- From: Chris Pedigo <CPedigo@online-publishers.org>
- Date: Thu, 14 Jun 2012 19:14:35 +0000
- To: Kimon Zorbas <vp@iabeurope.eu>, "rob@blaeu.com" <rob@blaeu.com>, "Vinay Goel (Adobe)" <vigoel@adobe.com>, "public-tracking@w3.org" <public-tracking@w3.org>
- Message-Id: <CEED5B1AC4405240B53E0330753999D301BB41BB@mbx023-e1-nj-8.exch023.domain.local>
I share Kimon’s concerns here. We heard about the Dutch law on yesterday’s call but it’s one of only 3 countries that have implemented the cookie law. And, as Kimon points out, the UK has a different approach. Then, with the pending data protection regulation working its way through the EU Parliament, we may have a different EU standard to deal with in 2 years, but nobody really knows for sure.

Not to rain on the EU, but it feels odd to me that we’re trying to build our spec to accommodate/comply with the EU when even the EU doesn’t know what compliance looks like. If we can provide some basic functionality that could be useful in the EU, then great. But, let’s not go out of our way to try to build for EU compliance because nobody knows what that might look like.

I don’t mean to shut down this conversation unnecessarily, but it does feel like we’ve spent a lot of time on this discussion with no real work to show for it.

From: Kimon Zorbas [mailto:vp@iabeurope.eu]
Sent: Thursday, June 14, 2012 2:33 PM
To: rob@blaeu.com; Vinay Goel (Adobe); public-tracking@w3.org
Subject: Re: Examples of successful opt-in implementations

Rob, colleagues,

I am sorry, but I have serious problems with the way this group works and operates. I do not believe that we need to delve into (European) legal discussion and would appreciate if we could conclude in Seattle for once and forever about the role of Article 29 WP.

Rob, you are pushing so hard for the acceptance of Article 29 WP opinion as the word of God on data protection issues (and others also, to be fair) and I don't understand what you are trying to achieve with this. We may like what Article 29 WP says or not, but FACT is that it is JUST an opinion. It is not the law. And, frankly the UK, one of the most engaged EU Member States, is not following the supposed 'baseline'.

Kind regards,
Kimon

From: Rob van Eijk <rob@blaeu.com>
Reply-To: "rob@blaeu.com" <rob@blaeu.com>
Date: Thursday 14 June 2012 20:07
To: "Vinay Goel (Adobe)" <vigoel@adobe.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Subject: Re: Examples of successful opt-in implementations
Resent-From: <public-tracking@w3.org>
Resent-Date: Thursday 14 June 2012 20:08

Hi Vinay,

Thanks for the rapid response. I see you are addressing three things. The opinion, the mind model and the scope.

First the opinion: I argue that the opinion isn't just an opinion. It is a common baseline, expressed by the dpa's who will enforce the legal framework. That expression is, in the light of differences in national implementations, not to be taken lightly. The common baseline expresses what all dpa's see as a reasonable and defendable position that doesn't conflict with national laws. You can see clearly in the case of the first party analytics, how far the consensus went.

p. 10: "However, the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user friendly mechanism to opt-out from any data collection and comprehensive anonymization mechanisms that are applied to other collected identifiable information such as IP addresses."

This means that not all dpa's were able to see first party analytics as functional with respect to the national implementations. An important function of the opinion is to give advice to the European legislator. That is why on the next page we included an advice.

p. 11: "In this regard, should article 5.3 of the Directive 2002/58/EC be re-visited in the future, the European legislator might appropriately add a third exemption criterion to consent for cookies that are strictly limited to first party anonymized and aggregated statistical purposes. First party analytics should be clearly distinguished from third party analytics, which use a common third party cookie to collect navigation information related to users across distinct websites, and which pose a substantially greater risk to privacy."

Second, the mind model applied to first-party analytics: in most countries you wouldn't need to call for an exception. As explained above, getting first-party analytics into the category of functional cookies in all jurisdictions just wasn't possible.

Third, the scope: no, I am not arguing for a scope increase. Getting a standard to Last Call with the scope as it is, is already a difficult task. What I ask for, is to have the usefulness of the re-usable technical building blocks in the back of our minds while creating a meaningful standard. The scope is what it is.

mvg::Rob

On 14-6-2012 19:07, Vinay Goel wrote:

Hi Rob,

Hoping you can help me understand your mind model since applying it is complex given the very different approaches to ePrivacy compliance across the member states. Different markets are defining what a 'functional cookie' is differently. And, I know you shared the Working Party's opinion; but it's just that -- an opinion by the Working Party, not specific law or guidance from a DPA.

Assuming you take the Working Party's opinion that first-party site analytics is not a strictly necessary function, is your mind model suggesting that the first party needs to use the DNT exception mechanism or well-known URL in order to use the data for users that have DNT:1 for first-party analytics? If so, isn't that an increase in the scope (where you say "I am also not arguing that first parties must be subject to DNT")?

Thanks in advance.
-Vinay
Received on Thursday, 14 June 2012 19:33:05 UTC