- From: Justin Brookman <justin@cdt.org>
- Date: Tue, 25 Oct 2011 17:50:32 -0400
- To: public-tracking@w3.org
- Message-ID: <4EA72F28.7040400@cdt.org>

A lot of this effort is dedicated to verifiability --- isn't that why we've spent so much time discussing the sending of compliance headers? Having an accountable statement of compliance is another effort at that. I suppose you could make an argument that it should be in the technical spec instead of the compliance spec (though I would disagree), but especially if third-party header responses are deemed optional or a Bad Idea, the spec needs to lay out how to communicate to consumers that the header is being respected. If the header just flies into the blue with no standardized way to disclose compliance, this process seems destined to fail; if nothing else, privacy policy disclosure should be considered as an alternative to automated header responses.

Justin Brookman
Director, Consumer Privacy Project
Center for Democracy & Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
tel 202.407.8812
fax 202.637.0969
justin@cdt.org
http://www.cdt.org
@CenDemTech
@JustinBrookman

On 10/25/2011 5:16 PM, David Wainberg wrote:
> Section 6.4 of the Compliance and Scope document states, "In order to
> be compliant with this specification, an operator of a third-party
> domain must clearly and unambiguously assert in the privacy policy
> governing that domain that it is in compliance with this
> specification." Such a requirement is out of scope of this standard
> and should not be included in the strawman. While it may be in scope
> to create tools that facilitate auditing and enforcement by other
> entities, it is not the role of this technical standard to impose
> legal requirements for compliance. Any such requirements will come
> from entities with relevant authority, e.g. Congress or the FTC in the US.

Received on Tuesday, 25 October 2011 21:51:05 UTC