
Re: Examples of successful opt-in implementations

From: イアンフェッティ <ifette@google.com>
Date: Thu, 14 Jun 2012 11:39:26 -0700
Message-ID: <CAF4kx8dOqqO5TqR++rLgJsaf5UHRooJTY1u5z-OM+PBuK5vg3Q@mail.gmail.com>
To: Kimon Zorbas <vp@iabeurope.eu>
Cc: "rob@blaeu.com" <rob@blaeu.com>, "Vinay Goel (Adobe)" <vigoel@adobe.com>, "public-tracking@w3.org" <public-tracking@w3.org>
FYI apologies if I appear to have gone down a rathole. It just seems this
topic comes up frequently in one form or another and I wanted to just have
a frank, direct discussion so that I understood what certain people were
asking for, as opposed to trying to divine it from various arguments
scattered across multiple email threads.

On Thursday, June 14, 2012, Kimon Zorbas wrote:

>   Rob, colleagues,
>
>  I am sorry, but I have serious problems with the way this group works
> and operates. I do not believe that we need to delve into (European) legal
> discussion and would appreciate if we could conclude in Seattle for once
> and forever about the role of Article 29 WP.
>
>  Rob, you are pushing so hard for the acceptance of Article 29 WP opinion
> as the word of God on data protection issues (and others also, to be fair)
> and I don't understand what you are trying to achieve with this.
> We may like what Article 29 WP says or not, but FACT is that it is JUST an
> opinion. It is not the law. And, frankly the UK, one of the most engaged EU
> Member States, is not following the supposed 'baseline'.
>
>  Kind regards,
>  Kimon
>
>
>   From: Rob van Eijk <rob@blaeu.com>
> Reply-To: "rob@blaeu.com" <rob@blaeu.com>
> Date: Thursday 14 June 2012 20:07
> To: "Vinay Goel (Adobe)" <vigoel@adobe.com>, "public-tracking@w3.org" <public-tracking@w3.org>
> Subject: Re: Examples of successful opt-in implementations
> Resent-From: <public-tracking@w3.org>
> Resent-Date: Thursday 14 June 2012 20:08
>
>   Hi Vinay,
>
>  Thanks for the rapid response. I see you are addressing three things. The
> opinion, the mind model
> and the scope.
>
>  First the opinion: I argue that the opinion isn't just an opinion. It is
> a common baseline, expressed
> by the dpa's who will enforce the legal framework. That expression is,
> in the light of differences
> in national implementations, not to be taken lightly. The common
> baseline expresses what all dpa's
> see as a reasonable and defendable position that doesn't conflict with
> national laws. You can see
> clearly in the case of the first party analytics, how far the consensus
> went.
>
>  p. 10: "However, the Working Party considers that first party analytics
> cookies are not likely to
> create a privacy risk when they are strictly limited to first party
> aggregated statistical purposes
> and when they are used by websites that already provide clear
> information about these
> cookies in their privacy policy as well as adequate privacy safeguards.
> Such safeguards are
> expected to include a user friendly mechanism to opt-out from any data
> collection and
> comprehensive anonymization mechanisms that are applied to other
> collected identifiable
> information such as IP addresses."
>
>  This means that not all dpa's were able to see first party analytics as
> functional with respect
> to the national implementations.
>
>  An important function of the opinion is to give advice to the European
> legislator. That is why
> on the next page we included advice.
>
>  p. 11: "In this regard, should article 5.3 of the Directive 2002/58/EC
> be re-visited in the future, the
> European legislator might appropriately add a third exemption criterion
> to consent for cookies
> that are strictly limited to first party anonymized and aggregated
> statistical purposes.
> First party analytics should be clearly distinguished from third party
> analytics, which use a
> common third party cookie to collect navigation information related to
> users across distinct
> websites, and which pose a substantially greater risk to privacy."
>
>  Second, the mind model applied to first-party analytics: in most
> countries you wouldn't
> need to call for an exception. As explained above, getting first-party
> analytics into the
> category of functional cookies in all jurisdictions just wasn't possible.
>
>  Third, the scope: no, I am not arguing for a scope increase. Getting a
> standard to Last Call
> with the scope as it is, is already a difficult task. What I ask for, is
> to have the usefulness
> of the re-usable technical building blocks in the back of our minds
> while creating a meaningful
> standard. The scope is what it is.
>
>  mvg::Rob
>
>  On 14-6-2012 19:07, Vinay Goel wrote:
>
> Hi Rob,
>
>  Hoping you can help me understand your mind model since applying it is
> complex given the very different approaches to ePrivacy compliance across
> the member states.  Different markets are defining what a 'functional
> cookie' is differently.  And, I know you shared the Working Party's
> opinion; but it's just that -- an opinion by the Working Party, not
> specific law or guidance from a DPA.
>
>  Assuming you take the Working Party's opinion that first-party site
> analytics is not a strictly necessary function, is your mind model
> suggesting that the first party needs to use the DNT exception mechanism
> or well-known URL in order to use the data for users that have DNT:1 for
> first-party analytics?  If so, isn't that an increase in the scope (where
> you say "I am also not arguing that first parties must be subject to DNT")?
>
>  Thanks in advance.
>
>  -Vinay
>
>
>
>
Received on Thursday, 14 June 2012 18:39:58 UTC
