Re: Mapping DNT to GDPR

> On Oct 10, 2017, at 8:05 AM, Robin Berjon <robin.berjon@nytimes.com> wrote:
> 
> Dear TPWG,
> 
> I have walked through your documents and mailing list archives in search for an answer to my question but I cannot seem to find it. It is essentially two-fold and concerns the relationship between DNT and the GDPR from the point of view of a website. While I understand that legal questions may be tricky my understanding, which may be wrong, is that your current charter is designed to allow for better alignment with European privacy laws. I will therefore formulate my question in terms of use cases.
> 
> 1) Is the intent of the Tracking Preference Expression that `DNT:0` would convey consent in the sense of GDPR Article 4, definition 11, and Article 7?

Yes, assuming the DNT:0 is the result of an informed consent action by that user.
IOW, the protocol itself is only communicating what the API has been used to
record -- whether or not that agreement is sufficient and legitimate in the eyes
of the GDPR depends both on what the site or browser presented to the user just
before asking for consent (when the APIs are invoked) and how well the site's
actual behavior conforms to that consent.

> 2) Is the intent of the TPE that `DNT:1` would convey a user's objection to processing in the sense of GDPR Article 21, specifically paragraph 5 concerning the "right to object by automated means using technical specifications".

That is the intent of the TPE; we are depending on browsers adhering to
that intent by not sending DNT until the user deliberately configures it.
If that turns out to be false, DNT:1 won't convey anything.

Cheers,

Roy T. Fielding                     <http://roy.gbiv.com/>
Senior Principal Scientist, Adobe   <https://www.adobe.com/>

Received on Wednesday, 11 October 2017 18:39:23 UTC