W3C home > Mailing lists > Public > public-tracking@w3.org > June 2012

Re: Examples of successful opt-in implementations

From: Kimon Zorbas <vp@iabeurope.eu>
Date: Thu, 14 Jun 2012 18:06:11 +0000
To: "JC Cannon (Microsoft)" <jccannon@microsoft.com>, "ifette@google.com" <ifette@google.com>, "Vinay Goel (Adobe)" <vigoel@adobe.com>
CC: "rob@blaeu.com" <rob@blaeu.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <298EB567-7FCE-44BA-BAB5-16FD5CEF1D29@iabeurope.eu>
If Rob comes to Seattle, why not sit together?

We need to better understand, how this fits, with what we heard from the Commission today (NB: we had the 5th roundtable on our OBA self-regulatory programme).

Kind regards,

----- Reply message -----
From: "JC Cannon" <jccannon@microsoft.com>
To: "ifette@google.com" <ifette@google.com>, "Vinay Goel (Adobe)" <vigoel@adobe.com>
Cc: "rob@blaeu.com" <rob@blaeu.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Subject: Examples of successful opt-in implementations
Date: Thu, Jun 14, 2012 7:50 pm

Maybe we should have a side discussion with Rob on this.


From: Ian Fette (イアンフェッティ) [mailto:ifette@google.com]
Sent: Thursday, June 14, 2012 10:20 AM
To: Vinay Goel
Cc: rob@blaeu.com; public-tracking@w3.org
Subject: Re: Examples of successful opt-in implementations

I am not advocating the following, but I'd like to understand if this is what regulators from opt-in regimes are advocating...

Basically, the first time you visit any site that sets cookies with a unique ID, either coming from the first party itself or from a third party, the browser should collect a reason for each party wishing to set a cookie, link to more policy info, and display this to the user.

User can then say yes or no (site may potentially block loading if it doesn't accept no as an answer, such as ft in its current implementation does not take no for an answer - accept or go elsewhere.)

The extent to which the user can say "remember" is unclear to me in this proposal. Presumably the user can consent to the first party in perpetuity, not clear to what extent they can consent to third parties in perpetuity in this proposal.

So basically, every time I visit a new website I must first deal with a popup. We've heard dnt:0 as a default (or whatever the equivalent is in this proposal) would not be acceptable as it is not "informed" consent.

So, we're back to the popup on every page model, but people want the browser to do the popup instead so the site.

Is that an accurate reflection or am I missing something?

On Thursday, June 14, 2012, Vinay Goel wrote:
Hi Rob,

Hoping you can help me understand your mind model since applying it is
complex given the very different approaches to ePrivacy compliance across
the member states.  Different markets are defining what a 'functional
cookie' is differently.  And, I know you shared the Working Party's
opinion; but its just that -- an opinion by the Working Party, not
specific law or guidance from a DPA.

Assuming you take the Working Party's opinion that first-party site
analytics is not a strictly necessary function, is your mind model
suggesting that the first party needs to use the DNT exception mechanism
or well-known URL in order to use the data for users that have DNT:1 for
first-party analytics?  If so, isn't that an increase in the scope (where
you say "I am also not arguing that first parties must be subject to DNT")?

Thanks in advance.


On 6/14/12 12:49 PM, "Rob van Eijk" <rob@blaeu.com> wrote:

>I would like to share a thought with you. I am expressing my personal
>views here. It is a thought that I had on my way back from the OBA
>roundtable today in Brussels. DNT has the potential to solve many
>uncertainties, but only if all parties involved are demonstrating the
>willingness to think out of the box.
>Let me explain why. DNT offers essential technical building blocks that
>may very well deal with e-priv directive and directive 94/95/EC
>compliance. That is in my view the added value of DNT in comparison to
>the current opt-out cookie system (eg. YourOnlineChoices). There is a
>small window of opportunity in recital 66 of directive 2009/136/EC. The
>essential building blocks are the response header and the exception
>mechanism. Rigo has been repeating this over and over. I am not arguing
>that DNT should include EU compliance in the compliance document. I am
>also not arguing that first parties must be subject to DNT. I am just
>showing the added value of DNT, that could save us from a 'world of
>pain', as Aleecia would call it.
>A user preference expression and acknowledgement from the server go hand
>in hand. In order to have a granular dialog with the user under the hood
>of the browser, exceptions play a vital role. DNT to me is about
>engaging the dialog between users and parties.
>Mind-model: if a first party want to use non-functional cookies, or if
>he want to use functional cookies beyond their normal purpose, then the
>1st party is still free to use the DNT exception mechanism or the
>well-known URL. Inform the user about the purpose of what you are saving
>and/or reading from the device and ask for an exception. If the answer
>is no, then think again about the value proposition you had in mind.
>Somehow the industry in the EU does, in my humble opinion, not see this
>opportunity of creating useful technical building blocks. We have an
>important task at hand, which is not just about the continues
>improvement of the transparency/control of the opt-out system. Therefor
>I call upon this group to think about making the technical building
>blocks as useful as possible, not just for 3rd parties operating in a
>1st party context.
>On 14-6-2012 1:21, Rigo Wenning wrote:
>> On Wednesday 13 June 2012 14:30:36 Jonathan Mayer wrote:
>>> At any rate, I'm unsure where this line of inquiry is
>>> going.  We've already agreed that Do Not Track is directed
>>> towards third parties, not first parties.
>> For consent purposes, first parties are not obliged by DNT, but can
>> benefit from DNT. So this is not at all a futile exercise
>> Rigo

Confidentiality Notice: The contents of this e-mail (including any attachments) may be confidential to the intended recipient, and may contain information that is privileged and/or exempt from disclosure under applicable law. If you are not the intended recipient, please immediately notify the sender and destroy the original e-mail and any attachments (and any copies that may have been made) from your system or otherwise. Any unauthorized use, copying, disclosure or distribution of this information is strictly prohibited. <ACL>
Received on Thursday, 14 June 2012 18:06:56 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:41:09 UTC