Re: Examples of successful opt-in implementations

Hi Kimon,

Ok. I would simply reiterate that I think it's a good idea to at least 
try and create a mechanism that will take care of as many regulatory 
problems as possible. I also feel legal regimes, opinions and 
requirements are a good touchstone so social norms and that this should 
guide the process. But I'm a lawyer and every problem looks like a 
regulatory problem to me : P

Best,
Tamir

On 6/14/2012 4:00 PM, Kimon Zorbas wrote:
> Tamir,
>
> don't get me wrong: I always believe every well-intended idea is worth 
> discussing and be given room for presentation. And we should certainly 
> find room discussing this in Seattle. (We actually had a great 
> discussion with our members and Rigo on this a couple of days ago).
>
> However, the real question is: are we trying to agree on a legal 
> compliance instrument (for Europe)? Or are we trying to agree on a 
> technical standard (that could be supported by the entire ecosystem 
> and self-regualtion initiatives)?
> We support the latter. How a standard then fits with law and can be 
> supplemented by self-regulatory instruments is the next step – but am 
> not sure this is part of the job of W3C. But maybe I got W3C's mission 
> wrong.
>
>
> Kimon
>
>
> From: Tamir Israel <tisrael@cippic.ca <mailto:tisrael@cippic.ca>>
> Date: Thursday 14 June 2012 21:14
> To: Kimon Zorbas <vp@iabeurope.eu <mailto:vp@iabeurope.eu>>
> Cc: "rob@blaeu.com <mailto:rob@blaeu.com>" <rob@blaeu.com 
> <mailto:rob@blaeu.com>>, "Vinay Goel (Adobe)" <vigoel@adobe.com 
> <mailto:vigoel@adobe.com>>, "public-tracking@w3.org 
> <mailto:public-tracking@w3.org>" <public-tracking@w3.org 
> <mailto:public-tracking@w3.org>>
> Subject: Re: Examples of successful opt-in implementations
> Resent-From: Nicholas Doty <npdoty@w3.org <mailto:npdoty@w3.org>>
> Resent-Date: Thursday 14 June 2012 21:34
>
> Hi Kimon -- not to wade too deeply into choppy EU waters, but even if 
> we do not take Art29WP outputs as 'fact', certainly you do not 
> advocate that we ignore them altogether?
>
> At least in the short term, I'd argue there's a high probability that 
> at least some EU jurisdictions end up deploying as the WP suggests. In 
> the long term, the UK might get taken to task on its regime.
>
> So I don't think it hurts to try and get an understanding of what Rob 
> and his colleagues have in mind, even if we do not treat this as 
> definitive.
>
> I certainly would find it useful to understand what an 'ideal' (from 
> the Art29WP perspective) explicit consent mechanism might look like.
>
> Best,
> Tamir
>
> On 6/14/2012 2:33 PM, Kimon Zorbas wrote:
>> Rob, colleagues,
>>
>> I am sorry, but I have serious problems with the way this group works 
>> and operates. I do not believe that we need to delve into (European) 
>> legal discussion and would appreciate if we could conclude in Seattle 
>> for once and forever about the role of Article 29 WP.
>>
>> Rob, you are pushing so hard for the acceptance of Article 29 WP 
>> opinion as the word of God on data protection issues (and others 
>> also, to be fair) and I don't understand what you are trying to 
>> achieve with this.
>> We may like what Article 29 WP says or not, but FACT is that it is 
>> JUST an opinion. It is not the law. And, frankly the UK, one of the 
>> most engaged EU Member States, is not following the supposed 'baseline'.
>>
>> Kind regards,
>> Kimon
>>
>>
>> From: Rob van Eijk <rob@blaeu.com <mailto:rob@blaeu.com>>
>> Reply-To: "rob@blaeu.com <mailto:rob@blaeu.com>" <rob@blaeu.com 
>> <mailto:rob@blaeu.com>>
>> Date: Thursday 14 June 2012 20:07
>> To: "Vinay Goel (Adobe)" <vigoel@adobe.com 
>> <mailto:vigoel@adobe.com>>, "public-tracking@w3.org 
>> <mailto:public-tracking@w3.org>" <public-tracking@w3.org 
>> <mailto:public-tracking@w3.org>>
>> Subject: Re: Examples of successful opt-in implementations
