- From: achapell <achapell@chapellassociates.com>
- Date: Thu, 06 Dec 2012 10:28:24 -0500
- To: walter.van.holst@xs4all.nl, public-tracking@w3.org
- Message-ID: <k3ox0nuhm8ckcoa9q6k9a6mu.1354807368969@email.android.com>
Thanks Walter. I'm not sure that everyone in the wg agrees with your analysis. But leaving that aside, even under your analysis, it seems that dnt would need to be applied very differently in the EU than in other places in order to meet the legal requirements there.

Cheers,

Alan Chapell
917 318 8440

Walter van Holst <walter.van.holst@xs4all.nl> wrote:

On 12/6/12 2:01 PM, Alan Chapell wrote:
> Thanks Walter. Just so I understand your position, are you suggesting that
> DNT:1 for the EU might satisfy ePrivacy by - for example - addressing
> certain first party cookies?

DNT:0 when done right may satisfy ePrivacy + DPD up to a point. Each of DNT:1, DNT-unset or no DNT signal at all will require European, Australian, South-African, Canadian, New-Zealand and Brazilian servers to limit their data gathering and processing to exceptional cases, such as fraud detection and security measures or when consent is obtained through other means.

From a DPD + ePrivacy perspective the matter of site-wide exceptions may actually be more interesting than DNT:0 though, since the exception mechanism may allow servers to make a better case for having an informed consent than DNT:0 alone. Which BTW is another good reason to use a machine understandable mechanism for exceptions instead of Javascript, since logging both on the UA and the server side will be necessary to be able to achieve this.

I must urge you however not to focus overly on the ePrivacy directive. From a DNT perspective it does only a few things:

- it clarifies the status of cookies by presuming that they are personal data;
- it requires consent for setting cookies beyond those technically necessary to run the service at all;
- it also clarifies the status of location data by presuming that they are personal data;
- traffic data is also put firmly within the scope of the DPD, with additional safeguards.

As a result of this, tracking that does not use cookies (for example using UA fingerprinting would fall outside the scope of art. 5 ePrivacy Directive) but is still very likely to fall within the scope of the DPD. In the case of 1st party tracking, this may be possible without obtaining prior consent (again, up to a point). However, tracking across multiple domains would require an extremely liberal interpretation of the DPD's 'legitimate interest' clause. At the very least I would not advise anyone, especially none of my clients, to take that route.

Which brings us back to the value of DNT:0 and/or the exception mechanism for non-US servers: it has the potential to provide the legal certainty that is now lacking.

Regards,

Walter
Received on Thursday, 6 December 2012 15:29:00 UTC