W3C home > Mailing lists > Public > public-tracking@w3.org > October 2012

Re: tracking-ISSUE-184 (Walter van Holst): 3rd party dependencies in 1st party content [Tracking Definitions and Compliance]

From: Kimon Zorbas <vp@iabeurope.eu>
Date: Thu, 25 Oct 2012 07:29:12 +0000
To: Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, "rob@blaeu.com" <rob@blaeu.com>
Message-ID: <71C6931F-C837-48DD-B627-AE1F8F8E8362@iabeurope.eu>
Fully support Rigo: if a user objects to the data processing, the service provider has a right to not provide the service. That is broad consensus of policymakers, industry and regulatory authorities (DPAs & telecom and other).

Kind regards,
Kimon

----- Reply message -----
From: "Rigo Wenning" <rigo@w3.org>
To: "public-tracking@w3.org" <public-tracking@w3.org>, "rob@blaeu.com" <rob@blaeu.com>
Subject: tracking-ISSUE-184 (Walter van Holst): 3rd party dependencies in 1st party content [Tracking Definitions and Compliance]
Date: Thu, Oct 25, 2012 8:58 am



Walter, Rob,

in our setup, a first party doesn't need consent with the current
specifications. And the second party is not DNT enabled in your
scenario. So you have already a logic break in there.

There is a law in Germany that a service can't refuse service merely
because the data subject refuses data collection. This hasn't been
applied in a case I know of. And for good reasons. If the user
refuses necessary data collection, how would I obtain the service?

I think we would be ill-guided if we would accept that a service
can't refuse service. Forced licenses and services exist for patents
and monopolies. We are not there. And if we were there, we would
have to define precisely what that minimum service is. I don't think
we can do that from here.

The only point that Walter has is the following: If the first party
responds "3" (as in the EU context) and has other third parties not
compliant with DNT and the site is not working without them, one
could argue for text that says, the entire site is not DNT
compliant. But that has dangers from redirects and other surprises.
I would rather say that we add non-normative text that the browser
should assume that the site is not usable with DNT. It finally says
that the site, by establishing the denial, it links its service to
another non-DNT service such that the DNT can't be assumed.

Another break is then, that Walter assumes DNT and says: "The user
is forced to give consent". But there is no DNT to consent to other
than the first party as -by definition- the third party is not DNT
enabled.

Concluding, I can say that for the EU, the situation is rather
simple. Requests are DNT-enabled or not. If those enabled are
hardwired with a service that aren't, the entire request must fail
or made under the assumption of DNT unset.

Rigo



On Wednesday 24 October 2012 19:49:46 Rob van Eijk wrote:
> > This raises an interesting situation if we have DNT. For example
> > we have a 1st party that is trusted by the user and also claims
> > to comply
> > to DNT and a 3rd party that is neither. Since the 1st party
> > content  is
> > technically dependent on 3rd party content, the user has the
> > choice between either granting consent to the 3rd party in
> > order to have the 1st party function properly or not getting
> > the content at all.
> >
> > To what extent is such consent informed, genuine and meaningful?
>
> I would like to add the question the element of free (i.e. freely
> given): to what extent is such consent freely given.
>
> (Recital 17 (2002/58/EC): Consent may be given by any appropriate
> method enabling a freely given, specific and informed  indication
> of the userís whishes.)
Received on Thursday, 25 October 2012 07:29:57 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:37 UTC