W3C home > Mailing lists > Public > public-tracking@w3.org > May 2012

Re: explicit-explicit exception pairs

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Mon, 7 May 2012 12:57:02 -0700
To: ifette@google.com
Cc: Rigo Wenning <rigo@w3.org>, public-tracking@w3.org, rob@blaeu.com, Nicholas Doty <npdoty@w3.org>, Matthias Schunter <mts-std@schunter.org>
Message-ID: <8D0ADE8F6807491AB8A7004E472C805F@gmail.com>
The emerging consensus interpretation of EU privacy law requires that a user consent to *specific* third parties and *specific* information practices *before* those third-party websites use tracking cookies.  (Some working group participants contest this interpretation and are actively lobbying against it.)  A list of third parties and information practices made available *after* tracking cookies are used (e.g. a legalese privacy policy or machine-readable list of third parties) would not be in compliance.  The new cookie guidance in France gives a workable overview (translation required): http://www.cnil.fr/en-savoir-plus/fiches-pratiques/fiche/article/ce-que-le-paquet-telecom-change-pour-les-cookies/

Browsers can and should facilitate compliance with this legislation.  Relying on existing web technologies would yield a bad outcome for both websites and consumers.  Websites would continue to operate under a shadow of legal uncertainty, and they'd have to scramble to develop ad-hoc, fragmented consent mechanisms.  Users, meanwhile, would have inconsistent experiences across the web and no centralized means of adjusting their preferences.

Getting the browser user interface right will, to be sure, require iteration and experience.  Ian's proposal seems a reasonable sketch of a first step.  The French DPA has a more succinct mock-up: http://www.cnil.fr/fileadmin/images/approfondir/imagecookies1.jpg

One final note: I wouldn't generalize from the ECJ's Deutsche Telekom opinion (available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=82128&pageIndex=0&doclang=EN&mode=doc&dir=&occ=first&part=1&cid=475465).  That case dealt with the interaction of pro-competition telecom law and a specialized section of the ePrivacy Directive that regulates public directories.  (A large telecom had tried to exercise monopoly control over public directory services; it seized upon the ePrivacy Directive to justify its practices.)  The court interpreted the public directory provisions—unlike other provisions—to not require consent with respect to third-party directory services.  The Article 29 Working Party (rightly) cited the opinion only as a guidepost for the "specific" element of consent under the ePrivacy Directive.

Jonathan  


On Monday, May 7, 2012 at 9:33 AM, Ian Fette (イアンフェッティ) wrote:

