RE: diff of TPE editing since the FPWD


Thank you for the explanation but I would continue to caution you and the rest of the W3C that attempting to leverage DNT for ePrivacy Directive compliance is not an appropriate path and will result in the worst case scenario for consumers - endless pop-up dialogue boxes (not to mention the fact that each country has taken slightly different approaches to transposing the ePrivacy Directive which alters available consent approaches).  There are far more elegant solutions for gaining consumer consent and cookie management either in production or in development.

I hope we can continue to focus DNT as a method to expand 3rd party data collection and use transparency and to harden user choices and controls in that regard.

Thank you,

Side Note - Yahoo! is a global organization operating in over 50 countries - with users from far more.  My role and my perspective in the W3C working group is likewise global.

-----Original Message-----
From: Rigo Wenning
Sent: Friday, January 13, 2012 2:00 AM
To: Shane Wiley
Cc:; Ed Felten
Subject: Re: diff of TPE editing since the FPWD


On Thursday 12 January 2012 14:55:30 Shane Wiley wrote:
> Could you please explain the context of why the UK ICO is requesting an
> "expression mechanism" in this regard?  

Have I said "requested"? I don't think so. I met the UK ICO people at the OECD 
high level meeting in Paris last June and explained to them the potential of DNT 
with respect to Art. 5.3 of the current version of Directive 2002/58/EC. They 
were really really interested. Why? See below...

> If you're suggesting that DNT
> expressions serve as a persistent store for a user's opt-out choices
> available from most 3rd party OBA activities, then I completely agree (and
> believe this is the true value and goal of the working group).  

It is even better than that. IMHO DNT is already obviously a very good 
mechanism to implement opt-out in a technically very solid way. But DNT can be 
also used (and is a tool here, so don't panic) to ease the pain for businesses 
in regional areas that clearly have chosen an opt-in regime, which is clearly 
the case for Directive 2002/58/EC as amended by 2009/136/EC (ePrivacy). The 
idea is that it doesn't need technical changes to DNT, but some howto for the 

> But even in
> this context, the goal is to limit/halt "cross-site tracking".  Is there
> some other activity you're attempting to have this signal serve as an
> "expression"?  In the EU Data Protection Directive context, is there
> another use for 1st parties you're envisioning here?

DNT can perhaps serve as a (limited) expression of consent to a certain 
extent. That was the idea I presented in hallway conversations in Princeton 
and that got some traction. Though I haven't heard Rob praising it yet, so 
there may still be a lot of work. This is a more silent track and goal of our 
work here. And this goal is not affected by the baseline protection 
discussions for the US market we are having too with more noise. The 
additional goal is realized on the protocol level. And if the US baseline 
protection discussion poisons the protocol, we run into difficulties to make 
everything useful in other regions. 

My request to move "cross-site" back into the compliance discussions is thus 
not one of content and does IMHO not affect the US baseline protection 
discussion in its substance. 

IMHO we need a good tool to record expressions reliably. This can be opt-
whatever (in/out/on/off/up/down). There is more to it, like the feedback 
mechanism whether a service supports DNT. At the end, somebody coming to you 
saying "you collected data but weren't supposed to" can be confronted with his 
own declarations. In this context the "opt back in" works become very 
important and I'm looking forward to discussions about it in Brussels. 



Received on Monday, 16 January 2012 21:34:05 UTC