W3C home > Mailing lists > Public > public-tracking@w3.org > February 2012

Re: Mandatory Legal Process (ACTION-57, ISSUE-28)

From: John Simpson <john@consumerwatchdog.org>
Date: Thu, 2 Feb 2012 11:38:48 -0800
Message-Id: <D970F556-21C2-465A-82C9-46F6D1338824@consumerwatchdog.org>
Cc: Justin Brookman <justin@cdt.org>, "public-tracking@w3.org" <public-tracking@w3.org>
To: Shane Wiley <wileys@yahoo-inc.com>
Shane,

As I understood Justin's proposed language below it's the specific case where the site is legally compelled to collect data despite DNT being enabled.  His language says the affected user "SHOULD" be notified, but he raised the question of whether it ought to be  MUST. I  thought the stronger language, a MUST, was better.

Thanks,
John


On Feb 1, 2012, at 6:23 PM, Shane Wiley wrote:

> John,
>  
> A company may be legally compelled to gather and share data despite DNT:1 so Iím not understanding the ask here.  Are you asking for a broad disclosure of this fact somewhere on a partyís website or are you asking that sites provide notice to specific users if there information has been legally requested?   If the former, most websites already state they follow the law (and are of course subject to those laws even if they donít state it).  If itís the latter, this is a significant request, very expensive, and feels outside the scope of this standard.  As the working group has agreed in some part in the past, we should strive to not link legal entanglements into the DNT standard (Patriot Act, ECPA, ePrivacy Directive, EU Data Protection Regulation draft, etc.).
>  
> - Shane
>  
> From: John Simpson [mailto:john@consumerwatchdog.org] 
> Sent: Wednesday, February 01, 2012 3:40 PM
> To: Justin Brookman
> Cc: public-tracking@w3.org
> Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
>  
> This is is different than saying that the standard does not attempt to override applicable laws.  Justin's language is aimed at telling the user that a party has been legally required to gather data despite DNT 1.  I like it and would be inclined to make it a "must."
>  
>  
> On Jan 31, 2012, at 1:01 PM, Justin Brookman wrote:
> 
> 
> Revising Jonathan's text based on this string:
>  
> A party MAY take action contrary to the requirements of this standard if compelled by applicable law.  If compelled by applicable law to collect, retain, or transmit data  despite receiving a DNT:1 signal for which there is no exception or exemption, the party SHOULD notify affected users to the extent practical and allowed by law.
>  
> I suggest "applicable law" instead of "mandatory legal process" both to accommodate David's concern about using contract to compel and because a statute could mandate the retention of IP logs (for example) without serving a subpoena or court order (which is what "process" means to me).  Feel free to revise the terms "exception or exemption" --- I was trying to convey the two scenarios of
> (1) operational data collection/use/retention is allowed even if DNT is on and/or
> (2) the user has given permission to a company to track,
> but I haven't gotten all the way through the ponderous thread on the meanings of exception/exemption.
>  
> I also don't think a requirement to tell users when DNT is being ignored because of government action is at all out of scope.  I'm suggesting SHOULD as a placeholder but think a MUST is worth a discussion.  However, it's relevant to note that we don't require (or even offer SHOULD guidance) that companies inform users about operational collection/usage/retention (exceptions???) that is allowed despite the DNT header.
> Justin Brookman
> Director, Consumer Privacy Project
> Center for Democracy & Technology
> 1634 I Street NW, Suite 1100
> Washington, DC 20006
> tel 202.407.8812
> fax 202.637.0969
> justin@cdt.org
> http://www.cdt.org
> @CenDemTech
> @JustinBrookman
> 
> On 1/31/2012 2:40 PM, Shane Wiley wrote:
> If the concern is that a party can somehow contract their way out of DNT compliance (versus other types of legal/government obligations) then Iím fine with calling that out more directly.
>  
> - Shane
>  
> From: David Singer [mailto:singer@apple.com] 
> Sent: Tuesday, January 31, 2012 12:36 PM
> To: Shane Wiley
> Cc: John Simpson; Amy Colando (LCA); Joanne Furtsch; MeMe Rasmussen; Tom Lowenthal; Jonathan Mayer; public-tracking@w3.org
> Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
>  
>  
> On Jan 31, 2012, at 19:22 , Shane Wiley wrote:
> 
> 
> 
> Agreed Ė NO text seems like the appropriate path (in agreement with Amy and John).
>  
> well, the rationale was way back at the end of the thread.  it's two-fold:
>  
> a) you can send DNT, but don't forget that tracking may still happen if legally required - there is a 'legislation exception'
> b) a notification of a 'legislation exception taken' will be signaled if legally possible, but under some laws, notification itself is not allowed.
>  
> we can also explain that having a *contract* that 'forces' you to track is not a valid exception...
>  
> David Singer
> Multimedia and Software Standards, Apple Inc.
>  
>  
> ----------
> John M. Simpson
> Consumer Advocate
> Consumer Watchdog
> 1750 Ocean Park Blvd. ,Suite 200
> Santa Monica, CA,90405
> Tel: 310-392-7041
> Cell: 310-292-1902
> www.ConsumerWatchdog.org
> john@consumerwatchdog.org
>  

----------
John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd. ,Suite 200
Santa Monica, CA,90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org
john@consumerwatchdog.org
Received on Thursday, 2 February 2012 19:39:29 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:44 UTC