RE: Tracking names and emails across sites

Jonathan,

  If you’re interested in registering Stanford to start using the About Ads icon to identify their adherence to the DAA principles, I suggest you engage with the DAA directly, outside of this group.

  The most important takeaways from my mail yesterday are that:


-          Consent-based value exchange of PII for access exists now, and will exist in a DNT world.

-          If the DNT world does not offer sufficiently robust exceptions management, the pressure on the consumer will be to disable DNT for access.

/brendan.

From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Monday, December 17, 2012 9:29 PM
To: Brendan Riordan-Butterworth
Cc: public-tracking@w3.org
Subject: Re: Tracking names and emails across sites

Brendan,

Could you please provide a bit more detail on Point 2 below?  In particular, what control would this company have to provide to comply with the DAA principles?  In my reading of the DAA's documents: none.

Thanks,
Jonathan

On Monday, December 17, 2012 at 10:23 AM, Brendan Riordan-Butterworth wrote:

Point 1: Humor and realism

Facial recognition is such an inefficient method of consumer identification.  It’d be a much simpler implementation to enhance customer loyalty cards with range-readable RFID tags – that way you’ve also got opt-in, and the possibility of spinning up a consumer-choice portal.



Point 2: Existing Self-Reg

The current self-regulatory guidelines offered via the DAA require that Third Parties and Service Providers (like what this “website intelligence” network seems to be) provide “clear, meaningful, and prominent notice” of what’s being collected, how it’s being used, and an opt-out mechanism.  You can review starting on page 12 of this document:



http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf




If they’re not providing this information and control, they’re not in line with the DAA principles.



Point 3: DNT World

I don’t think that the business practice of requiring the exchange of PII for services or discounts would be eliminated under a DNT regime.  Specifically, a site that currently blocks access or participation on filling in a form that includes being given permission to share the consumer’s email address with other parties would need to update their form to request the appropriate exceptions via the DNT protocol.  If the DNT exception protocol isn’t sufficiently robust to allow the consumer to give minimal tracking permission, it’s likely that these sites will simply require the global disabling of the DNT state.



/brendan.





From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Wednesday, December 12, 2012 11:52 PM
To: public-tracking@w3.org<mailto:public-tracking@w3.org>
Subject: Fw: Tracking names and emails across sites



Spotted this on the public-tracking list.  The practice may be a helpful future use case to keep in mind as we refine the compliance document.  It certainly would not be permissible for Do Not Track users under a linkability-oriented approach.  If I understand correctly, current self-regulatory guidelines would allow it.



Jonathan



Forwarded message:

From: Karl Dubost <karld@opera.com<mailto:karld@opera.com>>
To: public-privacy@w3.org<mailto:public-privacy@w3.org> mailing list) <public-privacy@w3.org<mailto:public-privacy@w3.org>>
Date: Wednesday, December 12, 2012 8:24:17 PM
Subject: Tracking names and emails across sites



FYI,



Tracking personal identifiable information across sites.



On Thu, 13 Dec 2012 04:23:08 GMT

In You’re not anonymous. I know your name, email, and company.

At http://42floors.com/blog/youre-not-anonymous-i-know-your-name-email-and-company/




I’ve learned that there is a “website

intelligence” network that tracks form submissions

across their customer network. So, if a visitors

fills out a form on Site A with their name and

email, Site B knows their name and email too as

soon as they land on the site.



--

Karl Dubost - http://dev.opera.com/


Developer Relations, Opera Software