Re: Are blanked exceptions usable in the EU? [ISSUE-129]

Hi Shane,

thanks for the input. On the list, most emails agree that such blanket
exceptions are important.

While there are privacy concerns, we still gain privacy compared to
today's status quo:
1. Our starting point is that users arrive with DNT;1
2. Not all publishers will always ask for exceptions (i.e., sometimes
users will be permitted to continue with DNT;1).
3. Transparency: Browser extensions are in the position to actually
learn what third parties are used (=where are requests sent?)
    and may be able to provide this information to individuals.

As a consequence, I suggest that we keep all three options mentioned
below in our current API and let the market decide what functions are
used by whom.

Comments/alternatives/...?


Reagards,
matthias



On 26/03/2012 21:45, Shane Wiley wrote:
>
> Matthias,
>
>  
>
> Yes -- I believe I've echoed this in several email threads on the
> list.  A site-wide exception would be incredibly beneficial to
> publishers and may be used almost in exclusivity over strictly named
> 1^st party / 3^rd party domain value pairs.
>
>  
>
> *_User Granted Exceptions_*
>
> Site-Specific Exception:  Known 1^st Party / Known 3^rd Party
>
> Site-Wide Exception:  Known 1^st Party / *
>
> Web-Wide Exception:  * / Known 3^rd Party
>
>  
>
> - Shane
>
>  
>
> *From:*Matthias Schunter [mailto:mts-std@schunter.org]
> *Sent:* Monday, March 26, 2012 3:34 PM
> *To:* public-tracking@w3.org
> *Subject:* Re: Are blanked exceptions usable in the EU? [ISSUE-129]
>
>  
>
> Hi Shane/Kimon
>
>
> thanks for your responses.
>
> Is your suggestion (from a technology/TPE perspective), that the
> feature is useful (and should be there)
> while it may not be usable/useful under some legislations?
>
> This means that whether to what extent feature is actually used is up
> to competition/legislation/ or other factors external to the TPE document.
>
> Nevertheless, I believe that  (if we allow an exception for "*" as a
> third party), a viable question is still how a user can actually find
> out what third parties are used at a given time by a given site.
>
> Other opinions?
>
>
> Regards,
> matthias
>
>
> On 26/03/2012 19:34, Shane Wiley wrote:
>
> Ninja and I haven't had an opportunity to connect on this topic yet. 
>
>  
>
> As Kimon rightly points out, there are varying EU country-level
> interpretations of appropriate consent expression.  My belief is for
> an Exchange level interaction, if the serving party is significantly
> limited in their data use (collected upon ad bid), then there is a
> fair argument that the party may be acting more as a data processor
> (service provider) than a controller at that moment and therefore may
> not need consent at all.  If you layer this on top of a broad user
> consent mechanism (must appropriately and fairly articulate to the
> user the breadth of their exception -- aka "*") then this may be
> acceptable from an EU Data Protection Directive (and further through
> the draft Data Protection Regulation) -- especially as tools are
> available within browsers today to accept or reject individual 3^rd
> parties as they are introduced to a user.
>
>  
>
> This discussion is more rightly placed in the companion document we
> discussed last week as outside of the standards document.  I don't
> believe we should develop any country specific features for DNT and
> instead allow guidance for each country's legal system to begin to
> tease this out (many elements are in legal "grey areas"). 
>
>  
>
> As I believe Kimon and Ninja would agree, there is not a bright-line
> rule in this case and therefore there will be considerable
> discussion/debate on this topic (and others related to DNT) within the
> EU (and other legal jurisdictions, including the US).
>
>  
>
> - Shane
>
>  
>
> *From:*Kimon Zorbas [mailto:vp@iabeurope.eu]
> *Sent:* Monday, March 26, 2012 12:39 PM
> *To:* Matthias Schunter; Ninja Marnau; Shane Wiley
> *Cc:* public-tracking@w3.org <mailto:public-tracking@w3.org>
> *Subject:* Re: Are blanked exceptions usable in the EU? [ISSUE-129]
>
>  
>
> Hi Matthias,
>
> I am not clear, what the purpose would be? The E-Privacy Directive is
> not harmonised across the EU and as a consequence there cannot be a
> certain answer to what consent means (or how far it goes) or how such
> consent can be expressed (we believe browser settings can be used but
> it's not that easy either). Sorry not being able to give a simple
> response on this.
>
> Kind regards,
> Kimon
>
> ----- Reply message -----
> From: "Matthias Schunter" <mts-std@schunter.org>
> <mailto:mts-std@schunter.org>
> To: "Ninja Marnau" <ULD66@datenschutzzentrum.de>
> <mailto:ULD66@datenschutzzentrum.de>, "Shane Wiley (yahoo)"
> <wileys@yahoo-inc.com> <mailto:wileys@yahoo-inc.com>
> Cc: "public-tracking@w3.org" <mailto:public-tracking@w3.org>
> <public-tracking@w3.org> <mailto:public-tracking@w3.org>
> Subject: Are blanked exceptions usable in the EU? [ISSUE-129]
> Date: Mon, Mar 26, 2012 6:33 pm
>
>  
>
> Hi Ninja/Shane,
>
>
> during our last call, you disagreed whether it is OK (=considered
> sufficient consent) from an EU legal perspective that an individual
> accepts an exception for "any" third party used on a given site.
>
> While I understood there is no problem to agree to a defined list
> "thirdparty1, thirdparty2, ...", there seems to be a problem if this
> list is undefined.
>
> A second question is whether an OK to 'any' is OK if the user can then
> later learn what parties where actually in use.
>
> How about either agreeing offline or else starting this discussion on
> the list?
>
> FYI: From a technical perspective, it is OK to include a function that
> would not be usable in the EU, however, in this case some guidance for
> sites may be helpful anyway.
>
>
> Regards,
>
> Matthias
>
>
>
>
>

Received on Monday, 2 April 2012 19:18:07 UTC