Re: Examples of successful opt-in implementations

Hi Vinay,

Thanks for the rapid respons. I see you are addressing three things. The 
opinion, the mind model
and the scope.

First the opinion: I argue that the opinion isn't just an opinion. It is 
a common baseline, expressed
by the dpa's who will enforce the legal framework. That expression is, 
in the light of differences
in national implementations, not to be taken lightly. The common 
baseline expresses what all dpa's
see as a reasonable and defendable position that doesn't conflict with 
national laws. You can see
clearly in the case of the first party analytics, how far the consensus 

p. 10: "However, the Working Party considers that first party analytics 
cookies are not likely to
create a privacy risk when they are strictly limited to first party 
aggregated statistical purposes
and when they are used by websites that already provide clear 
information about these
cookies in their privacy policy as well as adequate privacy safeguards. 
Such safeguards are
expected to include a user friendly mechanism to opt-out from any data 
collection and
comprehensive anonymization mechanisms that are applied to other 
collected identifiable
information such as IP addresses."

This means that not all dpa's were able to see first party analytics as 
functional with respect
of the national implementations.

An important function of the opinion is to give advice to the European 
legislator. That is why
on the next page we included an advise.

p. 11: "In this regard, should article 5.3 of the Directive 2002/58/EC 
be re-visited in the future, the
European legislator might appropriately add a third exemption criterion 
to consent for cookies
that are strictly limited to first party anonymized and aggregated 
statistical purposes.
First party analytics should be clearly distinguished from third party 
analytics, which use a
common third party cookie to collect navigation information related to 
users across distinct
websites, and which pose a substantially greater risk to privacy."

Second, the mind model applied to first-party analytics: in most 
countries you wouln't
need to call for an exception. As explained above, getting first-party 
analytics into the
category of functional cookies in all jurisdictions just wasn't possible.

Third, the scope: no, I am not arguing for a scope increase. Getting a 
standard to Last Call
with the scope as it is, is already a difficult task. What I ask for, is 
to have the usefulness
of the re-usable technical building blocks in the back of our minds 
while creating a meaningful
standard. The scope is what it is.


On 14-6-2012 19:07, Vinay Goel wrote:
> Hi Rob,
> Hoping you can help me understand your mind model since applying it is
> complex given the very different approaches to ePrivacy compliance across
> the member states.  Different markets are defining what a 'functional
> cookie' is differently.  And, I know you shared the Working Party's
> opinion; but its just that -- an opinion by the Working Party, not
> specific law or guidance from a DPA.
> Assuming you take the Working Party's opinion that first-party site
> analytics is not a strictly necessary function, is your mind model
> suggesting that the first party needs to use the DNT exception mechanism
> or well-known URL in order to use the data for users that have DNT:1 for
> first-party analytics?  If so, isn't that an increase in the scope (where
> you say "I am also not arguing that first parties must be subject to DNT")?
> Thanks in advance.
> -Vinay

Received on Thursday, 14 June 2012 18:08:16 UTC