W3C home > Mailing lists > Public > public-tracking@w3.org > May 2012

Re: explicit-explicit exception pairs

From: イアンフェッティ <ifette@google.com>
Date: Sat, 5 May 2012 16:21:21 -0700
Message-ID: <CAF4kx8fh6xYEv8_U1YQZW0j9etfJ8vuZ4Chy6ZLXHdN=H3y0yQ@mail.gmail.com>
To: rob@blaeu.com
Cc: Rigo Wenning <rigo@w3.org>, Nicholas Doty <npdoty@w3.org>, public-tracking@w3.org, Matthias Schunter <mts-std@schunter.org>
I'm curious what you mean by "implied" consent? If the user grants an
exception in response to a dialog presented by the browser on behalf of the
website, that's rather explicit, is it not? I fail to see how that is

I'm not a lawyer and I don't pretend to be one, I'm just trying to figure
out if there's some distinction here that you're drawing that i'm missing.
I looked through the opinion you linked to, and in particular, I'm having
trouble reconciling your statement with the following:

"Recently the ECJ issued a preliminary ruling
 regarding Article 12(2) of the ePrivacy
Directive, concerning the need for renewed consent of subscribers who had
consented to have their personal data published in one directory, to have
their personal
data transferred to be published by other directory services.  The Court
held that where
the subscriber has been correctly informed of the possibility that his
personal data may
be passed to a third-party undertaking and s/he has already consented to
the publication
of those data in such a directory, renewed consent is not needed from the
subscriber for
the transfer of those same data, if it is guaranteed that the data in
question will not be
used for purposes other than those for which the data were collected with a
view to their
first publication (paragraph 65). "

Wouldn't this imply that if you inform the user that their data may be
passed on to third party advertisers for the following (X,Y,Z) purposes,
the addition of another advertiser down the line would not be material?

Also, I don't think you should take the prompt presented by the browser as
the full context of the request for consent. The prompt by the browser is
generated by the user clicking something on the page, the text surrounding
that something on the page is part of the context under which the consent
is given, and can do things like explain what third parties the site uses
and what purposes the site wishes to use your data for.

On Sat, May 5, 2012 at 8:40 AM, Rob van Eijk <rob@blaeu.com> wrote:

> This thread starts to overlap with 'ACTION-172: Write up more detailed
> list of use cases for origin/origin exceptions'
> My assumption in this answer is that the browser reflects valid user
> consent. As a prerequisite, this implies that the user has made an informed
> choice, preferably in the install/update flow of the browser to use DNT
> technology as a granular consent expression mechanism.
> Taking this assumption into account, my answer is easy, and I can be
> crystal clear on this:
> 1) Implied consent for * for an unknown list of parties is unacceptable
> for it does not lead to compliance.
> 2) Implied consent can only be valid for a select list of third parties
> operating in a first party context: the processors who have a legal
> processor-agreement with the first party (controller).
> In Brussels I gave a detailed presentation on the criteria for consent to
> be valid. They are well published in the Art. 29 Working Parties opinion.
> Preso: http://lists.w3.org/Archives/**Public/public-tracking/**
> 2012Jan/att-0268/W3C_v2.pdf<http://lists.w3.org/Archives/Public/public-tracking/2012Jan/att-0268/W3C_v2.pdf>
> Opinion 15/2011 on Consent: http://ec.europa.eu/justice/**
> data-protection/article-29/**documentation/opinion-**
> recommendation/files/2011/**wp187_en.pdf<http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp187_en.pdf>
> Rob
> On 4-5-2012 22:31, Rigo Wenning wrote:
>> Ian,
>> this is very clear and I think we are at the core of the issue. I have to
>> leave it to Rob (and it may take some time) to answer the question whether
>> informed consent can be given to an unknown list of third parties tracking
>> me. From my german and french law roots, I have a feeling it doesn't work,
>> but maybe I'm wrong.
Received on Saturday, 5 May 2012 23:21:53 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:38:42 UTC