W3C home > Mailing lists > Public > public-tracking@w3.org > October 2012

Re: tracking-ISSUE-184 (Walter van Holst): 3rd party dependencies in 1st party content [Tracking Definitions and Compliance]

From: Rob van Eijk <rob@blaeu.com>
Date: Thu, 25 Oct 2012 10:23:42 +0200
To: <public-tracking@w3.org>
Message-ID: <0ad7b09b803acd68023c43186e0e12dd@xs4all.nl>

I am pleased to see that we are finaly getting into global 
considerations territory.


Kimon Zorbas schreef op 2012-10-25 09:29:
> Fully support Rigo: if a user objects to the data processing, the
> service provider has a right to not provide the service. That is 
> broad
> consensus of policymakers, industry and regulatory authorities (DPAs 
> &
> telecom and other).
>  Kind regards,
>  Kimon
> ----- Reply message -----
>  From: "Rigo Wenning" <rigo@w3.org>
>  To: "public-tracking@w3.org" <public-tracking@w3.org>,
> "rob@blaeu.com" <rob@blaeu.com>
>  Subject: tracking-ISSUE-184 (Walter van Holst): 3rd party
> dependencies in 1st party content [Tracking Definitions and
> Compliance]
>  Date: Thu, Oct 25, 2012 8:58 am
> Walter, Rob,
>  in our setup, a first party doesn't need consent with the current
>  specifications. And the second party is not DNT enabled in your
>  scenario. So you have already a logic break in there.
>  There is a law in Germany that a service can't refuse service merely
>  because the data subject refuses data collection. This hasn't been
>  applied in a case I know of. And for good reasons. If the user
>  refuses necessary data collection, how would I obtain the service?
>  I think we would be ill-guided if we would accept that a service
>  can't refuse service. Forced licenses and services exist for patents
>  and monopolies. We are not there. And if we were there, we would
>  have to define precisely what that minimum service is. I don't think
>  we can do that from here.
>  The only point that Walter has is the following: If the first party
>  responds "3" (as in the EU context) and has other third parties not
>  compliant with DNT and the site is not working without them, one
>  could argue for text that says, the entire site is not DNT
>  compliant. But that has dangers from redirects and other surprises.
>  I would rather say that we add non-normative text that the browser
>  should assume that the site is not usable with DNT. It finally says
>  that the site, by establishing the denial, it links its service to
>  another non-DNT service such that the DNT can't be assumed.
>  Another break is then, that Walter assumes DNT and says: "The user
>  is forced to give consent". But there is no DNT to consent to other
>  than the first party as -by definition- the third party is not DNT
>  enabled.
>  Concluding, I can say that for the EU, the situation is rather
>  simple. Requests are DNT-enabled or not. If those enabled are
>  hardwired with a service that aren't, the entire request must fail
>  or made under the assumption of DNT unset.
>  Rigo
>  On Wednesday 24 October 2012 19:49:46 Rob van Eijk wrote:
>  > > This raises an interesting situation if we have DNT. For example
>  > > we have a 1st party that is trusted by the user and also claims
>  > > to comply
>  > > to DNT and a 3rd party that is neither. Since the 1st party
>  > > content is
>  > > technically dependent on 3rd party content, the user has the
>  > > choice between either granting consent to the 3rd party in
>  > > order to have the 1st party function properly or not getting
>  > > the content at all.
>  > >
>  > > To what extent is such consent informed, genuine and meaningful?
>  >
>  > I would like to add the question the element of free (i.e. freely
>  > given): to what extent is such consent freely given.
>  >
>  > (Recital 17 (2002/58/EC): Consent may be given by any appropriate
>  > method enabling a freely given, specific and informed indication
>  > of the user’s whishes.)
Received on Thursday, 25 October 2012 08:24:15 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:59 UTC