Re: action-159 Draft shorter language to describe conditions for consent from Justin Brookman on 2012-04-12 (public-tracking@w3.org from April 2012)

From: Justin Brookman <justin@cdt.org>
Date: Thu, 12 Apr 2012 11:50:48 -0400
CC: "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <4F86F9D8.4090407@cdt.org>
If the service has an obvious cross-site tracking function that the user 
deliberately signs up for, I suppose I don't care if a formal statement 
that DNT will be ignored is put in the privacy policy.  Of course, 
that's not going to be the context for the vast majority of parties 
seeking out-of-band consent.

Would you be OK with a a non-normative example stating that the a 
company could not obtain [adjective] [adjective] consent to ignore DNT 
in third-party settings by placing notice in a privacy policy/terms of 
use for an email service or a game (if that company also happens to own 
an advertising network)?

Justin Brookman
Director, Consumer Privacy
Center for Democracy&  Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
tel 202.407.8812
fax 202.637.0969
justin@cdt.org
http://www.cdt.org
@CenDemTech
@JustinBrookman


On 4/12/2012 10:18 AM, Shane Wiley wrote:
> Justin,
>
> Much like the FTC report, I believe the issue is more contextual than that (privacy in context - PbD).  If a service has an express "tracking" function and this is well understood, then I believe its fine calling out that other tracking preference settings will be ignored in a privacy policy (in a clear, direct, and obvious manner).
>
> Again, for each interaction with a user that has an out-of-band consent, the response/well-known header will:
> - remind the user of this fact (if they have DNT:1 set)
> - provide a resource (link) to alter this consent AT ANY TIME
>
> So I believe concerns of "burying" and "set it and forget it" in this case are not founded and this structure more than meets your concerns.
>
> - Shane
>
> -----Original Message-----
> From: Justin Brookman [mailto:justin@cdt.org]
> Sent: Thursday, April 12, 2012 10:11 AM
> To: public-tracking@w3.org
> Subject: Re: action-159 Draft shorter language to describe conditions for consent
>
> Shane, would you be comfortable with non-normative text stating that
> merely including notice/granting of permission within a privacy policy
> or terms of use would be insufficient for out-of-band consent?
>
> (I'm not sure that I'm comfortable with your formulation, but this would
> help get me closer.)
>
> Justin Brookman
> Director, Consumer Privacy
> Center for Democracy&   Technology
> 1634 I Street NW, Suite 1100
> Washington, DC 20006
> tel 202.407.8812
> fax 202.637.0969
> justin@cdt.org
> http://www.cdt.org
> @CenDemTech
> @JustinBrookman
>
>
> On 4/12/2012 9:47 AM, Shane Wiley wrote:
>> Nike,
>>
>> Interestingly each of the terms you've selected have specific legal context and break your goal of "avoid getting into the details of a particular model of content (leaving that up to the implementer and the particular jurisdiction's [laws])".
>>
>> That aside, many of us feel this language is close but has some unintended impacts to user experiences albeit it well intentioned.
>>
>> Rather than use the terms "distinct, affirmative" I would recommend this be altered to "explicit" as this allows some degree of bundling of permissions but means the material elements must be directly evident to a user for it to meet the "explicit" bar (again, another term with legal context - I don't know how we discuss this topic without stepping into existing legal territory :-) ).
>>
>> I stripped out redundant terms such as "previously" and "tracking" as these are already implied.
>>
>> The amended statement would be: "Sites MAY override a user's DNT preference if they have received explicit, informed consent to do so."
>>
>> - Shane
>>
>> -----Original Message-----
>> From: Nicholas Doty [mailto:npdoty@w3.org]
>> Sent: Thursday, April 12, 2012 1:27 AM
>> To: Tracking Protection Working Group WG
>> Cc: David Singer
>> Subject: Re: action-159 Draft shorter language to describe conditions for consent
>>
>> David and I were tasked with coming up with a shorter piece of text on standards for out-of-band override of a user's DNT preference (that is, contra to a user-agent-managed site-specific exception). This proposal is meant to avoid getting in to the details of a particular model of consent (leaving that up to the implementer and the particular jurisdiction's regulator) while specifying what would be necessary to match our understanding of a user's expressed preference.
>>
>>> Sites MAY override a user's DNT preference if they have previously received _distinct, affirmative, informed consent_ to track the user.
>> (Really, we're just proposing these three adjectives, and I'm guessing that something like this sentence would go around them, but I leave that up to the editors. Also, this doesn't speak to the tracking response question, which I believe we have broad consensus on but is likely taken up elsewhere.)
>>
>>>  From a handful of coffee conversations, it seems like this short set of descriptors might be amenable to various stakeholders.
>> Thanks,
>> Nick
>>
>>
>>
>
>
>
Received on Thursday, 12 April 2012 15:51:19 UTC