Re: Mapping DNT to GDPR

> On Oct 13, 2017, at 2:00, Peter Cranstone <peter.cranstone@3phealth.com> wrote:
> 
> Hello Robin,
> 
> I would argue that DNT may NOT be used to fulfill GDPR consent requirements. 
> 
> My argument is based on a single word - location, and in an ironic twist Aleecia agrees with me on this from her email below where she states…
> 
> unset
> - in the US, the user has not made a choice for privacy so it's ok to still track them.
> - in the EU, the user has not consented to tracking, so it's not ok to track them.
> 
> DNT does NOT convey location information so until you determine location the DNT signal has NO value.

I think this is a non-sequitur. (a) the server may be able to work out location in some other way and (b) it can always be conservative and assume no consent, in the absence of location info.

> If you determine that the person is in the EU then you have to ask for meaningful consent. You may choose to make a best guess as to location but that is RISKY from a compliance standpoint - but that’s a business choice. At no time can you, could you or should you rely on any of the three DNT conditions because there is INSUFFICIENT data to make a decision. Location drives your decision.
> 
> Now let's move on to the storage of consent. At the moment - the only practical choice you have is cookies.

The record that consent has been granted IS the storage of the exception. We don’t need another one as well.


David Singer
Manager, Software Standards, Apple Inc.

Received on Friday, 13 October 2017 08:42:40 UTC