- From: Shane M Wiley <wileys@oath.com>
- Date: Fri, 13 Oct 2017 14:46:15 -0700
- To: "Aleecia M. McDonald" <aleecia@aleecia.com>
- Cc: "public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org)" <public-tracking@w3.org>
- Message-ID: <CAEwb2yn97wu_5oL4Y0fz57cYO5x8nZMGq+SHr15cqjb3OOcm2w@mail.gmail.com>
The array only needs to make sense to three parties: user, publisher, and
ad tech vendor (3rd party).
- Publisher and Ad Tech Vendor decide on the array they will use (1=x,
2=y) for their relationship
- Ad Tech Vendor publishes these values and their meaning in their WKL
- The Ad Tech Vendor will publish one set of purposes to reflect their
entire business but only a few may be displayed to the user based on the
business relationship with that specific Publisher
- Publisher displays the purposes choices for that Ad Tech Vendor to the
User for consent (with links to learn more)
- Ad Tech Vendor receives their purpose array with their DNT:0 when that
User interacts with that Publisher -- this tells the Ad Tech Vendor which
practices are allowed or disallowed based on the array they receive for
that transaction
- Shane
On Fri, Oct 13, 2017 at 2:12 PM, Aleecia M. McDonald <aleecia@aleecia.com>
wrote:
> Ah! I think I am finally starting to understand. Thanks for your patience,
> Shane.
>
> Not to make this harder, but presumably you need more than 1 to n, since
> there could be multiple ecosystems that want to do similar mappings. It
> would be deeply unfortunate to have Publisher A get consent to purpose 1 in
> context Breakfast Tracking, while an advertiser *thinks* they have consent
> to purpose 1 in the Ad Ecosystem, but no, it was purpose 1 in the Breakfast
> Tracking ecosystem.
>
> Arrays seem fundamentally problematic. I do not have better ideas yet.
>
> I hesitate to put this forward, but perhaps an array that is documented as
> [0] through [19] are reserved for use by IAB/NAI/AAAA/whomever will own the
> coordination task. This is suboptimal. Perhaps we need prefixes or multiple
> well-named arrays, though there are obvious brittle problems there. We
> could use a registry of some type but I doubt W3C is interested in unending
> work to support such things.
>
> (Ignoring fingerprinting risk for now; ignoring that we may fail to ship
> any spec by making major changes this late; can weigh those when we have a
> solid idea of how to move forward)
>
> Aleecia
>
> On Oct 13, 2017, at 1:20 PM, Shane M Wiley <wileys@oath.com> wrote:
>
> David,
>
> The way this is likely going to work in the real-world, with or without
> DNT, is that the publisher will be capturing the consent (by purpose) for
> each ad tech vendor they work with. Imagine a consent dialogue that lists
> 5 ad tech partners with 2 to 3 purposes below each partner that the user
> must consent (thus far the mocks I've seen are not very pretty).
>
> Note - I'll avoid the pre-checked box debate here as there could be a
> secondary unchecked box that confirms the user's choice prior to allowing
> them to hit the "I Consent" button.
> Note 2 - I'll avoid the all-or-nothing discussion here (having that with
> Rob on the same thread).
> Note 3 - I'll also avoid the pay-wall or tracking-wall debates (as those
> are on-going in the ePR legislative process).
>
> The publisher will capture this consent and then need to convey it to
> those 3rd parties in some manner. DNT is a nice solution as the browser
> does this for the ad tech vendor (publisher -> browser -> ad tech vendor).
> Similarly, the publisher could daisy chain through their 3rd party ad tech
> vendor's domains (iFramed) so they each set a cookie with the appropriately
> passed parameters for what level of consent has been provided. If the
> consent is "web-wide" the publisher would need to follow a similar approach
> anyway (site-wide does not require the iFrame daisy chain). The publisher
> will of course record this themselves as any changes (new partners, new
> purposes) will require they interact with the user again to gain consent
> for the new elements. Net-net: EU users will be seeing A LOT of consent
> dialogues going forward.
>
> In the publisher to ad tech vendor setup they will need to agree to the
> purposes for which the ad tech vendor is seeking to gain consent to prior
> to launching the consent experience with users on the publisher's site. Ad
> Tech Vendors may agree to a single set of possible purposes such that
> numbering is common across industry (1 = interest based ads, 2 =
> cross-device mapping, 3 = probabilistic mapping, N...). In either case the
> publisher and the ad tech vendor have to agree to this up front so they are
> accurately conveying the appropriate consent for each purpose for that
> vendor.
>
> - Shane
>
> On Fri, Oct 13, 2017 at 9:39 AM, David Singer <singer@apple.com> wrote:
>
>>
>>
>> > On Oct 13, 2017, at 17:48 , Shane M Wiley <wileys@oath.com> wrote:
>> >
>> > David,
>> >
>> > The missing element in your assessment is that the user MUST be able to
>> consent (or not) to the options individually. We're not able to make it an
>> "all-or-nothing" proposition legally. If that was possible we wouldn't
>> need to have this conversation as then a single signal would cover our
>> needs.
>>
>> OK. Kinda weird. The site may not do the quid-pro-quo (e.g. free access)
>> unless you consent to it all. So ‘granular consent’ as I wrote below, and
>> possibly ‘changing purposes over time’ are both issues.
>>
>> It’s easy for the site to talk back to itself; cookies, or even as I
>> suggested using the DNT-extension. That covers the web-wide exception, and
>> the site itself for site-specific.
