Re: DNT Concerns

Thanks Walter. I'm not sure that everyone in the wg agrees with your analysis. But leaving that aside, even under your analysis,  it seems that dnt would need to be applied very differently in the EU than in other places in order to meet the legal requirements there. 

Cheers,

Alan Chapell
917 318 8440Walter van Holst <walter.van.holst@xs4all.nl> wrote:On 12/6/12 2:01 PM, Alan Chapell wrote:
> Thanks Walter. Just so I understand your position, are you suggesting that
> DNT:1 for the EU might satisfy Eprivacy by - for example - addressing
> certain first party cookies?

DNT:0 when done right may satisfy ePrivacy + DPD up to a point.

Each of DNT:1, DNT-unset or no DNT signal at all will require European,
Australian, South-African, Canadian, New-Zealand and Brazilian servers
to limit their data gathering and processing to exceptional cases, such
as fraud detection and security measures or when consent is obtained
through other means.

>From an DPD + ePrivacy perspective the matter of site-wide exceptions
may actually be more interesting than DNT:0 though, since the exception
mechanism may allow servers to make a better case for having an informed
consent than DNT:0 alone.

Which BTW is another good reason to use a machine understandable
mechanism for exceptions instead of Javascript, since logging both on
the UA and the server side will be necessary to be able to achieve this.

I must urge you however not to focus overly in the ePrivacy directive.
>From a DNT perspective it does only a few things:

- it clarifies the status of cookies by presuming that they are personal
data;
- it requires consent for setting cookies beyond those technically
necessary to run the service at all.

- it also clarifies the status of location data by presuming that they
are personal data.
- traffic data is also put firmly within the scope of the DPD, with
additional safeguards

As a result of this, tracking that does not use cookies (for example
using UA fingerprinting would fall outside the scope of art. 5 ePrivacy
Directive) but is still very likely to fall within the scope of the DPD.
In the case of 1st party tracking, this may be possible without
obtaining prior consent (again, up to a point). However, tracking across
multiple domains would require an extremely liberal interpretation of
the DPD's 'legitimate interest' cluase.

At the very least I would not advice anyone, especially none of my
clients, to take that route.

Which brings us back to the value of DNT:0 and/or the exception
mechanism for non-US servers: it has the potential to provide the legal
certainty that is now lacking.

Regards,

Walter

Received on Thursday, 6 December 2012 15:29:00 UTC