RE: ACTION-152 - Write up logged-in-means-out-of-band-consent

Jonathan,

I don't believe we agree on to what extent is something "buried" (highly subjective) - but more directly I don't see an issue here as we've failed to articulate real harms to users in the broader context of this discussion (debate).  For this particular thread we're only looking at registration services in the current discussion of "out-of-band" consent.  I don't believe this poses a large risk to the value of DNT ("undo all the work").  If you feel that a registration service has very clearly stated in their privacy policy that they will both HONOR DNT for logged-out / non-registered users -- and -- through registration and logged-in state INGORE that user's DNT preference (providing options for them to log out) as being a real-threat to "undo all the work we've done", then we do disagree.

- Shane

-----Original Message-----
From: Jonathan Mayer [mailto:jmayer@stanford.edu] 
Sent: Monday, April 02, 2012 12:03 PM
To: Shane Wiley
Cc: Lee Tien; Alan Chapell; Rigo Wenning; public-tracking@w3.org; Jeffrey Chester; David Singer; John Simpson
Subject: Re: ACTION-152 - Write up logged-in-means-out-of-band-consent

You see no issue that in some jurisdictions, quite possibly including the U.S., a buried disclosure could undo all the work we've done?

As for prevailing U.S. law, there's substantial ambiguity on what's permissible (we only have a single recent consent order to work from), but it would seem that only the most egregious practices are off the table.  That's a very low bar.  Moreover, as a practical matter, by setting no consent standard we'd encourage a cat and mouse game where companies push the limits and the FTC is compelled to repeatedly articulate the scope of "unfair" and "deceptive" disclosures.

Jonathan

On Apr 2, 2012, at 11:06 AM, Shane Wiley wrote:

