- From: Rob Sherman <robsherman@fb.com>
- Date: Wed, 14 Nov 2012 15:33:40 +0000
- To: David Wainberg <david@networkadvertising.org>
- CC: "Aleecia M. McDonald" <aleecia@aleecia.com>, "public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org)" <public-tracking@w3.org>
Thanks for this feedback, David. This is a good reason why we should wait to finalize our definition of "declared data" until we agree on what the impact of data being "declared" means. I think the point you raise is applicable to the entire concept of "declared data," regardless of whether it is declared in a form submission or in a dialogue box. In either case, I think you would argue that the user consented to collection of that data -- so it's not clear to me why we need to define "declared data" for one form of "consent" but not another form. It seems to me that the best way to deal with this is to say that when a party receives first-party information it is bound by its privacy policies, any other representations it makes, and its other legal obligations and leave it at that. I understood Shane to agree that these two kinds of consent are essentially the same thing for the purpose of his "declared data" definition, so I don't know why it would make sense to handle them differently if we address this in the draft. Rob On 11/12/12 8:19 AM, "David Wainberg" <david@networkadvertising.org> wrote: >Hi Rob, > >On 11/11/12 9:58 PM, Rob Sherman wrote: >> On the substance of Shane's proposal, though, I'd suggest that it be >> modified along the lines of my correspondence with Shane >> (http://lists.w3.org/Archives/Public/public-tracking/2012Oct/0310.html) >>to >> make clear that there are situations in which information is "declared >> data" even if it is not "directly and expressly supplied by a user to a >> party." As described in the thread, Shane and I agreed that this >>concept >> includes a situation in which the user authorizes sharing of information >> but does not "directly and expressly suppl[y]" it. (For example, we >> agreed that if you specifically authorize an app to publish information >> about actions you take within the app to your Facebook timeline (or >> specifically authorize Facebook to receive that information), that >> information would be deemed "declared data" as to Facebook even though >>it >> is not provided "directly" by the user to Facebook.) >It sounds like what you're saying is that "declared data" includes any >data and any purpose for which a user has given consent. This is just a >question of what is adequate consent for various uses of data. If the >user gives consent for a use, then that's fine. Why should the DNT spec >say anything about it? > >-David
Received on Wednesday, 14 November 2012 15:34:11 UTC