Re: Today's call: summary on user agent compliance

Mike,

The discussion on that part largely revolved around what sites an option
has when it receives a request that, for whatever reason, it believes
doesn't meet the bar. We've said from the beginning that no one is forcing
sites to implement DNT (or browsers for that matter). We are coming up with
a specification for what DNT means, we have no power to force anyone to use
the specification. The question came up something along the lines of "So,
what happens if I get a request from an IE10 user with DNT:1, what options
do I as a site have?".

There's some people in the working group who felt that if you as a site
support DNT, then you must support it when you see DNT:1 and you have no
business second-guessing the UI decisions made by the browser or the level
of compliance of the browser. You see DNT:1, you do your DNT:1 thing,
whatever that means.

There's other people in the working group, myself included, who feel that
since you are under no obligation to honor DNT in the first place (it is
voluntary and nothing is binding until you tell the user "Yes, I am
honoring your DNT request") that you already have an option to reject a
DNT:1 request (for instance, by sending no DNT response headers). The
question in my mind is whether we should provide websites with a mechanism
to provide more information as to why they are rejecting your request, e.g.
"You're using a user agent that sets a DNT setting by default and thus I
have no idea if this is actually your preference or merely another large
corporation's preference being presented on your behalf." Given that DNT is
optional and the only regulatory hooks are what you sign up for and say
you're going to do, someone suggested what Aleecia paraphrased in her
email, "we comply with the W3C DNT specification except we ignore
non-compliant user agents.". E.g. the site determining what amount of DNT
compliance it wishes to claim and under what circumstances. Perhaps we go
beyond there, perhaps we don't, who knows, but that was where the
discussion started to go.

-Ian

On Wed, Jun 6, 2012 at 7:19 PM, Mike Zaneis <mike@iab.net> wrote:

> I was not on the call today because I was with Marc and others at the CFA
> conference, so I'd love to hear more about this potential new publisher
> requirement. If they are outside of the Spec then why would they have any
> response obligation?  Happy to learn more about the initial discussion.
>
> Mike Zaneis
> SVP & General Counsel, IAB
> (202) 253-1466
>
> On Jun 6, 2012, at 10:06 PM, "Aleecia M. McDonald" <aleecia@aleecia.com>
> wrote:
>
> >
> > On Jun 6, 2012, at 3:00 PM, David Singer wrote:
> >
> >>
> >> On Jun 6, 2012, at 11:48 , Aleecia M. McDonald wrote:
> >>
> >>> We did NOT hear a view that the specification should require
> publishers to honor DNT:1 signals from non-compliant User Agents.
> >>
> >> I think that I have consistently argued that when the two ends adhere
> to the protocol (i.e. their expression and responses are correct), then
> it's non-compliant to do other than the protocol requires, both in email
> and on the call.
> >>
> >> You might have good reason.  But it's still not compliant.  I sent you
> "Please do X", and you replied "No, I won't, I don't believe you."  I don't
> think you can describe that as *compliant*.  You might think it *justified*.
> >>
> >> Note well that this goes as much for servers claiming compliance and
> expecting to be treated as compliant, when in fact they implement something
> else (e.g. "do not target"). What is sauce for the goose is sauce for the
> gander, as they say, and if we write anything about one, we should write
> about both.
> >
> > To follow up on this, which is all a good capture of discussion, there
> was talk of publishers noting in a privacy policy "we comply with the W3C
> DNT specification except we ignore non-compliant user agents." We did not
> talk that all through. There is a lot more to talk about here, actually. We
> did make a good start getting into it; more to go.
> >
> >    Aleecia
>
>