> Jonathan,
> 
> There are many different vehicles where consent terms can be placed - each with their own advantages for consumer transparency, education, and understanding.  I don't see this being buried in a privacy policy as the only possible location.  I would argue that in certain jurisdictions this would not be a legally viable solution.  For example, in the US, the Sears Consent Order made it clear that some material elements need to be directly expressed at the time of consent and not "buried" (to use your term).
> 
> - Shane
> 
> -----Original Message-----
> From: Jonathan Robert Mayer [mailto:jmayer@stanford.edu] 
> Sent: Monday, April 02, 2012 9:47 AM
> To: Shane Wiley
> Cc: Lee Tien; Alan Chapell; Rigo Wenning; public-tracking@w3.org; Jeffrey Chester; David Singer; John Simpson
> Subject: Re: ACTION-152 - Write up logged-in-means-out-of-band-consent
> 
> Shane,
> 
> Could you please explain how a term buried in a privacy policy is "real-time, in experience information" that constitutes "consent in context"?
> 
> Thanks,
> Jonathan
> 
> On Apr 2, 2012, at 9:35 AM, Shane Wiley <wileys@yahoo-inc.com> wrote:
> 
>> Lee,
>> 
>> As DNT signals come with very little consumer education (single check box - not defined - no detail - no context), I believe out-of-band consent structures are the "higher-quality signal" as they provide real-time, in experience information and capture consumer consent in context.
>> 
>> - Shane
>> 
>> -----Original Message-----
>> From: Lee Tien [mailto:tien@eff.org] 
>> Sent: Monday, April 02, 2012 9:29 AM
>> To: Alan Chapell
>> Cc: Rigo Wenning; public-tracking@w3.org; Jeffrey Chester; Shane Wiley; Jonathan Mayer; David Singer; John Simpson
>> Subject: Re: ACTION-152 - Write up logged-in-means-out-of-band-consent
>> 
>> Is it perhaps useful to think of the consent issue in terms of internal consistency or coherence?
>> 
>> IMHO the DNT mechanism -- user making a deliberate choice to set it at 1 or 0 -- has an inherent consent element, aspect, flavor, whatever you want to call it.  And I think part of our thinking here is that servers can rely on it as the consumer's expressed preference because it's a high-quality signal.  
>> 
>> So the issue seems to me NOT about anyone's law, but rather that the DNT spec is internally consistent, doesn't create an "arbitrage" that undermines it.  (Part of that, I think, also has to be what we think users who indeed chose DNT:1 expect, but internal consistency may be the easier way to approach.)
>> 
>> Lee
>> 
>> 
>> On Apr 2, 2012, at 8:40 AM, Alan Chapell wrote:
>> 
>>> I'm having a hard time understanding some of your arguments. You say the
>>> group should not be creating standards for consent. And then you also say
>>> that we are creating a consent requirement - and one which others have
>>> indicated should be outlined in considerable detail. Sorry, but I'm afraid
>>> you've lost me.
>>> 
>>> And I don't believe we are here because regulators are unable to determine
>>> standards of fairness for their jurisdiction. If the goal is to set out a
>>> detailed level of requirements around 'consent' that will work in every
>>> jurisdiction, then I think we're in for a long discussion that will push
>>> the development of our spec out several months.
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On 4/2/12 11:25 AM, "Rigo Wenning" <rigo@w3.org> wrote:
>>> 
>>>> On Monday 02 April 2012 09:54:26 Alan Chapell wrote:
>>>>> On 4/1/12 4:06 PM, "Rigo Wenning" <rigo@w3.org> wrote:
>>>>>> 1/ we do not set standards at W3C, we issue Recommendations. Being
>>>>> 
>>>>> Thanks for the clarification, Rigo. You may want to direct this to
>>>>> Jonathan and Jeff - as they are the ones that seem to be pushing for
>>>>> this
>>>>> group to create consent standards. (Jonathan and Jeff - if there's a
>>>>> nuance I'm missing, please let me know.)
>>>> 
>>>> I think they understand that the consent requirement we would create are
>>>> scoped solely to the compliance of the W3C Specification and not some
>>>> general rule as only a legislator can issue it (and there are over 192 of
>>>> those world wide)
>>> 
>>> 
>>>> 
>>>> [...]
>>>>>> 3/ Whether our factual specifications are accepted as "consent",
>>>>>> "meaningful consent" or "informed consent" is not up to the Group as
>>>> those
>>>>>> definitions are under a different sovereignty. But what we can discuss
>>>>> is
>>>>>> whether we want to align with requirements as defined elsewhere. We
>>>>>> do that e.g. by trying to get some EU blessing with our tool so that
>>>>> it 
>>>> is
>>>>>> really really useful for industry there and by inviting those others
>>>>> to 
>>>> our
>>>>>> table.
>>>>> 
>>>>> I'm not sure how aligning with a single jurisdiction's definition of
>>>>> consent isn't tantamount to creating a pan-world consent standard based
>>>>> upon that single jurisdictions laws. What works in the EU may not work
>>>>> elsewhere. Again - I may be missing a nuance here.
>>>> 
>>>> I think you are. Please do not overlook the "e.g." I wrote. It is the
>>>> other 
>>>> way around. We do some technical specification and it is on every region
>>>> to 
>>>> accept that and give it a useful role in their system (or not). And we
>>>> would 
>>>> be ill advised not to take into account feedback whether our stuff is
>>>> useful 
>>>> in a regional system or not. But W3C is not the organization that can
>>>> decide 
>>>> on whether our Specifications are useful in a certain region. So the EU
>>>> will 
>>>> decide on EU things and the US will decide on US things. And we can use
>>>> the 
>>>> W3C platform to provide a tool. Or fall back into the trenches.
>>>> 
>>>> [...]
>>>>>> This
>>>>>> will open the path back to the deep legalese that allows for all those
>>>>>> nice
>>>>>> surprises*.
>>>>> 
>>>>> I like the coffee example - But the FTC and other regulators already
>>>>> have
>>>>> recourse if a business engages in these types of surprises. Do you
>>>>> agree?
>>>> 
>>>> We wouldn't be here if the regulators had a better idea on how to solve
>>>> those issues. They let us try as they think the industry has the
>>>> technical 
>>>> experts and maybe something useful comes out before they do some SOPA
>>>> on the industry.  So this is an opportunity the regulator gives us, not
>>>> an 
>>>> argument to fall back on letting the regulator do stuff. I encourage you
>>>> to 
>>>> see our effort here as an opportunity. At least I see it like this.
>>>> 
>>>>>> Accordingly, we are back into reading 22 pages of legalese
>>>>>> as they can tell whether the DNT signal will be ignored. And this would
>>>>>> even be compliant.
>>>>> 
>>>>> Again - regulators are free to take action to the extent they believe
>>>>> that
>>>>> 22 pages of legalese are unfair or deceptive based upon that
>>>>> jurisdictions
>>>>> legal framework.
>>>> 
>>>> You misunderstood IMHO. It is on W3C to decide what should be compliant
>>>> to 
>>>> W3C DNT and it will use its process to come to a fair result. W3C decides
>>>> on 
>>>> W3C Specifications. And if W3C, within the process, decides that some
>>>> "out 
>>>> of band" event hidden in 22 pages of legalese is not sufficient to claim
>>>> compliance with the W3C Specification, then W3C is just deciding on its
>>>> Specification, not on the US or EU legal system. See my email to Shane to
>>>> understand that you can't have the cake and eat it too. (But you can
>>>> always 
>>>> try)
>>>>> 
>>>>>> This being compliant affects the value of the W3C Specification.
>>>> 
>>>>> 
>>>>> I think Shane has been pretty clear here. User consent trumps DNT.
>>>> 
>>>> In terms of a US legal perspective, you may be right. I haven't assessed
>>>> any 
>>>> of that. But there is no consent in the Group that out of band agreements
>>>> allow you to ignore the signal and still claim compliance with the W3C
>>>> DNT 
>>>> Specifications. And unless we accept Shane's wording, which I'm against,
>>>> I 
>>>> wouldn't agree that the requirements of the DNT Specifications are
>>>> fulfilled 
>>>> by ignoring the DNT signal thus allowing someone to claim compliance.
>>>> 
>>>>> 
>>>>>> 2/ Re-consider JC's solution to give DNT a meaning in a logged-in
>>>>>> scenario
>>>>>> (David, I disagree that this would be too subtle)
>>>>>> 
>>>>>> 3/ require "direct interaction"
>>>>>> 
>>>>>> 4/ explore the browser-maker outrage if we start telling them they
>>>>> should
>>>>>> show
>>>>>> us when we are logged in to something
>>>>>> 
>>>>>> 5/ Define the meaning of "logged in" for the compliance with the W3C
>>>>>> Specification
>>>>>> 
>>>> It is unfortunate that we do not look forward in a creative way and
>>>> consider 
>>>> some of the solutions. So far, you haven't considered the solutions
>>>> proposed 
>>>> above.
>>>> 
>>>> Best, 
>>>> 
>>>> Rigo
>>>> 
>>> 
>>> 
>>> 
>> 
>> 
> 

Received on Monday, 2 April 2012 19:31:07 UTC