Re: Propose to drop from the strawman: requirement for privacy policy disclosure

A lot of this effort is dedicated to verifiability --- isn't that why 
we've spent so much time discussing the sending of compliance headers?  
Having an accountable statement of compliance is another effort at 
that.  I suppose you could make an argument that it should be in the 
technical spec instead of the compliance spec (though I would disagree), 
but especially if third-party header responses are deemed optional or a 
Bad Idea, the spec needs to lay out how to communicate to consumers that 
the header is being respected.  If the header just flies into the blue 
with no standardized way to disclose compliance, this process seems 
destined to fail; if nothing else, privacy policy disclosure should be 
considered as an alternative to automated header responses.

Justin Brookman
Director, Consumer Privacy Project
Center for Democracy & Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
tel 202.407.8812
fax 202.637.0969
justin@cdt.org
http://www.cdt.org
@CenDemTech
@JustinBrookman


On 10/25/2011 5:16 PM, David Wainberg wrote:
> Section 6.4 of the Compliance and Scope document states, "In order to 
> be compliant with this specification, an operator of a third-party 
> domain must clearly and unambiguously assert in the privacy policy 
> governing that domain that it is in compliance with this 
> specification." Such a requirement is out of scope of this standard 
> and should not be included in the strawman. While it may be in scope 
> to create tools that facilitate auditing and enforcement by other 
> entities, it is not the role of this technical standard to impose 
> legal requirements for compliance. Any such requirements will come 
> from entities with relevant authority, e.g. Congress or the FTC in the US.

Received on Tuesday, 25 October 2011 21:51:05 UTC