W3C home > Mailing lists > Public > public-tracking@w3.org > November 2012

Re: Proposals for Compliance issue clean up

From: Rob Sherman <robsherman@fb.com>
Date: Wed, 14 Nov 2012 15:33:40 +0000
To: David Wainberg <david@networkadvertising.org>
CC: "Aleecia M. McDonald" <aleecia@aleecia.com>, "public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <AD30EAA8DFF4B1498B95130E78C8325015138998@SC-MBX02-4.TheFacebook.com>
Thanks for this feedback, David.  This is a good reason why we should wait
to finalize our definition of "declared data" until we agree on what the
impact of data being "declared" means.  I think the point you raise is
applicable to the entire concept of "declared data," regardless of whether
it is declared in a form submission or in a dialogue box.  In either case,
I think you would argue that the user consented to collection of that data
-- so it's not clear to me why we need to define "declared data" for one
form of "consent" but not another form.  It seems to me that the best way
to deal with this is to say that when a party receives first-party
information it is bound by its privacy policies, any other representations
it makes, and its other legal obligations and leave it at that.  I
understood Shane to agree that these two kinds of consent are essentially
the same thing for the purpose of his "declared data" definition, so I
don't know why it would make sense to handle them differently if we
address this in the draft.


On 11/12/12 8:19 AM, "David Wainberg" <david@networkadvertising.org> wrote:

>Hi Rob,
>On 11/11/12 9:58 PM, Rob Sherman wrote:
>> On the substance of Shane's proposal, though, I'd suggest that it be
>> modified along the lines of my correspondence with Shane
>> (http://lists.w3.org/Archives/Public/public-tracking/2012Oct/0310.html)
>> make clear that there are situations in which information is "declared
>> data" even if it is not "directly and expressly supplied by a user to a
>> party."  As described in the thread, Shane and I agreed that this
>> includes a situation in which the user authorizes sharing of information
>> but does not "directly and expressly suppl[y]" it.  (For example, we
>> agreed that if you specifically authorize an app to publish information
>> about actions you take within the app to your Facebook timeline (or
>> specifically authorize Facebook to receive that information), that
>> information would be deemed "declared data" as to Facebook even though
>> is not provided "directly" by the user to Facebook.)
>It sounds like what you're saying is that "declared data" includes any
>data and any purpose for which a user has given consent. This is just a
>question of what is adequate consent for various uses of data. If the
>user gives consent for a use, then that's fine. Why should the DNT spec
>say anything about it?
Received on Wednesday, 14 November 2012 15:34:11 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:00 UTC