Re: ACTION-255: Work on financial reporting text as alternative to legal requirements

On 9/26/12 6:49 PM, "Nicholas Doty" <> wrote:

>On Sep 26, 2012, at 9:02 AM, Alan Chapell
><> wrote:
>> On 9/26/12 11:52 AM, "Rigo Wenning" <> wrote:
>>> Now if you want to continue to do re-targeting and provide proof
>>> that you have successfully re-targeted this individual, I would
>>> guess that the required data collection and use goes a fair amount
>>> beyond what the user expects when sending you DNT:1 . Maybe you can
>>> also understand this DNT:1 as an opt out of the user of the
>>> targeting. Should permitted uses be stronger than such an opt out?
>> I'm not sure what you're arguing here. The rationale behind permitted
>> is that they continue even in the presence of a DNT signal.
>I think the concern that Rigo is expressing here is that if the permitted
>use allows retargeting of a certain kind but the group thinks that
>retargeting is not compliant with a DNT preference, then having a
>permitted use that allows retargeting as required by a contract or an
>auditor would reduce the meaning of compliance with the preference.

Yes. That makes sense. I'm not looking for exemptions to swallow the rule.
Rather, I'm offering examples of exceptions to DNT and data retention
requirements that go above those required by law.
>I'm still a little uncertain on this PCMCP example, per my questions
>earlier on this thread. Is someone suggesting that a DNT header would
>require removing data previously collected about a user or device? (I
>don't think the group has held that, so that shouldn't be an issue.) Are
>you suggesting that the ad network would be using data collected under
>DNT:1 in order to re-target an ad on another site? (I believe this would
>be incompatible with third-party compliance with a DNT preference.) Does
>the ad network need to prove to PCMCP that it re-targeted an ad to
>someone who had previously seen the ad on a particular other website? Or
>is the example that the ad network needs to retain logs about a
>particular ad impression to prove that the impression wasn't for a user
>IP address known to be from a particular country?

I think we may be getting caught up in "retargeting" here, and that may be
distorting things. The PMCPA Code regulates (among other things) the
serving of pharma ads to consumers located in the UK. If a consumer
complains to the PMCPA that they were served a pharma advertisement on, then the those participating in the ad serving chain
would need to demonstrate that they reasonably believed that this visitor
was located outside of the UK. One way for them to do this is via IP
address. However, if the User has DNT enabled and the ad network is
required to remove and/or delink all data within - as John seems to
suggest - a two week period, this would make things difficult if not
impossible. In other words, the website, the advertiser, the ad network
and the agency would potentially be in violation of the PMCPA code.
>I think what Alan is getting at is that there may be some data retention
>not required by financial reporting laws that we would consider
>consistent with an expressed DNT preference. For example, retaining the
>IP address of users who see an ad would be done in order to prove to a
>third-party auditing/trade organization that ads of a certain type are
>not shown to users in a particular country.

I'm not here to advocate for or against the merits of the PMCPA. However,
I do want to make the following points: a) that there are non-legal
requirements for data retention that exist, b)by definition, not every
entity creating these requirements is participating as a stakeholder in
this WG, and c) setting static and inflexible requirements around
exceptions and data retention will undoubtedly have unintended

I understand that some in the WG may feel those non-legal requirements are
trumped by the larger goals of the WG. But if one of our goals here is
implementability by a significant percentage of the marketplace, then we
ignore these types of examples at our own risk.

>If that's right, I think that leaves two questions for the group:
>1) is the group comfortable with the compliance specification allowing
>potentially long-term retention (and sharing) of data from DNT:1 users
>for examples like this one?
>2) if so, can we phrase the requirement to allow retention/sharing for
>this purpose without providing a general permitted use for complying with
>any contractual term?

Nick - perhaps you and I can grab some time in Amsterdam to discuss and
craft language to that effectŠ

>Hope this helps,

Received on Monday, 1 October 2012 14:59:43 UTC