- From: Shane Wiley <wileys@yahoo-inc.com>
- Date: Mon, 26 Mar 2012 10:34:04 -0700
- To: Kimon Zorbas <vp@iabeurope.eu>, Matthias Schunter <mts-std@schunter.org>, Ninja Marnau <ULD66@datenschutzzentrum.de>
- CC: "public-tracking@w3.org" <public-tracking@w3.org>
- Message-ID: <63294A1959410048A33AEE161379C8023D1171BED0@SP2-EX07VS02.ds.corp.yahoo.com>
Ninja and I haven't had an opportunity to connect on this topic yet. As Kimon rightly points out, there are varying EU country-level interpretations of appropriate consent expression. My belief is for an Exchange level interaction, if the serving party is significantly limited in their data use (collected upon ad bid), then there is a fair argument that the party may be acting more as a data processor (service provider) than a controller at that moment and therefore may not need consent at all. If you layer this on top of a broad user consent mechanism (must appropriately and fairly articulate to the user the breadth of their exception - aka "*") then this may be acceptable from an EU Data Protection Directive (and further through the draft Data Protection Regulation) - especially as tools are available within browsers today to accept or reject individual 3rd parties as they are introduced to a user. This discussion is more rightly placed in the companion document we discussed last week as outside of the standards document. I don't believe we should develop any country specific features for DNT and instead allow guidance for each country's legal system to begin to tease this out (many elements are in legal "grey areas"). As I believe Kimon and Ninja would agree, there is not a bright-line rule in this case and therefore there will be considerable discussion/debate on this topic (and others related to DNT) within the EU (and other legal jurisdictions, including the US). - Shane From: Kimon Zorbas [mailto:vp@iabeurope.eu] Sent: Monday, March 26, 2012 12:39 PM To: Matthias Schunter; Ninja Marnau; Shane Wiley Cc: public-tracking@w3.org Subject: Re: Are blanked exceptions usable in the EU? [ISSUE-129] Hi Matthias, I am not clear, what the purpose would be? The E-Privacy Directive is not harmonised across the EU and as a consequence there cannot be a certain answer to what consent means (or how far it goes) or how such consent can be expressed (we believe browser settings can be used but it's not that easy either). Sorry not being able to give a simple response on this. Kind regards, Kimon ----- Reply message ----- From: "Matthias Schunter" <mts-std@schunter.org> To: "Ninja Marnau" <ULD66@datenschutzzentrum.de>, "Shane Wiley (yahoo)" <wileys@yahoo-inc.com> Cc: "public-tracking@w3.org" <public-tracking@w3.org> Subject: Are blanked exceptions usable in the EU? [ISSUE-129] Date: Mon, Mar 26, 2012 6:33 pm Hi Ninja/Shane, during our last call, you disagreed whether it is OK (=considered sufficient consent) from an EU legal perspective that an individual accepts an exception for "any" third party used on a given site. While I understood there is no problem to agree to a defined list "thirdparty1, thirdparty2, ...", there seems to be a problem if this list is undefined. A second question is whether an OK to 'any' is OK if the user can then later learn what parties where actually in use. How about either agreeing offline or else starting this discussion on the list? FYI: From a technical perspective, it is OK to include a function that would not be usable in the EU, however, in this case some guidance for sites may be helpful anyway. Regards, Matthias
Received on Monday, 26 March 2012 17:35:07 UTC