Re: ACTION-152 - Write up logged-in-means-out-of-band-consent

I'm having a hard time understanding some of your arguments. You say the
group should not be creating standards for consent. And then you also say
that we are creating a consent requirement - and one which others have
indicated should be outlined in considerable detail. Sorry, but I'm afraid
you've lost me.

And I don't believe we are here because regulators are unable to determine
standards of fairness for their jurisdiction. If the goal is to set out a
detailed level of requirements around 'consent' that will work in every
jurisdiction, then I think we're in for a long discussion that will push
the development of our spec out several months.





On 4/2/12 11:25 AM, "Rigo Wenning" <rigo@w3.org> wrote:

>On Monday 02 April 2012 09:54:26 Alan Chapell wrote:
>> On 4/1/12 4:06 PM, "Rigo Wenning" <rigo@w3.org> wrote:
>> >1/ we do not set standards at W3C, we issue Recommendations. Being
>> 
>> Thanks for the clarification, Rigo. You may want to direct this to
>> Jonathan and Jeff - as they are the ones that seem to be pushing for
>>this
>> group to create consent standards. (Jonathan and Jeff - if there's a
>> nuance I'm missing, please let me know.)
>
>I think they understand that the consent requirement we would create are
>scoped solely to the compliance of the W3C Specification and not some
>general rule as only a legislator can issue it (and there are over 192 of
>those world wide)


>
>[...]
>> >3/ Whether our factual specifications are accepted as "consent",
>> >"meaningful consent" or "informed consent" is not up to the Group as
>those
>> >definitions are under a different sovereignty. But what we can discuss
>>is
>> >whether we want to align with requirements as defined elsewhere. We
>> >do that e.g. by trying to get some EU blessing with our tool so that
>>it 
>is
>> >really really useful for industry there and by inviting those others
>>to 
>our
>> >table.
>> 
>> I'm not sure how aligning with a single jurisdiction's definition of
>> consent isn't tantamount to creating a pan-world consent standard based
>> upon that single jurisdictions laws. What works in the EU may not work
>> elsewhere. Again - I may be missing a nuance here.
>
>I think you are. Please do not overlook the "e.g." I wrote. It is the
>other 
>way around. We do some technical specification and it is on every region
>to 
>accept that and give it a useful role in their system (or not). And we
>would 
>be ill advised not to take into account feedback whether our stuff is
>useful 
>in a regional system or not. But W3C is not the organization that can
>decide 
>on whether our Specifications are useful in a certain region. So the EU
>will 
>decide on EU things and the US will decide on US things. And we can use
>the 
>W3C platform to provide a tool. Or fall back into the trenches.
>
>[...]
>> >This
>> >will open the path back to the deep legalese that allows for all those
>> >nice
>> >surprises*.
>> 
>> I like the coffee example - But the FTC and other regulators already
>>have
>> recourse if a business engages in these types of surprises. Do you
>>agree?
>
>We wouldn't be here if the regulators had a better idea on how to solve
>those issues. They let us try as they think the industry has the
>technical 
>experts and maybe something useful comes out before they do some SOPA
>on the industry.  So this is an opportunity the regulator gives us, not
>an 
>argument to fall back on letting the regulator do stuff. I encourage you
>to 
>see our effort here as an opportunity. At least I see it like this.
>
>> >Accordingly, we are back into reading 22 pages of legalese
>> >as they can tell whether the DNT signal will be ignored. And this would
>> >even be compliant.
>> 
>> Again - regulators are free to take action to the extent they believe
>>that
>> 22 pages of legalese are unfair or deceptive based upon that
>>jurisdictions
>> legal framework.
>
>You misunderstood IMHO. It is on W3C to decide what should be compliant
>to 
>W3C DNT and it will use its process to come to a fair result. W3C decides
>on 
>W3C Specifications. And if W3C, within the process, decides that some
>"out 
>of band" event hidden in 22 pages of legalese is not sufficient to claim
>compliance with the W3C Specification, then W3C is just deciding on its
>Specification, not on the US or EU legal system. See my email to Shane to
>understand that you can't have the cake and eat it too. (But you can
>always 
>try)
>> 
>> > This being compliant affects the value of the W3C Specification.
>
>> 
>> I think Shane has been pretty clear here. User consent trumps DNT.
>
>In terms of a US legal perspective, you may be right. I haven't assessed
>any 
>of that. But there is no consent in the Group that out of band agreements
>allow you to ignore the signal and still claim compliance with the W3C
>DNT 
>Specifications. And unless we accept Shane's wording, which I'm against,
>I 
>wouldn't agree that the requirements of the DNT Specifications are
>fulfilled 
>by ignoring the DNT signal thus allowing someone to claim compliance.
>
>> 
>> >2/ Re-consider JC's solution to give DNT a meaning in a logged-in
>> >scenario
>> >(David, I disagree that this would be too subtle)
>> >
>> >3/ require "direct interaction"
>> >
>> >4/ explore the browser-maker outrage if we start telling them they
>>should
>> >show
>> >us when we are logged in to something
>> >
>> >5/ Define the meaning of "logged in" for the compliance with the W3C
>> >Specification
>> >
>It is unfortunate that we do not look forward in a creative way and
>consider 
>some of the solutions. So far, you haven't considered the solutions
>proposed 
>above.
>
>Best, 
>
>Rigo
>

Received on Monday, 2 April 2012 15:41:00 UTC