>>
>> How do you think a site should convey to the ads and its 3rd-parties, for
>> site-specific exceptions, which purposes they have consent for?
>>
>> “This user agreed to a non-vegetarian meal” “This user agreed to wearing
>> synthetic fibers during the night-time” and so on?
>>
>>
>>
>> >
>> > - Shane
>> >
>> > On Thu, Oct 12, 2017 at 11:33 PM, David Singer <singer@mac.com> wrote:
>> >
>> >
>> > > On Oct 13, 2017, at 0:20 , Shane M Wiley <wileys@oath.com> wrote:
>> > >
>> > > I believe this is an over simplification of the issue. If we want
>> DNT to meet the most basic needs of even small publishers that means they
>> will need to support at least one ad tech partner (assuming the goal of the
>> group is still to meet the original target of the standard). Even the most
>> basic ad tech partner will participate in at least two distinct purposes
>> which lawyers are expressing need to be consented to separately:
>> interest-based advertising and cross-device mapping (all ad ecosystem
>> participants support these two common approaches in the EU marketplace
>> today). If the DNT standard is unable to support even the most basic
>> consent scenario then there will likely be zero adoption - at least for the
>> most common use case and original target of the standard. There may still
>> be hyper edge cases where a singular purpose consent will cover all needed
>> business cases.
>> >
>> > Shane
>> >
>> > I think I am confused.
>> >
>> > When consent is requested, the site manages the UI. It can certainly
>> ask:
>> >
>> > I need to be able to track you so that
>> > * I serve you the breakfast that corresponds to your weird food fads
>> > * I and my third parties can gather data about you that I will sell to
>> a foreign intelligence service, to cover my medical bills
>> >
>> > So, the dual purposes can be clearly expressed in the request.
>> >
>> > Likewise they can be expressed in the tracking status resource; we
>> could certainly have a list of purposes added here:
>> >
>> > object {
>> > string tracking; // TSV
>> > array { string; } compliance?; // hrefs
>> > string qualifiers?; // compliance flags
>> > array { string; } controller?; // hrefs
>> > array { string; } same-party?; // domains
>> > array { string; } audit?; // hrefs
>> > string policy?; // href
>> > string config?; // href
>> > }*;
>> >
>> > So, as I see it, for an unchanging picture we seem to be covered, no?
>> >
>> > The tricky parts come in at least two ways:
>> > * if the site offers granular consent, for each purpose separately, it
>> needs to know who consented to which purpose.
>> > * if the site’s needs and hence purposes for tracking change over time,
>> it needs to remember “this user gave consent before I added purpose-Q,
>> whereas that user gave consent also to purpose-Q”
>> >
>> > Are these what we are struggling with?
>> >
>> >
>> > >
>> > > - Shane
>> > >
>> > > On Thu, Oct 12, 2017 at 2:47 PM, Aleecia M. McDonald <
>> aleecia@aleecia.com> wrote:
>> > >
>> > > > On Oct 12, 2017, at 11:16 AM, Shane M Wiley <wileys@oath.com>
>> wrote:
>> > > >
>> > > […]
>> > > > In either case, we'll need a purpose array for the ad industry to
>> be able to leverage DNT as a lawful consent compliance approach in the EU
>> (at least that's what EU lawyers are telling me).
>> > > […]
>> > >
>> > > This sounds like an array of common purposes that also contains a
>> purpose of other.
>> > >
>> > > I imagine a common set of purposes congruent with EU regs, and then
>> “other” managed entirely by the publisher, which defines what it means,
>> conveys it meaningfully to users, and records not only consent but what was
>> consented to. I would expect any given publisher using “other” to change
>> what it means over time (e.g. after an acquisition or new product launch,
>> etc.) which is why a timestamp is going to matter.
>> > >
>> > > In an ideal world, Art 29 WP could issue guidance that turns the
>> common set of purposes into something fairly self-serve. Perhaps there will
>> be sample text akin to Safe Harbor guidance.
>> > >
>> > > For the complexities of Other, well, see your local DPA to have a
>> discussion about that.
>> > >
>> > > Small sites should be able to do just fine with the common set. Large
>> companies can get all the complexity they need from Other, which might need
>> to be further defined as OtherA, OtherB, OtherC, on the backend, but that
>> too is up to the publisher to manage.
>> > >
>> > > Early on we had the idea that straight-forward publishers should be
>> able to implement DNT easily and those with complex practices would have a
>> more complex implementation. I think we can still fulfill that goal.
>> > >
>> > > (I echo Rob’s concern about further delay and the ironies inherent in
>> this discussion.)
>> > >
>> > > Aleecia
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > --
>> > > - Shane
>> > >
>> > > Shane Wiley
>> > > VP, Privacy
>> > > Oath: A Verizon Company
>> >
>> > Dave Singer
>> >
>> > singer@mac.com
>> >
>> >
>> >
>> >
>> > --
>> > - Shane
>> >
>> > Shane Wiley
>> > VP, Privacy
>> > Oath: A Verizon Company
>>
>> David Singer
>> Manager, Software Standards, Apple Inc.
>>
>>
>
>
> --
> - Shane
>
> Shane Wiley
> VP, Privacy
> Oath: A Verizon Company
>
>
>
--
- Shane
Shane Wiley
VP, Privacy
Oath: A Verizon Company
Received on Friday, 13 October 2017 21:46:41 UTC