> Rigo,
>  
> If we operate under the premise that an enumeration of "top-level third parties" is required for consent to be meaningful in the E.U. but not globally, then I would argue that the preferred way to satisfy this is by doing something where we shift the balance of where the "compliance text" lives from the browser to the website. That is, somewhere, a user is going to be offered text explaining why they are being asked for an exception, what the exception covers, and what this means. I would argue that in the context of the browser, we're working across too many jurisdictions to actually say anything too meaningful about what the exception means. (We also tend to shun long text in our UI).   
>  
> What I would therefore propose is that for a site in the E.U. wishing to be compliant with whatever regulations end up being relevant, is that it could satisfy those regulations via text on the page that hosts the "grant an exception button". That is, the site could say,  
>  
> "Dear user,  
>  
> In an effort to provide you with high quality content, we have determined that we need to serve users targeted ads. These ads provide a higher amount of revenue that is otherwise possible, and this revenue directly pays for the content you are about to enjoy. We use the following third party service providers on our website:  
> - A Inc.
> - B GmbH.
> - C S.A.
>  
> If you grant an exception to our website, the third parties on our website will be able to track your visits on our website for the purpose of serving you more targeted content, including more relevant ads that we hope will create a more meaningful interaction with our website.  
>  
> Our DNT policy, located at <X> (and presumably referenced via some well known location and/or response header) also lists out the third parties that may be in use at any given time.
>  
> Click <here> to grant an exception to third parties on example.com (http://example.com) from your Do Not Track preference."
>  
>  
> This still leaves open the possibility of third parties changing over time, but I will posit that it's a bit unclear if it's actually required to re-confirm consent at this time if the user has already been told that their data will be used by third parties for the following purposes and there's a clear way for them to discover what those third parties are at any given time. (If you really cared, the browser could compile a list of first-level third parties as well, after the page is loaded.)  
>  
> -Ian
>  
> On Mon, May 7, 2012 at 1:17 AM, Rigo Wenning <rigo@w3.org (mailto:rigo@w3.org)> wrote:
> > Ian,
> >  
> > thanks for that quote. This is helpful. And I think it is in line with my
> > thinking that we have to only enumerate the third parties the first party
> > knows of.
> >  
> > In Detail: In the case you're taking up, the user gave his consent to a
> > particular directory service. Now this particular directory service was
> > transferring data to another directory service (e.g. because of a merger)
> > The court says: You've given your data to A for purpose directory service
> > and only because of a merger and no other change, there is no need to ask
> > every single person in the phone-directory again. This is reasonable. But it
> > does not compare to the situation we have, where we start already with an
> > undefined amount and identity of the data collectors (data controllers).
> >  
> > If you add your right to access and rectify the data about you, it is clear
> > that knowledge about the data controllers is needed. It may be possible to
> > have a publication of your data to unbound unknown third parties, but this
> > would equal to a generic web-wide exception for everybody. And in this case,
> > your browser would just spawn DNT;0 on all requests.
> >  
> > While I see the burden you're invoking, I have trouble to get around naming
> > the third parties used by (and known to) the first party. Now how can we
> > minimize the burden technically?
> >  
> > Rigo
> >  
> >  
> >  
> > On Saturday 05 May 2012 16:21:21 Ian Fette wrote:
> > > I'm curious what you mean by "implied" consent? If the user grants an
> > > exception in response to a dialog presented by the browser on behalf of
> > > the website, that's rather explicit, is it not? I fail to see how that is
> > > "implied".
> > >
> > > I'm not a lawyer and I don't pretend to be one, I'm just trying to figure
> > > out if there's some distinction here that you're drawing that i'm missing.
> > > I looked through the opinion you linked to, and in particular, I'm having
> > > trouble reconciling your statement with the following:
> > >
> > > "Recently the ECJ issued a preliminary ruling
> > > 22
> > >  regarding Article 12(2) of the ePrivacy
> > > Directive, concerning the need for renewed consent of subscribers who had
> > > already
> > > consented to have their personal data published in one directory, to have
> > > their personal
> > > data transferred to be published by other directory services.  The Court
> > > held that where
> > > the subscriber has been correctly informed of the possibility that his
> > > personal data may
> > > be passed to a third-party undertaking and s/he has already consented to
> > > the publication
> > > of those data in such a directory, renewed consent is not needed from the
> > > subscriber for
> > > the transfer of those same data, if it is guaranteed that the data in
> > > question will not be
> > > used for purposes other than those for which the data were collected with
> > > a view to their
> > > first publication (paragraph 65). "
> > >
> > > Wouldn't this imply that if you inform the user that their data may be
> > > passed on to third party advertisers for the following (X,Y,Z) purposes,
> > > the addition of another advertiser down the line would not be material?
> > >
> > > Also, I don't think you should take the prompt presented by the browser as
> > > the full context of the request for consent. The prompt by the browser is
> > > generated by the user clicking something on the page, the text
> > > surrounding that something on the page is part of the context under which
> > > the consent is given, and can do things like explain what third parties
> > > the site uses and what purposes the site wishes to use your data for.
> > >
> > > On Sat, May 5, 2012 at 8:40 AM, Rob van Eijk <rob@blaeu.com (mailto:rob@blaeu.com)> wrote:
> > > > This thread starts to overlap with 'ACTION-172: Write up more detailed
> > > > list of use cases for origin/origin exceptions'
> > > >
> > > > My assumption in this answer is that the browser reflects valid user
> > > > consent. As a prerequisite, this implies that the user has made an
> > > > informed choice, preferably in the install/update flow of the browser
> > > > to use DNT technology as a granular consent expression mechanism.
> > > >
> > > > Taking this assumption into account, my answer is easy, and I can be
> > > > crystal clear on this:
> > > > 1) Implied consent for * for an unknown list of parties is unacceptable
> > > > for it does not lead to compliance.
> > > > 2) Implied consent can only be valid for a select list of third parties
> > > > operating in a first party context: the processors who have a legal
> > > > processor-agreement with the first party (controller).
> > > >
> > > > In Brussels I gave a detailed presentation on the criteria for consent
> > > > to
> > > > be valid. They are well published in the Art. 29 Working Parties
> > > > opinion.
> > > >
> > > > Preso: http://lists.w3.org/Archives/**Public/public-tracking/**
> > > > 2012Jan/att-0268/W3C_v2.pdf<http://lists.w3.org/Archives/Public/public-t
> > > > racking/2012Jan/att-0268/W3C_v2.pdf> Opinion 15/2011 on Consent:
> > > > http://ec.europa.eu/justice/**
> > > > data-protection/article-29/**documentation/opinion-**
> > > > recommendation/files/2011/**wp187_en.pdf<http://ec.europa.eu/justice/dat
> > > > a-protection/article-29/documentation/opinion-recommendation/files/2011/
> > > > wp187_en.pdf>
> > > >
> > > > Rob
> > > >
> > > > On 4-5-2012 22:31, Rigo Wenning wrote:
> > > >> Ian,
> > > >>
> > > >> this is very clear and I think we are at the core of the issue. I have
> > > >> to
> > > >> leave it to Rob (and it may take some time) to answer the question
> > > >> whether informed consent can be given to an unknown list of third
> > > >> parties tracking me. From my german and french law roots, I have a
> > > >> feeling it doesn't work, but maybe I'm wrong.
>  
Received on Monday, 7 May 2012 19:57:35 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:28 UTC