Out-of-Band Consent Standard (ISSUE-65)

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Tue, 13 Mar 2012 20:14:06 -0700
Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-Id: <6B384554-D7D4-4059-9162-C776A5135411@stanford.edu>
To: "Leung, Ted" <Ted.Leung@disney.com>

(spinning a new thread since this is a different topic)

I see two separate policy choices on out-of-band consent.

1) Can out-of-band consent be persistent?

2) What is the standard for out-of-band consent?

I believe you're asking about #1; I think the answer should be yes, and as I understand it, just about all participants agree.

#2 has proven much harder for the group.  There are three points of view I've heard expressed.

(a) We should set a high standard for consent (e.g. clear and conspicuous notice with explicit opt-in consent).  That's my view.

(b) We should set a low standard for consent (e.g. discoverable in a privacy policy or terms of service).

(c) We should not specify a standard for consent, and instead defer to local law (which will mean, very roughly, (a) in the EU and (b) in the U.S.).

On Mar 13, 2012, at 7:56 PM, Leung, Ted wrote:

> Jonathan,
> 
> Can you outline what you feel are acceptable out-of-band consent experiences?   As I understand you right now, it sounds like you want consent to be obtained after the user logs in, each time the user logs in.  Is that what you are looking for?
> 
> Ted
> 
> From: Jonathan Mayer <jmayer@stanford.edu>
> Date: Tue, 13 Mar 2012 19:42:39 -0700
> To: Shane Wiley <wileys@yahoo-inc.com>
> Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
> Subject: Re: Logged-In Exception (ISSUE-65)
> 
> For purposes of this issue, let's assume the user has not provided out-of-band consent.
> 
> While I seriously doubt that we would allow a first party to achieve out-of-band consent by burying it in signup terms or a privacy policy (ISSUE-69), even if we did, some responsible third parties would not take advantage of the loophole.
> 
> On Mar 13, 2012, at 7:29 PM, Shane Wiley wrote:
> 
>> Jonathan,
>>  
>> If “logged-in” equates to “out of band” consent from a user, then I believe this is a moot discussion and would equate more likely to #3 – depends on the terms of registration with that party.  I would suggest we treat “logged-in” on the merits of registration with each party and therefore the W3C makes no statement with regard to DNT and a logged-in state.
>>  
>> - Shane
Received on Wednesday, 14 March 2012 03:14:38 UTC