RE: Comments on tracking-compliance.html

From: Jennifer Karan <jennifer.karan@doubleverify.com>
Date: Wed, 26 Oct 2011 14:48:38 -0500
To: David Wainberg <dwainberg@appnexus.com>, Justin Brookman <justin@cdt.org>
CC: "public-tracking@w3.org" <public-tracking@w3.org>, Jennifer Karan <jennifer.karan@doubleverify.com>
Message-ID: <028EE6B1D9B07244BEAD40D2B5289C204705E1F0BF@34093-MBX-C11.mex07a.mlsrvr.com>

The concern I have is that there are different ways to define consent even with regard to tracking. A user can have opt-in cookies or a user could have removed the opt-out cookie for a specific company (by opting in). If we remember in Cambridge, Aleecia drew a diagram about what to do if the cookie for the company and the DNT do not match. I think that this might be the right place to determine what to do when there is not a match for this specific scenario.


-----Original Message-----
From: public-tracking-request@w3.org [mailto:public-tracking-request@w3.org] On Behalf Of David Wainberg
Sent: Wednesday, October 26, 2011 15:00
To: Justin Brookman
Cc: public-tracking@w3.org
Subject: Re: Comments on tracking-compliance.html

I agree that would be a perverse result. It's likely the scenario you describe would be an unfair trade practice under FTC jurisdiction (in the US). I agree more broadly that appropriate notice for users is an issue. I just don't think it's a problem we should try to solve. It's not our job to fix privacy regulation around the world. We're going to have to let go a bit, and see what regulatory bodies, users, and software makers do with the tools we give them. A simple "DNT honored here" flag in the headers, for example, provides meaningful and actionable information to users (via the client). Let the client software decide how to present it to users. Let regulatory organizations build the rest of the framework around enforcement.

On 10/25/11 11:16 PM, Justin Brookman wrote:
> Fair enough, but the legal definition of consent is actually 
> incredibly vague in many jurisdictions, and we may wish to specify a 
> higher standard for users in those places where the requirements are 
> weak or unclear.  For instance, it would be a perverse result if a 
> company's privacy policy could say both "we comply with 'Do Not 
> Track'" and "oh, by the way, we reserve the right to track you."  One 
> way to avoid the legal inconsistency problem would be to define 
> "Affirmative Informed Consent" as AT LEAST in response to a clear and 
> prominent request separate from other permissions/disclosures.
Received on Wednesday, 26 October 2011 19:49:21 UTC
