RE: Propagating site-wide consent without Javascript

Hi Shane,

I agree the exception API is crucial, but I do not think changes to the ePR will make much difference to it. Consent will always be a legal basis under both regulations, and even if the legitimate interest basis is imported into the ePR there still has to be a right to object (by “automated means”), and DNT:1 supplies that. If a significant proportion of users then set the general preference, site owners will want to have the ability to register specific consent to override it.

There could be a case for generalising the API so sites could also use it as a “right to object” signal, i.e. for users who do not have the general preference set.

Mike

From: Shane M Wiley [mailto:wileys@yahoo-inc.com] 
Sent: 21 February 2017 23:11
To: Matthias Schunter (Intel Corporation) <mts-std@schunter.org>; public-tracking@w3.org (public-tracking@w3.org) <public-tracking@w3.org>
Subject: Re: Propagating site-wide consent without Javascript

Matthias and Working Group,

I believe the Exception API is critical for industry support of DNT. From a web site owner's perspective (in light of a possible requirement to obtain explicit consent from a user) you will have several options:

1. Implement your own consent solution and store the result in a browser cookie and/or with the user's account (if you have account registration)
2. Implement DNT as your consent solution and store the exception with the browser (which can be shared across authenticated devices of the browser)
3. BOTH (as this could allow crossing browser types - although this approach has to handle race conditions)

If the Exceptions API is removed there is little value in implementing DNT, as the site owner is forced to use cookies to store a user's preference. The clear win for a site owner is that Exceptions should survive cookie cleaning (could be deleted through another mechanism - that needs to be decided by browser vendors). If Exceptions offer no value over standard cookies then the path of least resistance is to implement your own consent mechanism, as you have complete control over the user experience and you don't have to brace for possible unexpected developments from each browser vendor (which will always remain a concern with a browser-centric model).

Timing: It was in the ePR context that more direct calls for DNT support came from several EU regulators. The ePR is still in draft form and its legislative timing and final wording are unclear. As that may take some time, we may be trying to force the completion of the TPE a bit too quickly for the regulatory environment to clear up on core concepts like legitimate interests of 3rd parties and forms of acceptable consent where legitimate interests are not found. Once the language of the ePR is finalized we'll better understand the boundaries of legal certainty and related options for implementation, which will in turn help drive the direction for the Working Group (IMHO).

- Shane

Shane Wiley
VP, Privacy Policy
Yahoo

  _____

From: Matthias Schunter (Intel Corporation) <mts-std@schunter.org>
To: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Sent: Monday, February 20, 2017 5:14 AM
Subject: Propagating site-wide consent without Javascript

Hi Folks,

During our last call, David suggested that we should put the Javascript API at risk. By doing so, we can continue towards recommendations even if the API is not implemented by the participants.

I would like to now kick off a "what if" discussion.

The Javascript API serves IMHO three purposes:

1 - To store site/web-wide exceptions
2 - To propagate consent from the site to its sub-elements (e.g. the site obtained site-wide consent and all its sub-elements (such as analytics) will then receive a DNT:0 to signal that they are permitted to track).
3 - To provide transparency to the user (who can check what consent/exceptions are stored in his browser)

If the Javascript API were removed, then consent can be stored using cookies or other means (point 1), transparency would need to be provided (at a limited level) by the sites (point 2).

I would now kick off a discussion on how consent could be forwarded from a site to its subsidiaries. Options I see:

Option 1: Javascript API + DNT:0 header (current solution; at risk)

Option 2: Some other way to trigger sending DNT:0 (e.g. we could define a "site-wide exception" response header that triggers sending DNT:0 to other elements)

Option 3: Encoding in URLs? Some Javascript tricks? Other?

What do you think? Opinions?

Regards,

matthias

Received on Wednesday, 22 February 2017 09:06:52 UTC