- From: Peter Cranstone <peter.cranstone@3phealth.com>
- Date: Mon, 23 Oct 2017 16:12:21 +0000
- To: Shane M Wiley <wileys@oath.com>
- CC: public-tracking-comments w3.org <public-tracking-comments@w3.org>
- Message-ID: <0F8F72F2-70EB-4D36-81FA-62DA5D8E2728@3phealth.com>
Shane,

100% agreement. IMO the UI/UX will determine the effectiveness of the protocol - here’s a simple use case:

1. I connect to a web site - the transaction is paused while I read the ‘articles of consent’ - I’m in a hurry so I hit ‘agree to all’
2. I use the site, and then as I leave I decide I want to revoke ALL consent - how? (TBD)

As consent and revocation are legally binding my ‘wishes’ must be communicated accurately in both cases.

Interesting times ahead - especially for large publishers. For example can you knowingly ship a product on May 25 2018 that is known to be out of compliance? It’s one thing not to be ready, it’s another thing entirely to ‘knowingly’ violate the regs.

I’m seeing the same thing in healthcare. There’s the 21st Century Cures Act - Article III which talks to interoperability - it comes into force January 1 2018. Not one vendor is currently compliant and yet nobody seems to care.

I’ll be watching with great interest to see ‘who cares’ on May 25th.

Peter

Peter Cranstone
CEO, 3PHealth
COMS: Mobile/Signal: +1 303-809-7342
UTC -6hrs
Skype: cranstone
Website | www.3phealth.com (Healthcare Patient Engagement and Data Interoperability)
Website | www.3pmobile.com (Privacy by Design Platform for GDPR and ePrivacy reg.)

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain information that is confidential or legally privileged. Any unauthorized review, use, disclosure or distribution of such information is prohibited. If you are not the intended recipient, please notify the sender by telephone or return e-mail and delete the original transmission and its attachments and destroy any copies thereof. Thank you.

On Oct 23, 2017, at 9:36 AM, Shane M Wiley <wileys@oath.com> wrote:

Peter,

We have discussed revocation and this is captured in the TPE. It's the same path as setting an exception (UGE) in reverse. The devil in the detail will be how Publishers make this available to users such that it meets the parity requirement (UX is not defined by the TPE).

- Shane

On Mon, Oct 23, 2017 at 7:32 AM, Peter Cranstone <peter.cranstone@3phealth.com> wrote:

Some very important reading for privacy folks…

The official e-privacy draft document showing the original Commission draft alongside the agreed Parliament amendments.

link <http://www.europarl.europa.eu/sed/doc/news/flash/20215/A8-0324_2017_EN.docx>

I would suggest doing a search for the word ‘consent’ and then reading the latest amendments. The one on page 26 is particularly revealing. I’ve copied it into this email below and left the formatting intact from the original document, only highlighting words in red to draw your attention to them.

(23) The principles of data protection by design and by default are codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software permitting electronic communications (such as browsers, operating systems and communication apps), irrespective of whether the software is obtained separately or bundled with hardware, shall configure the software so that privacy is protected, the cross-domain tracking and the storing of information on the terminal equipment by third parties is prohibited by default. In addition, providers of such software are required to offer sufficiently granular options to consent to each distinct category of purposes. These distinct categories include, at least, the following categories:

(i) tracking for commercial purposes or for direct marketing for non-commercial purposes (behavioural advertising);
(ii) tracking for personalised content;
(iii) tracking for analytical purposes;
(iv) tracking of location data;
(v) providing personal data to third parties (including providing unique identifiers to match with personal data held by third parties)

No consent is required for information that is collected from end-users’ terminal equipment when it is strictly necessary for providing an information society service requested by the end-user, for example in order to adapt the screen size to the device, or to remember items in a shopping basket. Web browsers, operating systems and communication apps should allow the end-user to consent to cookies or other information that is stored on, or read from terminal equipment (including the browser on that equipment) by a specific website or originator even when the general settings prevent the interference and vice versa. With regard to a specific party, web browsers and communication apps should also allow users to separately consent to internet-wide tracking. Privacy settings should also include options to allow the user to decide for example, whether multimedia players, interactive programming language viewers, or similar software can be executed, if a website can collect geo-location data from the user, or if it can access specific hardware such as a webcam or microphone. Such privacy settings should be presented in an easily visible and intelligible manner, and at the moment of installation or first use, users should be informed about the possibility to change the default privacy settings among the various options. Information provided should not dissuade users from selecting higher privacy settings and should include relevant information about the risks associated to allowing cross-domain trackers, including the compilation of long-term records of individuals’ browsing histories and the use of such records to send targeted advertising or sharing with more third parties. Software manufacturers should be required to provide easy ways for users to change the privacy settings at any time during use and to allow the user to make exceptions for or to specify for such services websites trackers and cookies are always or never allowed.

DNT is going to need extensions and UGE database with a UI to be even remotely viable as a privacy protocol for the Internet.

And we haven’t even discussed revocation of consent yet. Which is also going to be legally binding like consent.

Peter

--
- Shane

Shane Wiley
VP, Privacy
Oath: A Verizon Company

Received on Monday, 23 October 2017 16:12:52 UTC