Re: Mandatory Legal Process (ACTION-57, ISSUE-28) from Justin Brookman on 2012-01-31 (public-tracking@w3.org from January 2012)

From: Justin Brookman <justin@cdt.org>
Date: Tue, 31 Jan 2012 16:01:15 -0500
To: public-tracking@w3.org
Message-ID: <4F28569B.4010103@cdt.org>
Revising Jonathan's text based on this string:

A party MAY take action contrary to the requirements of this standard if compelled by applicable law.  If compelled by applicable law to collect, retain, or transmit data  despite receiving a DNT:1 signal for which there is no exception or exemption, the party SHOULD notify affected users to the extent practical and allowed by law.

I suggest "applicable law" instead of "mandatory legal process" both to accommodate David's concern about using contract to compel and because a statute could mandate the retention of IP logs (for example) without serving a subpoena or court order (which is what "process" means to me).  Feel free to revise the terms "exception or exemption" --- I was trying to convey the two scenarios of
(1) operational data collection/use/retention is allowed even if DNT is on and/or
(2) the user has given permission to a company to track,
but I haven't gotten all the way through the ponderous thread on the meanings of exception/exemption.

I also don't think a requirement to tell users when DNT is being ignored because of government action is at all out of scope.  I'm suggesting SHOULD as a placeholder but think a MUST is worth a discussion.  However, it's relevant to note that we don't require (or even offer SHOULD guidance) that companies inform users about operational collection/usage/retention (exceptions???) that is allowed despite the DNT header.

Justin Brookman
Director, Consumer Privacy Project
Center for Democracy&  Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
tel 202.407.8812
fax 202.637.0969
justin@cdt.org
http://www.cdt.org
@CenDemTech
@JustinBrookman


On 1/31/2012 2:40 PM, Shane Wiley wrote:
>
> If the concern is that a party can somehow contract their way out of 
> DNT compliance (versus other types of legal/government obligations) 
> then I'm fine with calling that out more directly.
>
> - Shane
>
> *From:*David Singer [mailto:singer@apple.com]
> *Sent:* Tuesday, January 31, 2012 12:36 PM
> *To:* Shane Wiley
> *Cc:* John Simpson; Amy Colando (LCA); Joanne Furtsch; MeMe Rasmussen; 
> Tom Lowenthal; Jonathan Mayer; public-tracking@w3.org
> *Subject:* Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
>
> On Jan 31, 2012, at 19:22 , Shane Wiley wrote:
>
>
>
> Agreed -- NO text seems like the appropriate path (in agreement with 
> Amy and John).
>
> well, the rationale was way back at the end of the thread.  it's two-fold:
>
> a) you can send DNT, but don't forget that tracking may still happen 
> if legally required - there is a 'legislation exception'
>
> b) a notification of a 'legislation exception taken' will be signaled 
> if legally possible, but under some laws, notification itself is not 
> allowed.
>
> we can also explain that having a *contract* that 'forces' you to 
> track is not a valid exception...
>
> David Singer
>
> Multimedia and Software Standards, Apple Inc.
>
Received on Tuesday, 31 January 2012 21:01:46 UTC