RE: Are blanked exceptions usable in the EU? [ISSUE-129]

Matthias,

I am afraid it's not quite that simple.  The browser will certainly know after the fact all of the sites to which it made a request.  However, compiling a list of all sites covered under the * will be difficult if not impossible.  The first party in many cases will never know which 3rd party services were used in the ad chain, and since the ad chain is dynamic, it can change from request to request.  The browser could possibly keep an ongoing historical list, but this file could grow quite large, and be of questionable value (since it would only contain raw URLs which mean even less than the 3rd party company names to users).

Also, an additional question which needs to be added to this issue is whether exceptions make any sense without the '*' option.  If ad chains do not work, the use cases for exceptions are significantly diminished.  It may still make sense to define exceptions for the remaining scenarios, or it might not be worth the effort.

-kevin

From: Matthias Schunter [mailto:mts-std@schunter.org]
Sent: Monday, March 26, 2012 1:34 PM
To: public-tracking@w3.org
Subject: Re: Are blanked exceptions usable in the EU? [ISSUE-129]

Hi Shane/Kimon


thanks for your responses.

Is your suggestion (from a technology/TPE perspective), that the feature is useful (and should be there)
while it may not be usable/useful under some legislations?

This means that whether to what extent feature is actually used is up to competition/legislation/ or other factors external to the TPE document.

Nevertheless, I believe that  (if we allow an exception for "*" as a third party), a viable question is still how a user can actually find out what third parties are used at a given time by a given site.

Other opinions?


Regards,
matthias


On 26/03/2012 19:34, Shane Wiley wrote:
Ninja and I haven't had an opportunity to connect on this topic yet.

As Kimon rightly points out, there are varying EU country-level interpretations of appropriate consent expression.  My belief is for an Exchange level interaction, if the serving party is significantly limited in their data use (collected upon ad bid), then there is a fair argument that the party may be acting more as a data processor (service provider) than a controller at that moment and therefore may not need consent at all.  If you layer this on top of a broad user consent mechanism (must appropriately and fairly articulate to the user the breadth of their exception - aka "*") then this may be acceptable from an EU Data Protection Directive (and further through the draft Data Protection Regulation) - especially as tools are available within browsers today to accept or reject individual 3rd parties as they are introduced to a user.

This discussion is more rightly placed in the companion document we discussed last week as outside of the standards document.  I don't believe we should develop any country specific features for DNT and instead allow guidance for each country's legal system to begin to tease this out (many elements are in legal "grey areas").

As I believe Kimon and Ninja would agree, there is not a bright-line rule in this case and therefore there will be considerable discussion/debate on this topic (and others related to DNT) within the EU (and other legal jurisdictions, including the US).

- Shane

From: Kimon Zorbas [mailto:vp@iabeurope.eu]
Sent: Monday, March 26, 2012 12:39 PM
To: Matthias Schunter; Ninja Marnau; Shane Wiley
Cc: public-tracking@w3.org<mailto:public-tracking@w3.org>
Subject: Re: Are blanked exceptions usable in the EU? [ISSUE-129]

Hi Matthias,

I am not clear, what the purpose would be? The E-Privacy Directive is not harmonised across the EU and as a consequence there cannot be a certain answer to what consent means (or how far it goes) or how such consent can be expressed (we believe browser settings can be used but it's not that easy either). Sorry not being able to give a simple response on this.

Kind regards,
Kimon
----- Reply message -----
From: "Matthias Schunter" <mts-std@schunter.org><mailto:mts-std@schunter.org>
To: "Ninja Marnau" <ULD66@datenschutzzentrum.de><mailto:ULD66@datenschutzzentrum.de>, "Shane Wiley (yahoo)" <wileys@yahoo-inc.com><mailto:wileys@yahoo-inc.com>
Cc: "public-tracking@w3.org"<mailto:public-tracking@w3.org> <public-tracking@w3.org><mailto:public-tracking@w3.org>
Subject: Are blanked exceptions usable in the EU? [ISSUE-129]
Date: Mon, Mar 26, 2012 6:33 pm

Hi Ninja/Shane,


during our last call, you disagreed whether it is OK (=considered
sufficient consent) from an EU legal perspective that an individual
accepts an exception for "any" third party used on a given site.

While I understood there is no problem to agree to a defined list
"thirdparty1, thirdparty2, ...", there seems to be a problem if this
list is undefined.

A second question is whether an OK to 'any' is OK if the user can then
later learn what parties where actually in use.

How about either agreeing offline or else starting this discussion on
the list?

FYI: From a technical perspective, it is OK to include a function that
would not be usable in the EU, however, in this case some guidance for
sites may be helpful anyway.


Regards,

Matthias

Received on Tuesday, 27 March 2012 23:27:07 UTC