Re: Action-157: Update logged-in consent proposal

On 5/5/2012 8:59 PM, Nicholas Doty wrote:
> Also, Shane and Justin, does this sentence
>> "Companies ... should not seek to obtain explicit, informed consent 
>> from users in non-obvious ways such as placing these details in their 
>> Terms of Service or deeply placed within their Privacy Center"
> imply that a service *can* obtain explicit, informed consent to 
> override a user's DNT preference via a Terms of Service document and 
> be in compliance with this standard?
>
> If not, then we could make this clearer by updating the normative text:
>> Sites MAY override a user's DNT preference if they have received 
>> explicit, informed consent to do so. Sites MUST NOT obtain explicit, 
>> informed consent via Terms of Service or other non-obvious means.
I think we are all in agreement that the operator of a site cannot 
obtain explicit, informed consent via a Terms of Service, privacy 
policy, or other non-obvious means.  Either the tracking is obvious by 
the nature of the product, or you have to go out of your way to explain 
clearly and conspicuously and get permission.  I am open to putting 
language in the normative section making that clear, but I thought that 
Shane and others were strongly opposed to that.  I do agree that the 
proposed non-normative text could make clearer that ToS by itself cannot 
work.  Here is revised language:

Non-Normative Text:

Even when a user has turned on a "Do Not Track" setting, the operator of 
a site may seek to obtain the user's permission to ignore that setting 
and track the user as a third party on other sites.  In seeking user 
consent, the tracking functionality has to be clearly communicated to 
the user such that the user is positioned to make a voluntary and 
informed decision about whether to allow the operator to collect and use 
cross-site data about the user in ways that would otherwise be prevented 
by the DNT setting.

Interactions with users to obtain consent can in many cases be 
contextual.  If a service has an obvious cross-site tracking function 
that the user deliberately signs up for then this could be deemed to 
have achieved explicit and informed consent from a user without directly 
addressing its reaction to an external Tracking Preference (which may 
not have been contemplated at the time the consent experience was 
designed).  For example, if a user signs up for a social reader service 
that clearly indicates that information about activity on other sites 
will be collected and published to a user's social networking page, the 
service would not need to get separate permission to ignore the DNT 
signal.  Even in these cases, however, organizations should provide 
Tracking Preference references in associated product or service 
materials such as a privacy policy, help center, and/or in separate 
notice to users.

Most services that a user signs up for do not have cross-site tracking 
functionality that would be obvious to a user.  For these services, 
operators who wish to comply with this spec and track despite the 
presence of a DNT signal should clearly and conspicuously ask users for 
permission to track despite the Do Not Track setting.  Simply agreeing 
to a long boilerplate legal agreement that includes mention of a right 
to track despite a DNT setting would not constitute express and 
informed consent.  For example, if the operator of an instant messaging 
client (who also owned an advertising network) asserted permission to 
track for behavioral advertising purposes only in a linked license 
agreement, a user's agreeing to the license agreement would not 
constitute express, informed consent to override the user's DNT 
preference for the purposes of this spec.

Out-of-band consent will be further reinforced in user interactions 
through *[let's park this paragraph until the response header/well known 
URI are fully fleshed out.]*

> Or if the group believes there are some cases where non-obvious means 
> would be acceptable, that would be a SHOULD NOT rather than MUST 
> NOT. Or this could be phrased definitionally instead: "Consent via a 
> Terms of Service or other non-obvious means is not explicit and informed."
>
> Also, per the question on "ideally", is that a SHOULD requirement? 
> e.g. "Sites SHOULD provide options to alter this consent via the 
> tracking status resource."
>
> Thanks,
> Nick
>
> On Apr 25, 2012, at 12:23 PM, Shane Wiley wrote:
>
>> I’m fine with “ideally”:
>> <Normative>
>> Sites MAY override a user's DNT preference if they have received 
>> explicit, informed *consent* to do so.
>> <Non-Normative>
>> In the absence of a Tracking Preference standard, many organizations 
>> have developed direct consent mechanisms for web-wide tracking.  
>> Interactions with users to obtain consent are often contextual.  For 
>> example, if a service has an obvious cross-site tracking function 
>> that the user deliberately signs up for then this could be deemed to 
>> have achieved “explicit and informed” consent from a user without 
>> directly addressing its reaction to an external Tracking Preference 
>> (which wasn’t contemplated at the time the consent experience was 
>> designed).  Even in these cases, organizations should consider 
>> providing Tracking Preference references in associated product or 
>> service materials such as a privacy policy, help center, or separate 
>> notice to users.
>> Companies claiming public compliance with the W3C Tracking Protection 
>> standard should not seek to obtain explicit, informed consent from 
>> users in non-obvious ways such as placing these details in their 
>> Terms of Service or deeply placed within their Privacy Center if it 
>> will not be obvious to users that the nature of the service will lead 
>> them to ignore a user’s Tracking Preference based on the nature of 
>> the consent the user is granting.
>> Out-of-band consent will be further reinforced in user interactions 
>> through either the Header Response or Well-Known URI approaches to 
>> replying to user Tracking Preferences.  This will provide a constant 
>> reminder of prior consent on each interaction and provide a resource 
>> (link) to allow the user to understand how this consent was achieved 
>> and ideally options to alter that consent if the user chooses to do so.

Received on Monday, 7 May 2012 22:02:05 UTC