Re: ACTION-152 - Write up logged-in-means-out-of-band-consent

[replying just to the list; I assume anyone who cares about this thread is on the list, though not everyone on the list may care :-(]

On Apr 2, 2012, at 11:13, Shane Wiley wrote:

> Rigo,
> This argument is circular so I'm going to bow out now.  The Working Group already agreed user consent trumps DNT.  I believe this is an appropriate outcome and look forward to working on what "appropriate consent" means outside of this working group.


I agree, we (I think) agreed:
* explicit user consent can over-ride DNT
* we won't define what constitutes appropriate consent (as that's a legal, juridical, question).

But we are left with the question of defining what the user needs to give consent to, and how much consent may reasonably be bundled. That's a description of our protocol.

I tried over the weekend to think about this (without writing), and particularly to ask whether there might be a service for which merely being logged-in IS 'enough consent'.

I envisaged a new web service (I call it ReadMeToo), as a thought experiment.

"ReadMeToo gives web reading recommendations.  If you subscribe to ReadMeToo, then while you are logged in, ReadMeToo will track every page you visit, and remember your web history.  It'll also track the pages you tell ReadMeToo you like or don't like (by clicking on our buttons on the pages). When you return to ReadMeToo, we'll show you sites you don't seem to have visited that nonetheless you might find interesting; we tune this based on this tracking information."

In essence, the only point of being logged in to ReadMeToo is to enable them to track your web history. I would, I think, meet you here, that merely being logged in to THIS service could be taken ipso facto as out-of-band consent.

But I am still unhappy in saying that as a blanket statement for all web services; I think the bundling of consent with "if you want to use the service at all, you have to agree to being tracked if you stay logged-in" would be troublesome.  So I am wondering if we can meet in the middle with a text that describes the need for an 'explicit, separate, consent to being tracked when logged-in'?

We can leave as a note what the consent constitutes (e.g. a check-box in the service's privacy settings).

I also wonder if we need to say that logging out removes that consent, even if "remember me" is set for that service.

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Monday, 2 April 2012 18:30:44 UTC