Re: Out-of-Band Consent Standard (ISSUE-65) from Leung, Ted on 2012-03-14 (public-tracking@w3.org from March 2012)

From: Leung, Ted <Ted.Leung@disney.com>
Date: Wed, 14 Mar 2012 15:26:16 -0700
To: Jonathan Mayer <jmayer@stanford.edu>
CC: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-ID: <CB866871.17D48%ted.leung@disney.com>

Thanks for the clarification on 1.

In the case of 2a, would a separate dialog and checkbox during the TOS/privacy policy flow meet the high standard.  Assume that existing users will have to go through the TOS/privacy policy flow if DNT support were enacted.   If a separate dialog and checkbox would not be satisfactory, could you explain how you envision the acquisition of consent?

From: Jonathan Mayer <jmayer@stanford.edu<mailto:jmayer@stanford.edu>>
Date: Tue, 13 Mar 2012 20:14:06 -0700
To: Ted Leung <ted.leung@disney.com<mailto:ted.leung@disney.com>>
Cc: Tracking Protection Working Group WG <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Out-of-Band Consent Standard (ISSUE-65)

(spinning a new thread since this is a different topic)

I see two separate policy choices on out-of-band consent.

1) Can out-of-band consent be persistent?

2) What is the standard for out-of-band consent?

I believe you're asking about #1; I think the answer should be yes, and as I understand it, just about all participants agree.

#2 has proven much harder for the group.  There are three points of view I've heard expressed.

(a) We should set a high standard for consent (e.g. clear and conspicuous notice with explicit opt-in consent).  That's my view.

(b) We should set a low standard for consent (e.g. discoverable in a privacy policy or terms of service).

(c) We should not specify a standard for consent, and instead defer to local law (which will mean, very roughly, (a) in the EU and (b) in the U.S.).

On Mar 13, 2012, at 7:56 PM, Leung, Ted wrote:

Jonathan,

Can you outline what you feel are acceptable out-of-band consent experiences.   As I understand you right now, it sounds like you want consent to be obtained after the user logs in, each time the user logs in.  Is that what you are looking for?

Ted

From: Jonathan Mayer <jmayer@stanford.edu<mailto:jmayer@stanford.edu>>
Date: Tue, 13 Mar 2012 19:42:39 -0700
To: Shane Wiley <wileys@yahoo-inc.com<mailto:wileys@yahoo-inc.com>>
Cc: Tracking Protection Working Group WG <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Re: Logged-In Exception (ISSUE-65)

For purposes of this issue, let's assume the user has not provided out-of-band consent.

While I seriously doubt that we would allow a first party to achieve out-of-band consent by burying it in signup terms or a privacy policy (ISSUE-69), even if we did, some responsible third parties would not take advantage of the loophole.

On Mar 13, 2012, at 7:29 PM, Shane Wiley wrote:

Jonathan,

If “logged-in” equates to “out of band” consent from a user, then I believe this is moot discussion and would equate more likely to #3 – depends on the terms of registration with that party.  I would suggest we treat “logged-in” on the merits of registration with each party and therefore the W3C makes no statement with regard to DNT and a logged-in state.

- Shane

Received on Wednesday, 14 March 2012 22:26:43 UTC