> governing that domain that it is in compliance with this 
>> specification." Such a requirement is out of scope of this standard 
>> and should not be included in the strawman. While it may be in scope 
>> to create tools that facilitate auditing and enforcement by other 
>> entities, it is not the role of this technical standard to impose 
>> legal requirements for compliance. Any such requirements will come 
>> from entities with relevant authority, e.g. Congress or the FTC in 
>> the US.

Received on Wednesday, 26 October 2011 15:24:06 UTC