>> Resent-From: <public-tracking@w3.org <mailto:public-tracking@w3.org>>
>> Resent-Date: Thursday 14 June 2012 20:08
>>
>> Hi Vinay,
>>
>> Thanks for the rapid respons. I see you are addressing three things. The
>> opinion, the mind model
>> and the scope.
>>
>> First the opinion: I argue that the opinion isn't just an opinion. It is
>> a common baseline, expressed
>> by the dpa's who will enforce the legal framework. That expression is,
>> in the light of differences
>> in national implementations, not to be taken lightly. The common
>> baseline expresses what all dpa's
>> see as a reasonable and defendable position that doesn't conflict with
>> national laws. You can see
>> clearly in the case of the first party analytics, how far the consensus
>> went.
>>
>> p. 10: "However, the Working Party considers that first party analytics
>> cookies are not likely to
>> create a privacy risk when they are strictly limited to first party
>> aggregated statistical purposes
>> and when they are used by websites that already provide clear
>> information about these
>> cookies in their privacy policy as well as adequate privacy safeguards.
>> Such safeguards are
>> expected to include a user friendly mechanism to opt-out from any data
>> collection and
>> comprehensive anonymization mechanisms that are applied to other
>> collected identifiable
>> information such as IP addresses."
>>
>> This means that not all dpa's were able to see first party analytics as
>> functional with respect
>> of the national implementations.
>>
>> An important function of the opinion is to give advice to the European
>> legislator. That is why
>> on the next page we included an advise.
>>
>> p. 11: "In this regard, should article 5.3 of the Directive 2002/58/EC
>> be re-visited in the future, the
>> European legislator might appropriately add a third exemption criterion
>> to consent for cookies
>> that are strictly limited to first party anonymized and aggregated
>> statistical purposes.
>> First party analytics should be clearly distinguished from third party
>> analytics, which use a
>> common third party cookie to collect navigation information related to
>> users across distinct
>> websites, and which pose a substantially greater risk to privacy."
>>
>> Second, the mind model applied to first-party analytics: in most
>> countries you wouln't
>> need to call for an exception. As explained above, getting first-party
>> analytics into the
>> category of functional cookies in all jurisdictions just wasn't possible.
>>
>> Third, the scope: no, I am not arguing for a scope increase. Getting a
>> standard to Last Call
>> with the scope as it is, is already a difficult task. What I ask for, is
>> to have the usefulness
>> of the re-usable technical building blocks in the back of our minds
>> while creating a meaningful
>> standard. The scope is what it is.
>>
>> mvg::Rob
>>
>> On 14-6-2012 19:07, Vinay Goel wrote:
>>> Hi Rob,
>>>
>>> Hoping you can help me understand your mind model since applying it is
>>> complex given the very different approaches to ePrivacy compliance 
>>> across
>>> the member states.  Different markets are defining what a 'functional
>>> cookie' is differently.  And, I know you shared the Working Party's
>>> opinion; but its just that -- an opinion by the Working Party, not
>>> specific law or guidance from a DPA.
>>>
>>> Assuming you take the Working Party's opinion that first-party site
>>> analytics is not a strictly necessary function, is your mind model
>>> suggesting that the first party needs to use the DNT exception mechanism
>>> or well-known URL in order to use the data for users that have DNT:1 for
>>> first-party analytics?  If so, isn't that an increase in the scope 
>>> (where
>>> you say "I am also not arguing that first parties must be subject to 
>>> DNT")?
>>>
>>> Thanks in advance.
>>>
>>> -Vinay
>>
>>