Re: Examples of successful opt-in implementations from Jonathan Mayer on 2012-06-13 (public-tracking@w3.org from June 2012)

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Wed, 13 Jun 2012 15:04:36 -0700
To: ifette@google.com
Cc: Dobbs, Brooks <brooks.dobbs@kbmg.com>, "public-tracking@w3.org Group WG" <public-tracking@w3.org>
Message-ID: <F64C6E30F49645048779D242326531D5@gmail.com>
It's important to disentangle the third-party and first-party components of the ePrivacy Directive.  Quite a few participants, myself included, have suggested we should carefully consider facilitating third-party compliance.  I've heard a few discussions about first-party compliance, but none treating it as more than a possible repurposing of the DNT protocol.

Jonathan

On Wednesday, June 13, 2012 at 2:47 PM, Ian Fette (イアンフェッティ) wrote:  
> We agreed it was directed at third parties, however it seems some people (as we heard on the call today) are trying to turn DNT into something to solve opt-in problems, presumably for first parties as well. I'm trying to figure out how much of hole we're getting dug into :)
>  
> "No one has managed to figure this out in a deployable manner. Please give us a solution by 1 January 2013" is a bit of a frightening thought :)
>  
> -Ian
>  
> On Wed, Jun 13, 2012 at 2:30 PM, Jonathan Mayer <jmayer@stanford.edu (mailto:jmayer@stanford.edu)> wrote:
> > The cookie manager widget at http://www.bt.com/ seems passable.  
> >  
> > At any rate, I'm unsure where this line of inquiry is going.  We've already agreed that Do Not Track is directed towards third parties, not first parties.  
> >  
> > Jonathan
> >  
> > On Wednesday, June 13, 2012 at 3:18 PM, Dobbs, Brooks wrote:
> >  
> > > Ian,
> > >  
> > > I would say that I have seen some sites that are arguably one step closer, though not truly opt-in.   
> > >  
> > > If you look at http://www.nectar.com/ you’ll see a similar disclosure to that on the FT, but with a Cookie Consent link that takes you to a cookie inventory with a place for the status of each cookie and the purpose of each cookie.  Now while they get points for making a greater effort, I would say that the final result seems fairly problematic as: 1) though the site lists 52 cookie issuers, my personal packet sniff showed both that they included cookies that I didn’t come across (no problem - I didn’t actually read every page) AND missed cookies that I did come across (problem) and 2) a number of the 52 cookies issuers where listed as having “undisclosed” purposes with a specific inability to offer choice.   
> > >  
> > > So even if they took the particularly consumer annoying step of making the user go through 52 pop-up, opt-in screens, they still would not be opt-in compliant.
> > >  
> > > Not trying to pick on them, just pointing out that, as you seem to suggest, we aren’t seeing a lot of (any?) real opt-in compliant websites in the wild, and that the closer they get, the more troubles they seem to make for themselves.    
> > >  
> > > -Brooks
> > >  
> > >  
> > > On 6/13/12 3:26 PM, "Ian Fette   (イアンフェッティ)" <ifette@google.com (http://ifette@google.com)> wrote:
> > >  
> > > > Out of curiosity, on today's call two examples of "successful" opt-in implementations were given.
> > > >  
> > > > 1. was the financial times - http://www.ft.com/home/us. This shows a popup saying the following: "FT Cookie Policy
> > > > We have published a new cookie policy. It explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our cookie policy.
> > > >  
> > > > If you'd like to disable cookies on this device, please view our information pages on 'How to manage cookies'. Please be aware that parts of the site will not function correctly if you disable cookies.
> > > >  
> > > > By closing this message, you consent to our use of cookies on this device in accordance with our cookie policy unless you have disabled them."
> > > >  
> > > > Before you even accept anything, I counted 40 cookies being set, including 18 from Financial Times. FT itself used HTML5 local storage in addition to the 18 cookies.
> > > >  
> > > > 2. The other was the UK CIO's site -- this seems to be down at the moment. www.cio.gov.uk (http://www.cio.gov.uk) <http://www.cio.gov.uk>  redirects to some archive page. Taking another government site as an example, I see 7 cookies including GUIDs from http://www.cabinetoffice.gov.uk/content/privacy-policy
> > > >  
> > > > So, I'd like to re-raise my question of whether anyone has actually successfully managed to deploy an opt-in compliant website in the wild...
> > > >  
> > > > -Ian
> > > >  
> > >  
> > > --  
> > >  
> > > Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the Wunderman Network
> > > (Tel) 678 580 2683 (tel:678%20580%202683) | (Mob) 678 492 1662 (tel:678%20492%201662) | kbmg.com (http://kbmg.com)  
> > > brooks.dobbs@kbmg.com (http://brooks.dobbs@kbmg.com)
> > >  
> > >  
> > >  
> > > This email – including attachments – may contain confidential information. If you are not the intended recipient,
> > >  do not copy, distribute or act on it. Instead, notify the sender immediately and delete the message.
> >  
>
Received on Wednesday, 13 June 2012 22:05:05 UTC