- From: Peter Cranstone <peter.cranstone@3phealth.com>
- Date: Fri, 13 Oct 2017 00:00:25 +0000
- To: "Aleecia M. McDonald" <aleecia@aleecia.com>
- CC: Robin Berjon <robin.berjon@nytimes.com>, public-tracking-comments w3.org <public-tracking-comments@w3.org>
- Message-ID: <1B45A552-8D31-47DB-BEC8-500A08E4C3F1@3phealth.com>
Hello Robin,

I would argue that DNT may NOT be used to fulfill GDPR consent requirements. My argument is based on a single word - location, and in an ironic twist Aleecia agrees with me on this from her email below where she states…

unset
- in the US, the user has not made a choice for privacy so it's ok to still track them.
- in the EU, the user has not consented to tracking, so it's not ok to track them.

DNT does NOT convey location information so until you determine location the DNT signal has NO value. If you determine that the person is in the EU then you have to ask for meaningful consent. You may choose to make a best guess as to location but that is RISKY from a compliance standpoint - but that’s a business choice. At no time can you, could you or should you rely on any of the three DNT conditions because there is INSUFFICIENT data to make a decision. Location drives your decision.

Now let's move on to the storage of consent. At the moment - the only practical choice you have is cookies.

Section 6.1 of Tracking Preference Expression (DNT) - W3C Candidate Recommendation 07 September 2017 (link: <https://w3c.github.io/dnt/drafts/CRc-tracking-dnt.html#exception-overview>). This is being updated but there are NO changes to the section below:

A client-side database can be used for persistent storage of user-granted exceptions, such that permission to send DNT:0 is obtained by a site and stored via a JavaScript API. However, we only define the API (below); the choice of storage mechanism is left to each implementation. In comparison to the use of cookies to manage consent, an exception database and APIs provide more transparency and better user control, while also providing better persistence of those exceptions for sites.

I completely agree with the spec in this regard. The only appropriate way to store your consent is in an exception database because it provides ‘transparency and better user control’ - why is this important? The right to be forgotten.
The consumer needs the ability to change their mind - wading through thousands of cookies in search of the right consent cookie does not meet the GDPR guidelines. As no current browser supports an exception database you will be forced to use cookies with a lot of explanation.

In closing I’m going to bring up one other section of the GDPR - Article 3 Clause 2… Territorial scope - (link: <https://gdpr-info.eu/art-3-gdpr/>) which states…

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

Again we come back to location. If I land in Zurich and connect to a US web site then technically I’m under GDPR irrespective of whatever my DNT signal says (it’s irrelevant). Which means that all US web sites etc will need to determine real time location. Real time location cannot be added to the DNT:1 signal because that would be a violation of my privacy (and because there are as of yet no agreed upon extensions - see this link: https://w3c.github.io/dnt/drafts/CRc-tracking-dnt.html#dnt-extensions).

So in another ironic twist you will have to determine exactly where I am, then based on that, ask for consent and then if I opt out - forget about me until I come back to the site and you can run a script to read the cookie to see what my consent settings were for your site. Of course if there is nothing there the process starts all over again.

In summary:

* DNT has NO value in the US as there is no enforceable compliance document (Equifax is a great example - zero fines).
* DNT has NO value in the EU as it cannot transmit location so it is essentially the equivalent of unset which means that no header was ever transmitted in the first place.

Privacy is contextual (my desire to share data), privacy depends on context (my location), privacy depends on identity.

My best,

Peter

Peter Cranstone
CEO, 3PHealth
COMS: Mobile/Signal: +1 303-809-7342
UTC -6hrs
Skype: cranstone
Website | www.3phealth.com (Healthcare Patient Engagement and Data Interoperability)
Website | www.3pmobile.com (Privacy by Design Platform for GDPR and ePrivacy reg.)

On Oct 12, 2017, at 4:18 PM, Aleecia M. McDonald <aleecia@aleecia.com> wrote:

Hello Robin,

A co-author and I argue that DNT may be used to fulfill GDPR depending on how browsers work [1]. The W3C working group has designed DNT from the start to be a tri-part state.

DNT:1 - request not to be tracked
DNT:0 - agreement to be tracked
unset
- in the US, the user has not made a choice for privacy so it’s ok to still track them.
- in the EU, the user has not consented to tracking, so it’s not ok to track them.

This is related to the point Roy raised, but a little different. Basically tracking as opt-in v. opt-out flips based on where the user is located. Roy’s point covers things like: it’s not ok for a general purpose browser to choose a setting for their users (i.e. IE.)
At a purist level it does not even matter if the browser spams DNT:1 or DNT:0 for users who did not elect it themselves, it will break *somewhere*; it is merely the details of how things break that change based on where the user is.

The phrase “general purpose browser” above exempts things like privacy mode, or a plug-in for privacy, or a plug-in for more personalized ads and shopping suggestions. Those might reasonably send a specific DNT setting as part of how they serve their audience. But for all other general purpose browsers, if the user has not made a choice, don’t send a DNT signal.

Of course there are more details beyond this. I think Mike did a good job at the big picture so I’ll let that stand. Please feel free to contact me on or off list if I can be of assistance.

Aleecia

[1] Zuiderveen Borgesius, F. J., and McDonald, A. M. (2015). Do Not Track for Europe. <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2588086> 43rd Research Conference on Communication, Information and Internet Policy (Telecommunications Policy Research Conference), September 26, 2015.

Received on Friday, 13 October 2017 08:37:36 UTC