Re: action-231, issue-153 requirements on other software that sets DNT headers

On Aug 23, 2012, at 2:48 PM, Justin Brookman wrote:

> No, what is obvious is that are advocating for two different levels of user intent: a high bar for turning on DNT in the first place, and a considerably lower bar for getting a user-granted exception to the DNT signal.

I don't know what you are talking about.  To get a user-granted
exception we have to interrupt the user's task, ask them to
grant an exception, have an explicit action by the user grant
that exception (unless it has already been explicitly granted and
cached by the UA), and then hope that the UA actually sends DNT:0
as a result of the user granting that exception.  That is a much
higher bar than the spec requires for turning DNT on.  I don't
even believe it will be implemented by UAs, but that's not my

To obtain explicit and informed prior consent, we have to do something
out of band that obtains explicit and informed consent.  I don't
know exactly what that is, but I am sure it doesn't include giving
a pre-selected option in a dialog during initial installation/use
of an operating system default UA.

Would you accept it if Microsoft had said the same dialogs default
to sending DNT:0?  Would Rob say that the EU data protection laws
would be satisfied by the same dialogs pre-selected for DNT:0?
My guess is no, that would not qualify in Europe, and companies
that operate in Europe would be required to ignore that invalid
signal because it is the recipient's obligation to obtain
valid (informed, specific, and explicit) prior consent regardless
of what some buggy software sends us on the wire.  But that's
just a guess based on my read of the WP opinions.

Unlike turning DNT on, assuming explicit and informed consent when
it has not actually been granted in fact (according to the regulator)
can result in penalties that are quite high, both financially and
in terms of reputation.  Hence, there is a built-in bar for prior
consent, based on enforcement actions, that is far more extensive
than anything we could summarize in our spec, particularly given
that it is also sensitive to context and regional laws.

The argument you were having with Shane, to which I responded,
was about what more the document would require for prior consent.
Many people are simply not willing to engage in a process of
"let's define what regulators should enforce" in the absence
of context.  It's like playing "pin the tail on the donkey" with
actual pins and a real donkey -- not recommended, in practice,
and almost certain to be forbidden by our employers.  It does
not mean that we think consent should be a low bar.


Received on Thursday, 23 August 2012 23:46:43 UTC