W3C home > Mailing lists > Public > public-tracking@w3.org > March 2012

Re: Out-of-Band Consent Standard (ISSUE-65)

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Wed, 14 Mar 2012 16:27:14 -0700
Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-Id: <EA432F34-8021-43AF-9AAD-945C8E438387@stanford.edu>
To: "Leung, Ted" <Ted.Leung@disney.com>
There are, it seems to me, five factors that separate a high consent standard from a low consent standard.  (I'm drawing extensively on the FTC's definition of "clear and conspicuous" here.)

1) Default - is the choice mechanism presented without "allow" selected?
2) Prominence - are the text and choice mechanism reasonable sized and contrasted from the background?
3) Presentation - is the text in plain language, formatted to encourage careful reading, and free of distractions?
4) Placement - are the choice mechanism and text in a place where consumers would look?
5) Proximity - is the text reasonably close to the choice mechanism?

I think that a readable explanation in signup or preferences, accompanied by an unchecked dialog or checkbox, would be adequate to meet just about any participant's conception of a high standard.  I imagine that is how many websites would choose to implement out-of-band consent, and we should give it as a non-normative example.  I've pasted below a mockup that Arvind Narayanan and I did some time ago of a Facebook out-of-band consent.


On Mar 14, 2012, at 3:26 PM, Leung, Ted wrote:

> Thanks for the clarification on 1.
> 
> In the case of 2a, would a separate dialog and checkbox during the TOS/privacy policy flow meet the high standard.  Assume that existing users will have to go through the TOS/privacy policy flow if DNT support were enacted.   If a separate dialog and checkbox would not be satisfactory, could you explain how you envision the acquisition of consent?
> 
> From: Jonathan Mayer <jmayer@stanford.edu>
> Date: Tue, 13 Mar 2012 20:14:06 -0700
> To: Ted Leung <ted.leung@disney.com>
> Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
> Subject: Out-of-Band Consent Standard (ISSUE-65)
> 
> (spinning a new thread since this is a different topic)
> 
> I see two separate policy choices on out-of-band consent.
> 
> 1) Can out-of-band consent be persistent?
> 
> 2) What is the standard for out-of-band consent?
> 
> I believe you're asking about #1; I think the answer should be yes, and as I understand it, just about all participants agree.
> 
> #2 has proven much harder for the group.  There are three points of view I've heard expressed.
> 
> (a) We should set a high standard for consent (e.g. clear and conspicuous notice with explicit opt-in consent).  That's my view.
> 
> (b) We should set a low standard for consent (e.g. discoverable in a privacy policy or terms of service).
> 
> (c) We should not specify a standard for consent, and instead defer to local law (which will mean, very roughly, (a) in the EU and (b) in the U.S.).
> 
> On Mar 13, 2012, at 7:56 PM, Leung, Ted wrote:
> 
>> Jonathan,
>> 
>> Can you outline what you feel are acceptable out-of-band consent experiences.   As I understand you right now, it sounds like you want consent to be obtained after the user logs in, each time the user logs in.  Is that what you are looking for?
>> 
>> Ted
>> 
>> From: Jonathan Mayer <jmayer@stanford.edu>
>> Date: Tue, 13 Mar 2012 19:42:39 -0700
>> To: Shane Wiley <wileys@yahoo-inc.com>
>> Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
>> Subject: Re: Logged-In Exception (ISSUE-65)
>> 
>> For purposes of this issue, let's assume the user has not provided out-of-band consent.
>> 
>> While I seriously doubt that we would allow a first party to achieve out-of-band consent by burying it in signup terms or a privacy policy (ISSUE-69), even if we did, some responsible third parties would not take advantage of the loophole.
>> 
>> On Mar 13, 2012, at 7:29 PM, Shane Wiley wrote:
>> 
>>> Jonathan,
>>>  
>>> If “logged-in” equates to “out of band” consent from a user, then I believe this is moot discussion and would equate more likely to #3 – depends on the terms of registration with that party.  I would suggest we treat “logged-in” on the merits of registration with each party and therefore the W3C makes no statement with regard to DNT and a logged-in state.
>>>  
>>> - Shane
Received on Wednesday, 14 March 2012 23:27:45 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:26 UTC