Re: Action 93

Hi Alan,

My apologies for chiming in -- I'm coming to this process quite late. 
Feel free to ignore if the point I'm raising merely rehashes comments 
that have already been  made, or is off point in some other respect.

My concern with deference to domestic standards in this context is it 
will make it very difficult for Internet companies to develop multiple 
notification criteria for the various jurisdictions they're going to be 
active in. The most likely outcome would be either the inconsistency in 
application of these standards or, worse, convergence on the lowest 
common denominator. This won't help the legitimacy and adoption of a W3C 
standard abroad, I suspect.

Certainly in Canada, direct notification (beyond notice buried in a 
privacy statement) would appear to be a minimal requirement for 
compliance with the online tracking guidelines our privacy commissioner 
issued not too long ago. I paste these here in part for your consideration:

While obtaining consent in the online environment is not without its 
challenges, it is possible. Opt-out consent for online behavioural 
advertising could be considered reasonable providing that:

  * Individuals are made aware of the purposes for the practice in a
    manner that is clear and understandable -- the purposes must be made
    obvious and cannot be buried in a privacy policy. Organizations
    should be transparent about their practices and consider how to
    effectively inform individuals of their online behavioural
    advertising practices, by using a variety of communication methods,
    such as online banners, layered approaches, and interactive tools;
  * Individuals are informed of these purposes at or before the time of
    collection and  provided with information about the various parties
    involved in online behavioural advertising;
  * Individuals are able to easily opt-out of the practice - ideally at
    or before the time the information is collected;
  * The opt-out takes effect immediately and is persistent;
  * The information collected and used is limited, to the extent
    practicable, to non-sensitive information (avoiding sensitive
    information such as medical or health information); and
  * Information collected and used is destroyed as soon as possible or
    effectively de-identified.

Thanks and best regards,

Tamir Israel
Staff Lawyer

Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC)
University of Ottawa, Faculty of Law, CML
57 Louis Pasteur Street
Ottawa, ON, K1N 6N5
Tel: (613) 562-5800 ext. 2914
Fax: (613) 562-5417

On 2/22/2012 9:31 AM, Alan Chapell wrote:
> Thanks Jeff - This is certainly a step in the right direction. I'd like to
> propose my own text for consideration.
> When seeking exemption when DNT:1 is sent sites should communicate those
> requests clearly, accurately and in line with consumer protection law(s)
> in the jurisdiction(s) in which they operate.
> Cheers,
> Alan Chapell
> Chapell&  Associates
> 917 318 8440
> On 2/22/12 9:16 AM, "Jeffrey Chester"<>  wrote:
>>> When seeking exemption when DNT:1 is sent, a site must disclose on the
>>> first screen an accurate summary of their data tracking practices.  It
>>> should succinctly and accurately explain how a user will be tracked on
>>> the site, and what data may be shared or used by third parties.  The
>>> site should not rely on privacy statement that requires the user to
>>> travel to another page.  Sites seeking an exemption should engage in
>>> additional disclosure when seeking a user exemption from DNT:1

Received on Thursday, 23 February 2012 09:25:11 UTC