RE: action-159 Draft shorter language to describe conditions for consent

Justin,

Much like the FTC report, I believe the issue is more contextual than that (privacy in context - PbD).  If a service has an express "tracking" function and this is well understood, then I believe its fine calling out that other tracking preference settings will be ignored in a privacy policy (in a clear, direct, and obvious manner).

Again, for each interaction with a user that has an out-of-band consent, the response/well-known header will:
- remind the user of this fact (if they have DNT:1 set)
- provide a resource (link) to alter this consent AT ANY TIME

So I believe concerns of "burying" and "set it and forget it" in this case are not founded and this structure more than meets your concerns.

- Shane

-----Original Message-----
From: Justin Brookman [mailto:justin@cdt.org] 
Sent: Thursday, April 12, 2012 10:11 AM
To: public-tracking@w3.org
Subject: Re: action-159 Draft shorter language to describe conditions for consent

Shane, would you be comfortable with non-normative text stating that 
merely including notice/granting of permission within a privacy policy 
or terms of use would be insufficient for out-of-band consent?

(I'm not sure that I'm comfortable with your formulation, but this would 
help get me closer.)

Justin Brookman
Director, Consumer Privacy
Center for Democracy&  Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
tel 202.407.8812
fax 202.637.0969
justin@cdt.org
http://www.cdt.org
@CenDemTech
@JustinBrookman


On 4/12/2012 9:47 AM, Shane Wiley wrote:
> Nike,
>
> Interestingly each of the terms you've selected have specific legal context and break your goal of "avoid getting into the details of a particular model of content (leaving that up to the implementer and the particular jurisdiction's [laws])".
>
> That aside, many of us feel this language is close but has some unintended impacts to user experiences albeit it well intentioned.
>
> Rather than use the terms "distinct, affirmative" I would recommend this be altered to "explicit" as this allows some degree of bundling of permissions but means the material elements must be directly evident to a user for it to meet the "explicit" bar (again, another term with legal context - I don't know how we discuss this topic without stepping into existing legal territory :-) ).
>
> I stripped out redundant terms such as "previously" and "tracking" as these are already implied.
>
> The amended statement would be: "Sites MAY override a user's DNT preference if they have received explicit, informed consent to do so."
>
> - Shane
>
> -----Original Message-----
> From: Nicholas Doty [mailto:npdoty@w3.org]
> Sent: Thursday, April 12, 2012 1:27 AM
> To: Tracking Protection Working Group WG
> Cc: David Singer
> Subject: Re: action-159 Draft shorter language to describe conditions for consent
>
> David and I were tasked with coming up with a shorter piece of text on standards for out-of-band override of a user's DNT preference (that is, contra to a user-agent-managed site-specific exception). This proposal is meant to avoid getting in to the details of a particular model of consent (leaving that up to the implementer and the particular jurisdiction's regulator) while specifying what would be necessary to match our understanding of a user's expressed preference.
>
>> Sites MAY override a user's DNT preference if they have previously received _distinct, affirmative, informed consent_ to track the user.
> (Really, we're just proposing these three adjectives, and I'm guessing that something like this sentence would go around them, but I leave that up to the editors. Also, this doesn't speak to the tracking response question, which I believe we have broad consensus on but is likely taken up elsewhere.)
>
> > From a handful of coffee conversations, it seems like this short set of descriptors might be amenable to various stakeholders.
>
> Thanks,
> Nick
>
>
>

Received on Thursday, 12 April 2012 14:19:44 UTC