Request for thoughts: US, EU, and international DNT


I've been giving some thought to how we can make our work relevant in the EU and US, despite some strong differences. Nations have borders but the Internet does not. How can we support different regional cultures, norms, and laws on the Internet? I am putting this out as some things to think about and discuss further. 

Here are a few of my starting assumptions:

	* In the US, a first v. third party distinction is very important to businesses.
	  In many (but not all) EU countries, first party is not an interesting or meaningful way to look at things.
	* Key word in Europe: Consent
		- Users who do not consent to data practices must have their privacy protected. 
		- A global consent may not be sufficient; consent must be particular to a company and to a description of data use (in at least some countries)
		- We should at least address Article 5(3) of the 2002 ePrivacy Directive [1]
		- There is wide interest in finding a way to implement the revised framework of the Article 5(3) ePrivacy Directive without a deeply painful (on business or users) implementation, and DNT may help [2]
		- The exemptions we consider would not be valid in the EU without specific consent [3]
	* Key word in US: Choice
		- Users who choose to interact with a site do not need as much privacy protection as they do from sites they do not choose to interact with
		- We should at least fulfill the requirements for DNT set out in the FTC staff report [4] 
		- We should co-exist with existing industry self-regulation mechanisms [5]

Here are three areas where I think we can have a uniform underlying technical standard that is flexible enough to accommodate different national and regional policy priorities:

	(A) As we have discussed, a tri-part DNT signal. DNT: 1 means enable DNT, DNT: 0 means do not enable DNT, and nothing sent means users have not made a selection. 
		In the US, no DNT signal gets viewed as "users did not choose to enable DNT" and treated as DNT: 0. 
		In some of the EU, no DNT signal gets viewed as "users did not consent to tracking" and treated as DNT: 1.
	(B) In the US, site-specific exceptions will allow users to "opt back in" for specific first and third party pairs (perhaps along the likes of what Shane and Nick co-authored). In the EU, some (but not all) countries will require consent on a site-by-site basis, rather than a global "DNT: 0" signal or no DNT signal at all. The site-specific exemptions mechanism becomes the path to enable users to consent per site.
	(C) In the US, first parties have minimal responsibilities when receiving a DNT: 1 signal (perhaps along the lines of what Jonathan and Tom co-authored). In some (but not all) EU countries, there may be nothing that applies globally to all first and third parties, (and more to the point, the data controller) perhaps making the first/third party distinction irrelevant. 

I think this could be good enough in enough different ways for enough different interests. I'd like to hear other reactions. Does anyone have better or simpler ideas? Is this still too US-centric to work in Europe? 

If we find something we think will work, we could add a non-normative section to one of the specifications, or we could issue a note. Either way, I think specifications shouldn't be hard-coded to specific regulations and laws. However, since I think this approach could be confusing to those implementing the specification, I would like to give implementors a fighting chance by providing our opinions (and not legal advice!) with pointers to additional information. How does this approach sound?

And last but not least: any volunteers to work on these topics?


Thanks to a few TPWG members for taking time to step me through some of the issues here. All mistakes are, of course, my own. Citations and useful reading:

[1] For the before & after versions of 5(3), see [7], p 7
[2] See slides from Carl Christian Buhr, a member of Commissioner Kroes' Cabinet (European Commission), particularly slides 11-13, suggesting DNT could satisfy 5(3):
[3] As per 5(3), "Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user" is a given, but are other exemptions allowed? Recital 25 reads to me as: yes with consent, and no without consent. For example, billing for ad impressions is not part of the service explicitly requested, and seems to require informed consent. See [7], p 8
[4] FTC staff report, starting p 63,
[5] In particular, it would be unfortunate if DNT off with an opt-out cookie was interpreted one way by self-regulatory bodies, and another way in the DNT recommendations. We likely will reach different end points than the self-regulation guidelines, but they remain a very fruitful source of background information, including the recent multi-site data principles ( and the OBA principles (
[6] A very readable summary of [7] discussing where industry self-regulation is seen to fall short of 5(3): 
[7] The actual report itself: (COCOM10-34, Implementation of the revised Framework - Article 5(3) of the ePrivacy Directive)
[8] The whole text is worth at least skimming, including a brief note on children under 12. In particular the section on consent for cookies starting on p 8, and examples of consent not using pop ups on p 9:
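As an added illustration (not part of the original message, nor of any working-group draft), here is a small Python model of items (A), (B) and (C) above: how a server might resolve the tri-state DNT header under a regional policy, treat site-specific exceptions as the per-site consent path, and decide whether a given first/third party request may be used for tracking. The policy labels, the `RegionalPolicy` fields, the function names and the sample requests are all assumptions made for this sketch; it generalises the two cases in the message by letting each regional knob be set independently.

```python
"""Added example: a toy decision model for the tri-state DNT signal under
regional policies. Not code from the original post or any TPWG document;
policy names, fields, function names and sample requests are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class RegionalPolicy:
    name: str
    absent_means_dnt1: bool          # item A: how a missing header is read
    per_site_consent_required: bool  # item B: is a global DNT: 0 enough?
    first_party_exempt: bool         # item C: do first parties get a pass under DNT: 1?


# Assumed policy settings, one per regime described in the message.
US = RegionalPolicy("us", absent_means_dnt1=False,
                    per_site_consent_required=False, first_party_exempt=True)
EU_CONSENT = RegionalPolicy("eu-consent", absent_means_dnt1=True,
                            per_site_consent_required=True, first_party_exempt=False)
# Assumed: a member state where a global DNT: 0 is accepted as consent.
EU_GLOBAL_OK = RegionalPolicy("eu-global-ok", absent_means_dnt1=True,
                              per_site_consent_required=False, first_party_exempt=False)


def parse_dnt(header_value: Optional[str]) -> Optional[bool]:
    """Map the raw header to the tri-state signal: '1' -> True (DNT on),
    '0' -> False (DNT off), no header -> None (no selection). Any other
    value is undefined, so it is treated as no selection rather than guessed."""
    if header_value is None:
        return None
    value = header_value.strip()
    if value == "1":
        return True
    if value == "0":
        return False
    return None


def effective_dnt(header_value: Optional[str], policy: RegionalPolicy) -> bool:
    """Resolve the tri-state signal to yes/no under a regional policy (item A)."""
    signal = parse_dnt(header_value)
    if signal is not None:
        return signal
    # No selection: US reads it as "did not choose DNT" (0);
    # a consent regime reads it as "did not consent" (1).
    return policy.absent_means_dnt1


@dataclass
class ExceptionStore:
    """Site-specific exceptions: (first party, third party) pairs the user has
    explicitly permitted (item B). Under a per-site consent regime this grant,
    not a global DNT: 0, is what counts as consent."""
    granted: Set[Tuple[str, str]] = field(default_factory=set)

    def grant(self, first_party: str, third_party: str) -> None:
        self.granted.add((first_party, third_party))

    def has(self, first_party: str, third_party: str) -> bool:
        return (first_party, third_party) in self.granted


def tracking_permitted(header_value: Optional[str], policy: RegionalPolicy,
                       first_party: str, third_party: str,
                       exceptions: ExceptionStore) -> bool:
    """Decide whether a request from third_party on first_party's page may be
    used for tracking under the given regional policy."""
    if exceptions.has(first_party, third_party):
        return True  # an explicit per-site grant is honoured in every regime
    if policy.first_party_exempt and first_party == third_party:
        return True  # item C: first parties have minimal obligations under DNT: 1
    if policy.per_site_consent_required:
        return False  # item B: no global signal substitutes for per-site consent
    return not effective_dnt(header_value, policy)


# Constructed sample requests: (DNT header value, first party, third party).
SAMPLE_REQUESTS: List[Tuple[Optional[str], str, str]] = [
    (None, "news.example", "ads.example"),
    ("0", "news.example", "ads.example"),
    ("1", "news.example", "ads.example"),
    ("1", "news.example", "news.example"),
]


def decide_all(policy: RegionalPolicy,
               exceptions: ExceptionStore) -> Dict[Tuple[Optional[str], str, str], bool]:
    """Run every sample request through one policy; handy for comparing regimes."""
    return {req: tracking_permitted(req[0], policy, req[1], req[2], exceptions)
            for req in SAMPLE_REQUESTS}


if __name__ == "__main__":
    store = ExceptionStore()
    store.grant("news.example", "ads.example")  # user consented for this pair
    for pol in (US, EU_GLOBAL_OK, EU_CONSENT):
        print(pol.name, decide_all(pol, ExceptionStore()))
        print(pol.name, "with per-site grant", decide_all(pol, store))
```

Running the module prints one line per regime, with and without a site-specific grant, so the effect of each knob can be read off directly: the same absent header permits tracking under the US settings and forbids it under both EU settings, and only the per-site grant opens the door under the strict consent settings.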

Received on Tuesday, 10 January 2012 10:26:40 UTC