Re: Examples of successful opt-in implementations

Tamir,

don't get me wrong: I always believe every well-intended idea is worth discussing and being given room for presentation. And we should certainly find room to discuss this in Seattle. (We actually had a great discussion with our members and Rigo on this a couple of days ago).

However, the real question is: are we trying to agree on a legal compliance instrument (for Europe)? Or are we trying to agree on a technical standard (that could be supported by the entire ecosystem and self-regulation initiatives)?
We support the latter. How a standard then fits with law and can be supplemented by self-regulatory instruments is the next step – but I am not sure this is part of the job of W3C. But maybe I got W3C's mission wrong.


Kimon


From: Tamir Israel <tisrael@cippic.ca>
Date: Thursday 14 June 2012 21:14
To: Kimon Zorbas <vp@iabeurope.eu>
Cc: "rob@blaeu.com" <rob@blaeu.com>, "Vinay Goel (Adobe)" <vigoel@adobe.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Subject: Re: Examples of successful opt-in implementations
Resent-From: Nicholas Doty <npdoty@w3.org>
Resent-Date: Thursday 14 June 2012 21:34

Hi Kimon -- not to wade too deeply into choppy EU waters, but even if we do not take Art29WP outputs as 'fact', certainly you do not advocate that we ignore them altogether?

At least in the short term, I'd argue there's a high probability that at least some EU jurisdictions end up deploying as the WP suggests. In the long term, the UK might get taken to task on its regime.

So I don't think it hurts to try and get an understanding of what Rob and his colleagues have in mind, even if we do not treat this as definitive.

I certainly would find it useful to understand what an 'ideal' (from the Art29WP perspective) explicit consent mechanism might look like.

Best,
Tamir

On 6/14/2012 2:33 PM, Kimon Zorbas wrote:
> 
> Rob, colleagues,
> 
> I am sorry, but I have serious problems with the way this group works and operates. I do not believe that we need to delve into (European) legal discussion and would appreciate if we could conclude in Seattle for once and forever about the role of Article 29 WP.
> 
> Rob, you are pushing so hard for the acceptance of Article 29 WP opinion as the word of God on data protection issues (and others also, to be fair) and I don't understand what you are trying to achieve with this.
> We may like what Article 29 WP says or not, but FACT is that it is JUST an opinion. It is not the law. And, frankly, the UK, one of the most engaged EU Member States, is not following the supposed 'baseline'.
> 
> Kind regards,
> Kimon
> 
> 
> From: Rob van Eijk <rob@blaeu.com>
> Reply-To: "rob@blaeu.com" <rob@blaeu.com>
> Date: Thursday 14 June 2012 20:07
> To: "Vinay Goel (Adobe)" <vigoel@adobe.com>, "public-tracking@w3.org" <public-tracking@w3.org>
> Subject: Re: Examples of successful opt-in implementations
> Resent-From: <public-tracking@w3.org>
> Resent-Date: Thursday 14 June 2012 20:08
> 
> Hi Vinay,
> 
> Thanks for the rapid response. I see you are addressing three things. The opinion, the mind model and the scope.
> 
> First the opinion: I argue that the opinion isn't just an opinion. It is a common baseline, expressed by the DPAs who will enforce the legal framework. That expression is, in the light of differences in national implementations, not to be taken lightly. The common baseline expresses what all DPAs see as a reasonable and defendable position that doesn't conflict with national laws. You can see clearly in the case of the first party analytics, how far the consensus went.
> 
> p. 10: "However, the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user friendly mechanism to opt-out from any data collection and comprehensive anonymization mechanisms that are applied to other collected identifiable information such as IP addresses."
> 
> This means that not all DPAs were able to see first party analytics as functional with respect to the national implementations.
> 
> An important function of the opinion is to give advice to the European legislator. That is why on the next page we included advice.
> 
> p. 11: "In this regard, should article 5.3 of the Directive 2002/58/EC be re-visited in the future, the European legislator might appropriately add a third exemption criterion to consent for cookies that are strictly limited to first party anonymized and aggregated statistical purposes. First party analytics should be clearly distinguished from third party analytics, which use a common third party cookie to collect navigation information related to users across distinct websites, and which pose a substantially greater risk to privacy."
> 
> Second, the mind model applied to first-party analytics: in most countries you wouldn't need to call for an exception. As explained above, getting first-party analytics into the category of functional cookies in all jurisdictions just wasn't possible.
> 
> Third, the scope: no, I am not arguing for a scope increase. Getting a standard to Last Call with the scope as it is, is already a difficult task. What I ask for, is to have the usefulness of the re-usable technical building blocks in the back of our minds while creating a meaningful standard. The scope is what it is.
> 
> mvg::Rob
> 
> On 14-6-2012 19:07, Vinay Goel wrote:
>> Hi Rob,
>> 
>> Hoping you can help me understand your mind model since applying it is
>> complex given the very different approaches to ePrivacy compliance across
>> the member states.  Different markets are defining what a 'functional
>> cookie' is differently.  And, I know you shared the Working Party's
>> opinion; but it's just that -- an opinion by the Working Party, not
>> specific law or guidance from a DPA.
>> 
>> Assuming you take the Working Party's opinion that first-party site
>> analytics is not a strictly necessary function, is your mind model
>> suggesting that the first party needs to use the DNT exception mechanism
>> or well-known URL in order to use the data for users that have DNT:1 for
>> first-party analytics?  If so, isn't that an increase in the scope (where
>> you say "I am also not arguing that first parties must be subject to DNT")?
>> 
>> Thanks in advance.
>> 
>> -Vinay
> 
> 

Received on Thursday, 14 June 2012 20:04:57 UTC