RE: Out-of-Band Consent Standard (ISSUE-65)

Thanks Jonathan. I think this is helpful in terms of the potential standards under consideration. I support the approach in (2)(c) - although I am not sure that I personally would agree as to your conclusion on local law in the US, for a company that had chosen to recognize the DNT signal - as that approach would help to avoid the pain of the W3C working group having to define consent that passes muster in the many different jurisdictions in which we want DNT to be effective. It also allows for the continued changes in local law.

From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Tuesday, March 13, 2012 8:14 PM
To: Leung, Ted
Cc: Tracking Protection Working Group WG
Subject: Out-of-Band Consent Standard (ISSUE-65)

(spinning a new thread since this is a different topic)

I see two separate policy choices on out-of-band consent.

1) Can out-of-band consent be persistent?

2) What is the standard for out-of-band consent?

I believe you're asking about #1; I think the answer should be yes, and as I understand it, just about all participants agree.

#2 has proven much harder for the group.  There are three points of view I've heard expressed.

(a) We should set a high standard for consent (e.g. clear and conspicuous notice with explicit opt-in consent).  That's my view.

(b) We should set a low standard for consent (e.g. discoverable in a privacy policy or terms of service).

(c) We should not specify a standard for consent, and instead defer to local law (which will mean, very roughly, (a) in the EU and (b) in the U.S.).

On Mar 13, 2012, at 7:56 PM, Leung, Ted wrote:


Jonathan,

Can you outline what you feel are acceptable out-of-band consent experiences? As I understand you right now, it sounds like you want consent to be obtained after the user logs in, each time the user logs in. Is that what you are looking for?

Ted

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Tue, 13 Mar 2012 19:42:39 -0700
To: Shane Wiley <wileys@yahoo-inc.com>
Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
Subject: Re: Logged-In Exception (ISSUE-65)

For purposes of this issue, let's assume the user has not provided out-of-band consent.

While I seriously doubt that we would allow a first party to achieve out-of-band consent by burying it in signup terms or a privacy policy (ISSUE-69), even if we did, some responsible third parties would not take advantage of the loophole.

On Mar 13, 2012, at 7:29 PM, Shane Wiley wrote:


Jonathan,

If "logged-in" equates to "out of band" consent from a user, then I believe this is a moot discussion and would equate more likely to #3 - depends on the terms of registration with that party. I would suggest we treat "logged-in" on the merits of registration with each party and therefore the W3C makes no statement with regard to DNT and a logged-in state.

- Shane

Received on Wednesday, 14 March 2012 17:41:28 UTC